FIRM: Authorization Support

Initial ActivityPub authorization (authz) support has been added to the FIRM software. It's a plugin, and specific implementations can customize the policies. Unfortunately, ActivityPub has very minimal guidance on authorization and access control, so different implementations may use significantly different policies.

This initial version is relatively simple. In the future, I plan to explore other, more advanced and general, Python-based authz implementations.

Casbin

  • Type: Authorization library
  • Description: Casbin is a powerful and efficient open-source access control library. It supports multiple access control models, including ACL, RBAC, ABAC, and others.
  • Features:
    • Supports multiple models: ACL (Access Control Lists), RBAC (Role-Based Access Control), and ABAC (Attribute-Based Access Control).
    • Can enforce policies in various formats (e.g., JSON, CSV).
    • Works across different databases and environments.
  • Use case: Fine-grained policy enforcement and centralized permission management.
  • Repo: Casbin Python

OPA (Open Policy Agent):

  • Type: Policy-based authorization engine for defining access control and compliance policies across multiple platforms (Kubernetes, microservices, APIs, etc.).
  • Description: Open Policy Agent allows developers and administrators to write policies that govern access and operational rules for applications, infrastructure, and systems.
  • Features:
    • Policies are written in Rego, OPA’s declarative query language, which is expressive enough to handle complex logic and conditions.
    • OPA can be integrated with various systems such as Kubernetes, microservices, API gateways, and cloud infrastructure.
    • OPA is typically used in policy-as-code scenarios, where policies are treated like source code, versioned, and managed in the same way.
    • Decision API: OPA exposes a RESTful API to evaluate policies in real-time, allowing applications to make decisions based on policy evaluations.
    • How it works...
      1. Policies are written using Rego and loaded into OPA.
      2. Inputs (like user, resource, action) are sent to OPA by a service or application.
      3. OPA evaluates the input against the defined policies.
      4. OPA returns a decision (e.g., allow, deny) based on the policies.
  • Repo: OPA

WAC (Web Access Control):

  • Type: Web Access Control (WAC) system for defining access to SOLID resources (data stored in Pods).
  • Description: WAC is an access control mechanism that defines fine-grained permissions for resources in a decentralized way. In SOLID, users store their data in Pods, and WAC controls who can access that data, under what conditions, and for what operations. It specifies agents (users or groups) and the modes (read, write, append, control) they are allowed for specific resources.
  • Agents: Individuals, groups, or public users who are assigned permissions.
  • Modes: Define what actions agents can perform, such as:
    • Read: The agent can read or view the resource.
    • Write: The agent can modify or delete the resource.
    • Append: The agent can add new content but cannot modify existing content.
    • Control: The agent can manage access control for the resource.
  • Repo: SOLID Web Access Control (WAC)
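The OPA decision flow above (policies loaded, an input of actor/resource/action evaluated, an allow/deny returned) and WAC's four modes map naturally onto an ActivityPub authz plugin. The following is an added example and not FIRM's own code: a small pluggable authorizer in Python where each policy is a function that may allow, deny or abstain, with WAC-style modes and a default-deny fallback. The policy names, the `Request` shape and the sample Note are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

@dataclass
class Request:
    actor: str   # URI of the actor asking to act (the OPA-style "input")
    mode: str    # WAC mode: read, write, append or control
    obj: dict    # the ActivityPub object the action targets
# A policy returns True (allow), False (deny) or None (no opinion).
Policy = Callable[[Request], Optional[bool]]

def audience(obj: dict) -> List[str]:
    """Normalise to/cc, which ActivityPub allows as a string or a list."""
    out = []
    for key in ("to", "cc"):
        value = obj.get(key, [])
        out.extend([value] if isinstance(value, str) else value)
    return out

def owner_has_control(req: Request) -> Optional[bool]:
    # The actor an object is attributed to holds every mode, including control.
    return True if req.obj.get("attributedTo") == req.actor else None

def public_is_readable(req: Request) -> Optional[bool]:
    # Anything addressed to the Public collection may be read by anyone.
    return True if req.mode == "read" and PUBLIC in audience(req.obj) else None

def addressees_may_reply(req: Request) -> Optional[bool]:
    # Direct addressees may read and append (reply), never write or control.
    if req.actor in audience(req.obj) and req.mode in ("read", "append"):
        return True
    return None

class Authorizer:
    """Evaluate plugin policies in order; the first opinion wins, default deny."""
    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)

    def decide(self, req: Request) -> bool:
        for policy in self.policies:
            verdict = policy(req)
            if verdict is not None:
                return verdict
        return False  # deny by default when no policy has an opinion

DEFAULT = Authorizer([owner_has_control, public_is_readable, addressees_may_reply])
# Constructed sample object: a Note from alice addressed directly to bob.
NOTE = {"id": "https://example.org/notes/1", "type": "Note",
        "attributedTo": "https://example.org/users/alice",
        "to": "https://example.org/users/bob"}
```

A deployment would swap in its own policy list, which is the customization point the FIRM plugin leaves to implementations.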

Oso

  • Type: Authorization library
  • Description: Oso is an authorization framework that allows you to implement role-based access control (RBAC) and attribute-based access control (ABAC) through policy-as-code. It provides a declarative language (Polar) to express rules and conditions for access control. The software is "deprecated", but still supported. I didn't see a recommended replacement mentioned on the GitHub repository. In any case, the source code might be useful for experimentation.
  • Features:
    • Declarative policy language (Polar) for complex access rules.
    • Supports RBAC, ABAC, and other patterns.
    • Integrates easily with Python web applications.
    • Fast and easy to adopt for both simple and complex scenarios.
  • Use case: Ideal for when you need more expressive power over your authorization logic, especially in dynamic environments.
  • Repo: Oso Python
