How do you handle security in Flask? An introduction to the access-control library Casbin! #pycharity / flask-authz-with-casbin
Masatoshi Tada
February 24, 2021
Lightning-talk slides from Python Charity Talks in Japan 2021.02.
https://pyconjp.connpass.com/event/199787/
Transcript
(C) CASAREAL, Inc. All rights reserved. #pycharity
How do you handle security in Flask? An introduction to the access-control library Casbin! / CASAREAL Inc., Masatoshi Tada / February 2021, Python Charity Talks in Japan (slide 1)
About me (slide 2) ▸ Masatoshi Tada (@suke_masa) ▸ Training instructor at CASAREAL ▸ Java, Python, Golang, Microservices, Kubernetes
CASAREAL, Inc. (slide 3) ▸ We offer training in a wide range of programming languages that other companies don't! NEW
🎉 Python training courses released 🎉 (slide 4) ▸ Introduction to Python: basic syntax, using libraries, web scraping (… hours) ▸ Python web application development with Flask: DB access, REST, JavaScript integration, security (… hours) ← today's talk is about this one
Curriculum of the Flask course (slide 5) ▸ 1: DB access (MySQL Connector/Python), developing REST APIs ▸ 2: integration with JavaScript clients, error handling, validation, login and access control ← today's talk is about this part
Access-control libraries for Flask (slide 6) ▸ Flask-Security ▸ Flask-User ▸ Flask-HTTPAuth ▸ Flask-Authorize 🤔 They all have so many features…
What I wanted (slide 7) ▸ A simple feature set that is easy to use ▸ Supports Role-Based Access Control (RBAC) ▸ Does not depend on a specific ORM ▸ Depends as little as possible on other security libraries
Enter Casbin (slide 8) https://casbin.org/
What is Casbin? (slide 9) ▸ An access-control library (ports exist for Go and other languages) ▸ Specialises in authorization, not authentication ▸ Does not depend on a specific ORM or other libraries ▸ pip install casbin
What Casbin does 🙆 (slide 10) ▸ Decides whether access is allowed, in the form "who (which role)" does "which action" on "which object" ▸ Manages the access-control model and the storage of policies ▸ Manages role-to-user and role-to-role mappings ▸ Supports superusers such as "root" ▸ Provides multiple operators for rule matching — https://casbin.org/docs/en/overview#what-is-casbin
What Casbin does NOT do 🙅 (slide 11) ▸ Authentication (e.g. verifying the username and password at login) ▸ Managing the list of users and roles (it is more convenient for the project to manage those itself) — https://casbin.org/docs/en/overview#what-is-casbin
Policy (slide 12)
    p, USER, /user, GET
    p, ADMIN, /admin, GET
    g, ADMIN, USER
▸ Describes the access rules; CSV by default ▸ By plugging in an adapter (described later), many kinds of storage can be used. Reading the lines above: the USER role may access /user with GET; the ADMIN role inherits the USER role
Adapters (slide 13) ▸ Policy data can be loaded from various storage backends such as relational databases ▸ SQLAlchemy Adapter ▸ MongoEngine Adapter ▸ DynamoDB Adapter ▸ … https://casbin.org/docs/en/adapters
Model (slide 14) ▸ A text file that defines how policies are written and the rules for deciding, based on those policies, whether access is allowed ▸ The syntax is a little tricky to write ▸ Details → https://casbin.org/docs/en/syntax-for-models
Example of a model definition (slide 15)
    [request_definition]
    # Defines the order of the arguments to enforce()
    r = sub, obj, act

    [policy_definition]
    # Defines how policy lines are written
    p = sub, obj, act

    [policy_effect]
    # Defines how the decision is made when several policies match
    e = some(where (p.eft == allow))

    [role_definition]
    # Defines the role inheritance relation
    g = _, _

    [matchers]
    # Defines how access is decided: the subject holds (or inherits) the policy's role,
    # the path matches the policy's path pattern, and the method is equal
    m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act
Integrating Casbin into Flask (slide 16)
    from casbin import Enforcer
    from flask import Flask, request, abort
    # current_user is assumed to come from the app's login layer (e.g. Flask-Login);
    # the slide does not show where it is imported from
    from flask_login import current_user

    app = Flask(__name__)
    enforcer = Enforcer('path to the model file', 'path to the policy CSV')

    def authorize():
        # Get the role, the URL path and the request method
        sub = current_user.role
        obj = request.path
        act = request.method
        # Let Casbin decide whether access is allowed
        if enforcer.enforce(sub, obj, act):
            return None  # allowed: do nothing and let the view run
        else:
            # denied: respond with an error (403 here; the slide leaves the exact response open)
            abort(403)

    # Register it as a Flask before-request hook
    app.before_request(authorize)
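The policy and model from slides 12 and 15, and the before_request check from slide 16, worked through as an added Python example that is not part of the original deck and does not use pycasbin or Flask. It re-implements just enough of the matcher g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act and the some(where (p.eft == allow)) effect in plain Python, over the slide's three policy lines, so the role inheritance and the deny-by-default outcome can be traced by hand. The names parse_policy, key_match, has_role, enforce and authorize are chosen here; authorize mirrors the slide's hook but returns a status code instead of calling Flask's abort. It goes one step beyond the slide by adding a constructed wildcard rule (p, ADMIN, /admin/*, GET), which is what keyMatch, as opposed to plain string equality, exists for.

```python
# Added example: a minimal re-implementation of the slide's Casbin model semantics.
# Not pycasbin; for real applications use `pip install casbin` and casbin.Enforcer.
from collections import deque

# Constructed policy: the three lines from the slide plus one wildcard rule
# to show what keyMatch adds over exact string comparison.
POLICY_CSV = """\
p, USER, /user, GET
p, ADMIN, /admin, GET
p, ADMIN, /admin/*, GET
g, ADMIN, USER
"""


def parse_policy(text):
    """Split CSV policy text into p-rules (sub, obj, act) and g-rules (child, parent)."""
    p_rules, g_rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 4:
            p_rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            g_rules.append((fields[1], fields[2]))
    return p_rules, g_rules


def key_match(key1, key2):
    """Casbin's keyMatch: a '*' in the pattern matches any suffix from that
    position on; without '*' the two strings must be equal."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    return key1[:i] == key2[:i]


def has_role(sub, role, g_rules):
    """g(r.sub, p.sub): true when sub equals role or inherits it, transitively."""
    seen, queue = {sub}, deque([sub])
    while queue:
        current = queue.popleft()
        if current == role:
            return True
        for child, parent in g_rules:
            if child == current and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return False


def enforce(sub, obj, act, policy_text=POLICY_CSV):
    """Policy effect some(where (p.eft == allow)): allow if any p-rule matches.
    No matching rule means the request is denied, which is the safe default."""
    p_rules, g_rules = parse_policy(policy_text)
    return any(
        has_role(sub, p_sub, g_rules) and key_match(obj, p_obj) and act == p_act
        for p_sub, p_obj, p_act in p_rules
    )


def authorize(role, path, method):
    """Framework-free stand-in for the slide's before_request hook:
    None means 'continue to the view', 403 means 'reject the request'."""
    return None if enforce(role, path, method) else 403


if __name__ == "__main__":
    checks = [("USER", "/user", "GET"), ("ADMIN", "/user", "GET"),
              ("USER", "/admin", "GET"), ("ADMIN", "/admin/users", "GET"),
              ("ADMIN", "/admin", "POST"), ("GUEST", "/user", "GET")]
    for sub, obj, act in checks:
        verdict = "allow" if enforce(sub, obj, act) else "deny"
        print(f"{sub:5} {act:4} {obj:13} -> {verdict}")
```

Running the block prints one verdict per check: ADMIN reaches /user only through the g-rule, USER is kept out of /admin, a mismatched method is denied even for the right role and path, and an unknown role such as GUEST gets nothing because no p-rule matches. The wildcard rule matches /admin/users but not /admin itself, since the pattern prefix /admin/ must be present in full.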
Summary (slide 17) ▸ Casbin ▸ A library specialised in access control ▸ Simple and easy to use
References (slide 18) ▸ Official documentation ▸ https://casbin.org/docs/en/overview ▸ Source code ▸ https://github.com/casbin/pycasbin
Thank you for listening! (slide 19)