Permissions

Kinto-Core provides a mechanism to handle authorization on the stored objects. This section gives details about the behaviour of resources with regard to permissions.
User resource

This is the simplest one, as presented in the resource section. When using a kinto.core.resource.UserResource, every authenticated user can manipulate and read their own records. There is no way to restrict this or allow sharing of records.
Method     | URL               | Permission
-----------|-------------------|--------------
GET / HEAD | /{collection}     | Authenticated
POST       | /{collection}     | Authenticated
DELETE     | /{collection}     | Authenticated
GET / HEAD | /{collection}/{id} | Authenticated
PUT        | /{collection}/{id} | Authenticated
PATCH      | /{collection}/{id} | Authenticated
DELETE     | /{collection}/{id} | Authenticated
Note

When using only these resources, the permission backend remains unused; its configuration is not necessary.
Public BasicAuth

If Basic Auth authentication is enabled, private user resources can become semi-private or public if the user:pass is publicly known and shared (for example, public: is a valid user:pass combination). That’s how most simple demos of Kinto — a Kinto-Core-based application — are built, by the way!
Backends

The ACLs are stored in a permission backend. Like Storage and Cache, it is pluggable from configuration.
PostgreSQL

class kinto.core.permission.postgresql.Permission(client, *args, **kwargs)

    Permission backend using PostgreSQL.

    Enable in configuration:

        kinto.permission_backend = kinto.core.permission.postgresql

    Database location URI can be customized:

        kinto.permission_url = postgres://user:pass@db.server.lan:5432/dbname

    Alternatively, username and password could also rely on system user ident, or even be specified in ~/.pgpass (see PostgreSQL documentation).

    Note

    Some tables and indices are created when kinto migrate is run. This requires some privileges on the database, or an error will be raised.

    Alternatively, the schema can be initialized outside the Python application, using the SQL file located in kinto/core/permission/postgresql/schema.sql. This allows schema manipulation privileges to be kept distinct from schema usage privileges.

    A connection pool is enabled by default:

        kinto.permission_pool_size = 10
        kinto.permission_maxoverflow = 10
        kinto.permission_max_backlog = -1
        kinto.permission_pool_recycle = -1
        kinto.permission_pool_timeout = 30
        kinto.cache_poolclass = kinto.core.storage.postgresql.pool.QueuePoolWithMaxBacklog

    The max_backlog limits the number of threads that can be in the queue waiting for a connection. Once this limit has been reached, any further attempts to acquire a connection will be rejected immediately, instead of locking up all threads by keeping them waiting in the queue.

    See the dedicated section in the SQLAlchemy documentation for default values and behaviour.

    Note

    Using a dedicated connection pool is still recommended to allow load balancing, replication, or to limit the number of connections used in a multi-process deployment.
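The difference between an unlimited backlog (max_backlog = -1) and a bounded one is easiest to see in a small model. The following is an added example, not Kinto's or SQLAlchemy's code: a toy pool (ToyPool, a name chosen here) that applies pool_size, max_overflow, max_backlog and pool_timeout in the way the text above describes them, with a thread-based demo of each case. Connections are stand-in objects, so it runs without a database.

```python
import threading
import time


class PoolBacklogFull(Exception):
    """max_backlog requests are already queued: rejected immediately."""


class PoolTimeout(Exception):
    """A queued request waited longer than pool_timeout."""


class ToyPool:
    """Toy model (constructed for this example) of a pool with the four limits above."""

    def __init__(self, pool_size, max_overflow, max_backlog, pool_timeout):
        self.pool_size = pool_size
        self.max_overflow = max_overflow
        self.max_backlog = max_backlog      # -1: unlimited queue (the default above)
        self.pool_timeout = pool_timeout    # seconds a queued request may wait
        self._idle = []                     # pooled connections not in use
        self._in_use = 0
        self._waiting = 0                   # requests queued for a connection
        self._cond = threading.Condition()

    def _checkout_locked(self):
        """Return an idle or newly opened connection, or None if the limits are hit."""
        if self._idle:
            self._in_use += 1
            return self._idle.pop()
        if self._in_use < self.pool_size + self.max_overflow:
            self._in_use += 1
            return object()                 # stands in for a real DB connection
        return None

    def acquire(self):
        with self._cond:
            conn = self._checkout_locked()
            if conn is not None:
                return conn
            # Pool and overflow exhausted: queue, unless the backlog is already full.
            if 0 <= self.max_backlog <= self._waiting:
                raise PoolBacklogFull("%d requests already waiting" % self._waiting)
            self._waiting += 1
            deadline = time.monotonic() + self.pool_timeout
            try:
                while True:
                    conn = self._checkout_locked()
                    if conn is not None:
                        return conn
                    remaining = deadline - time.monotonic()
                    if remaining <= 0:
                        raise PoolTimeout("no connection within %ss" % self.pool_timeout)
                    self._cond.wait(remaining)
            finally:
                self._waiting -= 1

    def release(self, conn):
        with self._cond:
            self._in_use -= 1
            if len(self._idle) < self.pool_size:
                self._idle.append(conn)     # beyond pool_size, overflow connections are dropped
            self._cond.notify()


def demo_bounded_backlog():
    """pool_size=1, max_overflow=0, max_backlog=1: one request queues, the next is rejected."""
    pool = ToyPool(1, 0, 1, pool_timeout=5)
    outcome = {}
    held = pool.acquire()                   # this thread holds the only connection

    def queued_request():
        conn = pool.acquire()               # waits until `held` is released
        outcome["queued"] = "acquired"
        pool.release(conn)

    worker = threading.Thread(target=queued_request)
    worker.start()
    give_up = time.monotonic() + 2
    while pool._waiting < 1 and time.monotonic() < give_up:
        time.sleep(0.01)                    # let the worker enter the queue first
    try:
        pool.acquire()
    except PoolBacklogFull:
        outcome["third"] = "rejected"
    pool.release(held)
    worker.join()
    return outcome


def demo_unbounded_backlog():
    """max_backlog=-1: extra requests always queue and can only fail by timing out."""
    pool = ToyPool(1, 0, -1, pool_timeout=0.2)
    held = pool.acquire()
    try:
        pool.acquire()
        return "acquired"
    except PoolTimeout:
        return "timed out"
    finally:
        pool.release(held)
```

With the bounded backlog the third request fails fast and its worker thread is free to serve other work; with the unbounded default every extra request sits in the queue until pool_timeout expires, which is the "locking up all threads" case the text warns about.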
Redis

class kinto.core.permission.redis.Permission(client, *args, **kwargs)

    Permission backend implementation using Redis.

    Enable in configuration:

        kinto.permission_backend = kinto.core.permission.redis

    (Optional) Instance location URI can be customized:

        kinto.permission_url = redis://localhost:6379/2

    A threaded connection pool is enabled by default:

        kinto.permission_pool_size = 50
API

Implementing a custom permission backend consists in implementing the following interface:

class kinto.core.permission.PermissionBase(*args, **kwargs)

    initialize_schema()
        Create every necessary object (like tables or indices) in the backend. This is executed with the kinto migrate command.

    flush()
        Delete all data stored in the permission backend.

    add_user_principal(user_id, principal)
        Add an additional principal to a user.
        Parameters:
            user_id (str) – The user_id to add the principal to.
            principal (str) – The principal to add.

    remove_user_principal(user_id, principal)
        Remove an additional principal from a user.
        Parameters:
            user_id (str) – The user_id to remove the principal from.
            principal (str) – The principal to remove.

    remove_principal(principal)
        Remove a principal from every user.
        Parameters:
            principal (str) – The principal to remove.

    user_principals(user_id)
        Return the set of additional principals given to a user.
        Parameters:
            user_id (str) – The user_id to get the list of groups for.
        Returns: The list of group principals the user is in.
        Return type: set

    add_principal_to_ace(object_id, permission, principal)
        Add a principal to an Access Control Entry.
        Parameters:
            object_id (str) – The object to add the permission principal to.
            permission (str) – The permission to add the principal to.
            principal (str) – The principal to add to the ACE.

    remove_principal_from_ace(object_id, permission, principal)
        Remove a principal from an Access Control Entry.
        Parameters:
            object_id (str) – The object to remove the permission principal from.
            permission (str) – The permission that should be removed.
            principal (str) – The principal to remove from the ACE.

    object_permission_principals(object_id, permission)
        Return the set of principals of a bound permission (unbound permission + object id).
        Parameters:
            object_id (str) – The object_id the permission is set to.
            permission (str) – The permission to query.
        Returns: The list of user principals
        Return type:

    principals_accessible_objects(principals, permission, object_id_match=None, get_bound_permissions=None)
        Return the list of object ids where the specified principals have the specified permission.
        Parameters:
            principals (list) – List of user principals
            permission (str) – The permission to query.
            object_id_match (str) – Filter object ids based on a pattern (e.g. '*articles*').
            get_bound_permissions (function) – The method to call in order to generate the list of permissions to verify against (i.e. if you can write, you can read).
        Returns: The list of object ids
        Return type:

    Return the full set of authorized principals for a given permission + object (bound permission).
        Parameters:
            object_id (str) – The object_id the permission is set to.
            permission (str) – The permission to query.
            get_bound_permissions (function) – The method to call in order to generate the list of permissions to verify against (i.e. if you can write, you can read).
        Returns: The list of user principals
        Return type:

    check_permission(object_id, permission, principals, get_bound_permissions=None)
        Test whether a set of principals has a permission on an object.
        Parameters:
            object_id (str) – The identifier of the object concerned by the permission.
            permission (str) – The permission to test.
            principals (set) – A set of user principals to test the permission against.
            get_bound_permissions (function) – The method to call in order to generate the set of permissions to verify against (i.e. if you can write, you can read).

    object_permissions(object_id, permissions=None)
        Return the set of principals for each object permission.
        Parameters:
            object_id (str) – The object_id the permission is set to.
            permissions (list) – List of permissions to retrieve. If not defined, all of them are looked up.
        Returns: The dictionary with the list of user principals for each object permission
        Return type: dict

    replace_object_permissions(object_id, permissions)
        Replace the given object's permissions.
        Parameters:
            object_id (str) – The object whose permissions are replaced.
            permissions (dict) – The permissions dict to set.

    delete_object_permissions(*object_id_list)
        Delete all listed object permissions.
        Parameters:
            object_id_list (str) – The ids of the objects whose permissions are removed.
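As an added example (not Kinto's own code), here is an in-memory implementation of the interface above, with a demo that exercises the bound-permission logic. The class name MemoryPermission, the helper write_implies_read (an assumed shape for a get_bound_permissions callback, returning the (object_id, permission) pairs any of which grants the requested permission), and the principal names and object ids in the demo are all constructed for this example.

```python
import fnmatch
from collections import defaultdict


def write_implies_read(object_id, permission):
    # Assumed shape of a get_bound_permissions callback: the (object_id,
    # permission) pairs any of which grants `permission` on `object_id`.
    bound = [(object_id, permission)]
    if permission == "read":
        bound.append((object_id, "write"))   # writers can also read
    return bound


class MemoryPermission:
    """In-memory implementation of the PermissionBase interface (constructed
    for this example; not Kinto's own backend)."""

    def __init__(self):
        self.initialize_schema()

    def initialize_schema(self):
        self._user_principals = defaultdict(set)   # user_id -> extra principals
        self._aces = defaultdict(set)              # (object_id, permission) -> principals

    def flush(self):
        self.initialize_schema()

    def add_user_principal(self, user_id, principal):
        self._user_principals[user_id].add(principal)

    def remove_user_principal(self, user_id, principal):
        self._user_principals[user_id].discard(principal)

    def remove_principal(self, principal):
        for principals in self._user_principals.values():
            principals.discard(principal)

    def user_principals(self, user_id):
        return set(self._user_principals.get(user_id, ()))

    def add_principal_to_ace(self, object_id, permission, principal):
        self._aces[(object_id, permission)].add(principal)

    def remove_principal_from_ace(self, object_id, permission, principal):
        self._aces[(object_id, permission)].discard(principal)

    def object_permission_principals(self, object_id, permission):
        return set(self._aces.get((object_id, permission), ()))

    def check_permission(self, object_id, permission, principals, get_bound_permissions=None):
        # Granted if any bound (object, permission) pair names one of the principals.
        bound = [(object_id, permission)] if get_bound_permissions is None \
            else get_bound_permissions(object_id, permission)
        principals = set(principals)
        return any(self.object_permission_principals(o, p) & principals for o, p in bound)

    def principals_accessible_objects(self, principals, permission,
                                      object_id_match=None, get_bound_permissions=None):
        matches = set()
        for object_id, _ in list(self._aces):
            if object_id_match and not fnmatch.fnmatchcase(object_id, object_id_match):
                continue
            if self.check_permission(object_id, permission, principals, get_bound_permissions):
                matches.add(object_id)
        return matches

    def object_permissions(self, object_id, permissions=None):
        return {perm: set(granted) for (oid, perm), granted in self._aces.items()
                if oid == object_id and granted and (permissions is None or perm in permissions)}

    def replace_object_permissions(self, object_id, permissions):
        self.delete_object_permissions(object_id)
        for perm, principals in permissions.items():
            self._aces[(object_id, perm)] = set(principals)

    def delete_object_permissions(self, *object_id_list):
        for key in [k for k in self._aces if k[0] in object_id_list]:
            del self._aces[key]


def demo():
    """Grant write on a bucket to a group, put alice in it, and check access (constructed data)."""
    backend = MemoryPermission()
    backend.add_principal_to_ace("/buckets/blog", "write", "group:editors")
    backend.add_user_principal("basicauth:alice", "group:editors")
    alice = {"basicauth:alice", "system.Authenticated"} | backend.user_principals("basicauth:alice")
    out = {
        "alice_write": backend.check_permission("/buckets/blog", "write", alice),
        "alice_read_strict": backend.check_permission("/buckets/blog", "read", alice),
        "alice_read_bound": backend.check_permission("/buckets/blog", "read", alice, write_implies_read),
        "alice_readable": backend.principals_accessible_objects(alice, "read", "/buckets/*", write_implies_read),
        "blog_perms": backend.object_permissions("/buckets/blog"),
    }
    backend.remove_principal("group:editors")   # the group is removed from every user
    alice = {"basicauth:alice", "system.Authenticated"} | backend.user_principals("basicauth:alice")
    out["alice_write_after"] = backend.check_permission("/buckets/blog", "write", alice)
    return out
```

Two points the demo makes explicit: a permission check is only as broad as the get_bound_permissions callback the caller passes (without it, "write" does not imply "read"), and remove_principal only detaches the principal from users, so the ACE still names group:editors afterwards and any user re-added to that group regains write access.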