Best place for authorization management tool?

Hi all,

I’m sitting on a home-brew rule-based authorization system that I’d
like to release as open source. Its current interface is either the
console or raw SQL though, which makes things pretty unfriendly, so I
was wondering just what would be the most idiomatic interface to such
a system. I was envisioning an “authorization console” in script/
that might work like so:

 $ ./script/authzcon production
 >> allow */* for bob with priority 0
 >> deny */destroy from bob with priority 1
 >> allow vendors/destroy for bob with priority 10
 >> flush

Above, rules are controller/action pairs (permitting wildcards), and
each rule is assigned a priority (so above bob could do everything
except destroy anything other than vendors). Denials outrank
allowances of the same priority. To see if a certain action is
allowed for the current ruleset, one could query a controller/action
pair, or list out all the current rules:

 >> query employees/destroy for bob
 Denied
 >> query vendors/destroy for bob
 Allowed
 >> list rules for bob
 10  Allow  vendors/destroy
 1   Deny   */destroy
 0   Allow  */*

Anyway, the syntax above was completely off-the-cuff, so please
ignore it should you find it abrasive. I was more interested in
hearing whether this sort of tool would make any sense, and if so,
whether the tool would belong in script/. Also, please let me know
if something similar already exists – I don’t follow Rails or the
community too closely.

Thanks!


Nick Murphy
Scientific Programmer
Department of Plant Sciences
University of Arizona
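
The evaluation order described in the post above (highest priority wins, a denial outranks an allowance of the same priority, wildcards in controller/action pairs), as an added Ruby example that is not the poster's code. `Rule`, `RuleSet` and `sample_ruleset` are hypothetical names; denying when no rule matches and treating `*` as a whole controller or action are assumptions.

```ruby
# Added illustration of the rule semantics in the post; Rule and RuleSet are
# hypothetical names, not part of the poster's system.
Rule = Struct.new(:effect, :pattern, :user, :priority)

class RuleSet
  # One console line, e.g. "allow */* for bob with priority 0".
  # The post's sample uses both "for" and "from", so both are accepted.
  LINE = %r{\A(allow|deny)\s+([\w*]+/[\w*]+)\s+(?:for|from)\s+(\w+)\s+with\s+priority\s+(\d+)\z}

  def initialize
    @rules = []
  end

  def add(line)
    m = LINE.match(line.strip) or raise ArgumentError, "unparseable rule: #{line.inspect}"
    @rules << Rule.new(m[1].to_sym, m[2], m[3], m[4].to_i)
    self
  end

  # The highest-priority matching rule decides; a deny beats an allow of
  # equal priority. Assumption: no matching rule means denied.
  def allowed?(user, target)
    controller, action = target.split("/", 2)
    winner = @rules.select { |r| r.user == user && hit?(r.pattern, controller, action) }
                   .max_by { |r| [r.priority, r.effect == :deny ? 1 : 0] }
    !winner.nil? && winner.effect == :allow
  end

  # A user's rules in evaluation order, as [priority, effect, pattern].
  def list(user)
    @rules.select { |r| r.user == user }
          .sort_by { |r| [-r.priority, r.effect == :deny ? 0 : 1] }
          .map { |r| [r.priority, r.effect, r.pattern] }
  end

  private

  # Assumption: "*" stands for a whole controller or a whole action only.
  def hit?(pattern, controller, action)
    pc, pa = pattern.split("/", 2)
    (pc == "*" || pc == controller) && (pa == "*" || pa == action)
  end
end

# The three rules from the post's console session.
def sample_ruleset
  ["allow */* for bob with priority 0",
   "deny */destroy from bob with priority 1",
   "allow vendors/destroy for bob with priority 10"].inject(RuleSet.new) { |rs, l| rs.add(l) }
end
```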

