# Authorizer - npolar/api.npolar.no GitHub Wiki

The Authorizer is Rack middleware for role-based access control.

The authorizer restricts edits (`POST`, `PUT`, and `DELETE`) to those with an `editor` role in a specified `system`. (By default, reads are not subject to access control.)
The authorizer performs authentication and authorization using lambda functions.

Authentication:

```ruby
# default authenticated?
lambda { |auth, request| auth.match?(request.username, request.password) }
```

Authorization:

```ruby
# default authorized?
lambda { |auth, system, request|
  # DELETE, POST, PUT: auth.roles? "writer sysadmin"
}
```
If you want different roles or different logic, just inject your own lambdas.

If you use the default lambdas, the `:auth` backend should implement the following methods:

```ruby
def match?(*args) end
def roles(system) end
# optional
def username=(username) end
def username end
```
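The lambdas and backend interface above, worked into a runnable Rack-style middleware as an added example (this is not the project's code); `Request`, `InMemoryAuth`, the HTTP Basic credential parsing and the `writer`/`sysadmin` role set are assumptions for illustration:

```ruby
# Minimal Rack-style authorizer mirroring the page's design (added example,
# not the project's code). Request, InMemoryAuth and the "writer sysadmin"
# role set are assumptions chosen for illustration; no rack gem is needed.
Request = Struct.new(:http_method, :username, :password)

# Backend implementing the interface the default lambdas expect: match?,
# roles(system) and the optional username accessor, which remembers who
# authenticated because roles(system) receives no username.
class InMemoryAuth
  attr_accessor :username
  def initialize(users)
    @users = users # { name => { password: "...", roles: { system => [...] } } }
  end
  def match?(username, password)
    user = @users[username]
    return false if user.nil? || user[:password] != password
    self.username = username
    true
  end
  def roles(system)
    user = @users[username]
    user ? user[:roles].fetch(system, []) : []
  end
end

class Authorizer
  WRITES = %w[POST PUT DELETE].freeze
  DEFAULT_AUTHENTICATED = lambda { |auth, request| auth.match?(request.username, request.password) }
  DEFAULT_AUTHORIZED = lambda { |auth, system, _request| (auth.roles(system) & %w[writer sysadmin]).any? }
  def initialize(app, config)
    @app, @auth, @system = app, config.fetch(:auth), config.fetch(:system)
    @authenticated = config.fetch(:authenticated?, DEFAULT_AUTHENTICATED)
    @authorized = config.fetch(:authorized?, DEFAULT_AUTHORIZED)
  end

  def call(env)
    request = build_request(env)
    return @app.call(env) unless WRITES.include?(request.http_method) # reads are open by default
    return [401, { "WWW-Authenticate" => 'Basic realm="api"' }, ["Unauthorized"]] unless @authenticated.call(@auth, request)
    return [403, {}, ["Forbidden"]] unless @authorized.call(@auth, @system, request)
    @app.call(env)
  end

  # HTTP Basic credentials from the Rack env; a missing or non-Basic header yields nil, nil.
  def build_request(env)
    header = env["HTTP_AUTHORIZATION"].to_s
    username, password = header.delete_prefix("Basic ").unpack1("m").split(":", 2) if header.start_with?("Basic ")
    Request.new(env["REQUEST_METHOD"], username, password)
  end
end
```

Unauthenticated writes get 401, authenticated writes without a qualifying role get 403, and reads pass straight through to the app, matching the page's default behaviour.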
## Use

### LDAP

```ruby
use Npolar::Auth::Authorizer, {
  :auth => Net::LDAP.new(:host => "ldap.local"), # see ...
  :system => "system.dn",
  :authenticated? => Npolar::Auth::Ldap.autenticator
}
```
### CouchDB

#### Roles

`Npolar::Auth::Couch`

```json
{"_id":"api-sysadmin","id":"api-sysadmin","type":"group","systems":["api"],"roles":{"api":["sysadmin"]}}
{"_id":"username1","id":"username1","email":"[email protected]","name":"User One","type":"person","groups":["datacentre-staff","api-sysadmin"],"roles":{"api":["reader"]},"dn":"uid=11389,cn=users,dc=polarresearch,dc=org","ssha_password":"#"}
```