bluesky_httpserver.authorization.DictionaryAPIAccessControl

class bluesky_httpserver.authorization.DictionaryAPIAccessControl(*, roles=None, users=None)

Dictionary-based API access policy. Simple extension of BasicAPIAccessControl that accepts user information, including assigned roles, displayed name and email. The policy is primarily intended for use in demos and testing. Production deployments are expected to use more secure authorization policies.

User information is passed using the users parameter, which accepts a dictionary. If the parameter is None, then no user information is passed to the policy and no users are allowed to access any API. The dictionary maps usernames to user information dictionaries containing roles, displayed names (optional) and emails (optional). The policy arguments are specified as part of config YML files, as illustrated in the following examples:

# No users are allowed to access any API.
api_access:
  policy: bluesky_httpserver.authorization:DictionaryAPIAccessControl
  args:
    users: None

# User 'bob' is defined, but he is not allowed to use any API.
api_access:
  policy: bluesky_httpserver.authorization:DictionaryAPIAccessControl
  args:
    users:
      bob: None

# User 'bob' is assigned to 'admin' and 'expert' groups, 'jdoe' is assigned to the 'advanced' group.
# Note: a single role may be represented as a list or a string.
api_access:
  policy: bluesky_httpserver.authorization:DictionaryAPIAccessControl
  args:
    users:
      bob:
        roles:
          - admin
          - expert
        email: bob@gmail.com
      jdoe:
        roles: advanced
        displayed_name: Doe, John
        email: jdoe@gmail.com

The policy arguments may also include the roles parameter, which is handled by BasicAPIAccessControl. See the docstring for BasicAPIAccessControl for more detailed information.
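The rules described above for the users dictionary (None means no access, a single role may be a string or a list) can be checked before a config is deployed. The following is an added example, not code from bluesky_httpserver: the function names, the PRIVILEGED set, the exact key spellings and the handling of the string "None" are assumptions of this sketch, and the sample data is constructed.

```python
KNOWN_KEYS = {"roles", "displayed_name", "email"}  # fields described above; spellings assumed
PRIVILEGED = {"admin"}  # assumption: roles worth flagging in a review


def _is_none(value):
    # The YAML examples write 'None', which a YAML loader returns as the
    # string "None"; treating it like Python None is an assumption here.
    return value is None or value == "None"


def normalize_roles(entry):
    """Return the set of roles for one user entry (None means no roles)."""
    if _is_none(entry):
        return set()
    roles = entry.get("roles")
    if _is_none(roles):
        return set()
    # A single role may be written as a string or as a list.
    return {roles} if isinstance(roles, str) else set(roles)


def audit_users(users):
    """Return (roles_by_user, findings) for the policy's 'users' argument."""
    if _is_none(users):
        return {}, ["no users defined: nobody can access any API"]
    roles_by_user, findings = {}, []
    for name, entry in users.items():
        entry = None if _is_none(entry) else entry
        if entry is not None and not isinstance(entry, dict):
            roles_by_user[name] = set()
            findings.append(f"{name}: entry must be a mapping or None")
            continue
        roles = roles_by_user[name] = normalize_roles(entry)
        for key in sorted(set(entry or {}) - KNOWN_KEYS):
            findings.append(f"{name}: unknown key {key!r}")
        if not roles:
            findings.append(f"{name}: no roles assigned")
        for role in sorted(roles & PRIVILEGED):
            findings.append(f"{name}: holds privileged role {role!r}")
    return roles_by_user, findings


SAMPLE_USERS = {  # constructed sample, modelled on the YAML examples
    "bob": {"roles": ["admin", "expert"], "email": "bob@example.com"},
    "jdoe": {"roles": "advanced", "dislayed_name": "Doe, John"},  # misspelt key
    "guest": None,
}

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS)[1]:
        print(finding)
```
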

Parameters:
roles: dict or None

Dictionary of configuration parameters that modify the default roles or create new roles. The parameter is passed to BasicAPIAccessControl.

users: dict or None

The dictionary that maps usernames to user information.

__init__(*, roles=None, users=None)

Methods

__init__(*[, roles, users])

get_displayed_user_name(username)

Returns the displayed user name for the user. The displayed user name is assembled from username, full 'displayed' user name and user's email. The formatting depends on the available data, i.e. if no additional data is available, then username is returned. If the user is not found, then username is returned. The following output is possible for the user 'jdoe'::.

get_user_info(username)

Returns complete user information, including a set of roles, set of scopes and displayed user name.

get_user_roles(username)

Returns a set of roles assigned to the user.

get_user_scopes(username)

Returns a set of scopes assigned to the user.

is_user_known(username)

Performs a quick check of whether the user is known.