Python Attribute Based Access Control (ABAC)
Attribute Based Access Control (ABAC) for python.
Py-ABAC is an attribute-based access control (ABAC) toolkit based on policies. ABAC gives you a fine-grained control on definition of the rules that restrict an access to resources and is generally considered a “next generation” authorization model. The design of py-ABAC stems from the XACML standard, and the ABAC python SDK Vakt.
See documentation for more details.
PyABAC runs on Python >= 3.5. PyPy implementation is supported as well.
To install basic package run the following:
pip install py-abac
With the basic package the in-memory policy storage backend can be used. For the other persistent backends run:
# MongoDB backendpip install py-abac[mongo]# SQL backendpip install py-abac[sql]
A quick dive-in:
from pymongo import MongoClientfrom py_abac import PDP, Policy, AccessRequestfrom py_abac.storage.mongo import MongoStorage# Policy definition in JSONpolicy_json = {"uid": "1","description": "Max and Nina are allowed to create, delete, get any ""resources only if the client IP matches.","effect": "allow","rules": {"subject": [{"$.name": {"condition": "Equals", "value": "Max"}},{"$.name": {"condition": "Equals", "value": "Nina"}}],"resource": {"$.name": {"condition": "RegexMatch", "value": ".*"}},"action": [{"$.method": {"condition": "Equals", "value": "create"}},{"$.method": {"condition": "Equals", "value": "delete"}},{"$.method": {"condition": "Equals", "value": "get"}}],"context": {"$.ip": {"condition": "CIDR", "value": "127.0.0.1/32"}}},"targets": {},"priority": 0}# Parse JSON and create policy objectpolicy = Policy.from_json(policy_json)# Setup policy storageclient = MongoClient()storage = MongoStorage(client)# Add policy to storagestorage.add(policy)# Create policy decision pointpdp = PDP(storage)# A sample access request JSONrequest_json = {"subject": {"id": "","attributes": {"name": "Max"}},"resource": {"id": "","attributes": {"name": "myrn:example.com:resource:123"}},"action": {"id": "","attributes": {"method": "get"}},"context": {"ip": "127.0.0.1"}}# Parse JSON and create access request objectrequest = AccessRequest.from_json(request_json)# Check if access request is allowed. Evaluates to True since# Max is allowed to get any resource when client IP matches.assert pdp.is_allowed(request)
Py-ABAC documentation can be found at https://py-abac.readthedocs.io
You can also build the documentation by running make html inside the docs folder.
py-ABAC follows a common logging pattern for libraries:
Its corresponding modules log all the events that happen but the log messages by default are handled by NullHandler. It’s up to the outer code/application to provide desired log handlers, filters, levels, etc.
For example:
import loggingroot = logging.getLogger()root.setLevel(logging.INFO)root.addHandler(logging.StreamHandler())... # here go all the py_abac calls.
Most valuable features to be implemented in the order of importance:
The conceptual and implementation design of py-ABAC stems from the XACML standard and the ABAC python SDK Vakt.
Py-ABAC requires a few backend databases like MongoDB, MySQL, etc for testing and development. For convenience
a docker-compose file is provided in the test folder to spawn up the required infrastructure. Just run:
$ cd tests$ docker-compose up -d # this spawns up all the databases.$ cd .. # returns to the root repo folder
To hack py-ABAC run:
$ pip install -e .[dev] # to install all dependencies$ pytest --cov=py_abac tests/ # to get coverage report$ pylint py_abac # to check code quality with PyLint$ bandit py_abac # to check code security with Bandit
Optionally you can use make to perform development tasks.
The source code is licensed under Apache License Version 2.0
Pull requests and bug reports always welcomed! :)