Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Flaskのセキュリティどうしてます?アクセス制御ライブラリCasbin入門! #pycharity / flask-authz-with-casbin

5dbaf4015e7f249ab21b195ced8e9e46?s=47 Masatoshi Tada
February 24, 2021
0
620

Flaskのセキュリティどうしてます?アクセス制御ライブラリCasbin入門! #pycharity / flask-authz-with-casbin

Python Charity Talks in Japan 2021.02 でのLT資料です。
https://pyconjp.connpass.com/event/199787/

5dbaf4015e7f249ab21b195ced8e9e46?s=128

Masatoshi Tada

February 24, 2021
Tweet

More Decks by Masatoshi Tada

See All by Masatoshi Tada
プロになるためのSpring上級知識 #jsug / advanced-spring-for-professionals
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
3
1.1k
OpenID Connect 1.0 with Spring Security #jjug_ccc #jjug_ccc_b / oidc-with-spring-security
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
1
830
今こそ知りたいSpring DI×AOP / spring-di-aop-for-every-developers
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
4
1.4k
OAuth 2.0 with Spring Security #jjug_ccc #jjug_ccc_b / oauth2-with-spring-security
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
4
1.2k
基礎から分かる!アプリケーション開発者のためのKubernetes入門 / kubernetes-basics-for-application-developers
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
10
3.1k
2時間で分かる!Kubernetesとは何なのか / what-is-kubernetes
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
0
720
Introduction to Resilience4j
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
2
780
SpringOne Platform 2019報告会 -概要、Resilience4j、LT- #jsug / springone-platform-2019
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
0
720
From Hystrix To Resilience4j
5dbaf4015e7f249ab21b195ced8e9e46?s=48 masatoshitada
1
670

Featured

See All Featured
The Power of CSS Pseudo Elements
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
47
3.9k
How GitHub Uses GitHub to Build GitHub
78b475797a14c84799063c7cd073962f?s=48 holman
465
280k
Unsuck your backbone
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
659
55k
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
119
28k
Building Your Own Lightsaber
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
94
4.6k
It's Worth the Effort
Ba530e786553390f3fb271848485681c?s=48 3n
172
25k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
265
21k
Optimizing for Happiness
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
365
63k
BBQ
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
74
7.9k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
597
63k
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
15
36k

Transcript

  1. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 'MBTLͷηΩϡϦςΟ 
 Ͳ͏ͯ͠·͢ʁ

    ΞΫηε੍ޚϥΠϒϥϦ 
 $BTCJOೖ໳ʂ ג ΧαϨΞϧଟాਅහ ೥݄೔ 1ZUIPO$IBSJUZ5BMLTJO+BQBO 1

  2. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ࣗݾ঺հ ▸ ଟాਅහʢ!TVLF@NBTBʣ

    ▸ ݚमτϨʔφʔ!ΧαϨΞϧ ▸ +BWB1ZUIPO(PMBOH 
 .JDSPTFSWJDFT,VCFSOFUFT 2

  3. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ גࣜձࣾΧαϨΞϧ ▸ ଞࣾʹ͸ແ͍৭ʑͳϓϩάϥϛϯάݴޠͷ

    
 ݚमΛఏڙ͍ͯ͠·͢ʂ 3 /&8

  4. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 🎉1ZUIPOݚमϦϦʔε🎉 4 1ZUIPOೖ໳

    
 جຊจ๏ɺϥΠϒϥϦͷར༻ɺ8FCεΫϨΠϐϯά 
 ʢ೔ؒʣ 'MBTLʹΑΔ1ZUIPO8FCΞϓϦέʔγϣϯ։ൃ 
 %#ΞΫηεɺ3&45ɺ+BWB4DSJQU࿈ܞɺηΩϡϦςΟ 
 ʢ೔ؒʣ ࠓ೔͸ίνϥͷ࿩

  5. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 'MBTLݚमͷΧϦΩϡϥϜ 5 1೔໨

    DBΞΫηε(MySQL Connector / Python) RESTͷ։ൃ 2೔໨ JavaScriptΫϥΠΞϯτͱͷ࿈ܞ ΤϥʔϋϯυϦϯά όϦσʔγϣϯ ϩάΠϯɺΞΫηε੍ޚ ࠓ೔͸ίνϥͷ࿩

  6. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ 'MBTLͷΞΫηε੍ޚϥΠϒϥϦ ▸ 'MBTL4FDVSJUZ

    ▸ 'MBTL6TFS ▸ 'MBTL)551"VUI ▸ 'MBTL"VUIPSJ[F 6 🤔 ͲΕ΋ଟػೳ 
 ͩͳ͋…

  7. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ๻͕ཉ͔ͬͨ͠΋ͷ ▸ ػೳ͕γϯϓϧͰ࢖͍΍͍͢

    ▸ 3PMF#BTFE"DDFTT$POUSPM 3#"$ ͕Ͱ͖Δ ▸ ಛఆͷ03.ʹґଘ͠ͳ͍ ▸ ͳΔ΂͘ଞͷηΩϡϦςΟϥΠϒϥϦʹґଘ͠ ͳ͍ 7

  8. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ͦ͜Ͱ$BTCJO 8 https://casbin.org/

