
oso -- Batteries-Included Authorization

Date: 2022-09-22 11:14:31

oso

https://github.com/osohq/oso

Oso is a batteries-included framework for building authorization in your application.

Oso is a full-featured framework that you can use to build authorization into your application.

What is Oso?

Oso is a batteries-included framework for building authorization in your application.

With Oso, you can:

  • Model: Set up common permissions patterns like role-based access control (RBAC) and relationships using Oso’s built-in primitives. Extend them however you need with Oso’s declarative policy language, Polar.
  • Filter: Go beyond yes/no authorization questions. Implement authorization over collections too - e.g., “Show me only the records that Juno can see.”
  • Test: Write unit tests over your authorization logic now that you have a single interface for it. Use the Oso debugger or REPL to track down unexpected behavior.

Oso offers libraries for Node.js, Python, Go, Rust, Ruby, and Java.

Our latest creation Oso Cloud (Preview) makes authorization across services as easy as oso.authorize(user, action, resource). Learn about it.


https://www.osohq.com/


Understanding

https://docs.osohq.com/getting-started/quickstart.html

Policy definition

The policy below defines the permissions and roles of a repository, how roles imply one another, and one extra permission rule: a repository whose is_public attribute is true grants the read permission to any user.

actor User {}

resource Repository {
  permissions = ["read", "push", "delete"];
  roles = ["contributor", "maintainer", "admin"];

  "read" if "contributor";
  "push" if "maintainer";
  "delete" if "admin";

  "maintainer" if "admin";
  "contributor" if "maintainer";
}

# This rule tells Oso how to fetch roles for a repository
has_role(actor: User, role_name: String, repository: Repository) if
  role in actor.roles and
  role_name = role.name and
  repository = role.repository;

has_permission(_actor: User, "read", repository: Repository) if
  repository.is_public;

allow(actor, action, resource) if
  has_permission(actor, action, resource);


Model

The model defines the resources and the access rights attached to them.

For example, react is public and can therefore be read by anyone.

from dataclasses import dataclass
from typing import List


@dataclass
class Repository:
    name: str
    is_public: bool = False

    @staticmethod
    def get_by_name(name):
        return repos_db.get(name)


@dataclass
class Role:
    name: str
    repository: Repository


@dataclass
class User:
    roles: List[Role]

    @staticmethod
    def get_current_user():
        return users_db["larry"]


repos_db = {
    "gmail": Repository("gmail"),
    "react": Repository("react", is_public=True),
    "oso": Repository("oso"),
}

users_db = {
    "larry": User([Role(name="admin", repository=repos_db["gmail"])]),
    "anne": User([Role(name="maintainer", repository=repos_db["react"])]),
    "graham": User([Role(name="contributor", repository=repos_db["oso"])]),
}


Authorization check

When http://localhost:5000/repo/react is requested,

the oso.authorize call checks whether the current user is allowed to read react.

from flask import Flask
from oso import Oso, NotFoundError
from .models import User, Repository

# Initialize the Oso object. This object is usually used globally throughout
# an application.
oso = Oso()

# Tell Oso about the data you will authorize. These types can be referenced
# in the policy.
oso.register_class(User)
oso.register_class(Repository)

# Load your policy files.
oso.load_files(["app/main.polar"])

app = Flask(__name__)


@app.route("/repo/<name>")
def repo_show(name):
    repo = Repository.get_by_name(name)

    try:
        oso.authorize(User.get_current_user(), "read", repo)
        return f"<h1>A Repo</h1><p>Welcome to repo {repo.name}</p>", 200
    except NotFoundError:
        return f"<h1>Whoops!</h1><p>Repo named {name} was not found</p>", 404
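To make the decisions of the policy above and of the authorize call in the Flask handler traceable without installing the oso package, here is an added example that is not part of the post or of the oso project: it mirrors the quickstart's Polar rules and data in plain Python, including the role implications, the is_public read rule, and the NotFound/Forbidden split that the handler's except clause relies on. The class and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed mirror of the quickstart's Polar rules and data in plain Python (not the oso library).
PERMISSIONS_BY_ROLE = {"contributor": {"read"}, "maintainer": {"push"}, "admin": {"delete"}}
IMPLIED_ROLES = {"admin": {"maintainer"}, "maintainer": {"contributor"}}  # "maintainer" if "admin"; ...

@dataclass
class Repository:
    name: str
    is_public: bool = False

@dataclass
class Role:
    name: str
    repository: Repository

@dataclass
class User:
    name: str
    roles: List[Role]

class NotFoundError(Exception): """Actor cannot even read the resource, so it stays hidden (HTTP 404)."""
class ForbiddenError(Exception): """Actor can read the resource but may not perform this action (HTTP 403)."""

def effective_roles(actor: User, repo: Repository) -> Set[str]:
    """Roles held on repo, closed under the implications admin -> maintainer -> contributor."""
    roles = {r.name for r in actor.roles if r.repository is repo}
    while True:
        expanded = roles | {i for r in roles for i in IMPLIED_ROLES.get(r, ())}
        if expanded == roles:
            return roles
        roles = expanded

def has_permission(actor: User, action: str, repo: Repository) -> bool:
    # Public repositories are readable by anyone; every other permission comes from roles.
    return (action == "read" and repo.is_public) or any(
        action in PERMISSIONS_BY_ROLE.get(r, ()) for r in effective_roles(actor, repo))

def authorize(actor: User, action: str, repo: Repository) -> None:
    """Same denial shape as oso.authorize: NotFound unless the actor could at least read."""
    if has_permission(actor, action, repo):
        return
    if action != "read" and has_permission(actor, "read", repo):
        raise ForbiddenError(f"{actor.name} may not {action} {repo.name}")
    raise NotFoundError(f"{repo.name} is not visible to {actor.name}")

def quickstart_db() -> Tuple[Dict[str, Repository], Dict[str, User]]:
    # Constructed copy of the quickstart data: larry admin on gmail, anne maintainer on react, graham contributor on oso.
    repos = {"gmail": Repository("gmail"), "react": Repository("react", True), "oso": Repository("oso")}
    grants = {"larry": ("admin", "gmail"), "anne": ("maintainer", "react"), "graham": ("contributor", "oso")}
    users = {n: User(n, [Role(role, repos[repo])]) for n, (role, repo) in grants.items()}
    return repos, users
```

Note that the Flask handler only catches NotFoundError; a ForbiddenError (the user can see the repository but not perform the action) would surface as a 500 unless it is handled separately.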


Comparison with AD

https://www.quest.com/solutions/active-directory/what-is-active-directory.aspx

Microsoft's AD server is a large, all-in-one tool: it covers user management and the management of user organization, as well as resource management and the management of resource permissions (authorization).

By comparison, oso is a lightweight library that can be embedded in a Python program to provide authorization.


Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

The services control much of the activity that goes on in your IT environment. In particular, they make sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allow them to access only the data they’re allowed to use (authorization).

Read on to learn more about the benefits of Active Directory, how it works and what’s in an Active Directory database.


https://www.cnblogs.com/IFire47/p/6672176.html

Active Directory is translated into Chinese as 活动目录; there is no need to dwell on the concept too deeply. Put simply, Active Directory is the centralized directory management service (Directory Services) in Microsoft Windows Server that is responsible for medium and large network environments. It has been built into Windows Server products since Windows 2000 Server, and it handles the network objects in an organization: objects can be computers, users, groups, organizational units (OUs) and so on. Any object defined in the Active Directory schema can be stored in the Active Directory data file and accessed through the Active Directory Service Interface.


From: https://www.cnblogs.com/lightsong/p/16718475.html
