nvflare.fuel.sec.authz module

class Authorizer

Bases: object

Base class containing the authorization policy.

authorize(ctx: AuthzContext) -> (object, str)
evaluate_rule_on_site(rule_name: str, site_name: str)
evaluate_user_right_on_site(right_name: str, user_name: str, site_name: str)
get_policy() -> Policy
load_policy(policy_config: dict) -> str

class AuthzContext(user_name: str, site_names: List[str])

Bases: object

Base class to contain context data for authorization.

Parameters
  • user_name (str) – user name to be checked

  • site_names (List[str]) – site names to be checked against

get_attr(key: str, default=None)
set_attr(key: str, value)

class Policy(conf: dict)

Bases: object

The authorization policy definition.

Authorization policy definition with methods to access information about the policy. Init creates the internal representation of the policy from a config dictionary.

Policy evaluation result:

For bool type of rules or rights:

  • True - the rule is satisfied or the right is granted

  • False - the rule is not satisfied; the right is not granted

  • None - the rule or right is not applicable (precondition not met)

For int type of rules or rights:

  • Number - the value of the evaluation

  • None - the rule or right is not applicable (precondition not met)

Parameters

conf (dict) – the configuration dictionary with keys=groups, users, rights, rules, sites, orgs

evaluate_rule_on_org(rule_name: str, org_name: str)
evaluate_rule_on_site(rule_name: str, site_name: str)
evaluate_user_right_on_org(right_name: str, user_name: str, org_name: str)
evaluate_user_right_on_site(right_name: str, user_name: str, site_name: str)
get_config()
get_right_type(right_name: str)
get_rights()
get_rules()
get_sites()
get_user(user_name: str)
get_users()
validate_policy_config(config: dict) -> str

Validates that an authorization policy configuration has the right syntax.

Parameters

config – configuration dictionary to validate

Returns: empty string if there are no errors, else a string describing the error encountered
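The evaluation results described under Policy (True, False or None for bool types; a number or None for int types) need explicit handling by callers, because a plain truthiness test merges None with False and with 0. The following is an added example, not NVFlare code: StubPolicy, is_granted, within_limit and the sample data are constructed here, and treating None as a denial is an assumption of this example, not documented behaviour of Authorizer.authorize.

```python
from typing import Iterable


class StubPolicy:
    """Constructed stand-in with the same method signature as Policy."""

    def __init__(self, results: dict):
        self._results = results  # (right, user, site) -> bool or int

    def evaluate_user_right_on_site(self, right_name: str, user_name: str, site_name: str):
        # A missing entry models None: "not applicable (precondition not met)".
        return self._results.get((right_name, user_name, site_name))


def is_granted(policy, right_name: str, user_name: str, site_names: Iterable[str]) -> bool:
    """bool-type right: allow only if every site evaluates to exactly True."""
    sites = list(site_names)
    if not sites:
        return False  # nothing was evaluated, so nothing was granted
    for site in sites:
        result = policy.evaluate_user_right_on_site(right_name, user_name, site)
        if result is not True:  # False and None both deny; truthy non-bools too
            return False
    return True


def within_limit(policy, right_name: str, user_name: str, site_name: str, requested: int) -> bool:
    """int-type right: 0 is a real limit; None means no limit was evaluated."""
    limit = policy.evaluate_user_right_on_site(right_name, user_name, site_name)
    if limit is None or isinstance(limit, bool):
        return False  # `if not limit` would wrongly merge 0 and None
    return 0 <= requested <= limit


# Constructed sample data; right, user and site names are hypothetical.
SAMPLE = StubPolicy({
    ("deploy", "alice", "site-1"): True,
    ("deploy", "alice", "site-2"): False,
    ("max_jobs", "alice", "site-1"): 0,
    ("max_jobs", "alice", "site-2"): 3,
})
```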