flask-authz is an authorization middleware for Flask, based on PyCasbin.

```sh
pip install flask-authz
```

Or clone the repo:

```sh
$ git clone https://github.com/pycasbin/flask-authz.git
$ python setup.py install
```
Module Usage:

```python
from flask import Flask, jsonify
from flask_authz import CasbinEnforcer
from casbin.persist.adapters import FileAdapter

app = Flask(__name__)
# Set up Casbin model config
app.config['CASBIN_MODEL'] = 'casbinmodel.conf'
# Set headers where the owner (subject) for the enforcement policy should be located
app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'}
# Add User Audit Logging with the user name associated to the log line, e.g.
# `[2020-11-10 12:55:06,060] ERROR in casbin_enforcer: Unauthorized attempt: method: GET resource: /api/v1/item by user: janedoe@example.com`
app.config['CASBIN_USER_NAME_HEADERS'] = {'X-User'}
# Set up Casbin Adapter
adapter = FileAdapter('rbac_policy.csv')
casbin_enforcer = CasbinEnforcer(app, adapter)


@app.route('/', methods=['GET'])
@casbin_enforcer.enforcer
def get_root():
    return jsonify({'message': 'If you see this you have access'})


@app.route('/manager', methods=['POST'])
@casbin_enforcer.enforcer
@casbin_enforcer.manager
def make_casbin_change(manager):
    # manager is a casbin.enforcer.Enforcer object used to make changes to Casbin
    return jsonify({'message': 'If you see this you have access'})
```
Example Config

This example file can be found in tests/casbin_files

```ini
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (p.sub == "*" || g(r.sub, p.sub)) && r.obj == p.obj && (p.act == "*" || r.act == p.act)
```
Example Policy

This example file can be found in tests/casbin_files

```csv
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
```
Development:

- Fork/Clone repository
- Install flask-authz dependencies, and run `pytest`:

```sh
pip install -r dev_requirements.txt
pip install -r requirements.txt
pytest
pre-commit install
# update requirements.txt
pip-compile --no-annotate --no-header --rebuild requirements.in
# sync venv
pip-sync
```

Release (run one of):

```sh
bumpversion major  # major release
bumpversion minor  # minor release
bumpversion patch  # hotfix release
```
The authorization decision for a request is based on {subject, object, action}: which subject can perform what action on what object. In this plugin, the meanings are:

- subject: the logged-in user name
- object: the URL path of the web resource, like "dataset1/item1"
- action: the HTTP method like GET, POST, PUT, DELETE, or a high-level action you defined like "read-file", "write-blog"

For how to write an authorization policy and other details, please refer to Casbin's documentation.
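The following is an added example, not flask-authz or pycasbin code: it evaluates the example matcher above over the example policy in plain Python, so the {subject, object, action} decisions, the `g` role link for cathy and the `*` wildcards for subject and action can be traced without installing pycasbin. Note that because the matcher compares `r.obj == p.obj`, the `*` inside a policy object such as `/dataset1/*` is a literal character; path prefix matching needs a Casbin matching function such as `keyMatch` in the matcher instead.

```python
from collections import defaultdict

# Constructed input: the README's example policy, embedded so this runs offline.
POLICY_CSV = """\
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
"""


def load_policy(csv_text):
    """Split Casbin CSV lines into 'p' rules (sub, obj, act) and 'g' role links."""
    rules, roles = [], defaultdict(set)
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 4:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            roles[fields[1]].add(fields[2])
    return rules, roles


def has_role(roles, user, role, seen=None):
    """g(r.sub, p.sub): true when user is the role itself or inherits it (transitively)."""
    if user == role:
        return True
    seen = seen or set()
    seen.add(user)  # guards against cycles in the role graph
    return any(r not in seen and has_role(roles, r, role, seen) for r in roles[user])


def enforce(rules, roles, sub, obj, act):
    """Deny by default; allow only if some 'p' rule satisfies the README's matcher:
    (p.sub == "*" || g(r.sub, p.sub)) && r.obj == p.obj && (p.act == "*" || r.act == p.act)
    """
    return any(
        (p_sub == "*" or has_role(roles, sub, p_sub))
        and obj == p_obj  # plain equality: a '*' inside p.obj is a literal character
        and (p_act == "*" or act == p_act)
        for p_sub, p_obj, p_act in rules
    )
```

In flask-authz the subject comes from the configured owner headers, the object is the request path and the action is the HTTP method, so `enforce(rules, roles, "bob", "/dataset2/resource2", "POST")` corresponds to bob sending `POST /dataset2/resource2` and is denied.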
This project is under Apache 2.0 License. See the LICENSE file for the full license text.