Add Authorization to Python's Bottle Framework with Open Policy Agent
This small example app demonstrates how to implement access control (authorization) in Python's Bottle framework using Open Policy Agent (OPA).
You can list movies, and add or delete movies, depending on the requesting user's permissions.
The application has two built-in users, each with a role:
- John (read)
- David (read-write)
The app comes with a simple Open Policy Agent policy.
By default, the app queries OPA locally at http://localhost:8181. To point it elsewhere, set the OPA_SERVER environment variable:
export OPA_SERVER="http://opa.server:8181"
Download OPA from: https://www.openpolicyagent.org/docs/latest/#running-opa
./opa run -s policy.rego
This starts the OPA server on localhost, listening on port 8181 (OPA's default, and the address the app queries unless OPA_SERVER is set).
pip3 install -r requirements
python3 main.py
Listing Movies with John's user should be successful, since John has read permissions.
requests.get('http://localhost:8080/movies', headers={'X-Requesting-User':'john'}).text
'{"data": ["despicable me", "borat"]}'
Adding a movie with John's user should fail, since John does not have write permissions.
requests.post('http://localhost:8080/movies/Matrix', headers={'X-Requesting-User':'john'}).text
'{"Error": "Unauthorized"}'
Deleting a movie with John's user should fail, since John does not have write permissions.
requests.delete('http://localhost:8080/movies/Matrix', headers={'X-Requesting-User':'john'}).text
'{"Error": "Unauthorized"}'
Adding a movie with David's user should be successful, since David has read-write permissions.
requests.post('http://localhost:8080/movies/Matrix', headers={'X-Requesting-User':'david'}).text
'{"data": ["despicable me", "borat", "Matrix"]}'
Deleting a movie with David's user should be successful, since David has read-write permissions.
requests.delete('http://localhost:8080/movies/Matrix', headers={'X-Requesting-User':'david'}).text
'{"data": ["despicable me", "borat"]}'
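The session above shows the outcomes but not the check that produces them. The following is an added example, not the project's own code, of how a Bottle handler can ask OPA for the decision: it builds the `input` document, POSTs it to OPA's Data API (`/v1/data/<package>/<rule>`), and treats anything other than `{"result": true}` as a denial. The package name `movies.authz`, the `allow` rule, the input shape, and the embedded Rego policy are assumptions made here, since the project's `policy.rego` is not shown on the page; the two users and their roles are the ones listed above. Only the standard library is used, and a constructed stand-in for the OPA server lets the check run offline.

```python
"""OPA authorization check for the movies API (added example, not the project's code).

Framework-agnostic on purpose: a Bottle route reads the caller from the
X-Requesting-User header and calls authorize() before touching the movie list.
Only the standard library is used, so it runs without bottle or requests installed.
"""
import json
import os
import urllib.request

# Same default and override as the README: OPA_SERVER, else http://localhost:8181.
OPA_SERVER = os.environ.get("OPA_SERVER", "http://localhost:8181")

# Assumed package/rule name; the project's real policy.rego is not on the page.
# OPA's Data API exposes a rule at /v1/data/<package path>/<rule>.
OPA_QUERY_PATH = "/v1/data/movies/authz/allow"

# Constructed policy matching the README's two users. Save it as policy.rego and
# load it with `./opa run -s policy.rego` (needs OPA 0.59+ for `import rego.v1`).
EXAMPLE_POLICY = """\
package movies.authz

import rego.v1

default allow := false

user_roles := {"john": "read", "david": "read-write"}

role_permissions := {
    "read": {"GET"},
    "read-write": {"GET", "POST", "DELETE"},
}

allow if {
    role := user_roles[input.user]
    role_permissions[role][input.method]
}
"""


def build_opa_input(user, method, path):
    """Shape the decision input exactly as the policy expects it."""
    return {
        "input": {
            "user": user,
            "method": method.upper(),
            # "/movies/Matrix" -> ["movies", "Matrix"]
            "path": [segment for segment in path.split("/") if segment],
        }
    }


def post_json(url, payload, timeout=2.0):
    """Default transport: POST the input to OPA's Data API, return the parsed body."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def authorize(user, method, path, post=post_json, opa_server=OPA_SERVER):
    """Return True only when OPA answers {"result": true}.

    Fails closed: a missing user header, a transport error (urllib's URLError is
    an OSError), a malformed body, or an undefined policy result (OPA then omits
    the "result" key entirely) all deny the request.
    """
    if not user:
        return False
    try:
        decision = post(opa_server + OPA_QUERY_PATH, build_opa_input(user, method, path))
    except (OSError, ValueError):
        return False
    return isinstance(decision, dict) and decision.get("result") is True


# Constructed stand-in for a running OPA server so the check can be exercised
# offline. It mirrors EXAMPLE_POLICY but, like a policy written without a
# `default` rule, answers {} (undefined) for unknown users.
USER_ROLES = {"john": "read", "david": "read-write"}
ROLE_PERMISSIONS = {"read": {"GET"}, "read-write": {"GET", "POST", "DELETE"}}


def fake_opa(url, payload):
    inp = payload["input"]
    role = USER_ROLES.get(inp["user"])
    if role is None:
        return {}
    return {"result": inp["method"] in ROLE_PERMISSIONS[role]}


if __name__ == "__main__":
    # Reproduces the README session without a server; drop post=fake_opa to use
    # the real transport once OPA is running.
    for who, verb in [("john", "GET"), ("john", "POST"), ("david", "DELETE"), ("eve", "GET")]:
        verdict = "allowed" if authorize(who, verb, "/movies/Matrix", post=fake_opa) else "denied"
        print(who, verb, "->", verdict)
```

Inside a Bottle route the call is `authorize(request.headers.get("X-Requesting-User"), request.method, request.path)`; when it returns False the handler answers with the `{"Error": "Unauthorized"}` body shown in the session above and never touches the movie list. Keeping the decision in OPA means the role table changes in `policy.rego`, not in the handler, and the fail-closed handling of an undefined result is what stops a typo in a rule name from silently granting access.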