
Pure Python Stateless Tag-Based Authorization Library

Project description

Stateless Tag-Based Authorization Library

Background

Traditional role-based authorization models are not flexible enough to cover all required use cases. On the other hand, fully managed ACLs are too complex for account managers to handle. tagth is a simple and flexible authorization model that can be easily implemented and maintained.

Installation

pip install tagth

Tag-Based Authorization

A lightweight model that is based on three concepts:

  • a principal and its associated tags,
  • a resource and its associated tags,
  • an action.

The model adheres to the following principles:

  • the model is stateless and purely functional, and it has no internal persistence,
  • the model does not interpret the tags or actions, besides the special values,
  • the model produces a binary result: either the action is allowed or not.

Principal and Principal Tags

A Principal is an acting entity. A Principal can be a user, a role, a group, or any other entity that can perform actions.

Principal’s auth tag string looks like a comma-separated list of tags: tag_one, tag_two, tag_three. Each tag should be a string that is a valid Python identifier.

A supertag is a tag that is a prefix of another tag. For example, admin is a supertag of admin_user.

Warning: Matching is based on simple string prefix. This means admin will match admin_user, administrator, and admin123. Ensure your tag naming scheme accounts for this to avoid unintended access.

A principal is said to possess a tag if the tag or its supertag exists in the principal’s auth tag string.

Special values:

  • void (can only access resources with anyone access, see below),
  • root (unlimited access).

Resource and Resource Tags

A Resource is an object that can be accessed by a Principal. A Resource can be a user, a channel, a source asset, an extension, a tenant, a campaign, etc.

A resource tag is a string that is a valid Python identifier. NB: there is no such thing as a supertag for a resource tag.

An action is a string that is a valid Python identifier. A superaction is an action that is a prefix of another action. For example, create is a superaction of create_asset.

Warning: Like tags, action matching is based on simple string prefix. read will match reading and read_all.

Resource auth tag string looks like a comma-separated list of colon-separated pairs of tags and actions: tag_one:read, tag_two:write, or, for multiple actions on one tag, tag_one:{read, write} (tags with associated actions).

If the resource auth tag string is empty or contains only whitespace, only the root principal is allowed access.

An action is allowed for a principal if it possesses any of the following:

  • a tag that is associated with the action,
  • a tag that is associated with a superaction of the action,
  • the root tag.

Special values:

  • anyone resource tag (any principal is allowed to perform the action),
  • all action (all actions are allowed).

Access Resolution

The model makes a decision based on the following three values only:

  • the principal’s auth tag string
  • the resource’s auth tag string
  • the action to be performed

The resolution is binary: either the action is allowed or not.
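To make the rules above concrete, here is an added reference implementation of the resolution logic as this page describes it; it is not the library's own code. It assumes the root tag is matched exactly (not by prefix) and that a void principal can only be granted access through anyone entries; the invalid-identifier check raises ValueError, which the page does not specify.

```python
import re

def _ident(s: str) -> str:
    """Every tag and action must be a valid Python identifier; reject anything else."""
    s = s.strip()
    if not s.isidentifier():
        raise ValueError(f'invalid tag or action: {s!r}')
    return s

def parse_principal(tags: str) -> set:
    """Principal string: comma-separated tags, e.g. 'user, content'."""
    return {_ident(t) for t in tags.split(',') if t.strip()}

def parse_resource(tags: str) -> list:
    """Resource string: 'tag:action' pairs; 'tag:{a, b}' expands to one pair per action."""
    pairs = []
    for m in re.finditer(r'(\w+)\s*:\s*(?:\{([^}]*)\}|(\w+))', tags):
        tag, group, single = m.groups()
        actions = group.split(',') if group is not None else [single]
        pairs.extend((_ident(tag), _ident(a)) for a in actions if a.strip())
    return pairs

def possesses(principal_tags: set, tag: str) -> bool:
    """Supertag rule: holding 'admin' grants any resource tag starting with 'admin'."""
    return any(tag.startswith(p) for p in principal_tags)

def action_matches(granted: str, requested: str) -> bool:
    """'all' grants everything; otherwise the superaction rule: 'create' grants 'create_asset'."""
    return granted == 'all' or requested.startswith(granted)

def allowed(principal: str, resource: str, action: str) -> bool:
    ptags = parse_principal(principal)
    action = _ident(action)
    if 'root' in ptags:            # root: unlimited access (assumed exact match, not prefix)
        return True
    pairs = parse_resource(resource)
    if not pairs:                  # empty or whitespace-only resource string: root only
        return False
    for tag, granted in pairs:
        if not action_matches(granted, action):
            continue
        if tag == 'anyone':        # anyone: any principal, including void
            return True
        if 'void' in ptags:        # void: only 'anyone' entries apply (assumption)
            continue
        if possesses(ptags, tag):
            return True
    return False
```

The prefix pitfall from the warnings shows up directly: a principal holding admin is granted access to a resource tagged administrator.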

Examples

Basic Usage

from tagth import allowed

# A regular user with basic permissions
principal_tags = 'user, content'
resource_tags = 'content:read, metadata:write'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Multiple actions for a resource
principal_tags = 'user, content'
resource_tags = 'content:{read, write}'

# Check if user can read content
allowed(principal_tags, resource_tags, 'read')  # Returns True
# Check if user can write content
allowed(principal_tags, resource_tags, 'write')  # Returns True
# Check if user can delete content
allowed(principal_tags, resource_tags, 'delete')  # Returns False

# Root user has unlimited access
principal_tags = 'root'
allowed(principal_tags, resource_tags, 'anything')  # Returns True

# Void user can only access 'anyone' resources
void_tags = 'void'
allowed(void_tags, 'anyone:read', 'read')  # Returns True
allowed(void_tags, 'content:read', 'read')  # Returns False

Supertags and Superactions

from tagth import allowed

# Principal tags can be supertags
principal_tags = 'admin'
resource_tags = 'admin_user:write, admin_content:delete'

# 'admin' is a supertag of 'admin_user' and 'admin_content'
allowed(principal_tags, resource_tags, 'write')  # Returns True
allowed(principal_tags, resource_tags, 'delete')  # Returns True

# Actions can have superactions
principal_tags = 'content'
resource_tags = 'content:create'

# 'create' is a superaction of 'create_asset'
allowed(principal_tags, resource_tags, 'create_asset')  # Returns True

Special Values

from tagth import allowed

# 'anyone' resource tag allows access to all principals
principal_tags = 'basic_user'
resource_tags = 'anyone:read'
allowed(principal_tags, resource_tags, 'read')  # Returns True

# 'all' action allows all actions
principal_tags = 'content'
resource_tags = 'content:all'
allowed(principal_tags, resource_tags, 'read')  # Returns True
allowed(principal_tags, resource_tags, 'write')  # Returns True

Project details

Release tagth-1.2.4 is published as a source distribution (tagth-1.2.4.tar.gz) and a pure-Python wheel (tagth-1.2.4-py3-none-any.whl), uploaded using Trusted Publishing from publish.yml on scartill/tagth.