How do you handle security in Flask? An introduction to the access control library Casbin! #pycharity / flask-authz-with-casbin
Masatoshi Tada
February 24, 2021
Lightning talk slides from Python Charity Talks in Japan 2021.02.
https://pyconjp.connpass.com/event/199787/
Transcript
(C) CASAREAL, Inc. All rights reserved. pycharity

Slide 1: How do you handle security in Flask? An introduction to the access control library Casbin!
CASAREAL, Inc. Masatoshi Tada, February 2021, Python Charity Talks in Japan

Slide 2: About me
▸ Masatoshi Tada (@suke_masa)
▸ Training instructor @ Casareal
▸ Java, Python, Golang, Microservices, Kubernetes

Slide 3: CASAREAL, Inc.
▸ We provide training in a wide variety of programming languages that other companies do not offer! NEW

Slide 4: 🎉 Python training released 🎉
▸ Python Introduction: basic syntax, using libraries, web scraping
▸ Python web application development with Flask: DB access, REST, JavaScript integration, security (today's talk is about this one)

Slide 5: Flask training curriculum
▸ 1: DB access (MySQL Connector / Python), REST development
▸ 2: Working with JavaScript clients, error handling, validation, login and access control (today's talk is about this one)

Slide 6: Access control libraries for Flask
▸ Flask-Security
▸ Flask-User
▸ Flask-HTTPAuth
▸ Flask-Authorize
🤔 They all have so many features…

Slide 7: What I wanted
▸ Simple, easy-to-use functionality
▸ Supports Role Based Access Control (RBAC)
▸ Does not depend on a specific ORM
▸ Depends as little as possible on other security libraries

Slide 8: Enter Casbin
https://casbin.org/

Slide 9: What is Casbin?
▸ Originally an access control library for Go
▸ Specializes in authorization, not authentication
▸ Does not depend on a specific ORM or other libraries
▸ pip install casbin

Slide 10: What Casbin does 🙆
▸ Decides whether access is allowed in the form "who (role)" does "what action" on "what resource"
▸ Manages the access control model and the storage of its policy
▸ Manages role-user and role-role mappings
▸ Supports superusers such as "root"
▸ Provides multiple operators for rule matching
https://casbin.org/docs/en/overview#what-is-casbin

Slide 11: What Casbin does not do 🙅
▸ Authentication (e.g. verifying the username and password at login)
▸ Managing the list of users and roles (the project itself is better placed to manage these)
https://casbin.org/docs/en/overview#what-is-casbin

Slide 12: Policy
p, USER, /user, GET
p, ADMIN, /admin, GET
g, ADMIN, USER
▸ Describes the access rules (CSV by default)
▸ With an adapter (described later) it can use various storage backends
The USER role can access /user with GET; the ADMIN role inherits the USER role

Slide 13: Adapters
▸ Policy data can be loaded from various storage backends such as an RDB
▸ SQLAlchemy Adapter
▸ MongoEngine Adapter
▸ DynamoDB Adapter
▸ ...
https://casbin.org/docs/en/adapters

Slide 14: Model
▸ Describes, as text, how policies are written and the rules for deciding access based on a policy
▸ The syntax is a little hard to write
▸ Details → https://casbin.org/docs/en/syntax-for-models
Slide 15: Example of how a model is written

[request_definition]
# Define the order of the arguments to enforce()
r = sub, obj, act

[policy_definition]
# Define how policies are written
p = sub, obj, act

[policy_effect]
# Define how to decide when multiple policies match
e = some(where (p.eft == allow))

[role_definition]
# Define role inheritance relations
g = _, _

[matchers]
# Define how access is decided
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act
Slide 16: Embedding Casbin in Flask

from casbin import Enforcer
from flask import Flask, abort, request
from flask_login import current_user  # assumed: the slide does not say where current_user comes from

app = Flask(__name__)
enforcer = Enforcer('path to model', 'path to policy CSV')

def authorize():
    # Get the role, URL and request method
    sub = current_user.role
    obj = request.path
    act = request.method
    # Let Casbin decide whether access is allowed
    if enforcer.enforce(sub, obj, act):
        return None  # allowed: do nothing
    else:
        # denied: respond with an error (the slide leaves the response out; 403 is one choice)
        abort(403)

# Register as a Flask before-request hook
app.before_request(authorize)
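As an added illustration, not code from the deck or from pycasbin: a small pure-Python evaluator that applies the slide 15 matcher (g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act) and policy effect some(where (p.eft == allow)) to the slide 12 policy, extended with one wildcard rule to show keyMatch. It shows what enforcer.enforce() answers for the Flask hook above, including transitive role inheritance and deny-by-default when no rule matches; MiniEnforcer, key_match and POLICY_CSV are names chosen here.

```python
import csv
from io import StringIO

# Constructed policy: the three lines from slide 12 plus one keyMatch wildcard rule.
POLICY_CSV = """\
p, USER, /user, GET
p, ADMIN, /admin, GET
p, ADMIN, /admin/*, GET
g, ADMIN, USER
"""

def key_match(key1, key2):
    """Casbin-style keyMatch: a '*' in key2 matches any suffix of key1."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]

class MiniEnforcer:
    """Re-implementation of the deck's model semantics (not the pycasbin Enforcer)."""

    def __init__(self, policy_csv):
        self.p = []   # policy rules as (sub, obj, act)
        self.g = {}   # role inheritance: child role -> set of parent roles
        for row in csv.reader(StringIO(policy_csv), skipinitialspace=True):
            if not row:
                continue
            if row[0] == "p":
                self.p.append(tuple(row[1:4]))
            elif row[0] == "g":
                self.g.setdefault(row[1], set()).add(row[2])

    def has_role(self, sub, role):
        """g(r.sub, p.sub): true if sub is role or inherits it, transitively."""
        seen, stack = set(), [sub]
        while stack:
            cur = stack.pop()
            if cur == role:
                return True
            if cur not in seen:
                seen.add(cur)
                stack.extend(self.g.get(cur, ()))
        return False

    def enforce(self, sub, obj, act):
        """some(where (p.eft == allow)): allow if any rule matches, else deny."""
        return any(self.has_role(sub, ps) and key_match(obj, po) and act == pa
                   for ps, po, pa in self.p)

enforcer = MiniEnforcer(POLICY_CSV)
```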
Slide 17: Summary
▸ Casbin
▸ A library specialized in access control
▸ Simple (・㱼・)

Slide 18: References
▸ Official documentation
▸ https://casbin.org/docs/en/overview
▸ Source code
▸ https://github.com/casbin/pycasbin

Slide 19: Thank you for listening!