Skip to main content

Python Authorizer API Client

Overview

This package provides a high-level interface for interacting with the Aserto Authorizer API.

Installation

Using pip:

pip install aserto

Using Poetry:

poetry add aserto

Usage

Creating a client

The AuthorizerClient class provides the methods for interacting with the API. The constructor takes two arguments:

  • identity (required): An Identity instance that represents a user. To create an Identity you need to provide a type and a value. Example:

    from aserto import Identity, IdentityType

      identitySub = Identity(type=IdentityType.IDENTITY_TYPE_SUB, value=identity)
      idenitytNone = Identity(IdentityType.IDENTITY_TYPE_NONE)

  • options (required): An [AuthorizerOptions] that contains the necessary information to create an Authorizer client. The options that can be provided are:

    • api_key (optional): An Aserto Authorizer API Key
    • tenant_id (optional): An Aserto Tenant ID
    • cert_file_path (optional): Path to Authorizer certs if the authtorizer runs locally.
    • url (optional): hostname:port of Aserto Authorizer. Defaults to "authorizer.prod.aserto.com:8443".

Creating an AuthorizerClient example:

from aserto import Identity, IdentityType
from aserto.client.authorizer import AuthorizerClient, AuthorizerOptions

client = AuthorizerClient(
    identity=Identity(IdentityType.IDENTITY_TYPE_NONE),
    options=AuthorizerOptions(
        api_key=YOUR_ASERTO_API_KEY,
        tenant_id=YOUR_ASERTO_TENANT_ID,
    ),
)

Client methods

decisions

Arguments

  • decisions (required): A list of decision values to request, e.g. ["allowed"]
  • policy_path (required): The path of the policy module, including the policy root.
  • policy_instance_name (optional): The policy instance name run by the authorizer.
  • policy_instance_label (optional): The policy instance label run by the authorizer.
  • resource_context (optional): The resource context provided to the Authorizer as a serializable dict
  • deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out

Example

decisions = client.decisions(
    decisions=["allowed", "enabled"],
    policy_instance_name=ASERTO_POLICY_INSTANCE_NAME,
    policy_instance_label=ASERTO_POLICY_INSTANCE_LABEL,
    policy_path="my_policy_root.GET.user.__id",
)

assert decisions ==  {
    "enabled": True,
    "allowed": False,
}

decision_tree

Arguments

  • decisions (required): A list of decision values to request, e.g. ["allowed"]
  • policy_path_root (required): The root path of all the policy modules
  • policy_instance_name (optional): The policy instance name run by the authorizer.
  • policy_instance_label (optional): The policy instance label run by the authorizer.
  • resource_context (optional): The resource context provided to the Authorizer as a serializable dict
  • policy_path_separator (optional): Either "DOT" or "SLASH", the delimiter to use in the returned policy path keys
  • deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out.

Example

result = await client.decision_tree(
    decisions=["visible", "enabled", "allowed"],
    policy_instance_name=ASERTO_POLICY_INSTANCE_NAME,
    policy_instance_label=ASERTO_POLICY_INSTANCE_LABEL,
    policy_path_root=ASERTO_POLICY_PATH_ROOT,
    policy_path_separator="DOT",
)

assert result == {
    "GET.your.policy.path": {
        "visible": True,
        "enabled": True,
        "allowed": False,
    },
}

query

Arguments

  • query (required): A rego query that is evaluated over the policy. Example: x = input (bind the input to the x variable).

  • input (required): A string that encodes a JSON document.

  • policy_path (required): The path of the policy module, including the policy root.

  • decisions (required): A list of decision values to request, e.g. ["allowed"].

  • policy_instance_name (optional): The policy instance name run by the authorizer.

  • policy_instance_label (optional): The policy instance label run by the authorizer.

  • resource_context (optional): The resource context provided to the Authorizer as a serializable dict.

  • options (optional): QueryOptions that can indicate the trace level, if the result should include the metrics, etc.

      metrics: bool
      instrument: bool
      trace: TraceLevel
      trace_summary: bool

    The trace levels can be one of the following values:

    • TRACE_LEVEL_OFF
    • TRACE_LEVEL_FULL
    • TRACE_LEVEL_NOTES
    • TRACE_LEVEL_FAIL

  • deadline (optional): How long to wait for the request to time-out. Either a Python timedelta object representing the duration to wait or a datetime object representing when the request should time-out.

Github

This package is open source and can be found on GitHub.