dorgan
Help with authorization system based on roles and permissions
Hi,
I’m working on an authorization system for my phoenix app, and I need some help designing it..
I want it to be based on roles and permissions, and I also want to be able to create, update and delete roles at runtime and have them persisted in the database.
Permissions wouldn’t change very often as they would imply changes to the codebase, so I think they can be hardcoded.
I’ve seen bodyguard, canary and policy_wonk but neither of them seem to suit my needs so I prefer to roll my own.
This is the approach I would follow:
- Create
rolesandrole_usertables for a many_to_many association between users and roles - As the permissions are hardcoded, the roles table would have a column for each of the permissions(ie: a boolean
create_postcolumn) or a comma delimitedpermissionsstring column. I don’t really know which is better, but I like the latter because I don’t need to run migrations if my permissions ever change. - Write an authorization module that exposes an API like
BodyGuard’s, for example:Authorization.can(:create_post, user)
Is this, in general, a good approach I should go for? How would you approach this?
Thanks!
Marked As Solved
OvermindDL1
Similar to what I wrote at work it sounds like (I really should generify it and put it out as a library someday…).
Essentially what I did was this:
- A set of Permission structures (
MyServer.Permissions.SomeBlahPermissionfor example), each of which has at least an ‘action’ field, among other (also a ‘default’ function for displaying in the UI for default values, which are different from default values when instancing it in code). - A
can/can?set of functions (and others) that takes anenvironment (usually aconnorsocketor so that grabs the information from a protocol). - I perform a test like:
conn |> can(%Perms.SomeBlah{action: :list, id: :_}) ~> case do conn -> end - The
can?returns a boolean (great forEnum.filter!), thecanreturns either the environment itself if it passes or an exception structure (not raising it, returning it, I use the Exceptional library a lot, that’s where~>comes from, it pipes into if the value is ‘good’ otherwise returns it directly). Thecan’s tend to be called many times in a single call so efficient cache’ing is pretty important (it can add an inline cache to the, for example, ‘conn’ for faster lookup on future calls as well so there is no ETS hit too via Cachex) - The permission test in
canaccesses a Cachex cache that calls into the database. All Cachex caches of a given account_id are wiped everywhere anytime the permissions are written. - The database side stores a json structure of the serialized permission structure, comparisons happen via my permissions_ex library on hex.pm.
- Each account_id has an associated set of permissions as well as associated groups, each group has an associated permissions as well, all are combined for the person as well as from some other sources like LDAP and some other information in another database, this is why cache’ing is important as looking up all those sources can easily take a few hundred milliseconds to a second when the other sources like LDAP are being particularly slow.
One big change I’d make would probably make the format in the database a bit different, right now the permissions tables for account_id/group is the account_id/group_id, the structure name, and a jsonb of the structure data. I’d probably change it to allow for direct record comparisons more easily in ‘some’ cases in the database so I wouldn’t have to filter in-code so often, though sadly I wouldn’t actually be able to do that in ‘most’ of my cases because so much data comes from the Oracle and LDAP systems, but would be more useful for setups that are more usual.
But with this style I can test to the logged in user, I can test via a variety of other things, all with simple can/2/can?/2 calls. It’s efficient enough that even looping over 2k records for a report is still less than a second with the database lookup and all, which is significantly faster than the system it was replacing anyway. ![]()
On the admin side the permissions are taken a structure to display to the user based on the defaults call on each permissions module, so I can set permissions from the UI in detail. In addition there is a ‘matrix’ view for mass editing of many account permissions via some pre-built sets with ease, all dynamically generated based on the permission structures that are detected in the system (based on their @behaviour module attributes).
EDIT: Oh, also thanks to the permission_ex library there is an admin lookup for easy overriding and a blacklist key for deny’ing, even if other permissions would allow for it. It makes it very easy. ![]()
Also Liked
OvermindDL1
Ugh, must have happened when I updated ex_doc, wonder how that happened as the docs haven’t changed other than just updating that… ^.^;
And fixed it, looks like ex_doc removed a feature I was using, so that was fun… >.>
dorgan
I took a look at your permission_ex, in essence it’s pretty similar to the module I was coding, and I also lookup for an admin permission for easy overriding too ![]()
So, if I understood correctly, you store the permissions per user and per group(what I call roles), serialized in a jsonb column, then retrieve every permission for a given user and match against them. As you match against a list of permissions, you can also get permissions from other sources(eg ldap). You also cache the permissions per user to improve performance.
Is this correct?
If so then I think I will go that way, your approach has enlightened me ![]()
Right now I’m storing the permissions per group and assigning groups to users, I also wrote a plug that checks in the conn struct for a perms assign and match the permissions list against it. Since the user is retrieved from the db on every request and by extension it’s permissions, I guess it’s a good idea to cache it as you do as an improvement, but I think that overall yes, we’re doing similar things ![]()
Thank you!
OvermindDL1
In essence. I just have Cachex with a fallback function do all the lookups when there is a cache miss, it’s a nice singular place to put it all. ![]()
If it’s just hitting the database once per connection it’s not really a big deal to not cache it, I’m mostly caching it because initial lookup can be crazy slow at times because of the way old servers I have to interact with. It’s still good to put it all behind a module API so you can always swap it out with a cache later if necessary without needing to change your API, that is why I pass the 'env’ironment in/out of each function so I can cache on it as well transparently without changing the API. ![]()
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








