mirror of
https://github.com/meta-llama/llama-stack.git
synced 2025-06-27 18:50:41 +00:00
7c1998db25
This allows a set of rules to be defined for determining access to
resources. The rules are (loosely) based on the cedar policy format.
A rule defines a list of action either to permit or to forbid. It may
specify a principal or a resource that must match for the rule to take
effect. It may also specify a condition, either a 'when' or an 'unless',
with additional constraints as to where the rule applies.
A list of rules is held for each type to be protected and tried in order
to find a match. If a match is found, the request is permitted or
forbidden depening on the type of rule. If no match is found, the
request is denied. If no rules are specified for a given type, a rule
that allows any action as long as the resource attributes match the user
attributes is added (i.e. the previous behaviour is the default.
Some examples in yaml:
```
model:
- permit:
principal: user-1
actions: [create, read, delete]
comment: user-1 has full access to all models
- permit:
principal: user-2
actions: [read]
resource: model-1
comment: user-2 has read access to model-1 only
- permit:
actions: [read]
when:
user_in: resource.namespaces
comment: any user has read access to models with matching attributes
vector_db:
- forbid:
actions: [create, read, delete]
unless:
user_in: role::admin
comment: only user with admin role can use vector_db resources
```
---------
Signed-off-by: Gordon Sim <gsim@redhat.com>
129 lines
3.9 KiB
Python
129 lines
3.9 KiB
Python
# Copyright (c) Meta Platforms, Inc. and affiliates.
|
|
# All rights reserved.
|
|
#
|
|
# This source code is licensed under the terms described in the LICENSE file in
|
|
# the root directory of this source tree.
|
|
|
|
from typing import Protocol
|
|
|
|
|
|
class User(Protocol):
|
|
principal: str
|
|
attributes: dict[str, list[str]] | None
|
|
|
|
|
|
class ProtectedResource(Protocol):
|
|
type: str
|
|
identifier: str
|
|
owner: User
|
|
|
|
|
|
class Condition(Protocol):
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool: ...
|
|
|
|
|
|
class UserInOwnersList:
|
|
def __init__(self, name: str):
|
|
self.name = name
|
|
|
|
def owners_values(self, resource: ProtectedResource) -> list[str] | None:
|
|
if (
|
|
hasattr(resource, "owner")
|
|
and resource.owner
|
|
and resource.owner.attributes
|
|
and self.name in resource.owner.attributes
|
|
):
|
|
return resource.owner.attributes[self.name]
|
|
else:
|
|
return None
|
|
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool:
|
|
required = self.owners_values(resource)
|
|
if not required:
|
|
return True
|
|
if not user.attributes or self.name not in user.attributes or not user.attributes[self.name]:
|
|
return False
|
|
user_values = user.attributes[self.name]
|
|
for value in required:
|
|
if value in user_values:
|
|
return True
|
|
return False
|
|
|
|
def __repr__(self):
|
|
return f"user in owners {self.name}"
|
|
|
|
|
|
class UserNotInOwnersList(UserInOwnersList):
|
|
def __init__(self, name: str):
|
|
super().__init__(name)
|
|
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool:
|
|
return not super().matches(resource, user)
|
|
|
|
def __repr__(self):
|
|
return f"user not in owners {self.name}"
|
|
|
|
|
|
class UserWithValueInList:
|
|
def __init__(self, name: str, value: str):
|
|
self.name = name
|
|
self.value = value
|
|
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool:
|
|
if user.attributes and self.name in user.attributes:
|
|
return self.value in user.attributes[self.name]
|
|
print(f"User does not have {self.value} in {self.name}")
|
|
return False
|
|
|
|
def __repr__(self):
|
|
return f"user with {self.value} in {self.name}"
|
|
|
|
|
|
class UserWithValueNotInList(UserWithValueInList):
|
|
def __init__(self, name: str, value: str):
|
|
super().__init__(name, value)
|
|
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool:
|
|
return not super().matches(resource, user)
|
|
|
|
def __repr__(self):
|
|
return f"user with {self.value} not in {self.name}"
|
|
|
|
|
|
class UserIsOwner:
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool:
|
|
return resource.owner.principal == user.principal if resource.owner else False
|
|
|
|
def __repr__(self):
|
|
return "user is owner"
|
|
|
|
|
|
class UserIsNotOwner:
|
|
def matches(self, resource: ProtectedResource, user: User) -> bool:
|
|
return not resource.owner or resource.owner.principal != user.principal
|
|
|
|
def __repr__(self):
|
|
return "user is not owner"
|
|
|
|
|
|
def parse_condition(condition: str) -> Condition:
|
|
words = condition.split()
|
|
match words:
|
|
case ["user", "is", "owner"]:
|
|
return UserIsOwner()
|
|
case ["user", "is", "not", "owner"]:
|
|
return UserIsNotOwner()
|
|
case ["user", "with", value, "in", name]:
|
|
return UserWithValueInList(name, value)
|
|
case ["user", "with", value, "not", "in", name]:
|
|
return UserWithValueNotInList(name, value)
|
|
case ["user", "in", "owners", name]:
|
|
return UserInOwnersList(name)
|
|
case ["user", "not", "in", "owners", name]:
|
|
return UserNotInOwnersList(name)
|
|
case _:
|
|
raise ValueError(f"Invalid condition: {condition}")
|
|
|
|
|
|
def parse_conditions(conditions: list[str]) -> list[Condition]:
|
|
return [parse_condition(c) for c in conditions]
|