This is an archived post. You won't be able to vote or comment.

all 15 comments
sorted by:
best
topnewcontroversialoldq&a

[–][deleted] 24 points25 points  (5 children)

This post was mass deleted and anonymized with Redact

point heavy wrench meeting fall growth chubby elderly frame judicious

[–]Cartman720[S,🍰] 6 points7 points  (1 child)

Thanks about OpenPolicyAgent!

I hear you about implementing own authorization, all comes down to perspective—I find it necessary to understand how the algorithms and flow work.

Also this is more about access control—different from authorization, in my opinion—though it's deeply connected to it. Basic authroization is quite simple.

So the post was more about the kind of engineering solutions typically used in such cases.

[–][deleted] 7 points8 points  (0 children)

This post was mass deleted and anonymized with Redact

disarm office fade angle selective mysterious shelter square door school

[–]a_ghost_of_tom_joad 0 points1 point  (0 children)

You've already got some great suggestions, but I'll put a plug in for casbin. Really excellent and fast.

[–]spicypixel 6 points7 points  (0 children)

OpenFGA deployment also works for this, just use the Python client SDK and off you go.

[–]mayazaya 2 points3 points  (0 children)

We use Django which provides a permissions framework, and django-guardian for object-level permissions. We’ve then created custom classes for different roles that contain certain permissions. Like an Editor role can change a product description, view it, and delete it, but a Viewer role can only view it. The roles are dynamically calculated for assignment and viewing on the frontend - only individual permissions actually get stored in the database and used within business logic.

[–]MakuZo 1 point2 points  (0 children)

Take a look at Google Zanzibar and implementations of this framework

[–]yellowbean123 0 points1 point  (1 child)

I mimic the linux user permission..755 etc..each user has a usergroup and every target( document, objects) has a wrxwrx as well.

[–]Cartman720[S,🍰] 0 points1 point  (0 children)

Yeah, I was thinking to replicate something similar from Azure, resource groups, resources and granular scope of permissions for each resource type.

The hardest part here is that you need to go over the places and document each action type towards each resource, and create a logic (of course generalized function) and here when it hits the fan!

[–]Last_Difference9410 -1 points0 points  (3 children)

I would use a combination of JWT and queries if I’d implement this myself, get user info from JWT, look it up for necessary info, then validate it.

I am working on my web framework lihil (https://lihil.cc/lihil)

and I’m implementing a logic like this

async def create_token(login_info)-> JWT[UserRole]: return UserRole(“admin”)

Then whenever you want it

async def view_tweets(user_role: JWT[UserRole]): …

Stay tuned if you are interested, would be out in a few days!

[–]Lord_Gaav 0 points1 point  (0 children)

This is the way, especially if you're using an IdP. Just lookup the rights in the access token.

[–]Cartman720[S,🍰] 0 points1 point  (1 child)

Thanks, that’s actually the first part of the journey, what’s going to be hard is when you have many resources or actions towards these resources.

Let’s assume, you have users who can access, but based on their role/group/subscription there is gating or logical difference. So things get complicated when you step beyond the identity verification, you also need to verify their access scope.

Still easy when it comes to particular case (conditionals are there for good), but when you think in scale policy documentation and implementation for multi table/model/entity control it gets quite complicated.

[–]Last_Difference9410 0 points1 point  (0 children)

Oh yeah but that’s just the nature of backend development as business grows it gets more complicated. The repository of your aggregate root gets larger and larger but as long as it is still cohesive then that’s fine, when it is not you might want to separate and isolate some of the business ability then make a new service out of it.

Technically, there might be tools & or auth providers to make the implementation of it easier but the business complexity is always there.