Arrthorizer
Dynamic and Static Access Control for your Rails Application
What is the problem?
Authorization is hard. We can't even agree on its spelling.
- Static access control: 'administrators can do anything they damn well please'
- Dynamic access control: 'people are only allowed to edit their own forum posts'
What's the Problem? (2)
In some cases, authorization is even harder than otherwise:
- Multi-deployment applications where authorization might depend on what the organization wants
- i.e., Coconut.
What's the Problem? (3)
- Developers have an opinion on authorizations
- So do the client organizations
- Code changes and evolves - and so do privileges
- How to grant or revoke - permanently, without the next deploy potentially undoing your configuration because "stuff changed"?
History (1)
Way back when, in 2010 (Terminal): first attempt at dynamic access control.
Put some code in the database and eval() it. Problems? A gazillion. For example, debugging is hell. Transparency is out the window. Maintainability is non-existent.
History (2)
Second attempt: CBAC (Context Based Access Control)
Some great ideas, some awful and outdated code. Not actively maintained and not well-tested.
History (3)
Two developers who were more or less fed up with not-really-maintaining CBAC and the code required to "glue" it to Coconut...
...went to ArrrrCamp and started coding "something better."
Arrthorizer's Principles:
- Implement dynamic and static access control
- Mountable engine (reusable sub-application)
- Easy installation
- Self-documenting
- Simple and easy (which is hard to do)
- Integrates with your code (like groups for static access control)
Concepts (1): ContextRole
You implement all ContextRoles with one instance method:
  class MessageAuthor < Arrthorizer::ContextRole
    def applies_to_user?(user, context)
      context.message.author == user
    end
  end
Concepts (2): Context
You configure context builders in your controllers:
  to_prepare_context do |c|
    c.defaults do
      { message: message }
    end
  end

  def message
    @message ||= Message.find params[:id]
  end
Concepts (3): Configuration
A simple YAML file provides the link between controller actions and context roles:
  read_message:            # any name will do, as long as it's unique
    actions:
      - messages:          # controller_name
          - show           # action_name
    roles:
      - MessageAuthor      # any Arrthorizer::Group or Arrthorizer::ContextRole
Concepts (4): Groups
Group membership logic is owned by your app
  Arrthorizer.configure do
    check_group_membership_using SomeServiceObject
  end
Dependency injection: a default implementation will be provided as a separate plugin.
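To show how the four concepts fit together, here is an added example (not Arrthorizer's own code) that wires a ContextRole, a Group, a privilege file in the YAML shape above, and an injected membership check into one deny-by-default decision. The `Moderators` group, the `Authorizer` class and the callable passed as the group check are constructed stand-ins for what the engine and the host app would provide.

```ruby
require "yaml"

# Constructed stand-ins for the objects on the slides (not Arrthorizer's own code).
User    = Struct.new(:name)
Message = Struct.new(:author)
Context = Struct.new(:message)

# Dynamic rule (ContextRole): decided per request from the built context.
class MessageAuthor
  def self.applies_to_user?(user, context)
    context.message.author == user
  end
end

# Static rule (Group): a marker class; membership logic stays in the host
# app and is injected, as with `check_group_membership_using SomeServiceObject`.
class Moderators; end

# Constructed privilege file in the YAML shape shown on the configuration slide.
PRIVILEGES = YAML.safe_load(<<~PRIV)
  read_message:
    actions:
      - messages:
          - show
    roles:
      - MessageAuthor
      - Moderators
PRIV

class Authorizer
  # group_check: hypothetical injected callable, (user, group) -> true/false
  def initialize(privileges, group_check)
    @privileges, @group_check = privileges, group_check
  end

  # Deny by default: allow only if a privilege covers controller/action
  # and the user satisfies at least one of its roles.
  def permitted?(user, controller, action, context)
    @privileges.values.any? do |priv|
      priv["actions"].any? { |e| e.fetch(controller, []).include?(action) } &&
        priv["roles"].any? { |r| role_applies?(Object.const_get(r), user, context) }
    end
  end

  # A class answering applies_to_user? is a ContextRole; anything else is a Group.
  def role_applies?(role, user, context)
    return role.applies_to_user?(user, context) if role.respond_to?(:applies_to_user?)
    @group_check.call(user, role)
  end
end
```

With a message authored by one user and a second user in the `Moderators` group, `permitted?(user, "messages", "show", context)` is true for both and false for anyone else, and any controller/action pair absent from the privilege file is refused.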
Live Demo
aka
The part where everything blows up in my face
By reneb