Mara ACL

Default ACL implementation for mara with the following design choices:

  • Authentication of users is handled externally, e.g. through an OAuth2 proxy. An upstream authentication app manages authentication and then adds an HTTP header identifying the user to each authenticated request.
  • Each user is assigned a single role.
  • Permissions are not based on URLs, but on application-defined "resources". Thus, checking of permissions needs to be done in the application.

The ACL provides a single UI for both user and permission management. Users can be added / removed and their roles can be changed like this:

(screenshot: User management)

New roles are created by moving a user to a new role.

Permissions can be set for

  • an individual user or a whole role,
  • an individual resource, a group of resources or "All" resources.

Individual users inherit permissions from their role, and permissions on higher levels overwrite permissions on lower levels:

(screenshot: User management)

Each new user that is authenticated is automatically created with a default role in the ACL:

(screenshot: User management)

This behavior can be switched off (so that only invited users can join). See config.py for details.
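
The design described above, as an added sketch that is not mara-acl's own code: the application takes the user's identity from the proxy header only when the request arrived through the proxy, auto-creates unknown users unless that is switched off, and checks permissions on resources rather than URLs. The header name, proxy address, role and resource names are assumptions, as is the model that a permission is a grant covering a resource and everything below it.

```python
from dataclasses import dataclass, field

TRUSTED_PROXIES = {"127.0.0.1"}             # assumption: the proxy runs on the same host
IDENTITY_HEADER = "HTTP_X_FORWARDED_EMAIL"  # assumption: WSGI key of the header the proxy sets
DEFAULT_ROLE = "New"                        # hypothetical default role name

# Constructed resource tree (child -> parent); "All" is the root.
PARENTS = {"Reports": "All", "Sales report": "Reports", "Admin": "All"}


@dataclass
class Acl:
    roles: dict = field(default_factory=dict)   # email -> role (one role per user)
    grants: set = field(default_factory=set)    # {((kind, name), resource)}
    auto_create: bool = True                    # False = only invited users can join

    def current_user(self, environ):
        """Identify the user of a WSGI request from the proxy's header."""
        # The header is only meaningful if the authentication proxy wrote it,
        # so requests that reach the app from anywhere else are rejected.
        if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
            raise PermissionError("request bypassed the authentication proxy")
        # Normalise so the same address never maps to two users.
        email = environ.get(IDENTITY_HEADER, "").strip().lower()
        if not email:
            raise PermissionError("missing identity header")
        if email not in self.roles:
            if not self.auto_create:
                raise PermissionError("user has not been invited")
            self.roles[email] = DEFAULT_ROLE
        return email

    def is_allowed(self, email, resource):
        """True if the user or their role holds a grant on the resource or an ancestor."""
        principals = {("user", email), ("role", self.roles[email])}
        while resource is not None:
            if any((p, resource) in self.grants for p in principals):
                return True
            resource = PARENTS.get(resource)  # walk up: resource -> group -> "All"
        return False
```

The source-address check is one way to tie the header to the proxy; a deployment can get the same effect by making the application reachable only from the proxy and having the proxy overwrite any client-supplied copy of the header.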

Please have a look at the mara example application for how to integrate this ACL implementation.