The document provides an overview of security concepts in Pyramid including authentication, authorization, and implementing a security pyramid. It discusses authentication basics like authenticated_userid and remember/forget. Authorization basics like has_permission and principals_allowed_by_permission are also covered. The document then demonstrates how to enable authentication and authorization policies in Pyramid. Common bundled policies like AuthTktAuthenticationPolicy are described. More advanced topics covered include implementing custom authentication and authorization as well as using ACLs and resources to control access.

1. Pyramid Security

2. Who are you?
村岡友介
MURAOKA Yusuke
@jbking
Self Contractor
pylons-ja
pypy-ja
django-ja

3. Agenda
Security
Basics
Authentication
Authorization
Advanced

4. Before dive into...
http://bit.ly/PyramidSecurity-

5. What about Security
applicatio csrf,
n injections,
Tons of topics we xss
could discuss identifier,
framework authn,
Can be categorized authz
into some layers poisoning,
infra-
structure sniffing,
We focus today
“framework”layer
ddos
shoulder
social
hack

6. No Security Pyramid
development.ini
production.ini
proj/templates/mytemplate.pt
proj/models.py
proj/views.py
proj/scripts
proj/scripts/initializedb.py
proj/scripts/__init__.py
proj/__init__.py
proj/tests.py
small starting...

7. No Security Pyramid
development.ini
Configuration
production.ini
proj/templates/mytemplate.pt
proj/models.py
MV of MVC
proj/views.py
proj/scripts
proj/scripts/initializedb.py
proj/scripts/__init__.py
proj/__init__.py Make WSGI app
proj/tests.py
small starting...

8. Security

9. Basics
Authentication
/etc/passwd
Authorization
ls -l .
-rw-r--r-- 1 yusuke staff

10. Basics

11. Basics

12. Easy enough?

13. How to Enable Security
# in bootstrap
authentication_policy = AnAuthenticationPolicy()
authorization_policy = AnAuthorizationPolicy()
config = Configurator(settings=settings)
config.set_authentication_policy(authentication_policy)
config.set_authorization_policy(authorization_policy)
# in views
@view_config(permission=’...’, ...)
def logout(request):
headers = forget(request)
...

14. Authentication in
Usage
authenticated_userid(request)
unauthenticated_userid(request)
effective_principals(request)
forget(request)
remember(request, principal, **kw)

15. Authentication in
Usage
authenticated_userid(request)
unauthenticated_userid(request)
effective_principals(request)
forget(request) Response
remember(request, principal, **kw) Headers

16. Authentication Policy
interface IAuthenticationPolicy
authenticated_userid(request)
unauthenticated_userid(request)
effective_principals(request)
remember(request, principal, **kw)
forget(request)

17. Authentication Policy
interface IAuthenticationPolicy
authenticated_userid(request)
unauthenticated_userid(request) Principals
effective_principals(request)
remember(request, principal, **kw) Response
forget(request) Headers

18. Bundled
Authentication Policy
AuthTktAuthenticationPolicy
RemoteUserAuthenticationPolicy
RepozeWho1AuthenticationPolic
y

19. Authorization in Usage
has_permission(permission, context, request)
principals_allowed_by_permission(context, permission)
view_execution_permitted(context, permission, name=’’)

20. Authorization in Usage
Check
has_permission(permission, context, request) Permissio
n
principals_allowed_by_permission(context, permission)
view_execution_permitted(context, permission, name=’’)

21. Authorization Policy
interface IAuthorizationPolicy
principals_allowed_by_permission(context, permission)
permits(context, principals, permission)

22. Authorization Policy
interface IAuthorizationPolicy
principals_allowed_by_permission(context, permission)
Check
permits(context, principals, permission) Permissio
n

23. Bundled Authorization
Policy
ACLAuthorizationPolic

24. Any Question?

25. Advanced

26. Security Pyramid
development.ini
production.ini
proj/templates/mytemplate.pt
proj/models.py
proj/views.py
proj/resources.py
proj/authentication.py
proj/authorization.py
...

27. Security Pyramid
development.ini
production.ini
proj/templates/mytemplate.pt
proj/models.py
proj/views.py
proj/resources.py Find Resource
proj/authentication.py
Custom Security
proj/authorization.py
...

28. Typical Stack
# in bootstrap
authentication_policy =
CustomAuthTktAuthenticationPolicy('seekrit')
authorization_policy = ACLAuthorizationPolicy()
config.add_route(..., ..., factory=resources.find_object)
# in resources
def find_object(request):
obj = ...
assert getattr(obj, ‘__acl__’, None) is not None
return obj
# in models
class Model:
__acl__ = [(Allow, Authenticated, ‘view’)]

29. Always Tom
Authentication
class AlwaysTomPolicy(CallbackAuthenticationPolicy):
def unauthenticated_userid(self, request):
return ‘tom’
def remember(self, request, principal, **kw):
return []
def forget(self, request):
return []

30. LDAP? Other Authn?
pip search repoze.who

31. Any Question again?

32. Thanks :)