
oso -- Batteries-Included Authorization

oso

https://github.com/osohq/oso

Oso is a batteries-included framework for building authorization in your application.

Oso is a full-featured framework that you can use to build authorization into your application.

What is Oso?

Oso is a batteries-included framework for building authorization in your application.

With Oso, you can:

  • Model: Set up common permissions patterns like role-based access control (RBAC) and relationships using Oso’s built-in primitives. Extend them however you need with Oso’s declarative policy language, Polar.
  • Filter: Go beyond yes/no authorization questions. Implement authorization over collections too - e.g., “Show me only the records that Juno can see.”
  • Test: Write unit tests over your authorization logic now that you have a single interface for it. Use the Oso debugger or REPL to track down unexpected behavior.

Oso offers libraries for Node.js, Python, Go, Rust, Ruby, and Java.

Our latest creation Oso Cloud (Preview) makes authorization across services as easy as oso.authorize(user, action, resource). Learn about it.

https://www.osohq.com/

Understanding

https://docs.osohq.com/getting-started/quickstart.html

Policy definition

The policy below defines roles and permissions; in particular, if a repository is public, then any user has "read" permission on it.

actor User {}

resource Repository {
  permissions = ["read", "push", "delete"];
  roles = ["contributor", "maintainer", "admin"];

  # Which role grants which permission
  "read" if "contributor";
  "push" if "maintainer";
  "delete" if "admin";

  # Role implications: admin implies maintainer, maintainer implies contributor
  "maintainer" if "admin";
  "contributor" if "maintainer";
}

# This rule tells Oso how to fetch roles for a repository
has_role(actor: User, role_name: String, repository: Repository) if
  role in actor.roles and
  role_name = role.name and
  repository = role.repository;

# Any user may read a public repository, regardless of roles
has_permission(_actor: User, "read", repository: Repository) if
  repository.is_public;

allow(actor, action, resource) if
  has_permission(actor, action, resource);

model

The model defines the resources, the roles users hold on them, and therefore the permissions with which each resource can be accessed.

For example, react is public and can be read by anyone.

from dataclasses import dataclass
from typing import List


@dataclass
class Repository:
    name: str
    is_public: bool = False

    @staticmethod
    def get_by_name(name):
        return repos_db.get(name)


@dataclass
class Role:
    name: str
    repository: Repository


@dataclass
class User:
    roles: List[Role]

    @staticmethod
    def get_current_user():
        return users_db["larry"]


repos_db = {
    "gmail": Repository("gmail"),
    "react": Repository("react", is_public=True),
    "oso": Repository("oso"),
}

users_db = {
    "larry": User([Role(name="admin", repository=repos_db["gmail"])]),
    "anne": User([Role(name="maintainer", repository=repos_db["react"])]),
    "graham": User([Role(name="contributor", repository=repos_db["oso"])]),
}

Authorization check

When http://localhost:5000/repo/react is accessed, the oso.authorize interface is used to check whether the current user has permission to read react.

from flask import Flask
from oso import Oso, NotFoundError
from .models import User, Repository

# Initialize the Oso object. This object is usually used globally throughout
# an application.
oso = Oso()

# Tell Oso about the data you will authorize. These types can be referenced
# in the policy.
oso.register_class(User)
oso.register_class(Repository)

# Load your policy files.
oso.load_files(["app/main.polar"])

app = Flask(__name__)


@app.route("/repo/<name>")
def repo_show(name):
    repo = Repository.get_by_name(name)

    try:
        oso.authorize(User.get_current_user(), "read", repo)
        return f"<h1>A Repo</h1><p>Welcome to repo {repo.name}</p>", 200
    except NotFoundError:
        return f"<h1>Whoops!</h1><p>Repo named {name} was not found</p>", 404
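As an added example (not code from the post or from the oso project), the following plain-Python model reproduces what main.polar and the oso.authorize call above decide for the quickstart's users and repos, so the expected outcomes can be unit-tested without the library. It hand-codes the policy's role implication chain and public-read rule, and separates the two denial outcomes oso.authorize signals: NotFoundError when the actor cannot even read the resource (so its existence is not disclosed), ForbiddenError when it can read but not perform the action.

```python
from dataclasses import dataclass

@dataclass
class Repository:
    name: str
    is_public: bool = False

@dataclass
class Role:
    name: str
    repository: Repository

@dataclass
class User:
    roles: list

# main.polar's resource block as tables: permission -> role that grants it,
# and role -> role it implies (admin -> maintainer -> contributor).
PERMISSION_GRANTS = {"read": "contributor", "push": "maintainer", "delete": "admin"}
ROLE_IMPLIES = {"admin": "maintainer", "maintainer": "contributor"}

def effective_roles(user: User, repo: Repository) -> set:
    """has_role: roles the user holds on this repo, closed under role implication."""
    roles = {r.name for r in user.roles if r.repository == repo}
    todo = list(roles)
    while todo:
        implied = ROLE_IMPLIES.get(todo.pop())
        if implied and implied not in roles:
            roles.add(implied)
            todo.append(implied)
    return roles

def is_allowed(user: User, action: str, repo: Repository) -> bool:
    # has_permission(_actor, "read", repo) if repo.is_public: no role needed
    if action == "read" and repo.is_public:
        return True
    needed = PERMISSION_GRANTS.get(action)
    return needed is not None and needed in effective_roles(user, repo)

def authorize(user: User, action: str, repo: Repository) -> str:
    """oso.authorize outcome: 'ok', 'forbidden', or 'not_found' (cannot even read)."""
    if is_allowed(user, action, repo):
        return "ok"
    return "forbidden" if is_allowed(user, "read", repo) else "not_found"

# Constructed sample data: the same repos and users as the quickstart models.
repos_db = {"gmail": Repository("gmail"), "react": Repository("react", is_public=True),
            "oso": Repository("oso")}
users_db = {"larry": User([Role("admin", repos_db["gmail"])]),
            "anne": User([Role("maintainer", repos_db["react"])]),
            "graham": User([Role("contributor", repos_db["oso"])])}
```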

 

Comparison with AD

https://www.quest.com/solutions/active-directory/what-is-active-directory.aspx

The AD server provided by Microsoft is a large, all-in-one tool: it includes user management and the organizational management of users, as well as resource management and resource permission management (authorization).

By comparison, oso is a lightweight library that can be embedded in a Python program to provide authorization.

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allow them to access only the data they’re allowed to use (authorization).

Read on to learn more about the benefits of Active Directory, how it works and what’s in an Active Directory database.

https://www.cnblogs.com/IFire47/p/6672176.html

Active Directory is translated into Chinese as 活动目录; there is no need to dwell on the concept. Put simply, Active Directory is the centralized directory service (Directory Services) in Microsoft Windows Server that manages medium-to-large network environments. Built into Windows Server products since Windows 2000 Server, it handles the network objects in an organization; objects can be computers, users, groups, organizational units (OUs), and so on. Any object defined in the Active Directory schema can be stored in the Active Directory data file and accessed through the Active Directory Service Interface.

posted @ 2022-09-22 10:59 lightsong