
Introducing Yosai: A Security Framework for Python Applications - Dowwie
http://daringordon.com/introducing_yosai
======
eganist
Regarding an audit, please apply to the Open Tech Fund's Red Team Lab:
[https://www.opentech.fund/lab/red-team-lab](https://www.opentech.fund/lab/red-team-lab)

Speaking from experience, Cyph had its audit done through them last year (via
cure53 specifically).

~~~
Dowwie
Thanks, will check this out.

------
vault_
A few questions/observations from reading over the docs and source code.
There's not necessarily any significance to the order, or weight to the
observations.

With the recent NPM stuff fresh in my mind, it seems like you've got a lot of
data serialization libraries as dependencies (YAML, msgpack, rapidjson,
marshmallow). Are all of those really needed? Why depend on rapidjson at all
when Python has builtin json support? It'd be nice if the default config used
only builtin libraries here and allowed users to use something fancier or
faster if they wanted to.

It's not spelled out particularly well how subjects actually acquire roles and
permissions, or how given a subject I'd go about giving them new permissions.

More integration how-tos in general would help a lot with getting started.
e.g. Here's how to make this work in a single sign-on environment. Or here's
how to use ldap for authentication. Or (how I would want to use this) here's
how to use SSO for authentication, group memberships from LDAP, and
permissions those groups have from a database.

Is there any way to deny privileges based on permission/role? e.g. If I have a
forum that doesn't allow new users to post until they've been vetted, I'd like
to be able to say posting requires the 'user' role, but forbids the 'new user'
role. Is there some other way to quarantine users?

You say "Because most account stores usually contain Subject information such
as usernames and passwords, a Realm can act as a pluggable authentication
module in a PAM configuration". Do you just mean that a realm is similar to a
PAM module? Because it sounds like you're saying you can actually stick a
Yosai Realm in a PAM config. I can see the similarities between a hypothetical
LDAPRealm and pam_ldap.so in terms of authentication, but do realms have
analogies in other behaviors of PAM modules?

You describe Yosai as being batteries included, but don't seem to be including
many useful batteries (LDAP, OAuth, SAML). I know this is an early release,
but do you see these being added to the base library?

Yosai_AlchemyStore gives me yet another user model (that claims the user table
no less!). Can't I provide it with my own?

This is promising though! Most similar libraries tend to be tied to one
specific framework or another, so it would be very nice to have something
standalone.

(edited for grammar/coherency/tone)

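The "requires the 'user' role but forbids the 'new user' role" question above is a deny-overrides policy: a forbidden role must block access even when every required role is also held. The snippet below is an added illustration of that evaluation order, written as a small stand-alone policy model; it is not Yosai's API and not code from the project, and the `Rule`/`Authorizer` names, the `forum:*` permission strings and the LDAP-style group names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Hypothetical policy model (not Yosai's API): a permission is granted only if
# the subject holds every role in `requires` and none of the roles in `forbids`.
@dataclass(frozen=True)
class Rule:
    permission: str
    requires: FrozenSet[str]
    forbids: FrozenSet[str] = frozenset()


class Authorizer:
    def __init__(self, rules: Iterable[Rule]) -> None:
        self._rules = {r.permission: r for r in rules}

    def decide(self, roles: Iterable[str], permission: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Deny wins: forbidden roles are checked
        before required roles, and an unknown permission is denied."""
        rule = self._rules.get(permission)
        if rule is None:
            return False, f"no rule for {permission!r} (default deny)"
        held = frozenset(roles)
        blocked = held & rule.forbids
        if blocked:
            return False, f"forbidden role(s) present: {sorted(blocked)}"
        missing = rule.requires - held
        if missing:
            return False, f"missing required role(s): {sorted(missing)}"
        return True, "all required roles held, no forbidden roles"

    def is_permitted(self, roles: Iterable[str], permission: str) -> bool:
        return self.decide(roles, permission)[0]


# Constructed sample: directory group memberships (as an LDAP lookup might
# return them) mapped to application roles. A quarantined account sits in the
# probation group in addition to the members group.
GROUP_TO_ROLES = {
    "cn=members,ou=groups": {"user"},
    "cn=probation,ou=groups": {"new user"},
    "cn=staff,ou=groups": {"user", "moderator"},
}

# Constructed forum policy: posting needs 'user' and is blocked by 'new user'.
FORUM_POLICY = Authorizer([
    Rule("forum:post", requires=frozenset({"user"}), forbids=frozenset({"new user"})),
    Rule("forum:read", requires=frozenset({"user"})),
    Rule("forum:vet_user", requires=frozenset({"moderator"})),
])


def roles_for(groups: Iterable[str]) -> FrozenSet[str]:
    """Union of the roles granted by each group; unknown groups grant nothing."""
    roles: set = set()
    for group in groups:
        roles |= GROUP_TO_ROLES.get(group, set())
    return frozenset(roles)


def can_post(groups: Iterable[str]) -> bool:
    return FORUM_POLICY.is_permitted(roles_for(groups), "forum:post")


if __name__ == "__main__":
    for label, groups in [
        ("probationary member", ["cn=members,ou=groups", "cn=probation,ou=groups"]),
        ("vetted member", ["cn=members,ou=groups"]),
        ("staff", ["cn=staff,ou=groups"]),
    ]:
        allowed, why = FORUM_POLICY.decide(roles_for(groups), "forum:post")
        print(f"{label}: post={'allowed' if allowed else 'denied'} ({why})")
```

Lifting the quarantine is then a directory change (drop the account from the probation group) rather than a policy change, and `decide` returns the reason for each denial so the ordering of the checks can be audited.
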
~~~
Dowwie
Thanks for your constructive feedback!

You raise a good point about serialization and I generally agree with you
about "dependency risk". I will mull this over but welcome you to join me.

I am using a mobile app to respond and can't get back to your other remarks, so
consider this response part 1.

------
brudgers
Looks interesting. Curious if there has been a security audit.

~~~
Dowwie
Author here. An audit is advisable and welcome.

------
awinter-py
No OAuth support? That's the piece that's lacking in Python. We want something
like Ruby's OmniAuth.

~~~
Dowwie
Sure, there's support for it, if someone writes the extensions.

------
bulutsuzku
Does it implement ABAC/XACML wrappers?

~~~
Dowwie
no.

