|Version 9 (modified by 12 years ago) ( diff ),|
Table of Contents
DeveloperGuidelinesS3Framework | S3AAA
S3 Authentication, Authorization and Accounting
Authentication is the act of establishing or confirming someone's identity.
Authorization is the concept of allowing access to resources only to those permitted to use them.
Accounting refers to the tracking of user actions - an audit trail.
AAA functions for S3 are implemented in the
modules/s3/s3aaa.py module. This module extends the web2py Auth class as AuthS3 (Authentication), and defines additional classes for role management, access control and audit.
Component Location Function AuthS3 modules/s3/s3aaa.py Authentication, Login S3Permission modules/s3/s3aaa.py Authorization of Access, ACLs S3Audit modules/s3/s3aaa.py Data access logging, audit trail S3RoleManager modules/s3/s3aaa.py RESTful method to manage roles and ACLs Admin controllers controllers/admin.py User Management, role management
HTTP Simple Authentication
Roles are defined in the
auth_group table. This table is defined by the
AuthS3 module in
modules/s3/s3aaa.py. Each role as an ID, a unique name and can have a description.
Access permissions are granted to roles, while a user gets permissions by assigning roles to him. Role assignment is stored in the
auth_membership table, which is defined by the
AuthS3 class (in
At the start of every request, the IDs of all roles of the currently logged-in user are stored as list in
models/00_utils.py. In cases where the user is logged-in during the request (e.g. by HTTP simple auth), a refresh of this list is also triggered by the
login_bare() method of
Roles can be managed in the
S3RoleManager interface (Administration => User Management => Roles).
Access Control Lists (ACLs) are bit arrays with each bit representing a permissions to access data with a particular method:
Bit Value Permission auth.permission.CREATE 0x0001 may create new records auth.permission.READ 0x0002 may read or list records auth.permission.UPDATE 0x0004 may update existing records auth.permission.DELETE 0x0008 may delete records
ACLs are combinations of these bits (by logical OR), e.g. an ACL with the value 0x0006 defines permissions to read and update records, while no permission to add or to delete any records.
ACLs are stored per role and request destination in the
s3_permission table, which is defined by the
S3Permission class (in