  9. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJOͱ͸ ▸ ΋ͱ΋ͱ͸(P੡ͷΞΫηε੍ޚϥΠϒϥϦ

    ▸ ʮೝূʯͰ͸ͳ͘ʮೝՄʯʹಛԽ ▸ ಛఆͷ03.΍ͦͷଞϥΠϒϥϦʹґଘ͠ͳ͍ ▸ pip install casbin 9

  10. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJO͕΍Δ͜ͱ🙆  ʮ୭

    ϩʔϧ ͕ʯʮԿʹʯʮԿΛ͢ΔʯܗࣜͰ 
 ΞΫηεՄ൱Λ൑அ  ΞΫηε੍ޚͷϞσϧͱϙϦγʔͷετϨʔδΛ؅ཧ  ϩʔϧϢʔβʔ΍ϩʔϧϩʔϧͷରԠ෇͚Λ؅ཧ  ʮSPPUʯͳͲͷεʔύʔϢʔβʔΛαϙʔτ  ϧʔϧϚονϯάΛαϙʔτ͢Δෳ਺ͷԋࢉࢠΛఏڙ 10 https://casbin.org/docs/en/overview#what-is-casbin

  11. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJO͕΍Βͳ͍͜ͱ🙅  ೝূʢϢʔβʔ໊ɾύεϫʔυΛϩάΠϯ࣌ʹ

    ݕূɺͱ͔ʣ  Ϣʔβʔ΍ϩʔϧͷҰཡΛ؅ཧʢϓϩδΣΫτ ࣗ਎Ͱ؅ཧͨ͠΄͏͕ศརͳ͸ͣʣ 11 https://casbin.org/docs/en/overview#what-is-casbin

  12. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ϙϦγʔ 12 p,

    USER, /user, GET p, ADMIN, /admin, GET g, ADMIN, USER ▸ ΞΫηεϧʔϧΛهड़ σϑΥϧτͰ͸$47  ▸ Ξμϓλʔ ޙड़ ΛೖΕΔ͜ͱͰɺ༷ʑͳετϨʔδ ʹରԠՄೳ 64&3ϩʔϧ͸VTFSʹ(&5ͰΞΫηεՄೳ "%.*/ϩʔϧ͸64&3ϩʔϧΛܧঝ

  13. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ Ξμϓλʔ ▸ 3%#ͳͲ༷ʑͳετϨʔδ͔ΒϙϦγʔ৘ใΛ

    
 औಘՄೳ ▸ 42-"MDIFNZ"EBQUFS ▸ .POHP&OHJOF"EBQUFS ▸ %ZOBNP%#"EBQUFS ▸ ɾɾɾ 13 https://casbin.org/docs/en/adapters

  14. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ Ϟσϧ ▸ ϙϦγʔͷهड़ํ๏΍ɺϙϦγʔʹج͍ͮͯ

    
 ΞΫηεՄ൱ͷ൑ఆϧʔϧΛςΩετͰهड़ ▸ ͪΐͬͱॻ͖ํ͕Ή͔͍ͣ͠ ▸ ৄࡉˠIUUQTDBTCJOPSHEPDTFOTZOUBYGPS NPEFMT 14

  15. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ Ϟσϧͷॻ͖ํͷྫ 15 [request_definition]

    # enforce()ͷҾ਺ॱΛఆٛ r = sub, obj, act [policy_definition] # ϙϦγʔͷهड़ํ๏Λఆٛ p = sub, obj, act [policy_effect] # ෳ਺ͷϙϦγʔ͕Ϛονͨ͠ࡍͷ൑ఆํ๏Λఆٛ e = some(where (p.eft == allow)) [role_definition] # ϩʔϧͷܧঝؔ܎Λఆٛ g = _, _ [matchers] # ΞΫηεՄ൱ͷ൑ఆํ๏Λఆٛ m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act

  16. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ $BTCJOΛ'MBTLʹ૊ΈࠐΉ 16 enforcer

    = Enforcer('Ϟσϧͷύε', 'ϙϦγʔCSVͷύε') def authorize(): # ϩʔϧɺURLɺϦΫΤετϝιουΛऔಘ sub = current_user.role obj = request.path act = request.method # CasbinʹΑΓΞΫηεՄ൱Λ൑ఆ if enforcer.enforce(sub, obj, act): return None # ੒ޭͨ͠৔߹͸Կ΋͠ͳ͍ else: # ࣦഊͨ͠৔߹͸ΤϥʔΛϨεϙϯε # FlaskͷϦΫΤετલॲཧͱͯ͠ొ࿥ app.before_request(authorize)

  17. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ·ͱΊ ▸ $BTCJO͸

    ▸ ΞΫηε੍ޚʹಛԽͨ͠ϥΠϒϥϦ ▸ γϯϓϧͰ ɾ㱼ɾ ŘŘ 17

  18. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ࢀߟ৘ใ 18 ▸

    ެࣜυΩϡϝϯτ ▸ IUUQTDBTCJOPSHEPDTFOPWFSWJFX ▸ ιʔείʔυ ▸ IUUQTHJUIVCDPNDBTCJOQZDBTCJO

  19. (C) CASAREAL, Inc. All rights reserved. QZDIBSJUZ ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ 19