mewlo.mpacks.core.rbac.mrbac module

mrbac.py This module contains classes and functions to manage the RBAC/ACL (permission) system.

The documentation discusses the RBAC system in more detail.

Essentially we have 3 tables that work together to build an RBAC system:

  1. Role definitions (role_def table; MewloRole class).
  2. Role entailment (inheritance hierarchy) (role_entail table; MewloRoleEntails class).
  3. Role assignments (role_assign table; MewloRoleAssignment class).

The Role definitions table actually defines roles; this gives each role a name, id, and description. An example of a role might be “IsOwnerOfGroup”. Note that the role definition does NOT refer to a specific resource (specific group) or subject (specific user).

The Role hierarchies table establishes a hierarchy of role DEFINITIONS. That is, role (definitions) may be parents of one another. Child roles inherit permissions of the parents. This is a very simple table that simply defines which role definitions are parents of which others. If role A is a parent of role B, we say that role A entails role B. Note that we allow role definitions to be children of multiple parents. Note that our hierarchy describes a relationship between role DEFINITIONS (not actual assignments). That is, we can say that the role of “Group Ownership” is a parent of “Group Membership”. Note that the key purpose of hierarchies is implying role assignments for children roles. For example, if role A is a parent of role B, and user X has role A, then user X also has role B.

Note that role hierarchies express a very limited form of relationships of role implication (entitlement). By that I mean that we cannot express arbitrary entitlements like “Having role #45 on resource #67 entails having role #48 on resource #910.” The most we can say is that “Having role #45 entails having role #48” or, equivalently, that “Having role #45 on resource #67 entails having role #48 on resource #67.”

The Role assignment table assigns a specific role (definition) to a specific subject (typically a user), and possibly restricted to a specific resource object. Some example role assignments:

  1. “Subject #123 (user X) has role #45 (IsOwnerOfGroup) for resource #67 (group y).”
  2. “Subject #123 (user X) has role #1 (IsAdmin).”
  3. “Subject #67 (group y) has role #23 (IsParentGroup) for resource #68 (group z).”

Some kinds of queries we might ask the RBAC system:

  1. “Does subject #123 have role #45 for resource #67?”
  2. “What roles does subject #123 have for resource #67?”
  3. “What subjects have role #45 on resource #67?”
  4. “What roles does subject #123 have?”
  5. “What subject roles are held on resource #67?”
  6. “What subjects and resources are using role #45?”

It is important to note that the role hierarchy makes queries non-trivial. So if we ask “Does subject #123 have role #45 for resource #67?”, this should be understood as “Does subject have role #45, or any parent role of role #45, for resource #67 (or for all resources)?”

There are some common things that will require multiple steps to check. For example, let’s say we wanted to know if Subject #123 had role #40 (edit) for resource #600 (which was a blog page in group #67).

In addition to checking for the permission directly on resource 600, this might require that we check if subject has role #41 (edit group-owned blogs) on group #67. This check is something that the coder would have to perform – the RBAC system itself does not know that this “group role” implies a role on the specific object.

If we DID want to extend the RBAC system to handle such scenarios automatically, it would require an extension that allowed us to express relationships like:
“Role #r1 held by subject s1 (of TYPE S1) on resource r1 (of type R1) implies role #r2 by subject s2 on resource r2, where some set of role assignments constrain s1, s2, r1, r2.”

Or, in our example above:

“Role #isadmin held by subject s1 (of type USER) on resource r1 (of type GROUP) implies role #canedit by subject s1 on resource r2 (of type BLOG), where r2 has role #isownedby on resource r1.”

We judge that the complications of expressing such relationships are best handled in code rather than automatically in the RBAC system, and so restrict the RBAC system to the simpler cases.
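The following is an added, self-contained illustration of the three-table design described above; it is not Mewlo’s own code and does not use its database layer. Role definitions, entailments and assignments are plain in-memory records with constructed sample ids that echo the docstring’s examples (user #123 owning group #67, blog #600 belonging to group #67). It shows the hierarchy-aware check (“role #45, or any parent of #45, on resource #67 or on all resources”), the AND-across-dimensions assignment query with `resourceid == None` acting as the all-resources wildcard, and the two-step “group-owned blog” check that, as the text says, the caller has to perform because the RBAC system itself cannot express that a group role implies a role on the group’s blog. The names `can_edit_blog` and `BLOG_OWNER_GROUP` are assumptions for the example.

```python
from collections import namedtuple

# Added example (not Mewlo's own code): the three RBAC tables as in-memory records.
RoleDef = namedtuple("RoleDef", "roleid name")                      # role_def
RoleEntail = namedtuple("RoleEntail", "parent_roleid child_roleid")  # role_entail
RoleAssign = namedtuple("RoleAssign", "subjectid roleid resourceid")  # role_assign; resourceid None = all resources

# Constructed sample data; ids follow the module docstring's examples.
ROLE_DEFS = [
    RoleDef(1, "IsAdmin"),
    RoleDef(40, "CanEditBlog"),
    RoleDef(41, "CanEditGroupOwnedBlogs"),
    RoleDef(45, "IsOwnerOfGroup"),
    RoleDef(48, "IsMemberOfGroup"),
]
# parent entails child: admin entails group ownership, which entails
# membership and editing the group's blogs.
ROLE_ENTAILS = [
    RoleEntail(1, 45),
    RoleEntail(45, 48),
    RoleEntail(45, 41),
]
ROLE_ASSIGNS = [
    RoleAssign(123, 45, 67),   # user X owns group y
    RoleAssign(124, 48, 67),   # user W is a member of group y
    RoleAssign(200, 1, None),  # user Z is admin on all resources
]
# Which group owns a blog is application data, not RBAC data (constructed, hypothetical).
BLOG_OWNER_GROUP = {600: 67}


def lookup_entailing_roles(roleid, entails=ROLE_ENTAILS):
    """Roles that entail `roleid` (its ancestors in the hierarchy), including itself.
    Iterative closure with a visited set, so multiple parents and accidental
    cycles in role_entail terminate instead of recursing forever."""
    found = {roleid}
    frontier = [roleid]
    while frontier:
        child = frontier.pop()
        for e in entails:
            if e.child_roleid == child and e.parent_roleid not in found:
                found.add(e.parent_roleid)
                frontier.append(e.parent_roleid)
    return sorted(found)


def lookup_roleassigns(subjectids, roleids, resourceids, assigns=ROLE_ASSIGNS):
    """Assignments where any of subjectids has any of roleids on any of
    resourceids. The three conditions are ANDed; an assignment whose
    resourceid is None holds on every resource and so always matches."""
    return [a for a in assigns
            if a.subjectid in subjectids
            and a.roleid in roleids
            and (a.resourceid is None or a.resourceid in resourceids)]


def does_subject_have_role_on_resource(subjectid, roleid, resourceid):
    """'Does subject have role, or any parent role of it, on resource (or on all resources)?'"""
    roleids = set(lookup_entailing_roles(roleid))
    return bool(lookup_roleassigns({subjectid}, roleids, {resourceid}))


def roles_of_subject_on_resource(subjectid, resourceid, roledefs=ROLE_DEFS):
    """'What roles does subject have for resource?', expanded through the hierarchy."""
    return sorted(r.roleid for r in roledefs
                  if does_subject_have_role_on_resource(subjectid, r.roleid, resourceid))


def can_edit_blog(subjectid, blogid):
    """The two-step check from the docstring, done in application code:
    first the edit role (#40) directly on the blog, then the group-level
    role (#41) on the group that owns the blog. The RBAC tables alone
    cannot express 'role #41 on group g implies role #40 on g's blogs'."""
    if does_subject_have_role_on_resource(subjectid, 40, blogid):
        return True
    groupid = BLOG_OWNER_GROUP.get(blogid)
    if groupid is None:
        return False
    return does_subject_have_role_on_resource(subjectid, 41, groupid)


if __name__ == "__main__":
    print("123 owns 67 -> member of 67?", does_subject_have_role_on_resource(123, 48, 67))
    print("roles of 123 on 67:", roles_of_subject_on_resource(123, 67))
    print("can 124 (member only) edit blog 600?", can_edit_blog(124, 600))
    print("can 200 (admin, all resources) edit blog 600?", can_edit_blog(200, 600))
```

Note the asymmetry the docstring describes: ownership of group #67 gives user #123 membership of #67 through the hierarchy, but nothing in the tables makes it reach blog #600; only `can_edit_blog` bridges that, and the same bridging would have to be repeated for every such cross-resource rule.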
class mewlo.mpacks.core.rbac.mrbac.MewloRbacManager(mewlosite, debugmode)

Bases: mewlo.mpacks.core.manager.manager.MewloManager

The Rbac system manager.

add_uniqueval_to_listkey(val, keydict, key)

Add id to list indexed by key in keydict.

annotate_assignments(assignments)

Given a list of assignments, annotate them with real info about the roles and objects involved.

create_assignment(subject, role, resource=None)

Create a new assignment.

create_role(rolename, label, classname_subject, classname_resource=None)

Create a new role.

create_role_entail(role_parent, role_entailedchild)

Add a role hierarchy relation.

description = 'Handles the authorization and permission API'
does_subject_have_role(subject, role)

Just a shortcut to does_subject_have_role_on_resource().

does_subject_have_role_on_resource(subject, role, resource)

Return True if user has a role on an object. This includes looking at role hierarchies and group memberships for user.

lookup_classmodel_from_classname(classname)

Find the MewloModel derived CLASS specified by classname.

lookup_entailing_roles(roleid)

Return a list of roleids that entail this one (including itself).

lookup_entailingparent_roleids(roleids)

Return a list of parent roleids which are parents of any element in roleids.

lookup_gobarray_from_assignments(role_assignments, roledefarray)

Return an array of OBJECTS used in either the subject or resource part of role assignments (note that many role assignments may use the same objects). IMPORTANT: role assignments refer to gobids, which are unique numeric identifiers that can refer to multiple kinds of objects. This function must look up and instantiate the proper object instance for the gobid. There are multiple ways to do this, and some may be messy/slow, so we may want to be cautious about using this function for important things. Return as an array indexed by gobid.

lookup_gobid(obj)

obj may be None, integer (gobid), or an object with a gobid property.

lookup_objarray_by_class_and_gobidlist(classname, gobidlist)

We are given a classname and a gobidlist; we want to return the objects with matching gobids. This is tricky because the classname must be looked up dynamically.

lookup_role_byname(rolename)

Look up a role by name.

lookup_roleassignids(subjectids, roleids, resourceids)

Return a list of role assignment ids where any of subjectids has any of roleids on (any of resourceids, or on resourceid==None). Each of subject, role and resource must match (i.e. it is an AND relation).

lookup_roleassigns(subjectids, roleids, resourceids)

Return a list of role assignments where any of subjectids has any of roleids on (any of resourceids, or on resourceid==None). Each of subject, role and resource must match (i.e. it is an AND relation).

lookup_roleassigns_either_subject_or_resource(obj, role)

Return a list of role assignments where any of subjectids has any of roleids on (any of resourceids, or on resourceid==None). Each of subject, role and resource must match (i.e. it is an AND relation).

lookup_roledefarray_from_assignments(roleassignments)

Simply get the roledef objects from the assignments (note that many role assignments may use the same roledef). Return as an array indexed by roleid.

lookup_roleid(role)

obj may be None, integer (gobid), or an object with a gobid property.

lookup_roleid_byname(rolename)

Look up a role id by name.

typestr = 'core'
class mewlo.mpacks.core.rbac.mrbac.MewloRole

Bases: mewlo.mpacks.core.database.mdbmodel.MewloDbModel

The role class manages the hierarchy of roles.

calc_nice_rbaclabel()

Nice display accessor.

dbschemaname = 'default'
dbtablename = 'role_def'
classmethod define_fields(dbmanager)

This class-level function defines the database fields for this model – the columns, etc.

class mewlo.mpacks.core.rbac.mrbac.MewloRoleAssignment

Bases: mewlo.mpacks.core.database.mdbmodel.MewloDbModel

The role class manages the hierarchy of roles.

annotate_with_array(roledefarray, gobarray)

Annotate with roledef and gobarrays.

calc_nice_annotated_html_info()

Return a nice HTML string for the assignment, using optional annotated object info.

calc_nicelabel_from_objorid(attributename, fallbackid)

Return a nice string label for the annotated object.

dbschemaname = 'default'
dbtablename = 'role_assign'
classmethod define_fields(dbmanager)

This class-level function defines the database fields for this model – the columns, etc.

class mewlo.mpacks.core.rbac.mrbac.MewloRoleEntails

Bases: mewlo.mpacks.core.database.mdbmodel.MewloDbModel

The role class manages the hierarchy of roles.

dbschemaname = 'default'
dbtablename = 'role_entail'
classmethod define_fields(dbmanager)

This class-level function defines the database fields for this model – the columns, etc.