merge https://github.com/ScienceLogic/flask-casbin code into flask-authz
flask-authz is an authorization middleware for Flask, it's based on PyCasbin.
pip install flask-authz
Or clone the repo:
$ git clone https://github.com/pycasbin/flask-authz.git $ python setup.py install
Module Usage:
from flask import Flask from flask_authz import CasbinEnforcer from casbin.persist.adapters import FileAdapter app = Flask(__name__) # Set up Casbin model config app.config['CASBIN_MODEL'] = 'casbinmodel.conf' # Set headers where owner for enforcement policy should be located app.config['CASBIN_OWNER_HEADERS'] = {'X-User', 'X-Group'} # Set up Casbin Adapter adapter = FileAdapter('rbac_policy.csv') casbin_enforcer = CasbinEnforcer(app, adapter) @app.route('/', methods=['GET']) @casbin_enforcer.enforcer def get_root(): return jsonify({'message': 'If you see this you have access'}) @app.route('/manager', methods=['POST']) @casbin_enforcer.enforcer @casbin_enforcer.manager def make_casbin_change(manager): # Manager is an casbin.enforcer.Enforcer object to make changes to Casbin return jsonify({'message': 'If you see this you have access'})
Example Config
This example file can be found in tests/casbin_files
[request_definition] r = sub, obj, act [policy_definition] p = sub, obj, act [role_definition] g = _, _ [policy_effect] e = some(where (p.eft == allow)) [matchers] m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
Example Policy
This example file can be found in tests/casbin_files
p, alice, /dataset1/*, GET p, alice, /dataset1/resource1, POST p, bob, /dataset2/resource1, * p, bob, /dataset2/resource2, GET p, bob, /dataset2/folder1/*, POST p, dataset1_admin, /dataset1/*, * p, *, /login, * p, anonymous, /, GET g, cathy, dataset1_admin
# Install Flask-Casbin with Dev packages pip install -r dev_requirements.txt pip install -r requirements.txt pip install -e . # Install Pre-commits pre-commit install # Create feature branch git checkout -b feature-more-cool-stuff # Code stuff
Then push your changes and create a PR
bumpversion major # major release or bumpversion minor # minor release or bumpversion patch # hotfix release
The authorization determines a request based on {subject, object, action}, which means what subject can perform what action on what object. In this plugin, the meanings are:
subject: the logged-in user nameobject: the URL path for the web resource like “dataset1/item1”action: HTTP method like GET, POST, PUT, DELETE, or the high-level actions you defined like “read-file”, “write-blog”For how to write authorization policy and other details, please refer to the Casbin's documentation.
This project is under Apache 2.0 License. See the LICENSE file for the full license text.