Jeremy Stretch - Leveraging the ORM to enforce object level permissions

DjangoCon US

23 Oct 202127:52

Summary

TLDRJeremy Stretch's DjangoCon 2021 presentation introduces an advanced object-based permissions system for Django, developed for NetBox, a network infrastructure modeling application. The talk outlines the limitations of Django's default permissions and explores third-party packages before diving into a custom solution using JSON-stored QuerySet filters. This approach allows dynamic permissions based on object attributes, offering scalability and flexibility for diverse user needs. Stretch also discusses the implementation of a custom authentication backend and atomic transactions for secure object modifications, with plans to release the solution as a standalone package for the Django community.

Takeaways

😀 Jeremy Stretch, a former network engineer turned software developer, is the founder and lead maintainer of NetBox, an application for modeling network infrastructure.
🔧 NetBox is built on Django and has around 70 complex models with various relationships, making it an advanced application popular for managing large-scale network infrastructures.
🌐 NetBox's user base is diverse, with users having large networks and unique use cases, leading to the need for more robust permission systems beyond Django's native capabilities.
🛠️ Jeremy discussed the limitations of Django's default permissions system, which are based on models and do not support object-level permissions out of the box.
🔒 The talk focused on implementing object-based permissions in Django, allowing permissions to be granted for subsets of objects on a dynamic basis, even for objects not yet created.
📝 The default Django permissions are automatically created with four CRUD actions (view, add, change, delete) for each model, named in the format 'app_label.action_model_name'.
📦 Third-party packages like django-guardian and django-rules were considered for object-based permissions but did not meet NetBox's requirements due to scalability and flexibility issues.
💡 A custom solution was developed for NetBox that uses JSON to store QuerySet filters in the database, allowing for complex, attribute-based permissions.
🔄 The custom permissions system involves creating an ObjectPermission model that captures the flexibility of Django's ORM for permissions enforcement, using JSON to define constraints.
🔑 A custom authentication backend was implemented to support the new permissions logic, overriding Django's ModelBackend to handle object-level permissions evaluation.
🔍 The permissions are applied using a RestrictedQuerySet manager that simplifies the process of filtering objects based on user permissions and object attributes.

Q & A

What is the main topic of Jeremy Stretch's presentation at DjangoCon 2021?
-Jeremy Stretch's presentation is about implementing object-based permissions in Django, focusing on how to grant permissions to users or groups for subsets of objects dynamically.
What is Jeremy Stretch's professional background before becoming a software developer?
-Jeremy Stretch was a former network engineer before transitioning into full-time software development.
What is NetBox and why was it created?
-NetBox is an application for modeling network infrastructure, including data center infrastructure and IP address management. It was conceived at DigitalOcean and released as an open source project under the Apache 2 license in 2016.
How does the diversity of NetBox's user base present challenges in terms of permissions?
-The diversity of NetBox's user base, which includes users with large networks and unpredictable use cases across different industries and organizational sizes, presents challenges in creating a permissions system that can accommodate unique approaches and requirements.
What is the default permissions backend in Django and how does it work?
-The default permissions backend in Django is ModelBackend, which automatically creates four default permissions (view, add, change, delete) for each model, following a specific naming structure.
Why did Jeremy Stretch and his team decide to build their own permissions system for NetBox?
-They decided to build their own permissions system because existing packages like django-guardian and django-rules did not meet their needs for scalability and flexibility, especially considering the unpredictable and diverse use cases of NetBox users.
What is the key idea behind the custom permissions system developed for NetBox?
-The key idea is to declare QuerySet filters in JSON, store them in the database, and use these filters to enforce permissions on objects based on their attributes, leveraging the flexibility of Django's ORM.
How does the ObjectPermission model differ from Django's stock Permission model?
-The ObjectPermission model bundles model-based permissions together, allowing for more streamlined permission assignments, while the stock Permission model has one instance per content type per action.
What is the purpose of the RestrictedQuerySet manager in the custom permissions system?
-The RestrictedQuerySet manager simplifies the process of applying permissions to a QuerySet by providing a .restrict method that takes the user and the desired action as parameters, handling the permissions retrieval and caching behind the scenes.
How does the custom permissions system handle the modification of objects to ensure they remain in a permitted state?
-The system uses Atomic Transactions to check the pre-modified and post-modified states of an object. If the modified object no longer meets the permissions criteria, a custom exception is raised, undoing the transaction and preventing the changes from being saved to the database.
What is the current status of the custom permissions system developed for NetBox?
-The custom permissions system has been implemented in NetBox version 2.10 and is being worked on to be extracted as a standalone package, expected to be available by the end of 2021 or early 2022.