Route RBAC Enforcement

Lowball implements role-based access controls (RBAC) at the endpoint level via a handful of route decorators that make it easy for you as a service developer to add RBAC enforcement at the endpoint level without disrupting the structure of your project.

The enforcement decorators use the token’s declared roles to validate the authorization for the transaction.

The following sections describe the various RBAC decorators and their function.

Require Authenticated User

require_authenticated_user allows access to an endpoint for any user who provides a valid token regardless of the token’s roles.

Example

from lowball import Lowball, require_authenticated_user
...
@app.route("/launch", methods=["GET"])
@require_authenticated_user
def view_upcoming_launches():
    return {...}, 200

In the above example, any valid token will be able to access the endpoint.

Require Any of These Roles

require_any_of_these_roles allows any token with at least one of the roles in the provided list access to the given endpoint.

Example

from lowball import Lowball, require_any_of_these_roles
...
@app.route("/launch/<id>", methods=["GET"])
@require_any_of_these_roles(['lead','manager','audit'])
def view_launch_details(id):
    return {...}, 200

In the above example, any token that has at least a lead, manager or audit role granted to it will be allowed to access the endpoint.

Require All of These Roles

require_all_of_these_roles allows only a token possessing all of the specified roles to access the endpoint.

Example

from lowball import Lowball, require_all_of_these_roles
...
@app.route("/launch", methods=["POST"])
@require_all_of_these_roles(['manager','certified_specialist'])
def launch_the_rocket():
    return {"hello":"world"}, 200

In the above example, only a token that has both a manager and certified_specialist role assigned to it will be able to access the endpoint.

Require Admin

require_admin is a convenience decorator for requiring a token to have the admin role assigned to it. This is the equivalent of:

@require_all_of_these_roles(['admin'])

Example

from lowball import Lowball, require_admin
...
@app.route("/reboot", methods=["POST"])
@require_admin
def reboot_the_system():
    return {...}, 200