nvflare.fuel.sec.authz module

class AuthorizationService

Bases: object

static authorize(ctx: AuthzContext)

static get_authorizer()

static initialize(authorizer: ~nvflare.fuel.sec.authz.Authorizer) -> (<class 'nvflare.fuel.sec.authz.Authorizer'>, <class 'str'>)

the_authorizer = None

class Authorizer(site_org: str, right_categories: dict | None = None)

Bases: object

Base class containing the authorization policy.

authorize(ctx: ~nvflare.fuel.sec.authz.AuthzContext) -> (<class 'bool'>, <class 'str'>)

evaluate(ctx: ~nvflare.fuel.sec.authz.AuthzContext) -> (<class 'bool'>, <class 'str'>)

get_policy() → Policy

load_policy(policy_config: dict) → str

class AuthzContext(right: str, user: Person, submitter: Person | None = None)

Bases: object

Base class to contain context data for authorization.

get_attr(key: str, default=None)

set_attr(key: str, value)

class ConditionEvaluator

Bases: ABC

abstract evaluate(site_org: str, ctx: AuthzContext) → bool

class FalseEvaluator

Bases: ConditionEvaluator

evaluate(site_org: str, ctx: AuthzContext) → bool

class FieldNames(value)

Bases: str, Enum

An enumeration.

CATEGORY_RIGHT = 'Right for Category'

EXP = 'Expression'

RIGHT = 'Right'

ROLE_NAME = 'Role name'

SITE_ORG = 'Site org'

TARGET_TYPE = 'Target type'

TARGET_VALUE = 'Target value'

USER_NAME = 'User name'

USER_ORG = 'User org'

USER_ROLE = 'User role'

class Person(name: str, org: str, role: str)

Bases: object

class Policy(config: dict, role_right_map: dict, roles: list, rights: list, role_rights: dict)

Bases: object

evaluate(site_org: str, ctx: ~nvflare.fuel.sec.authz.AuthzContext) -> (<class 'bool'>, <class 'str'>)

Parameters:

• site_org –

• ctx –

Returns:

A tuple of (result, error)

get_rights()

get_roles()

class TrueEvaluator

Bases: ConditionEvaluator

evaluate(site_org: str, ctx: AuthzContext) → bool

class UserNameEvaluator(target: str)

Bases: ConditionEvaluator

evaluate(site_org: str, ctx: AuthzContext)

class UserOrgEvaluator(target)

Bases: ConditionEvaluator

evaluate(site_org: str, ctx: AuthzContext)

parse_policy_config(config: dict, right_categories: dict)

Validates that an authorization policy configuration has the right syntax.

Parameters:

• config – configuration dictionary to validate

• right_categories – a dict of right => category mapping

Returns: a Policy object if no error, a string describing the error encountered