Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setting objects' attributes in vakt #2

Closed
anton-khodak opened this issue Oct 29, 2018 · 3 comments
Closed

Setting objects' attributes in vakt #2

anton-khodak opened this issue Oct 29, 2018 · 3 comments

Comments

@anton-khodak
Copy link

anton-khodak commented Oct 29, 2018
edited

Hi Egor,

I'm looking into your library, and I would like to understand is it possible to attach attributes to entities as per ABAC model (https://en.wikipedia.org/wiki/Attribute-based_access_control#Attributes)? So far, I see that I can use contextual attributes in Roles, but I can't see how I can add subject, object and resources attributes.

For example, how do I implement the following simple scenario with vakt: I have users that register continuously, a user has an attribute "collaborator" with a list of dataset ids, when a new id is added to this list, they can update a dataset with this id.
@kolotaev
Copy link
Owner

kolotaev commented Oct 30, 2018
edited

Hi @anton-khodak,

Generally speaking vakt is not as opinionated and maybe powerful as other ABAC implementations found in the wild in defining attributes. It's more a "policy-based access control" part of ABAC definition per se. But from another perspective it's somewhat more flexible since it allows you to build your own vision on setting attributes.

Answering your question (2 variants since I haven't clearly understood the scenario), one possible way to do it with vakt:
You can create a Policy like:

    Policy(
        uid=12345,
        effect=ALLOW_ACCESS,
        subjects=['username=<.*>;position=<owner|collaborator>'], # `;` and `=` here are arbitrary delimiters
        resources=('some-resource-definition'),
        actions=['<read|update>'],
        rules={
            'dataset-ids': InList(['a', 'b', 'c', 'd', 'e']),
        },
    )

and build an Inquiry:

Inquiry(subject='username=max;position=collaborator', action='read', context={'dataset-ids':'d'})

where InList is a custom rule that is, for example, satisfied when 'd' can be found in ['a', 'b', 'c', 'd', 'e'].

Every time you add an additional ID to your system you should update the corresponding '12345' Policy 'dataset-ids' rule with a new list of IDs that is [old-list] + new-id.

If your resource is the dataset-IDs you are talking about, then possible way:

    Policy(
        uid=12345,
        effect=ALLOW_ACCESS,
        subjects=['username=<.*>;position=<owner|collaborator>'], # `;` and `=` here are arbitrary delimiters
        resources=['dataset:1', 'dataset:2'], # imagine 2 possible datasets each with some information like IDs
        actions=['dataset:id:<add|remove>', 'delete'] # add/remove id from dataset; delete - action that deletes the whole dataset
    )
Inquiry(subject='username=max;position=collaborator', action='dataset:id:add', resource='dataset:1') # allowed

Inquiry(subject='username=jerry;position=contributor', action='dataset:id:add', resource='dataset:1') # rejected

Inquiry(subject='username=kim;position=owner', action='dataset:id:remove', resource='dataset:3') # rejected

@kolotaev
Copy link
Owner

kolotaev commented Nov 8, 2018
edited

Is planned to be implemented in #4.

@kolotaev
Copy link
Owner

@anton-khodak, you probably might be interested:
The functionality we've discussed here is implemented in vakt >= 1.2.
See examples and updated documentation.

Thanks for the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kolotaev @anton-khodak