Python Authorizer API Client

Overview

This package provides a high-level interface for interacting with the Aserto Authorizer API.

Installation

Using pip:

pip install aserto

Using Poetry:

poetry add aserto

Usage

Creating a client

The AuthorizerClient class provides the methods for interacting with the API. The constructor takes two arguments:

identity (required): An Identity instance that represents a user. To create an Identity you need to provide a type and a value. Example:

from aserto import Identity, IdentityType

  identitySub = Identity(type=IdentityType.IDENTITY_TYPE_SUB, value=identity)
  idenitytNone = Identity(IdentityType.IDENTITY_TYPE_NONE)

options (required): An [AuthorizerOptions] that contains the necessary information to create an Authorizer client. The options that can be provided are:
- api_key (optional): An Aserto Authorizer API Key
- tenant_id (optional): An Aserto Tenant ID
- cert_file_path (optional): Path to Authorizer certs if the authtorizer runs locally.
- url (optional): hostname:port of Aserto Authorizer. Defaults to "authorizer.prod.aserto.com:8443".

Creating an AuthorizerClient example:

from aserto import Identity, IdentityType
from aserto.client.authorizer import AuthorizerClient, AuthorizerOptions

client = AuthorizerClient(
    identity=Identity(IdentityType.IDENTITY_TYPE_NONE),
    options=AuthorizerOptions(
        api_key=YOUR_ASERTO_API_KEY,
        tenant_id=YOUR_ASERTO_TENANT_ID,
    ),
)

Client methods

decisions

Arguments

decisions (required): A list of decision values to request, e.g. ["allowed"]
policy_path (required): The path of the policy module, including the policy root.
policy_instance_name (optional): The policy instance name run by the authorizer.
policy_instance_label (optional): The policy instance label run by the authorizer.
resource_context (optional): The resource context provided to the Authorizer as a serializable dict
deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out

Example

decisions = client.decisions(
    decisions=["allowed", "enabled"],
    policy_instance_name=ASERTO_POLICY_INSTANCE_NAME,
    policy_instance_label=ASERTO_POLICY_INSTANCE_LABEL,
    policy_path="my_policy_root.GET.user.__id",
)

assert decisions ==  {
    "enabled": True,
    "allowed": False,
}

decision_tree

Arguments

decisions (required): A list of decision values to request, e.g. ["allowed"]
policy_path_root (required): The root path of all the policy modules
policy_instance_name (optional): The policy instance name run by the authorizer.
policy_instance_label (optional): The policy instance label run by the authorizer.
resource_context (optional): The resource context provided to the Authorizer as a serializable dict
policy_path_separator (optional): Either "DOT" or "SLASH", the delimiter to use in the returned policy path keys
deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out.

Example

result = await client.decision_tree(
    decisions=["visible", "enabled", "allowed"],
    policy_instance_name=ASERTO_POLICY_INSTANCE_NAME,
    policy_instance_label=ASERTO_POLICY_INSTANCE_LABEL,
    policy_path_root=ASERTO_POLICY_PATH_ROOT,
    policy_path_separator="DOT",
)

assert result == {
    "GET.your.policy.path": {
        "visible": True,
        "enabled": True,
        "allowed": False,
    },
}

`query`

Arguments

query (required): A rego query that is evaluated over the policy. Example: x = input (bind the input to the x variable).
input (required): A string that encodes a JSON document.
policy_path (required): The path of the policy module, including the policy root.
decisions (required): A list of decision values to request, e.g. ["allowed"].
policy_instance_name (optional): The policy instance name run by the authorizer.
policy_instance_label (optional): The policy instance label run by the authorizer.
resource_context (optional): The resource context provided to the Authorizer as a serializable dict.
options (optional): QueryOptions that can indicate the trace level, if the result should include the metrics, etc.
```
  metrics: bool
  instrument: bool
  trace: TraceLevel
  trace_summary: bool
```
The trace levels can be one of the following values:
- TRACE_LEVEL_OFF
- TRACE_LEVEL_FULL
- TRACE_LEVEL_NOTES
- TRACE_LEVEL_FAIL
deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out.

Github

This package is open source and can be found on GitHub.

Overview​

Installation​

Usage​

Creating a client​

Client methods​

decisions​

Arguments​

Example​

decision_tree​

Arguments​

Example​

query​

Arguments​

Github​

Overview

Installation

Usage

Creating a client

Client methods

decisions

Arguments

Example

decision_tree

Arguments

Example

`query`

Arguments

Github