S3 Authentication, Authorization and Accounting
Authentication is the act of establishing or confirming someone's identity.
Authorization is the concept of allowing access to resources only to those permitted to use them.
Accounting refers to the tracking of user actions - an audit trail.
Overview
AAA functions for S3 are implemented in the modules/s3/s3aaa.py module. This module extends the web2py Auth class as AuthS3 (authentication), and defines additional classes for role management, access control and audit.

Component           Location               Function
AuthS3              modules/s3/s3aaa.py    Authentication, login
S3Permission        modules/s3/s3aaa.py    Authorization of access, ACLs
S3Audit             modules/s3/s3aaa.py    Data access logging, audit trail
S3RoleManager       modules/s3/s3aaa.py    RESTful method to manage roles and ACLs
Admin controllers   controllers/admin.py   User management, role management
Authentication
Current user
Interactive Login
HTTP Simple Authentication
Roles
Roles are defined in the auth_group table. This table is defined by the AuthS3 class in modules/s3/s3aaa.py. Each role has an ID, a unique name, and optionally a description.
Access permissions are granted to roles; a user gains permissions through the roles assigned to them. Role assignment is stored in the auth_membership table, which is also defined by the AuthS3 class (in modules/s3/s3aaa.py).
At the start of every request, the IDs of all roles of the currently logged-in user are stored as a list in session.s3.roles (in models/00_utils.py). Where the user becomes logged-in during the request (e.g. by HTTP simple authentication), a refresh of this list is also triggered by the login_bare() method of AuthS3.
Roles can be managed in the S3RoleManager interface (Administration => User Management => Roles).
ACLs
Access Control Lists (ACLs) are bit arrays, with each bit representing a permission to access data with a particular method:

Bit                      Value    Permission
auth.permission.CREATE   0x0001   may create new records
auth.permission.READ     0x0002   may read or list records
auth.permission.UPDATE   0x0004   may update existing records
auth.permission.DELETE   0x0008   may delete records
ACLs are combinations of these bits (by logical OR), e.g. an ACL with the value 0x0006 defines permissions to read and update records, while no permission to add or to delete any records.
ACLs are stored per role and request destination in the s3_permission table, which is defined by the S3Permission class (in modules/s3/s3aaa.py).
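As an added example (not code from Sahana Eden or the S3 framework), the following Python models the permission bits from the table above, combines them into ACLs, and shows how the per-role, per-destination ACLs of a user's roles (the list in session.s3.roles) would be OR-ed into one effective ACL and checked against a request method. The row layout used for the s3_permission stand-in (group_id, controller, function, acl), the function names and the sample rows are assumptions for illustration, not the actual schema or API of S3Permission.

```python
# Added example, not Sahana Eden's own code. The table layout, function
# names and sample data below are assumptions made for illustration.

CREATE = 0x0001  # may create new records
READ   = 0x0002  # may read or list records
UPDATE = 0x0004  # may update existing records
DELETE = 0x0008  # may delete records
ALL    = CREATE | READ | UPDATE | DELETE  # 0x000F

NAMES = {CREATE: "create", READ: "read", UPDATE: "update", DELETE: "delete"}


def describe(acl):
    """Return the names of the permission bits set in an ACL, lowest bit first."""
    return [name for bit, name in sorted(NAMES.items()) if acl & bit]


# Constructed stand-in for the s3_permission table: one ACL per
# (role id, request destination) pair, the destination being the
# controller/function a request is routed to.
SAMPLE_PERMISSIONS = [
    {"group_id": 1, "controller": "org", "function": "organisation", "acl": ALL},
    {"group_id": 2, "controller": "org", "function": "organisation", "acl": READ},
    {"group_id": 2, "controller": "org", "function": "office", "acl": READ | UPDATE},
    {"group_id": 3, "controller": "org", "function": "office", "acl": CREATE | READ},
]


def effective_acl(roles, controller, function, permissions=SAMPLE_PERMISSIONS):
    """OR together the ACLs of every role the user holds for this destination.

    A role with no row for the destination contributes no bits, so a user
    with no roles, or a destination with no rows at all, ends up with
    0x0000: every method is denied by default.
    """
    acl = 0
    for row in permissions:
        if (row["group_id"] in roles
                and row["controller"] == controller
                and row["function"] == function):
            acl |= row["acl"]
    return acl


def has_permission(roles, method, controller, function, permissions=SAMPLE_PERMISSIONS):
    """True only if every bit of `method` is set in the effective ACL.

    `method` may itself be a combination, e.g. READ | UPDATE, in which case
    all of those bits must be granted.
    """
    acl = effective_acl(roles, controller, function, permissions)
    return (acl & method) == method


if __name__ == "__main__":
    session_roles = [2, 3]  # constructed stand-in for session.s3.roles
    acl = effective_acl(session_roles, "org", "office")
    print("effective ACL for org/office: 0x%04X %s" % (acl, describe(acl)))
    print("may delete org/office?", has_permission(session_roles, DELETE, "org", "office"))
    print("may read org/organisation?", has_permission(session_roles, READ, "org", "organisation"))
```

Note that the check is a pure bit test against the union of the user's role ACLs: a method is permitted only when its bit has been granted by at least one role for that destination, and the absence of any row means denial. Anything S3Permission does beyond this bit check is outside the scope of the example.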