Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
66 additions
and
33 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,9 +3,47 @@ | |
Custom authorization | ||
====================== | ||
|
||
Our :ref:`auth` section describes general authentication and authorization handling in FlexMeasures. However, custom energy flexibility services developed on top of FlexMeasures probably also need their custom authorization. | ||
Our :ref:`authorization` section describes general authorization handling in FlexMeasures. | ||
|
||
One means for this is to define custom account roles. E.g. if several services run on one FlexMeasures server, each service could define a "MyService-subscriber" account role. To make sure that only users of such accounts can use the endpoints: | ||
If you are creating your own API endpoints for a custom energy flexibility services (on top of FlexMeasures), you should also get your authorization right. | ||
This comment has been minimized.
Sorry, something went wrong. |
||
It's recommended to get familiar with the decorators we provide. Here are some pointers, but feel free to read more in the ``flexmeasures.auth`` package. | ||
|
||
In short, we recommend to use the ``@permission_required_for_context`` decorator (more explanation below). | ||
|
||
FlexMeasures also supports role-based decorators, e.g. ``@account_roles_required``. These authorization decorators are straightforward. However, they are a bit crude as they do not qualify on the permission (e.g. read versus write). A consequence of this is that the ``admin-reader`` role cannot be checked in role-based decorators. | ||
This comment has been minimized.
Sorry, something went wrong.
Flix6x
Contributor
|
||
|
||
Finally, all decorators available through `Flask-Security-Too <https://flask-security-too.readthedocs.io/en/stable/patterns.html#authentication-and-authorization>`_ can be used, e.g. ``@auth_required`` (that's technically only checking authentication) or ``@permissions_required``. | ||
|
||
|
||
Permission-based authorization | ||
-------------------------------- | ||
|
||
Via permissions, it's possible to define authorization access to data, distinguishing between create, read, update and delete access. It's a finer model than simply allowing per role. | ||
|
||
The data models codify under which conditions a user can have certain permissions to work with their data. | ||
You, as the endpoint author, need to make sure this is checked. Here is an example (taken from the decorator docstring): | ||
|
||
.. code-block:: python | ||
@app.route("/resource/<resource_id>", methods=["GET"]) | ||
@use_kwargs( | ||
{"the_resource": ResourceIdField(data_key="resource_id")}, | ||
location="path", | ||
) | ||
@permission_required_for_context("read", arg_name="the_resource") | ||
@as_json | ||
def view(resource_id: int, resource: Resource): | ||
This comment has been minimized.
Sorry, something went wrong.
Flix6x
Contributor
|
||
return dict(name=resource.name) | ||
As you see, there is some sorcery with ``@use_kwargs`` going on before we check the permissions. `That decorator <https://webargs.readthedocs.io>`_ is relaying to a `Marshmallow <https://marshmallow.readthedocs.io/>`_ field definition. Here, ``ResourceIdField`` is a definition which de-serializes an ID (passed in as a request parameter) into a ``Resource`` instance. This instance can then be asked if the current user may read it. That last part is what ``@permission_required_for_context`` is doing. You can find these Marshmallow fields in ``flexmeasures.api.common.schemas``. | ||
|
||
|
||
Account roles | ||
--------------- | ||
|
||
One means for this is to define custom account roles. E.g. if several services run on one FlexMeasures server, each service could define a "MyService-subscriber" account role. | ||
This comment has been minimized.
Sorry, something went wrong. |
||
|
||
To make sure that only users of such accounts can use the endpoints: | ||
|
||
.. code-block:: python | ||
|
@@ -14,9 +52,13 @@ One means for this is to define custom account roles. E.g. if several services r | |
def bananas_view: | ||
pass | ||
.. note:: This endpoint decorator lists required roles, so the authenticated user's account needs to have each role. You can also use the ``account_roles_accepted`` decorator. Then the user's account only needs to have at least one of the roles. | ||
.. note:: This endpoint decorator lists required roles, so the authenticated user's account needs to have each role. You can also use the ``@account_roles_accepted`` decorator. Then the user's account only needs to have at least one of the roles. | ||
|
||
|
||
There are also decorators to check user roles: | ||
User roles | ||
--------------- | ||
|
||
There are also decorators to check user roles. Here is an example: | ||
|
||
.. code-block:: python | ||
|
@@ -25,5 +67,4 @@ There are also decorators to check user roles: | |
def bananas_view: | ||
pass | ||
.. note:: You can also use the ``roles_accepted`` decorator. | ||
|
||
.. note:: You can also use the ``@roles_accepted`` decorator. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a service (singular)