Summary

PEP4Django - A Policy Enforcement Point for Python Web Applications

Paper

Notes from paper

They used WSO2 Identity Server as the authorization server. GitHub: pep4django

Developer’s proposal for the IAM implementation

What are the developers proposing?

Future applications should depend on an external IAM solution to decide whether the user is permitted access and which role he plays in the application.

  1. Details for the Django framework

     Every request passes through the middleware chain in Django, and it is possible to add custom middleware that changes request and response behaviour. An IAM custom middleware will contain the logic that checks the identity of the user and his groups. The access policy, i.e. the logic that decides access and roles, will live in the IAM. The middleware will call the IAM's API endpoint and get two kinds of response:

     1. Binary (yes/no) response

        If the response is no, the request is rejected with a 403 Forbidden response (the proposal said 405, but 405 means Method Not Allowed and is the wrong status for a denied authorization).

     2. Role information

        The middleware will assign roles and permissions to the user based on the role that the IAM returns for that user and the application he/she is requesting access to.

  2. Result

     From a central admin panel the IAM team can
     1. remove a user's access.
     2. change the role of a user.
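Sketch of the middleware described above, as an added example (not the developers' code, the paper's, or the pep4django project's). It assumes the IAM endpoint is a callable returning a Permit/Deny decision plus a role list, maps roles to Django-style permission strings through an assumed table, fails closed when the IAM is unreachable, and answers a denial with 403 rather than 405. Django itself is not imported so the block runs stand-alone; the class follows Django's middleware protocol against stand-in request/response objects, and the policy data is constructed.

```python
"""Added example, not code from the paper or the pep4django project: a
Django-style policy-enforcement middleware that asks an external IAM /
authorization server for a permit/deny decision plus the caller's roles.

Assumptions (not from the original notes):
- the IAM endpoint is abstracted as a callable decide(subject, resource, action)
  returning {"decision": "Permit"|"Deny", "roles": [...]}; a real deployment
  would wrap an HTTP call to the authorization server here.
- Django is not imported so the block runs stand-alone; the class follows
  Django's __init__(get_response) / __call__(request) middleware protocol
  against minimal stand-in Request/Response objects.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Assumed mapping from IAM role names to Django-style "app_label.codename"
# permission strings; a real application would derive this from its models.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"reports.view_report"},
    "editor": {"reports.view_report", "reports.change_report"},
    "admin": {"reports.view_report", "reports.change_report", "reports.delete_report"},
}


@dataclass
class Request:
    path: str
    method: str
    user: Optional[str]                      # authenticated username, None if anonymous
    roles: List[str] = field(default_factory=list)
    perms: Set[str] = field(default_factory=set)


@dataclass
class Response:
    status_code: int
    body: str = ""


IamClient = Callable[[str, str, str], Dict[str, object]]


class IamEnforcementMiddleware:
    """Policy Enforcement Point: every request is checked against the IAM."""

    def __init__(self, get_response: Callable[[Request], Response], iam: IamClient):
        self.get_response = get_response
        self.iam = iam

    def __call__(self, request: Request) -> Response:
        if request.user is None:
            # authentication is out of scope here; anonymous callers are refused
            return Response(401, "authentication required")
        try:
            decision = self.iam(request.user, request.path, request.method)
        except Exception:
            # fail closed: an unreachable decision point must not let requests through
            return Response(503, "authorization service unavailable")
        if decision.get("decision") != "Permit":
            # 403, not 405: the HTTP method is fine, the caller is not allowed
            return Response(403, "forbidden")
        # map the roles the IAM returned onto the application's permission strings,
        # ignoring role names the application does not know
        roles = [r for r in decision.get("roles", []) if r in ROLE_PERMISSIONS]
        request.roles = roles
        request.perms = set().union(*[ROLE_PERMISSIONS[r] for r in roles])
        return self.get_response(request)


# Constructed stand-in for the authorization server's policy (not real WSO2 data).
FAKE_POLICY = {
    "alice": {"roles": ["editor"], "allowed": {("/reports/", "GET"), ("/reports/", "POST")}},
    "bob": {"roles": ["viewer"], "allowed": {("/reports/", "GET")}},
}


def fake_iam(subject: str, resource: str, action: str) -> Dict[str, object]:
    entry = FAKE_POLICY.get(subject)
    if entry is None or (resource, action) not in entry["allowed"]:
        return {"decision": "Deny", "roles": []}
    return {"decision": "Permit", "roles": entry["roles"]}


def unreachable_iam(subject: str, resource: str, action: str) -> Dict[str, object]:
    raise ConnectionError("authorization server unreachable")


def report_view(request: Request) -> Response:
    # a view that relies only on the permissions the middleware attached
    if request.method == "POST" and "reports.change_report" not in request.perms:
        return Response(403, "missing permission")
    return Response(200, f"{request.user}:{','.join(sorted(request.perms))}")


def run(user: Optional[str], path: str, method: str, iam: IamClient = fake_iam) -> Response:
    """Push one request through middleware + view and return the response."""
    return IamEnforcementMiddleware(report_view, iam)(Request(path, method, user))
```

Calling `run("bob", "/reports/", "POST")` yields 403 because the IAM denies the action, `run("alice", "/reports/", "POST")` yields 200 with the editor permissions attached, and `run("alice", "/reports/", "GET", iam=unreachable_iam)` yields 503 instead of silently passing the request on.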

Note: this is the preliminary proposal from the developers; details of the implementation might change as they gain deeper insight into the problem and depending on how the IAM organizes its access and role management policies.

  • Questions to clarify from security

    1. Based on the details above, what other information is needed from the developers for the project?

<2021-06-02 Wed>

Questions

  • Is user creation Django specific? Are transactions handled? What types of restriction are added?
    1. no signals which involve the user
    2. no transactions which involve users; the developer will be handicapped.
  • How will Django roles and permissions be managed in IAM?

Do they make sense in IAM?

  • [ ] requires superuser access to all databases?
  • password sync: accounts already exist with dummy passwords?