Permissions
Kinto-Core provides a mechanism to handle authorization on the stored objects.
This section gives details about the behaviour of resources with regard to permissions.
User resource
This is the simplest one, as presented in the resource section.
When using a kinto.core.resource.UserResource, every authenticated user can manipulate and read their own records. There is no way to restrict this or allow sharing of records.
Method | URL | Permission |
---|---|---|
GET / HEAD | /{collection} | Authenticated |
POST | /{collection} | Authenticated |
DELETE | /{collection} | Authenticated |
GET / HEAD | /{collection}/{id} | Authenticated |
PUT | /{collection}/{id} | Authenticated |
PATCH | /{collection}/{id} | Authenticated |
DELETE | /{collection}/{id} | Authenticated |
Note
When using only these resources, the permission backend remains unused, so its configuration is not necessary.
Public BasicAuth
If Basic Auth authentication is enabled, private user resources can become semi-private or public if the user:pass combination is publicly known and shared (for example public: with an empty password is a valid user:pass combination).
That's how most simple demos of Kinto (a Kinto-Core-based application) are built, by the way!
Backends
The ACLs are stored in a permission backend. As with Storage and Cache, it is pluggable from configuration.
PostgreSQL

class kinto.core.permission.postgresql.Permission(client, *args, **kwargs)
    Permission backend using PostgreSQL.

    Enable in configuration:

        kinto.permission_backend = kinto.core.permission.postgresql

    The database location URI can be customized:

        kinto.permission_url = postgres://user:pass@db.server.lan:5432/dbname

    Alternatively, the username and password can rely on system user ident or be specified in ~/.pgpass (see the PostgreSQL documentation).

    Note
    Some tables and indices are created when kinto migrate is run. This requires some privileges on the database, or an error will be raised.
    Alternatively, the schema can be initialized outside the Python application, using the SQL file located in kinto/core/permission/postgresql/schema.sql. This allows schema manipulation privileges to be kept separate from schema usage privileges.

    A connection pool is enabled by default:

        kinto.permission_pool_size = 10
        kinto.permission_maxoverflow = 10
        kinto.permission_max_backlog = -1
        kinto.permission_pool_recycle = -1
        kinto.permission_pool_timeout = 30
        kinto.cache_poolclass = kinto.core.storage.postgresql.pool.QueuePoolWithMaxBacklog

    The max_backlog setting limits the number of threads that can be in the queue waiting for a connection. Once this limit has been reached, any further attempt to acquire a connection is rejected immediately, instead of locking up all threads by keeping them waiting in the queue.
    See the dedicated section in the SQLAlchemy documentation for default values and behaviour.

    Note
    Using a dedicated connection pool is still recommended to allow load balancing and replication, or to limit the number of connections used in a multi-process deployment.
Redis

class kinto.core.permission.redis.Permission(client, *args, **kwargs)
    Permission backend implementation using Redis.

    Enable in configuration:

        kinto.permission_backend = kinto.core.permission.redis

    (Optional) The instance location URI can be customized:

        kinto.permission_url = redis://localhost:6379/2

    A threaded connection pool is enabled by default:

        kinto.permission_pool_size = 50
API
Implementing a custom permission backend consists in implementing the following interface:

class kinto.core.permission.PermissionBase(*args, **kwargs)

    initialize_schema()
        Create every necessary object (like tables or indices) in the backend.
        This is executed with the kinto migrate command.

    flush()
        Delete all data stored in the permission backend.

    add_user_principal(user_id, principal)
        Add an additional principal to a user.
        Parameters:
            user_id (str) – The user_id to add the principal to.
            principal (str) – The principal to add.

    remove_user_principal(user_id, principal)
        Remove an additional principal from a user.
        Parameters:
            user_id (str) – The user_id to remove the principal from.
            principal (str) – The principal to remove.

    remove_principal(principal)
        Remove a principal from every user.
        Parameters:
            principal (str) – The principal to remove.

    get_user_principals(user_id)
        Return the set of additional principals given to a user.
        Parameters:
            user_id (str) – The user_id to get the list of groups for.
        Returns: The list of group principals the user is in.
        Return type: set

    add_principal_to_ace(object_id, permission, principal)
        Add a principal to an Access Control Entry.
        Parameters:
            object_id (str) – The object to add the permission principal to.
            permission (str) – The permission to add the principal to.
            principal (str) – The principal to add to the ACE.

    remove_principal_from_ace(object_id, permission, principal)
        Remove a principal from an Access Control Entry.
        Parameters:
            object_id (str) – The object to remove the permission principal from.
            permission (str) – The permission that should be removed.
            principal (str) – The principal to remove from the ACE.

    get_object_permission_principals(object_id, permission)
        Return the set of principals of a bound permission (unbound permission + object id).
        Parameters:
            object_id (str) – The object_id the permission is set to.
            permission (str) – The permission to query.
        Returns: The list of user principals
        Return type:

    get_accessible_objects(principals, bound_permissions=None)
        Return the list of objects where the specified principals have some permissions.
        If the bound_permissions parameter is specified, the list is limited to the specified objects or permissions.
        Parameters:
            principals (list) – List of user principals
            bound_permissions (list) – An optional list of tuples (object_id, permission) to limit the results. The object ids can be a pattern (e.g. '*', '/my/articles*').
        Returns: A mapping whose keys are the object_ids and the values are the related list of permissions.
        Return type: dict

    Return the full set of authorized principals for a list of bound permissions (object + permission).
        Parameters:
            object_id (str) – The object_id the permission is set to.
            bound_permissions (list) – A list of tuples (object_id, permission) to be fetched.
        Returns: The list of user principals
        Return type:

    check_permission(principals, bound_permissions)
        Test whether a set of principals has a permission on an object.
        Parameters:
            principals (set) – A set of user principals to test the permission against.
            bound_permissions (list) – A list of tuples (object_id, permission) to be checked.
        Return type: boolean

    get_objects_permissions(objects_ids, permissions=None)
        Return a list of mappings, one for each object id specified, with the set of principals for each permission.
        Parameters:
            objects_ids (list) – The list of object_ids.
            permissions (list) – Optional list of permissions to limit the results. If not specified, retrieve all.
        Returns: A list of dictionaries with the list of user principals for each object permission.
        Return type: list

    replace_object_permissions(object_id, permissions)
        Replace the given object's permissions.
        Parameters:
            object_id (str) – The object whose permissions are replaced.
            permissions (dict) – The permissions dict to store in place of the existing ones.

    delete_object_permissions(*object_id_list)
        Delete all listed object permissions.
        Parameters:
            object_id_list (str) – The object ids whose permissions should be removed.
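As an added illustration (not code from the Kinto-Core project), here is a minimal in-memory backend implementing the ACE-related part of the interface above, including the deny-by-default check_permission and the pattern-matching bound_permissions filter of get_accessible_objects. It deliberately does not import or subclass kinto.core.permission.PermissionBase so that it runs without Kinto installed; the principal names and object ids used with it are constructed.

```python
import fnmatch
from collections import defaultdict


class MemoryPermission:
    """In-memory subset of the PermissionBase interface (stand-alone illustration;
    a real backend would subclass kinto.core.permission.PermissionBase)."""

    def __init__(self):
        self.initialize_schema()

    def initialize_schema(self):
        # The ACEs: object_id -> {permission -> set(principals)}.
        self._aces = defaultdict(lambda: defaultdict(set))

    def add_principal_to_ace(self, object_id, permission, principal):
        self._aces[object_id][permission].add(principal)

    def remove_principal_from_ace(self, object_id, permission, principal):
        self._aces[object_id][permission].discard(principal)

    def get_object_permission_principals(self, object_id, permission):
        return set(self._aces[object_id][permission])

    def delete_object_permissions(self, *object_id_list):
        for object_id in object_id_list:
            self._aces.pop(object_id, None)

    def check_permission(self, principals, bound_permissions):
        # Deny by default: True only if some ACE names one of the caller's principals.
        principals = set(principals)
        return any(self.get_object_permission_principals(o, p) & principals
                   for o, p in bound_permissions)

    def get_accessible_objects(self, principals, bound_permissions=None):
        principals = set(principals)
        result = defaultdict(set)
        for object_id, perms in self._aces.items():
            for permission, granted in perms.items():
                if not granted & principals:
                    continue
                # Object ids in bound_permissions may be patterns, e.g. '*' or '/my/articles*'.
                if bound_permissions is not None and not any(
                        permission == perm and fnmatch.fnmatchcase(object_id, pattern)
                        for pattern, perm in bound_permissions):
                    continue
                result[object_id].add(permission)
        return dict(result)
```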