atoti_query.security.security module#
- class atoti_query.security.Security#
Manage the parts of the security config that can be changed without restarting the
Session.The roles and restrictions are stored in the
user content storage. Multiple sessions configured with the same user content storage will thus share their roles and restrictions.Note
Users without the ROLE_USER will not be able to access the application.
- property basic: BasicSecurity#
- property individual_roles: IndividualRoles#
- property kerberos: KerberosSecurity#
- property ldap: LdapSecurity#
- property oidc: OidcSecurity#
- property restrictions: MutableMapping[str, Condition[ColumnCoordinates, Literal['eq', 'isin'], Constant, Literal['and'] | None]]#
Mapping from role name to corresponding restriction.
There are reserved roles for which restrictions cannot be declared:
ROLE_USER: gives access the application
ROLE_ADMIN: gives full access (read, write, delete, etc) to the application
The restrictions associated with a role can be modified at any time.
Restrictions apply on table columns and are inherited by all hierarchies based on these columns.
Restrictions on different hierarchies are intersected.
However, if a user has several roles with restrictions on the same hierarchies, access to the union of restricted elements will be granted.
Example
>>> df = pd.DataFrame( ... [ ... ("Asia", "Korea", "KRW"), ... ("Asia", "Japan", "JPY"), ... ("Europe", "France", "EUR"), ... ("Europe", "Germany", "EUR"), ... ("Europe", "Norway", "NOK"), ... ("Europe", "Sweden", "SEK"), ... ], ... columns=["Continent", "Country", "Currency"], ... ) >>> session = tt.Session(authentication=tt.BasicAuthenticationConfig()) >>> table = session.read_pandas( ... df, ... keys=["Continent", "Country", "Currency"], ... table_name="Restrictions example", ... ) >>> cube = session.create_cube(table) >>> h, l, m = cube.hierarchies, cube.levels, cube.measures >>> cube.hierarchies["Geography"] = [ ... table["Continent"], ... table["Country"], ... ] >>> for name in cube.hierarchies["Geography"].levels: ... del cube.hierarchies[name] ... >>> username, password = "john", "abcdef123456" >>> user = session.security.basic.credentials[username] = password
The user initially has no individual roles:
>>> username in session.security.individual_roles False
Adding ROLE_USER to grant access to the application:
>>> session.security.individual_roles[username] = {"ROLE_USER"}
Opening a query session to authenticate as the user just created:
>>> query_session = tt.QuerySession( ... f"http://localhost:{session.port}", ... auth=tt.BasicAuthentication( ... username=username, password=password ... ), ... ) >>> query_cube = query_session.cubes[cube.name] >>> l, m = query_cube.levels, query_cube.measures
ROLE_USER has no restrictions so all the countries and currencies are accessible:
>>> query_cube.query( ... m["contributors.COUNT"], levels=[l["Country"], l["Currency"]] ... ) contributors.COUNT Continent Country Currency Asia Japan JPY 1 Korea KRW 1 Europe France EUR 1 Germany EUR 1 Norway NOK 1 Sweden SEK 1
Adding a restricting role to the user so that only France is accessible:
>>> session.security.restrictions["ROLE_FRANCE"] = ( ... table["Country"] == "France" ... ) >>> session.security.individual_roles[username] |= {"ROLE_FRANCE"} >>> query_cube.query(m["contributors.COUNT"], levels=[l["Country"]]) contributors.COUNT Continent Country Europe France 1
Restrictions on the same hierarchy grant access to the union of the restricted elements:
>>> session.security.restrictions["ROLE_GERMANY"] = ( ... table["Country"] == "Germany" ... ) >>> session.security.individual_roles[username] |= {"ROLE_GERMANY"} >>> query_cube.query(m["contributors.COUNT"], levels=[l["Country"]]) contributors.COUNT Continent Country Europe France 1 Germany 1
Restrictions can grant access to multiple elements:
>>> session.security.restrictions["ROLE_NORDIC"] = table[ ... "Country" ... ].isin("Norway", "Sweden") >>> session.security.individual_roles[username] |= {"ROLE_NORDIC"} >>> query_cube.query(m["contributors.COUNT"], levels=[l["Country"]]) contributors.COUNT Continent Country Europe France 1 Germany 1 Norway 1 Sweden 1
Also give access to the Asian countries with a restriction on Continent:
>>> session.security.restrictions["ROLE_ASIA"] = ( ... table["Continent"] == "Asia" ... ) >>> session.security.individual_roles[username] |= {"ROLE_ASIA"} >>> query_cube.query(m["contributors.COUNT"], levels=[l["Country"]]) contributors.COUNT Continent Country Asia Japan 1 Korea 1 Europe France 1 Germany 1 Norway 1 Sweden 1
Restrictions on different hierarchies are intersected:
>>> session.security.restrictions["ROLE_EUR"] = ( ... table["Currency"] == "EUR" ... ) >>> session.security.individual_roles[username] |= {"ROLE_EUR"} >>> query_cube.query( ... m["contributors.COUNT"], levels=[l["Country"], l["Currency"]] ... ) contributors.COUNT Continent Country Currency Europe France EUR 1 Germany EUR 1
Removing the roles granting access to France and Germany leaves no remaining accessible countries:
>>> session.security.individual_roles[username] -= { ... "ROLE_FRANCE", ... "ROLE_GERMANY", ... } >>> query_cube.query(m["contributors.COUNT"], levels=[l["Country"]]) Empty DataFrame Columns: [contributors.COUNT] Index: []