Home
Role-Based Access Control (RBAC) APIs for Python projects. The back-end is LDAP, an industry standard and proven means of processing security operations and data. LDAP brings complexity. It would be easier for projects to get started with something simple, like a file-based store, but that approach has far too many drawbacks in production.
PY-Fortress uses the same logical and physical data model as Apache Fortress Core, which has been in widespread use for some time. It depends on python-ldap to access LDAP, which is proven, efficient and, most important -- stable.
We're talking Python here and Apache Fortress is written in Java. Yes, you could deploy the Apache Fortress Rest server in your network and let your Python applications communicate with it over HTTP. That's certainly a viable option and we're not telling you not to do that. However, from a simplicity standpoint, it's easier and more efficient to skip the extra hop and communicate directly with the system of record, i.e. LDAP.
It's unproven. Wait, you just told us it's proven! Well, yes and no. Certainly, using LDAP to store and process security data is. Also, the Apache Fortress way of performing authorization by calling RBAC APIs is a best practice. But this particular Python API implementation is still, um, "fresh".
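To make the "authorization by calling RBAC APIs" point concrete, here is an added illustration that is not PY-Fortress's own code and has no LDAP back-end: a minimal in-memory model of the ANSI RBAC core that Fortress implements. The application never tests usernames or hard-coded groups; it creates a session for a user (activating some or all of the roles assigned to that user) and then asks whether that session holds a permission, expressed as an operation on a protected object. The class and function names (`Rbac`, `Perm`, `create_session`, `check_access`) and the payroll sample policy are assumptions constructed for this example.

```python
"""Illustrative ANSI RBAC core model in plain Python (added example).

Not PY-Fortress's API and not backed by LDAP; it only shows the shape of the
calls an application makes: create a session, then check access against it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Perm:
    """A permission is an operation on a protected object, as in Fortress."""
    obj_name: str
    op_name: str


@dataclass(frozen=True)
class Session:
    """An authenticated user plus the roles activated for this session."""
    user_id: str
    active_roles: FrozenSet[str]


class Rbac:
    """Users, roles, user-role assignments and role-permission grants."""

    def __init__(self) -> None:
        self._users: Set[str] = set()
        self._roles: Set[str] = set()
        self._user_roles: Dict[str, Set[str]] = {}
        self._role_perms: Dict[str, Set[Perm]] = {}

    def add_user(self, user_id: str) -> None:
        self._users.add(user_id)
        self._user_roles.setdefault(user_id, set())

    def add_role(self, role: str) -> None:
        self._roles.add(role)
        self._role_perms.setdefault(role, set())

    def assign_user(self, user_id: str, role: str) -> None:
        self._require(user_id in self._users, f"unknown user {user_id!r}")
        self._require(role in self._roles, f"unknown role {role!r}")
        self._user_roles[user_id].add(role)

    def grant(self, perm: Perm, role: str) -> None:
        self._require(role in self._roles, f"unknown role {role!r}")
        self._role_perms[role].add(perm)

    def create_session(self, user_id: str,
                       roles: Optional[Iterable[str]] = None) -> Session:
        """Activate all assigned roles, or only the requested subset.

        Requesting a role the user is not assigned is refused outright, so a
        caller cannot escalate by naming a role in the session request.
        """
        self._require(user_id in self._users, f"unknown user {user_id!r}")
        assigned = self._user_roles[user_id]
        active = set(assigned) if roles is None else set(roles)
        not_assigned = active - assigned
        self._require(not not_assigned,
                      f"{user_id!r} is not assigned {sorted(not_assigned)}")
        return Session(user_id, frozenset(active))

    def check_access(self, session: Session, perm: Perm) -> bool:
        """True if any role active in the session holds the permission."""
        return any(perm in self._role_perms[r] for r in session.active_roles)

    def session_permissions(self, session: Session) -> Set[Perm]:
        """Every permission reachable through the session's active roles."""
        perms: Set[Perm] = set()
        for role in session.active_roles:
            perms |= self._role_perms[role]
        return perms

    @staticmethod
    def _require(cond: bool, msg: str) -> None:
        if not cond:
            raise ValueError(msg)


def build_demo() -> Rbac:
    """Constructed sample policy for a small payroll app (not real data)."""
    rbac = Rbac()
    for role in ("clerk", "auditor", "payroll-admin"):
        rbac.add_role(role)
    for user in ("alice", "bob"):
        rbac.add_user(user)
    rbac.grant(Perm("payroll", "read"), "clerk")
    rbac.grant(Perm("payroll", "read"), "auditor")
    rbac.grant(Perm("audit-log", "read"), "auditor")
    rbac.grant(Perm("payroll", "read"), "payroll-admin")
    rbac.grant(Perm("payroll", "approve"), "payroll-admin")
    rbac.assign_user("alice", "clerk")
    rbac.assign_user("alice", "payroll-admin")
    rbac.assign_user("bob", "auditor")
    return rbac


def demo() -> dict:
    """Run the typical application calls and collect their outcomes."""
    rbac = build_demo()
    full = rbac.create_session("alice")                  # all assigned roles
    narrow = rbac.create_session("alice", roles=["clerk"])  # least privilege
    bob = rbac.create_session("bob")
    try:
        rbac.create_session("bob", roles=["payroll-admin"])
        escalation_blocked = False
    except ValueError:
        escalation_blocked = True
    return {
        "alice_full_approve": rbac.check_access(full, Perm("payroll", "approve")),
        "alice_narrow_approve": rbac.check_access(narrow, Perm("payroll", "approve")),
        "alice_narrow_read": rbac.check_access(narrow, Perm("payroll", "read")),
        "alice_full_perm_count": len(rbac.session_permissions(full)),
        "bob_audit_read": rbac.check_access(bob, Perm("audit-log", "read")),
        "bob_approve": rbac.check_access(bob, Perm("payroll", "approve")),
        "escalation_blocked": escalation_blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two sessions for the same user are the point: an application that only needs to read payroll activates just `clerk`, so an `approve` check in that code path fails even though the user is also a `payroll-admin`. With LDAP as the system of record, the same user, role and permission entries are shared by every application that performs these checks, which is what keeps the authorization decisions consistent rather than haphazard.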
This takes a leap of faith. It "should" work because we have vast experience doing this "kind" of thing. We've thought about it carefully. There aren't many "gotchas" that haven't already got us. These APIs have been reviewed and tested. But, to date, it hasn't been used in production (that we know of).
There will be bugs. You have our commitment to fix them in a "timely" manner on a "best effort" basis. Security defects will be given priority. We'll be sure to answer your questions on getting started and integrating with Python apps. We'll learn together about doing security in Python, with the benefit that our application security is not haphazard and uses best practices. That's not exactly a guarantee, but it's the best we've got right now.
-- Shawn