Authorization as a service for your Python apps
from flask_aserto import AsertoMiddleware
# ...
@app.route('/protected_route/<parameter>', methods=['GET', 'POST'])  # 'GET' and 'POST' are separate methods, not one string
@aserto.authorize
def protected_route(parameter):
    # route handler; the authorization decision is made by the decorator above
    ...
Fine-grained authorization in Python
Authorization in Python
Python is an object-oriented programming language used for web and app development. It is extremely attractive for web app development because it offers dynamic typing and dynamic binding options, making it lightweight, easy to master, and extensible. Aserto is an application access control platform that brings secure, auditable, distributed access management to Python applications.
Built on trusted open-source CNCF projects like Open Policy Agent (OPA), Aserto brings high-performance role-based access control (RBAC), attribute-based access control (ABAC), and access control lists (ACL) to Python applications.
Why use Aserto over libraries like Flask-Authorize, Flask-RBAC, Flask-ACL?
There are a few key differences that set Aserto apart from the Python/Flask libraries you may be familiar with.
Authorize locally, manage centrally
Libraries in Python/Flask are embedded directly into the application. When implementing authorization in a microservices architecture with such a library, each microservice has to define its own authorization policy and manage the data that policy depends on. It also needs to capture and handle its own decision logs, so any semblance of auditability requires custom-building a centralized management plane.
Aserto handles all of this for you: it allows you to manage authorization policies, user data, and resource data in one central management plane, and automatically gathers and aggregates decision logs from every authorizer instance used across your application. At the same time, the Aserto Edge Authorizer instances are deployed right next to your application instances, so authorization decisions happen at the same low latency and high availability as if you were using a library.
If your application consists of multiple services and runs multiple instances of these services, central management of all the authorization artifacts and decision logs is the only way to scale the operation of a modern microservices architecture.
Separation of concerns
Aserto also extracts authorization policy out of the application logic and stores/versions policy as its own code artifact. This separation of concerns allows security engineers to evolve the authorization policy separate from the application code. Authorization policies are stored and authored using Rego, a declarative and flexible open source policy language. This means developers can write and evolve policies using a source control system rather than the traditional approach of flipping rows in a database.
Users as first-class citizens
Additionally, Aserto treats users and roles as first-class citizens. Our user/role directory is continuously synchronized with the Aserto authorizer(s). This empowers Aserto to reason about users and roles as a part of the policy without requiring role resolution as an additional external step.
Having user and role information come from the Aserto directory mitigates the risks of coding errors feeding incorrect data into the decision engine.
Setting things up
To get started you’ll want to leverage the aserto package, or, if using Flask, the flask-aserto package, to add authorization middleware. These packages have two primary components:
- The authorizer client: the low-level interface that communicates with the Aserto authorization API
- The authorization middleware: concentrates the responsibility for making authorization decisions in a single component rather than fragmenting the logic across multiple routes
The Authorizer is an authorization engine built on top of the open source Open Policy Agent (OPA) decision engine. The Python/Flask SDKs use the gRPC API bindings to make it easy to integrate the Aserto authorizer into Python apps. Creating a tenant in Aserto will automatically create a corresponding Authorizer instance which you can use to develop and test.
For your production workloads, the Aserto Authorizer(s) can be deployed as a sidecar, or local service right next to your application instance(s) to provide minimal latency and 100% availability tied to your application’s uptime.
Out-of-box decision logging creates an easy audit trail for security and compliance. All decisions made by the Aserto authorizer can be easily viewed and tracked via the Aserto control plane.
The Edge Authorizer
The Edge Authorizers make authorization decisions based on three important inputs:
1. Policies from your policy registry
2. Users, attributes, and roles from your identity provider (e.g. Okta, Auth0, etc.) supplemented with application-specific information stored in the Aserto directory
3. Resource context passed in by your application
Any changes made to your hosted directory (i.e. in your IDP or enterprise directory) are automatically synchronized into the Aserto directory. Aserto pushes updates to the edge authorizer in near real-time, ensuring your decisions are based on up-to-date information.
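As an added illustration (not Aserto's own code or SDK API), the following pure-Python model shows how the middleware described under "Setting things up" keeps the decision in one place, and how an authorizer combines the three inputs listed above: a policy keyed by method and route, user/role data from a directory, and resource context from the request. Every decision is appended to a decision log, the audit trail the page describes. The directory contents, the rules and the handler name are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample directory: the user/role data an IdP sync would populate.
DIRECTORY = {
    "alice": {"roles": ["admin"]},
    "bob": {"roles": ["viewer"]},
}

# Policy rules keyed by "METHOD route", each a function of (identity, user, resource).
# Mirrors the page's route: GET is open to any user known to the directory,
# POST needs the admin role or ownership of the resource named by the parameter.
POLICIES: dict[str, Callable[[str, dict, dict], bool]] = {
    "GET /protected_route/<parameter>": lambda ident, user, res: bool(user["roles"]),
    "POST /protected_route/<parameter>": lambda ident, user, res: (
        "admin" in user["roles"] or res.get("owner") == ident
    ),
}


@dataclass
class Authorizer:
    directory: dict
    policies: dict
    decision_log: list = field(default_factory=list)

    def is_allowed(self, method: str, route: str, identity: str, resource: dict) -> bool:
        policy_id = f"{method} {route}"
        user = self.directory.get(identity)
        rule = self.policies.get(policy_id)
        # Fail closed: an unknown identity or a route without a policy is a deny.
        allowed = bool(user is not None and rule is not None and rule(identity, user, resource))
        # Decision log entry: who asked, which policy, what resource, and the outcome.
        self.decision_log.append({"identity": identity, "policy": policy_id,
                                  "resource": resource, "allowed": allowed})
        return allowed


def authorize(authorizer: Authorizer, method: str, route: str):
    """Decorator that keeps the decision in one component, like the middleware does."""
    def wrap(handler):
        def guarded(identity: str, resource: dict):
            if not authorizer.is_allowed(method, route, identity, resource):
                raise PermissionError(f"{identity} denied for {method} {route}")
            return handler(identity, resource)
        return guarded
    return wrap


AUTHZ = Authorizer(DIRECTORY, POLICIES)

@authorize(AUTHZ, "POST", "/protected_route/<parameter>")
def update_item(identity: str, resource: dict) -> str:  # hypothetical route handler
    return f"{identity} updated {resource['parameter']}"
```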
Aserto comes with the following benefits:
- Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ACL
- Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
- Quick onboarding via first-class citizen integrations with Auth0 and your artifact registry, logging system, backend programming language, and frontend framework.
- Built on top of a trusted open source policy engine, the Open Policy Agent (OPA)
VP of Technology
"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."
Mathias Biilmann Christensen
Co-founder & CEO, Netlify
"As millions of developers and businesses are adopting a Jamstack approach, most modern web applications involve multiple APIs and services. Aserto's promise of separating policies from code could radically simplify the implementation of authorization across the front-end UI and the larger world of back-end functions and endpoints."
"Building & managing an authorization/RBAC system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that. I'm excited to help as an angel investor!"