MBAC - Method based access control
MBAC is a design pattern that I've been experimenting with, following the HTTP request method verbs as a means of access control.
The 3 key components of MBAC:
- subject - The subject wanting to act on a resource
- method - The access method
- resource - The resource the subject wants to act the method upon
The HTTP methods used in MBAC can be mapped to the following actions:
| HTTP Method | Act |
|---|---|
| GET | Read |
| POST | Create |
| PUT | Update |
| PATCH | Update |
| DELETE | Delete |
TODO: Make a distinction between PUT and PATCH or remove PUT as an access method
The MBAC model:
class MBAC(Document):
meta = {
"indexes": ["subject", "resource"]
}
subject = DynamicField(required=True)
methods = List(required=True, choices=["GET", "POST", "PUT", "PATCH", "DELETE"])
resource = DynamicField(required=True, unique_with="subject")
Checking access:
def check_access(subject, methods, resource):
""" Check if a subject can perform specific methods against a resource
Args:
subject: The subject
methods (list): Methods to chack
resource: The resource
Returns:
bool: True if the subject has access, else False
"""
if MBAC.objects(subject=subject, methods=methods, resource=resource):
return True
return False
- The subject can be anything, a string, a database reference, a user id
- The resource can also be anything - A database reference, a string, an ID, an endpoint
The MBAc model can be used to control access to endpoints, as well as database objects:
subject = get_user(id="12345")
methods = ["GET", "PATCH", "DELETE"]
resource = f"/api/users/{subject.id}" # /api/users/12345
TODO: Update this article after more experimentation
Related items
Building scalable Flask applications from the start using the application factory pattern, blueprints and the current_app proxy
Debugging and connecting to an Azure Cosmos DB using the MongoDB API using PyMongo, PyMODM and MongoEngine
Harnessing the power of Pythons enumerations and exploring the enum module
A handy Python snippet for web developers