[Twisted-Python] Authentication & Access Control system for web services
I have a REST service I have implemented using twisted.web. Based upon a new requirement I need to put role-based access control security on the service and am trying to find the most twisted way to do it.

I would like to have:

- Username / password login that is checked against a backend database
- Roles and associated privileges associated with each user
- Administration interface to edit users, roles, and privileges
- "Simple" way to configure the access control requirements on the services. (ex: which services need which roles)

Before I roll my own code I wanted to check and see if there are any addons for this or if anyone else had attacked this problem with twisted and had some open source code I could look at.

I have found a couple of projects for WSGI that I may try to pull ideas from, but I haven't yet found anything that uses the twisted resource model. (http://authkit.org/, http://docs.repoze.org/who/2.0/)

Any pointers to twisted projects I could leverage?

-Allen
Hi Allen,

There's Twisted Cred you could build something on. I've also got a framework my company built internally on top of Twisted Web that I've been planning to open source once we make the unit tests more robust. Would be happy to share it with you. You decorate the render_ method with the permissions the caller must possess.

-J

Sent via iPhone

Is your e-mail Premiere?

On Mar 7, 2011, at 8:19, Allen Bierbaum <abierbaum@gmail.com> wrote:

> I have a REST service I have implemented using twisted.web. Based upon a new requirement I need to put role-based access control security on the service and am trying to find the most twisted way to do it.
>
> I would like to have:
>
> - Username / password login that is checked against a backend database
> - Roles and associated privileges associated with each user
> - Administration interface to edit users, roles, and privileges
> - "Simple" way to configure the access control requirements on the services. (ex: which services need which roles)
>
> Before I roll my own code I wanted to check and see if there are any addons for this or if anyone else had attacked this problem with twisted and had some open source code I could look at.
>
> I have found a couple of projects for WSGI that I may try to pull ideas from, but I haven't yet found anything that uses the twisted resource model. (http://authkit.org/, http://docs.repoze.org/who/2.0/)
>
> Any pointers to twisted projects I could leverage?
>
> -Allen
>
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python@twistedmatrix.com
> http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
I would be interested to see anything you have and are willing to share. I don't want to roll my own, but it looks like I am going to have to and the more I can learn from what you have done, the better. :)

-Allen

On Mon, Mar 7, 2011 at 11:13 AM, Jason J. W. Williams <jasonjwwilliams@gmail.com> wrote:

> Hi Allen,
>
> There's Twisted Cred you could build something on. I've also got a framework my company built internally on top of Twisted Web that I've been planning to open source once we make the unit tests more robust. Would be happy to share it with you. You decorate the render_ method with the permissions the caller must possess.
>
> -J
>
> Sent via iPhone
>
> Is your e-mail Premiere?
>
> On Mar 7, 2011, at 8:19, Allen Bierbaum <abierbaum@gmail.com> wrote:
>
> > I have a REST service I have implemented using twisted.web. Based upon a new requirement I need to put role-based access control security on the service and am trying to find the most twisted way to do it.
> >
> > I would like to have:
> >
> > - Username / password login that is checked against a backend database
> > - Roles and associated privileges associated with each user
> > - Administration interface to edit users, roles, and privileges
> > - "Simple" way to configure the access control requirements on the services. (ex: which services need which roles)
> >
> > Before I roll my own code I wanted to check and see if there are any addons for this or if anyone else had attacked this problem with twisted and had some open source code I could look at.
> >
> > I have found a couple of projects for WSGI that I may try to pull ideas from, but I haven't yet found anything that uses the twisted resource model. (http://authkit.org/, http://docs.repoze.org/who/2.0/)
> >
> > Any pointers to twisted projects I could leverage?
> >
> > -Allen
I have been looking into this further and decided on an API that works as follows:

- Use HTTPS for all requests
- POST to /session to create a new session token
  - pass in username and password as parameters
  - returns token string to be used for all further communication
- All further requests must have the token string which is used to lookup the user/session
  - on the server, the token will map to a user object to give me information about their access rights, etc.

Now the question is how does this fit into twisted's view of the world. The twisted web in 60 seconds tutorials [1] seem focused on using HTTP Auth for credential checking and an internal cookie (TWISTED_SESSION) for session management. Is there an easy way to adapt these to my needs or do I need to roll my own code for this type of twisted.web usage?

-Allen

[1] http://twistedmatrix.com/documents/current/web/howto/web-in-60/index.html

On Mon, Mar 7, 2011 at 9:19 AM, Allen Bierbaum <abierbaum@gmail.com> wrote:

> I have a REST service I have implemented using twisted.web. Based upon a new requirement I need to put role-based access control security on the service and am trying to find the most twisted way to do it.
>
> I would like to have:
>
> - Username / password login that is checked against a backend database
> - Roles and associated privileges associated with each user
> - Administration interface to edit users, roles, and privileges
> - "Simple" way to configure the access control requirements on the services. (ex: which services need which roles)
>
> Before I roll my own code I wanted to check and see if there are any addons for this or if anyone else had attacked this problem with twisted and had some open source code I could look at.
>
> I have found a couple of projects for WSGI that I may try to pull ideas from, but I haven't yet found anything that uses the twisted resource model. (http://authkit.org/, http://docs.repoze.org/who/2.0/)
>
> Any pointers to twisted projects I could leverage?
>
> -Allen
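The token-per-session design sketched in the message above, as an added example that is not code from the thread or from Twisted: `SessionStore`, `make_user`, `FakeRequest` and `UsersAdmin` are constructed names, `require_roles` is a hypothetical decorator for `render_*` methods in the style Jason describes, and the request stub exposes only the twisted.web `Request` methods `getHeader` and `setResponseCode` so the block runs without Twisted installed.

```python
import hashlib, secrets, time
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def make_user(password, roles):  # the record holds a salted hash, never the password
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _pbkdf2(password, salt), "roles": set(roles)}
class SessionStore:
    """POST /session issues a bearer token; later requests resolve it back to a user record."""
    def __init__(self, users, ttl=3600):
        self.users, self.ttl, self._sessions = users, ttl, {}  # sha256(token) -> (user, expiry)

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(_pbkdf2(password, user["salt"]), user["pw_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a leaked session table cannot be replayed.
        self._sessions[hashlib.sha256(token.encode()).hexdigest()] = (username, time.time() + self.ttl)
        return token

    def resolve(self, token):
        entry = self._sessions.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or entry[1] < time.time():  # unknown, revoked or expired
            return None
        return self.users[entry[0]]

def require_roles(store, *roles):
    """Wrap a render_* method: valid token required (else 401), every listed role required (else 403)."""
    def deco(method):
        def wrapper(self, request):
            auth = request.getHeader("authorization") or ""
            user = store.resolve(auth[7:]) if auth.startswith("Bearer ") else None
            if user is None:
                request.setResponseCode(401)
                return b"unauthorized"
            if not set(roles) <= user["roles"]:
                request.setResponseCode(403)
                return b"forbidden"
            return method(self, request)
        return wrapper
    return deco
# Constructed sample users and a stand-in for the two twisted.web Request methods used above.
STORE = SessionStore({"alice": make_user("s3cret", ["admin", "user"]), "bob": make_user("hunter2", ["user"])})
class FakeRequest:
    def __init__(self, headers): self.headers, self.code = headers, 200
    def getHeader(self, name): return self.headers.get(name.lower())
    def setResponseCode(self, code): self.code = code
class UsersAdmin:  # in a real service this would subclass twisted.web.resource.Resource
    @require_roles(STORE, "admin")
    def render_GET(self, request): return b"user list"
```

Over HTTPS the bearer token takes the place of the TWISTED_SESSION cookie; the server keeps only the token's hash and drops it after `ttl` seconds, so a dumped session table or a stale token is of no use to a caller.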
Allen,

In my very limited experience with Twisted,

On Thu, 2011-03-10 at 14:01 -0600, Allen Bierbaum wrote:

> I have been looking into this further and decided on an API that works as follows:
>
> - Use HTTPS for all requests
> - POST to /session to create a new session token
>   - pass in username and password as parameters
>   - returns token string to be used for all further communication

In the non-https case, roll a salt and other items (ip address, user agent, etc) into a secondary session key on the server.

> - All further requests must have the token string which is used to lookup the user/session
>   - on the server, the token will map to a user object to give me information about their access rights, etc.

that's all I've ever needed: use the session key (token) to access an object array - the accessed object has all the twisty magic.

> Now the question is how does this fit into twisted's view of the world. The twisted web in 60 seconds tutorials [1] seem focused on using HTTP Auth for credential checking and an internal cookie (TWISTED_SESSION) for session management. Is there an easy way to adapt these to my needs or do I need to roll my own code for this type of twisted.web usage?

Now you've gone back to credentials - this is outside of my experience with Twisted. Sessions are simple enough with Python alone in a twisted app. I'll need to use credentials soon so I hope you get an answer.

Anybody using OpenID or webID instead of login/password? Could be better...

> -Allen

George
--
George Pauly
Ring Development
www.ringdevelopment.com
I believe this implements OAuth 2 for Twisted using Twisted Cred: https://github.com/simplegeo/txoauth

-J

On Thu, Mar 10, 2011 at 2:16 PM, George Pauly <george@ringdevelopment.com> wrote:

> Allen,
>
> In my very limited experience with Twisted,
>
> On Thu, 2011-03-10 at 14:01 -0600, Allen Bierbaum wrote:
>
> > I have been looking into this further and decided on an API that works as follows:
> >
> > - Use HTTPS for all requests
> > - POST to /session to create a new session token
> >   - pass in username and password as parameters
> >   - returns token string to be used for all further communication
>
> In the non-https case, roll a salt and other items (ip address, user agent, etc) into a secondary session key on the server.
>
> > - All further requests must have the token string which is used to lookup the user/session
> >   - on the server, the token will map to a user object to give me information about their access rights, etc.
>
> that's all I've ever needed: use the session key (token) to access an object array - the accessed object has all the twisty magic.
>
> > Now the question is how does this fit into twisted's view of the world. The twisted web in 60 seconds tutorials [1] seem focused on using HTTP Auth for credential checking and an internal cookie (TWISTED_SESSION) for session management. Is there an easy way to adapt these to my needs or do I need to roll my own code for this type of twisted.web usage?
>
> Now you've gone back to credentials - this is outside of my experience with Twisted. Sessions are simple enough with Python alone in a twisted app. I'll need to use credentials soon so I hope you get an answer.
>
> Anybody using OpenID or webID instead of login/password? Could be better...
>
> > -Allen
>
> George
> --
> George Pauly
> Ring Development
> www.ringdevelopment.com
participants (3)

- Allen Bierbaum
- George Pauly
- Jason J. W. Williams