如何在基于python的web应用程序中实现基于属性的访问控制?

2024-04-24 17:16:31 发布

您现在位置:Python中文网/ 问答频道 /正文
7536 3

我有一个用python编写的web应用程序(django REST framework),现在我想在我的web应用程序上实现基于属性的访问控制(ABAC)以进行授权,如何在此应用程序上实现ABAC策略(我可以使用XACML策略(如何在python web app上实现XACML)或者是否有其他方法在python上编写ABAC策略以及如何在我的web应用程序上实现) 我可以使用py ABAC吗?如何使用

import vakt
from vakt.rules import Eq, Any, StartsWith, And, Greater, Less

policy = vakt.Policy(
    123456,
    actions=[Eq('fork'), Eq('clone')],
    resources=[StartsWith('repos/Google', ci=True)],
    subjects=[{'name': Any(), 'stars': And(Greater(50), Less(999))}],
    effect=vakt.ALLOW_ACCESS,
    context={'referer': Eq('https://github.com')},
    description="""
    Allow to fork or clone any Google repository for
    users that have > 50 and < 999 stars and came from Github
    """
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RulesChecker())

inq = vakt.Inquiry(action='fork',
                   resource='repos/google/tensorflow',
                   subject={'name': 'larry', 'stars': 80},
                   context={'referer': 'https://github.com'})

assert guard.is_allowed(inq)
Or if you prefer Amazon IAM Policies style:

import vakt
from vakt.rules import CIDR

policy = vakt.Policy(
    123457,
    effect=vakt.ALLOW_ACCESS,
    subjects=[r'<[a-zA-Z]+ M[a-z]+>'],
    resources=['library:books:<.+>', 'office:magazines:<.+>'],
    actions=['<read|get>'],
    context={
        'ip': CIDR('192.168.0.0/24'),
    },
    description="""
    Allow all readers of the book library whose surnames start with M get and read any book or magazine,
    but only when they connect from local library's computer
    """,
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RegexChecker())

inq = vakt.Inquiry(action='read',
                   resource='library:books:Hobbit',
                   subject='Jim Morrison',
                   context={'ip': '192.168.0.220'})

assert guard.is_allowed(inq)

Thanks in advance!

Tags: fromimportweb应用程序contextpolicylibrarystorage
1条回答
网友
1楼 · 发布于 2024-04-24 17:16:31

我没有使用Py-ABAC的经验,但通常XACML是用XACML(一种基于XML的语言)编写的,或者使用GUI或编译成XACML的语言,比如ALFA

然后,您的Python web应用程序将使用REST或SOAP(最好是REST)调用策略决策点(PDP)。您可以使用类似于请求的HTTP库

JSON示例:

{"Request":{"AccessSubject":
{"Attribute":
[ {"AttributeId":"user.name","Value":"alice"} ]
},
"Resource":
{"Attribute":
[ {"AttributeId":"resource.objectType","Value":"insurance claim"} ]
},
"Action":
{"Attribute":
[ {"AttributeId":"action-id","Value":"view"}]
}
}
}

我有没有提到(至少我是这样认为的)创建自己的授权引擎(PDP)是不明智的?有些产品已经实现了外部化授权

使用开源产品,如WSO2或AuthzForce,或购买Axiomatics(完全公开:我曾在这里工作)

对于XACML实现的完整列表,您可以在Wikipedia上查看此list

相关问题 更多 >

    编程相关推荐