-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setting objects' attributes in vakt #2
Comments
Hi @anton-khodak, Generally speaking vakt is not as opinionated and maybe powerful as other ABAC implementations found in the wild in defining attributes. It's more a "policy-based access control" part of ABAC definition per se. But from another perspective it's somewhat more flexible since it allows you to build your own vision on setting attributes. Answering your question (2 variants since I haven't clearly understood the scenario), one possible way to do it with vakt: Policy(
uid=12345,
effect=ALLOW_ACCESS,
subjects=['username=<.*>;position=<owner|collaborator>'], # `;` and `=` here are arbitrary delimiters
resources=('some-resource-definition'),
actions=['<read|update>'],
rules={
'dataset-ids': InList(['a', 'b', 'c', 'd', 'e']),
},
) and build an Inquiry: Inquiry(subject='username=max;position=collaborator', action='read', context={'dataset-ids':'d'}) where Every time you add an additional ID to your system you should update the corresponding '12345' Policy 'dataset-ids' rule with a new list of IDs that is [old-list] + new-id. If your resource is the dataset-IDs you are talking about, then possible way: Policy(
uid=12345,
effect=ALLOW_ACCESS,
subjects=['username=<.*>;position=<owner|collaborator>'], # `;` and `=` here are arbitrary delimiters
resources=['dataset:1', 'dataset:2'], # imagine 2 possible datasets each with some information like IDs
actions=['dataset:id:<add|remove>', 'delete'] # add/remove id from dataset; delete - action that deletes the whole dataset
) Inquiry(subject='username=max;position=collaborator', action='dataset:id:add', resource='dataset:1') # allowed
Inquiry(subject='username=jerry;position=contributor', action='dataset:id:add', resource='dataset:1') # rejected
Inquiry(subject='username=kim;position=owner', action='dataset:id:remove', resource='dataset:3') # rejected |
Is planned to be implemented in #4. |
@anton-khodak, you probably might be interested: Thanks for the issue. |
Hi Egor,
I'm looking into your library, and I would like to understand is it possible to attach attributes to entities as per ABAC model (https://en.wikipedia.org/wiki/Attribute-based_access_control#Attributes)? So far, I see that I can use contextual attributes in Roles, but I can't see how I can add subject, object and resources attributes.
For example, how do I implement the following simple scenario with vakt: I have users that register continuously, a user has an attribute "collaborator" with a list of dataset ids, when a new id is added to this list, they can update a dataset with this id.
The text was updated successfully, but these errors were encountered: