我有一个用python编写的web应用程序(django REST framework),现在我想在我的web应用程序上实现基于属性的访问控制(ABAC)以进行授权,如何在此应用程序上实现ABAC策略(我可以使用XACML策略(如何在python web app上实现XACML)或者是否有其他方法在python上编写ABAC策略以及如何在我的web应用程序上实现) 我可以使用py ABAC吗?如何使用
import vakt
from vakt.rules import Eq, Any, StartsWith, And, Greater, Less
policy = vakt.Policy(
123456,
actions=[Eq('fork'), Eq('clone')],
resources=[StartsWith('repos/Google', ci=True)],
subjects=[{'name': Any(), 'stars': And(Greater(50), Less(999))}],
effect=vakt.ALLOW_ACCESS,
context={'referer': Eq('https://github.com')},
description="""
Allow to fork or clone any Google repository for
users that have > 50 and < 999 stars and came from Github
"""
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RulesChecker())
inq = vakt.Inquiry(action='fork',
resource='repos/google/tensorflow',
subject={'name': 'larry', 'stars': 80},
context={'referer': 'https://github.com'})
assert guard.is_allowed(inq)
Or if you prefer Amazon IAM Policies style:
import vakt
from vakt.rules import CIDR
policy = vakt.Policy(
123457,
effect=vakt.ALLOW_ACCESS,
subjects=[r'<[a-zA-Z]+ M[a-z]+>'],
resources=['library:books:<.+>', 'office:magazines:<.+>'],
actions=['<read|get>'],
context={
'ip': CIDR('192.168.0.0/24'),
},
description="""
Allow all readers of the book library whose surnames start with M get and read any book or magazine,
but only when they connect from local library's computer
""",
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RegexChecker())
inq = vakt.Inquiry(action='read',
resource='library:books:Hobbit',
subject='Jim Morrison',
context={'ip': '192.168.0.220'})
assert guard.is_allowed(inq)
Thanks in advance!
我没有使用Py-ABAC的经验,但通常XACML是用XACML(一种基于XML的语言)编写的,或者使用GUI或编译成XACML的语言,比如ALFA
然后,您的Python web应用程序将使用REST或SOAP(最好是REST)调用策略决策点(PDP)。您可以使用类似于请求的HTTP库
JSON示例:
我有没有提到(至少我是这样认为的)创建自己的授权引擎(PDP)是不明智的?有些产品已经实现了外部化授权
使用开源产品,如WSO2或AuthzForce,或购买Axiomatics(完全公开:我曾在这里工作)
对于XACML实现的完整列表,您可以在Wikipedia上查看此list
相关问题 更多 >
编程相关推荐