flask-authz is an authorization middleware for Flask, based on PyCasbin.
## Installation

```
pip install flask-authz
```

Or clone the repo:

```
$ git clone https://github.com/pycasbin/flask-authz.git
$ python setup.py install
```

## Module Usage
```python
from flask import Flask, jsonify
from flask_authz import CasbinEnforcer
from casbin.persist.adapters import FileAdapter

app = Flask(__name__)
# Set up Casbin model config
app.config['CASBIN_MODEL'] = 'casbinmodel.conf'
# Set headers where owner for enforcement policy should be located
app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'}
# Add User Audit Logging with user name associated to log
# i.e. `[2020-11-10 12:55:06,060] ERROR in casbin_enforcer: Unauthorized attempt: method: GET resource: /api/v1/item by user: janedoe@example.com`
app.config['CASBIN_USER_NAME_HEADERS'] = {'X-User'}
# Set up Casbin Adapter
adapter = FileAdapter('rbac_policy.csv')

casbin_enforcer = CasbinEnforcer(app, adapter)


@app.route('/', methods=['GET'])
@casbin_enforcer.enforcer
def get_root():
    return jsonify({'message': 'If you see this you have access'})


@app.route('/manager', methods=['POST'])
@casbin_enforcer.enforcer
@casbin_enforcer.manager
def make_casbin_change(manager):
    # Manager is a casbin.enforcer.Enforcer object to make changes to Casbin
    return jsonify({'message': 'If you see this you have access'})
```

Because the subject for enforcement is read from the request headers named in `CASBIN_OWNER_HEADERS`, those headers must be set by a trusted component (an authentication gateway or reverse proxy that strips any client-supplied copies). If clients can send `X-User` or `X-Group` directly to the application, any caller can choose its own subject and the policy is bypassed.

## Example Config

This example file can be found in tests/casbin_files
```ini
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (p.sub == "*" || g(r.sub, p.sub)) && r.obj == p.obj && (p.act == "*" || r.act == p.act)
```

Note that this matcher compares the object with `==`, so the `*` in policy rows such as `/dataset1/*` is matched literally, not as a wildcard: a request for `/dataset1/item1` does not match that row. If you want path-pattern matching, use a Casbin matching function such as `keyMatch(r.obj, p.obj)` in the `[matchers]` section instead of `r.obj == p.obj`. The `*` in the subject and action columns is handled explicitly by the matcher and does act as a wildcard.

## Example Policy

This example file can be found in tests/casbin_files
```csv
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
```

## Development

- Fork/Clone repository
- Install flask-authz dependencies, and run `pytest`

```
pip install -r dev_requirements.txt
pip install -r requirements.txt
pytest
```

- Install the pre-commit hooks

```
pre-commit install
```

- Update requirements.txt and sync the virtualenv

```
# update requirements.txt
pip-compile --no-annotate --no-header --rebuild requirements.in
# sync venv
pip-sync
```

- Bump the version for a release

```
bumpversion major  # major release
# or
bumpversion minor  # minor release
# or
bumpversion patch  # hotfix release
```

## Tips

Authorization decides each request based on the triple {subject, object, action}: which subject may perform which action on which object. In this plugin, the meanings are:
- subject: the logged-in user name, taken from the request headers listed in `CASBIN_OWNER_HEADERS`
- object: the URL path of the web resource, like "dataset1/item1"
- action: the HTTP method like GET, POST, PUT, DELETE, or a high-level action you defined, like "read-file" or "write-blog"
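To see how the example model and policy above decide concrete {subject, object, action} triples, here is an added, self-contained Python example. It is not code from flask-authz or PyCasbin: it reimplements only the small subset of Casbin semantics the example model uses (role inheritance via `g`, the `some(where (p.eft == allow))` effect, and the matcher), so it runs without either library installed. The policy rows are the example policy embedded inline. `matcher_exact` is the README's matcher as written; `matcher_keymatch` is an assumed variant that replaces `r.obj == p.obj` with Casbin's `keyMatch()` semantics, so the difference on the `/dataset1/*` rows is visible side by side.

```python
"""Added example: a minimal evaluator for the README's RBAC model.
Not PyCasbin and not part of flask-authz; it mirrors only the semantics
the example model uses, so it can run offline."""
from collections import defaultdict

# The README's example policy (rbac_policy.csv), embedded inline.
POLICY_CSV = """\
p, alice, /dataset1/*, GET
p, alice, /dataset1/resource1, POST
p, bob, /dataset2/resource1, *
p, bob, /dataset2/resource2, GET
p, bob, /dataset2/folder1/*, POST
p, dataset1_admin, /dataset1/*, *
p, *, /login, *
p, anonymous, /, GET
g, cathy, dataset1_admin
"""


def load_policy(csv_text):
    """Parse rows into p rules [(sub, obj, act)] and g links {user: {role, ...}}."""
    p_rules, g_links = [], defaultdict(set)
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 4:
            p_rules.append((fields[1], fields[2], fields[3]))
        elif fields[0] == "g" and len(fields) == 3:
            g_links[fields[1]].add(fields[2])
    return p_rules, dict(g_links)


def has_role(g_links, user, role):
    """g(r.sub, p.sub): true when user is the role itself or inherits it transitively."""
    seen, stack = set(), [user]
    while stack:
        cur = stack.pop()
        if cur == role:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(g_links.get(cur, ()))
    return False


def key_match(key1, key2):
    """Casbin keyMatch() semantics: a trailing '*' in key2 matches any suffix of key1."""
    if "*" not in key2:
        return key1 == key2
    i = key2.index("*")
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


def matcher_exact(r, p, g_links):
    """The README's matcher:
    (p.sub == "*" || g(r.sub, p.sub)) && r.obj == p.obj && (p.act == "*" || r.act == p.act)"""
    r_sub, r_obj, r_act = r
    p_sub, p_obj, p_act = p
    return ((p_sub == "*" or has_role(g_links, r_sub, p_sub))
            and r_obj == p_obj
            and (p_act == "*" or r_act == p_act))


def matcher_keymatch(r, p, g_links):
    """Assumed variant: the same matcher with keyMatch(r.obj, p.obj) for the object."""
    r_sub, r_obj, r_act = r
    p_sub, p_obj, p_act = p
    return ((p_sub == "*" or has_role(g_links, r_sub, p_sub))
            and key_match(r_obj, p_obj)
            and (p_act == "*" or r_act == p_act))


def enforce(p_rules, g_links, request, matcher):
    """Effect some(where (p.eft == allow)): every p row here is an allow rule,
    so the request is allowed iff at least one row matches."""
    return any(matcher(request, rule, g_links) for rule in p_rules)


P_RULES, G_LINKS = load_policy(POLICY_CSV)


def decide(sub, obj, act, glob=False):
    """Decide one request against the embedded policy; glob=True uses keyMatch."""
    matcher = matcher_keymatch if glob else matcher_exact
    return enforce(P_RULES, G_LINKS, (sub, obj, act), matcher)


if __name__ == "__main__":
    samples = [
        ("alice", "/dataset1/item1", "GET"),      # '*' row: literal vs glob
        ("cathy", "/dataset1/item1", "DELETE"),   # via g: cathy -> dataset1_admin
        ("cathy", "/dataset2/resource1", "GET"),  # no row for cathy on dataset2
        ("mallory", "/login", "POST"),            # p.sub == "*" row
        ("anonymous", "/", "POST"),               # action mismatch
    ]
    for req in samples:
        print(f"{req}: exact={decide(*req)} keymatch={decide(*req, glob=True)}")
```

Under `matcher_exact`, `alice GET /dataset1/item1` is denied because `/dataset1/item1` is not literally `/dataset1/*`; under `matcher_keymatch` it is allowed. `cathy` gets every action on `/dataset1/...` only through the `g, cathy, dataset1_admin` link, and `mallory` (who appears in no row) can still reach `/login` because of the `p, *, /login, *` row. When writing your own policy, run this kind of table of expected allow/deny decisions against it before deploying; a wildcard that is silently treated as a literal fails closed here, but the reverse mistake fails open.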
For how to write authorization policies and other details, please refer to Casbin's documentation.
This project is under Apache 2.0 License. See the LICENSE file for the full license text.