Home
Role-Based Access Control (RBAC) APIs for Python projects. The back-end is LDAP, an industry standard and proven means of processing security operations and data. Yes, it would be easier for projects to get started with something simple, like a file-based back-end. But there are far too many drawbacks to that approach in production.
PY-Fortress uses the same logical and physical data model as Apache Fortress. We're good there because plenty of implementations use it and it's stable. It depends on python-ldap to access LDAP, which is also proven, efficient and most important -- stable.
We're talking Python here and Apache Fortress is written in Java. Yes, you could deploy the Apache Fortress REST server in your network and let your Python applications communicate with it over HTTP. That's certainly a viable option and we're not telling you not to do that. However, from a simplicity standpoint, it's easier and more efficient to skip the extra hop and communicate directly with the system of record, i.e. LDAP.
It's unproven. Wait, you just told us it's proven! Well, yes and no. Certainly, using LDAP to store and process security data is. Also, the Apache Fortress way of performing authorization by calling RBAC APIs is a best practice. But, this particular Python API implementation is still, um, "fresh".
This takes a leap of faith. It "should" work because we've vast experience doing this "kind" of thing. We've thought about it carefully. There aren't many gotchas that haven't already got us. These APIs have been reviewed and tested. But, to date, it hasn't been used in production (that we know of).
But, there will be bugs. You have our commitment to fix them in a "timely" manner on a "best effort" basis. Security defects will be given priority. Also, we'll answer your questions on getting started and integrating with Python apps. We'll learn together, with the benefit being that our application security is not haphazard and uses best practices. That's not exactly a guarantee, but it's the best we've got.
-- Shawn