MBAC - Method based access control
MBAC is a design pattern I've been experimenting with: it uses the HTTP request method verbs as the vocabulary for access control, so a grant says which verbs a subject may send at a resource.
The 3 key components of MBAC:
- subject - The subject wanting to act on a resource
- method - The access method, expressed as an HTTP verb
- resource - The resource the subject wants to apply the method to
The HTTP methods used in MBAC map to the following actions:

HTTP Method | Action |
---|---|
GET | Read |
POST | Create |
PUT | Update |
PATCH | Update |
DELETE | Delete |
TODO: Make a distinction between PUT and PATCH or remove PUT as an access method
The MBAC model (MongoEngine):

```python
from mongoengine import Document, DynamicField, ListField, StringField


class MBAC(Document):
    meta = {
        "indexes": ["subject", "resource"]
    }
    subject = DynamicField(required=True)
    # ListField has no choices of its own; the choices constrain each element
    methods = ListField(StringField(choices=["GET", "POST", "PUT", "PATCH", "DELETE"]), required=True)
    # unique_with gives one grant document per (subject, resource) pair
    resource = DynamicField(required=True, unique_with="subject")
```
Checking access:

```python
def check_access(subject, methods, resource):
    """Check if a subject can perform every one of `methods` against a resource

    Args:
        subject: The subject
        methods (list): Methods to check; all of them must be granted
        resource: The resource

    Returns:
        bool: True if the subject has access, else False
    """
    if not methods:
        return False
    # methods__all matches a grant that contains every requested method, in any
    # order. A plain methods=methods query would only match an identical list,
    # so a grant of ["GET", "PATCH", "DELETE"] would fail a check for ["GET"].
    return MBAC.objects(subject=subject, resource=resource, methods__all=methods).first() is not None
```
- The subject can be anything: a string, a database reference, a user ID
- The resource can also be anything: a database reference, a string, an ID, an endpoint
The MBAC model can be used to control access to endpoints, as well as database objects:

```python
subject = get_user(id="12345")
methods = ["GET", "PATCH", "DELETE"]
resource = f"/api/users/{subject.id}"  # /api/users/12345
# Grant the user read/update/delete on their own record, then check a subset of it
MBAC(subject=subject, methods=methods, resource=resource).save()
check_access(subject, ["GET", "PATCH"], resource)  # every requested method is granted
```
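The two points a practitioner wants to see worked through are the subset semantics of the check (every requested method must be granted, order and case independent, deny by default) and the mapping of an incoming request onto a grant. The block below is an added example, not code from the original article: `MBACStore`, `grant`, `revoke`, `authorize_request` and the constructed grants are assumptions for illustration, standing in for the MongoEngine model so the example runs without a database while keeping the same (subject, resource) uniqueness and `methods__all` behaviour.

```python
"""In-memory stand-in for the MBAC model (added example; not the article's code)."""

# Same vocabulary as the MBAC document's `methods` choices.
METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")
ACTIONS = {"GET": "Read", "POST": "Create", "PUT": "Update",
           "PATCH": "Update", "DELETE": "Delete"}


class MBACStore:
    """Holds one grant per (subject, resource) pair, like `unique_with="subject"`."""

    def __init__(self):
        # (subject, resource) -> frozenset of granted methods
        self._grants = {}

    def grant(self, subject, methods, resource):
        """Create or replace the grant for (subject, resource)."""
        normalized = {m.upper() for m in methods}
        unknown = normalized - set(METHODS)
        if unknown:
            # Mirrors the model's `choices` validation: refuse unknown verbs.
            raise ValueError(f"unknown methods: {sorted(unknown)}")
        self._grants[(subject, resource)] = frozenset(normalized)

    def revoke(self, subject, resource):
        """Remove the grant; later checks fall back to deny."""
        self._grants.pop((subject, resource), None)

    def check_access(self, subject, methods, resource):
        """True only if every requested method is granted (the `methods__all` semantics).

        Deny by default: no grant, an empty request, or an unknown verb all return False.
        """
        wanted = {m.upper() for m in methods}
        if not wanted or not wanted <= set(METHODS):
            return False
        granted = self._grants.get((subject, resource), frozenset())
        return wanted <= granted

    def authorize_request(self, subject, http_method, path):
        """Decide an incoming request: (allowed, action) with the action from the table."""
        verb = http_method.upper()
        action = ACTIONS.get(verb)
        if action is None:
            # Verb outside the MBAC vocabulary (HEAD, OPTIONS, TRACE, ...): deny.
            return False, None
        return self.check_access(subject, [verb], path), action


def demo():
    """Constructed grants: user 12345 may read, update and delete their own record."""
    store = MBACStore()
    store.grant("12345", ["GET", "PATCH", "DELETE"], "/api/users/12345")
    results = {
        "own_get": store.authorize_request("12345", "GET", "/api/users/12345"),
        "own_post": store.authorize_request("12345", "POST", "/api/users/12345"),
        "other_get": store.authorize_request("12345", "GET", "/api/users/67890"),
        "subset": store.check_access("12345", ["patch", "get"], "/api/users/12345"),
        "trace": store.authorize_request("12345", "TRACE", "/api/users/12345"),
    }
    store.revoke("12345", "/api/users/12345")
    results["after_revoke"] = store.check_access("12345", ["GET"], "/api/users/12345")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The resource key is the exact path, so a grant on `/api/users/12345` says nothing about `/api/users/67890`; scoping the resource to the caller's own ID is what stops one user from reaching another's record. Verbs the table does not list are denied outright rather than mapped to the nearest action.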
TODO: Update this article after more experimentation