Gergő Simonyi

I'm a senior backend engineer at authentik from Budapest, Hungary.

Role-based access control in Django - How we forked Guardian

Talk
We approach access control from the viewpoint of an authentication company dealing with increasingly impossible requests. We highlight challenges with the access control system of Django and one of its most popular extensions, Guardian. We then solve those challenges using RBAC (role-based access control), without cost to interoperability with Django REST Framework or to performance. Layout:
  1. Introduction (1 minute) Quick introduction describing the speaker. Links to the slides and the code if you want to follow along at your own pace.
  2. Overview of the Django access control system (2 minutes) Django's access control system is more involved than you might think. It defines the interface for access control and dispatches each check to the configured authentication backends. Not wanting to fork Django itself, we had to work within its limitations.
  3. How Guardian ties into Django (2 minutes) Django Guardian is a popular object-level access control extension for Django; it plugs in as an additional backend. We describe the authorization-related utilities of Guardian that we relied on and had to preserve in our role-based solution.
  4. The great demands of enterprise customers (5 minutes) Enterprise loves control. Over time our customers wanted more and more: a group hierarchy, just-in-time privileged access, delegating permissions to other users, custom permissions, etc. For a while, we accommodated these by additional checks and custom permissions, but cracks were showing.
  5. Key takeaway: the issue is coupling permissions to users and groups (3 minutes) The major source of our frustrations was that Django (and Guardian) ties permissions directly to users and groups. Inserting a new model ("Role") between them seems to address many issues.
  6. How role-based access solved our issues (8 minutes) We go through the list of enterprise demands presented above and show how role-based access control solves each of these issues.
  7. How all this translates to SQL: performance (5 minutes) Our Hippocratic oath, when starting out, was that performance could not get worse. We show the SQL queries our system produces before and after the change and identify the key reasons it is fast.
  8. ABAC? (3 minutes) As we mentioned earlier, enterprise loves control, and ABAC (attribute-based access control) is a superset of RBAC (role-based access control). We solve even the wildest customer requests by embracing customer-written code within Django REST Framework's permission checks, essentially turning our RBAC solution into an ABAC solution, if you have the resources to maintain it yourself.
  9. Outro (1 minute) Quick outro to match the intro with links to everything in the talk. Questions from the audience if time allows.
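To make the key takeaway concrete, here is an added, framework-free sketch of the "Role in the middle" idea from the outline. It is example code written for this page, not authentik's or Guardian's implementation, and every name in it (RoleBackend, RoleAssignment, has_perm, the group and role names) is an assumption. It shows why the indirection helps with the demands listed above: a role assigned to a parent group is inherited through the group hierarchy, an assignment can carry an expiry (just-in-time access), a user can delegate a role they hold to another user for a bounded time, and object-level and model-wide permissions are both just entries in a role. Django's backend would do the same work in SQL; the checks here are plain Python so the logic is visible.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterator

# All names below are hypothetical; this is not authentik's or Guardian's API.


@dataclass(frozen=True)
class Group:
    name: str
    parent: Group | None = None  # nested groups form a hierarchy


@dataclass(eq=False)
class User:
    name: str
    groups: set[Group] = field(default_factory=set)


@dataclass(frozen=True)
class Role:
    """The model inserted between users/groups and permissions."""
    name: str
    # (permission codename, object id); object id None means model-wide
    perms: frozenset[tuple[str, str | None]]


@dataclass(eq=False)
class RoleAssignment:
    role: Role
    user: User | None = None
    group: Group | None = None
    expires_at: datetime | None = None  # time-bound grant = just-in-time access


class RoleBackend:
    """Answers has_perm the way a Django auth backend would, but via roles."""

    def __init__(self) -> None:
        self._assignments: list[RoleAssignment] = []

    def assign(self, role, *, user=None, group=None, ttl=None, now=None):
        if (user is None) == (group is None):
            raise ValueError("assign a role to exactly one of user or group")
        now = now or datetime.now(timezone.utc)
        assignment = RoleAssignment(role, user, group, now + ttl if ttl else None)
        self._assignments.append(assignment)
        return assignment

    @staticmethod
    def group_chain(user: User) -> set[Group]:
        """The user's groups plus every ancestor group (hierarchy walk)."""
        seen: set[Group] = set()
        stack = list(user.groups)
        while stack:
            group = stack.pop()
            if group in seen:
                continue
            seen.add(group)
            if group.parent is not None:
                stack.append(group.parent)
        return seen

    def roles_for(self, user: User, now=None) -> Iterator[Role]:
        now = now or datetime.now(timezone.utc)
        chain = self.group_chain(user)
        for a in self._assignments:
            if a.expires_at is not None and a.expires_at <= now:
                continue  # expired just-in-time grant no longer counts
            if a.user is user or (a.group is not None and a.group in chain):
                yield a.role

    def has_perm(self, user: User, perm: str, obj_id=None, now=None) -> bool:
        # A model-wide entry or an entry for this exact object both satisfy the check.
        wanted = {(perm, None), (perm, obj_id)}
        return any(wanted & role.perms for role in self.roles_for(user, now))

    def delegate(self, granter: User, role: Role, grantee: User, ttl, now=None):
        """Let a user hand a role they currently hold to another user, time-boxed."""
        now = now or datetime.now(timezone.utc)
        if role not in set(self.roles_for(granter, now)):
            raise PermissionError(f"{granter.name} does not hold {role.name}")
        return self.assign(role, user=grantee, ttl=ttl, now=now)


def demo(now: datetime | None = None) -> dict[str, bool]:
    """Constructed scenario covering hierarchy, JIT expiry, delegation, object scope."""
    now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
    backend = RoleBackend()
    engineering = Group("engineering")
    sre = Group("sre", parent=engineering)
    alice, bob = User("alice", {sre}), User("bob")
    viewer = Role("app-viewer", frozenset({("view_application", None)}))
    admin = Role("app-admin", frozenset({("change_application", "app-42")}))
    backend.assign(viewer, group=engineering, now=now)
    backend.assign(admin, user=alice, ttl=timedelta(hours=1), now=now)
    backend.delegate(alice, admin, bob, ttl=timedelta(minutes=30), now=now)
    later = now + timedelta(hours=2)
    return {
        "alice_views_via_parent_group": backend.has_perm(alice, "view_application", now=now),
        "alice_changes_app42": backend.has_perm(alice, "change_application", "app-42", now=now),
        "alice_changes_other_app": backend.has_perm(alice, "change_application", "app-7", now=now),
        "bob_changes_app42_delegated": backend.has_perm(bob, "change_application", "app-42", now=now),
        "bob_views": backend.has_perm(bob, "view_application", now=now),
        "alice_changes_app42_after_expiry": backend.has_perm(alice, "change_application", "app-42", now=later),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the sketch is that none of the four enterprise demands required touching the user or group models: hierarchy is a property of groups, expiry and delegation are properties of the assignment, and object scope is a property of the role's permission entries. The check itself stays a single question per request, which is what keeps the SQL version to a small join rather than a growing set of ad-hoc conditions.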