Arrthorizer

Dynamic and Static Access Control
for your Rails Application



What is the problem?

Authorization is hard. We can't even agree on its spelling.

  • Static access control: 'administrators can do anything they damn well please'
  • Dynamic access control: 'people are only allowed to edit their own forum posts'

What's the Problem? (2)

In some cases, authorization is harder still:

  • Multi-deployment applications where authorization might depend on what the organization wants
    • i.e., Coconut.

What's the Problem? (3)


  • Developers have an opinion on authorizations
  • So do the client organizations
  • Code changes and evolves - and so do privileges
    • How to grant or revoke - permanently, without the next deploy potentially undoing your configuration because "stuff changed"?

History (1)

Way back when, in 2010 (Terminal): first attempt at dynamic access control.

Put some code in the database and eval() it. Problems? A gazillion. For example, debugging is hell. Transparency is out the window. Maintainability is non-existent.

History (2)

Second attempt: CBAC (Context Based Access Control)

Some great ideas, some awful and outdated code. Not actively maintained and not well-tested.

History (3)

Two developers who were more or less fed up with not-really-maintaining CBAC and the code required to "glue" it to Coconut...

...went to ArrrrCamp and started coding "something better."

Arrthorizer's Principles:

  • Implement dynamic and static access control
  • Mountable engine (reusable sub-application)
  • Easy installation
  • Self-documenting
  • Simple and easy (which is hard to do)
  • Integrates with your code (like groups for static access control)

Concepts (1): ContextRole


You implement all ContextRoles with one instance method:

class MessageAuthor < Arrthorizer::ContextRole
  def applies_to_user?(user, context)
    context.message.author == user
  end
end



Concepts (2): Context

You configure context builders in your controllers:

to_prepare_context do |c|
  c.defaults do
    { message: message }
  end
end

def message
  @message ||= Message.find params[:id]
end

Concepts (3): Configuration


A simple YAML file provides the link between controller actions and context roles:

read_message:        # any name will do, as long as it's unique.
  actions:
    - messages:      # controller_name
      - show         # action_name
  roles:
    - MessageAuthor  # any Arrthorizer::Group or Arrthorizer::ContextRole

Concepts (4): Groups


Group membership logic is owned by your app:

Arrthorizer.configure do
  check_group_membership_using SomeServiceObject
end

Dependency injection. A default implementation will be provided as a separate plugin.
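To show how the four concepts fit together (a ContextRole evaluated per request, a Group resolved by an injected membership service, a YAML file linking controller actions to roles, and default deny for anything not configured), here is an added, self-contained toy example. It is not the arrthorizer gem's code and does not use its API: the ToyAuthorizer and ToyRoles namespaces, the StaticMembership service, the sample users and messages, and the YAML (written with explicit list indentation) are all constructed for this example.

```ruby
require "yaml"

# Toy re-implementation of the slide's concepts (NOT the arrthorizer gem):
# a ContextRole decides dynamically against the request context, a Group is
# static and resolved by a service object the host app injects, and a YAML
# file links controller actions to the roles allowed to run them.
module ToyAuthorizer
  # Dynamic access control: subclasses implement one instance method.
  class ContextRole
    def applies_to_user?(_user, _context)
      raise NotImplementedError, "#{self.class} must implement applies_to_user?"
    end
  end

  # Static access control: membership is owned by the app (dependency injection).
  class Group
    def self.applies_to_user?(user, _context, membership_service)
      membership_service.member?(user, name.split("::").last)
    end
  end

  class Config
    attr_reader :membership_service

    def initialize(yaml, membership_service:)
      @membership_service = membership_service
      @rules = {} # { ["messages", "show"] => ["MessageAuthor", "Administrators"] }
      YAML.safe_load(yaml).each_value do |privilege|
        privilege.fetch("actions").each do |entry|
          entry.each do |controller, actions|
            actions.each do |action|
              (@rules[[controller, action]] ||= []).concat(privilege.fetch("roles"))
            end
          end
        end
      end
    end

    # Default deny: an action absent from the YAML is never authorized.
    def authorized?(user, controller:, action:, context:)
      @rules.fetch([controller, action], []).any? do |role_name|
        # inherit=false confines the lookup to ToyRoles, so a config typo or a
        # tampered file cannot resolve to arbitrary top-level constants.
        role = ToyRoles.const_get(role_name, false)
        if role < ContextRole
          role.new.applies_to_user?(user, context)
        elsif role <= Group
          role.applies_to_user?(user, context, membership_service)
        else
          false
        end
      end
    end
  end
end

# Constructed sample domain (hypothetical, not from the slides).
User    = Struct.new(:name)
Message = Struct.new(:author)

module ToyRoles
  # Dynamic: the requesting user must be the author of the message in context.
  class MessageAuthor < ToyAuthorizer::ContextRole
    def applies_to_user?(user, context)
      context[:message].author == user
    end
  end

  # Static: membership is decided by the injected service, not by this class.
  class Administrators < ToyAuthorizer::Group; end
end

# Stand-in for the app's membership service object (hypothetical).
class StaticMembership
  def initialize(groups)
    @groups = groups # { "Administrators" => [user, ...] }
  end

  def member?(user, group_name)
    @groups.fetch(group_name, []).include?(user)
  end
end

RULES_YAML = <<~YAML
  read_message:            # any unique name
    actions:
      - messages:          # controller_name
          - show           # action_name
    roles:
      - MessageAuthor      # a ContextRole (dynamic)
      - Administrators     # a Group (static)
  delete_message:
    actions:
      - messages:
          - destroy
    roles:
      - Administrators
YAML

ALICE, BOB, CAROL = %w[alice bob carol].map { |n| User.new(n) }
AUTHZ = ToyAuthorizer::Config.new(
  RULES_YAML,
  membership_service: StaticMembership.new("Administrators" => [CAROL])
)

# Convenience wrapper for the messages controller, as a controller filter would call it.
def can?(user, action, message)
  AUTHZ.authorized?(user, controller: "messages", action: action, context: { message: message })
end

if __FILE__ == $PROGRAM_NAME
  msg = Message.new(ALICE)
  puts can?(ALICE, "show", msg)    # true  (author, dynamic role)
  puts can?(BOB, "show", msg)      # false (neither author nor admin)
  puts can?(CAROL, "show", msg)    # true  (Administrators group, static)
  puts can?(ALICE, "destroy", msg) # false (only Administrators may destroy)
  puts can?(CAROL, "edit", msg)    # false (unconfigured action, default deny)
end
```

Two design choices matter here. The action-to-roles table is built once from the YAML, so the decision at request time is a lookup plus at most a few role checks, and a missing entry denies rather than falls through. Role names from the config are resolved only inside the ToyRoles namespace with inheritance disabled, which keeps a configuration file from naming code outside the set of roles you intended to expose.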

Live Demo


aka

The part where everything blows up in my face

Arrthorizer

By reneb
