repoze.what – Authorization for WSGI applications
repoze.what is an authorization framework for WSGI applications,
based on repoze.who (which deals with authentication and
On the one hand, it enables an authorization system based on the groups to
which the authenticated or anonymous user belongs and the permissions
granted to such groups by loading these groups and permissions into the
request on the way in to the downstream WSGI application.
And on the other hand, it enables you to manage your groups and permissions
from the application itself or another program, under a backend-independent
API. For example, it would be easy for you to switch from one back-end to
another, and even use this framework to migrate the data.
This is just the authorization pattern it supports out-of-the-box, but you
can make it support other authorization patterns with your own
predicates. It’s highly extensible, so it’s
very unlikely that it will get in your way – among other things, you can
extend it to check for many conditions (such as checking that the
user comes from a given country, based on her IP address).
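As an added illustration (not code from repoze.what itself), the stand-alone Python below mirrors the predicate pattern described above: a permission check and a network-based check composed with an All predicate. The Predicate, has_permission and All classes are simplified stand-ins for the real repoze.what ones, and the 'repoze.what.credentials' environ key is assumed to follow repoze.what 1.x's convention.

```python
import ipaddress

class NotAuthorizedError(Exception):
    """Raised by a predicate that is not met."""

class Predicate:
    # Stand-in for repoze.what.predicates.Predicate (not the library's code):
    # subclasses implement evaluate() and call unmet() when the check fails.
    message = 'Not authorized'
    def evaluate(self, environ, credentials):
        raise NotImplementedError

    def unmet(self, **placeholders):
        raise NotAuthorizedError(self.message % placeholders)

    def is_met(self, environ):
        # Boolean form over the credentials repoze.what loads into environ.
        try:
            self.evaluate(environ, environ.get('repoze.what.credentials', {}))
        except NotAuthorizedError:
            return False
        return True

class has_permission(Predicate):
    message = 'The user must have the "%(permission)s" permission'
    def __init__(self, permission):
        self.permission = permission
    def evaluate(self, environ, credentials):
        if self.permission not in credentials.get('permissions', ()):
            self.unmet(permission=self.permission)

class client_in_network(Predicate):
    message = 'The client address must be within %(network)s'
    def __init__(self, network):
        self.network = ipaddress.ip_network(network)
    def evaluate(self, environ, credentials):
        # REMOTE_ADDR is set by the server; X-Forwarded-For is client-supplied
        # and must not be trusted unless a trusted proxy overwrites it.
        try:
            addr = ipaddress.ip_address(environ.get('REMOTE_ADDR', ''))
        except ValueError:
            self.unmet(network=self.network)
        if addr not in self.network:
            self.unmet(network=self.network)

class All(Predicate):
    # Met only when every wrapped predicate is met; the first failure wins.
    def __init__(self, *predicates):
        self.predicates = predicates
    def evaluate(self, environ, credentials):
        for predicate in self.predicates:
            predicate.evaluate(environ, credentials)
```

A missing or malformed REMOTE_ADDR is treated as not authorized rather than raising, so a misconfigured server fails closed.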
Unless mentioned otherwise, the following features are available in
repoze.what and its official plugins:
- Web framework independent. You can use it on any WSGI
application and any WSGI framework (or no framework at all). Web frameworks
may provide integration with it (like TurboGears 2, which features a strong integration with
- Authorization only. It doesn’t try to be an all-in-one auth
monster – it will only do authorization and nothing else.
- Highly extensible. It’s been created with extensibility in mind, so
that it won’t get in your way and you can control authorization however you
want or need, either with official components, third party plugins or your
- Fully documented. If it’s not described in the manual, it doesn’t exist.
Everything is documented along with examples.
- Reliable. We are committed to keep the code coverage at 100%.
- Control access to any resource. Although it’s only recommended to control
authorization on action controllers, you can also use it to restrict access
to other things in your package (e.g., only allow access to a database table
if the current user is the admin).
- If you use the groups/permissions-based authorization pattern, your
application’s groups and permissions may be stored in an SQLAlchemy
or Elixir-managed database, in .ini files or in XML files (although
you may also create your own adapters!).
- The only requirement is that you use the powerful and extensible
repoze.who authentication framework (which can be configured for you
with the quickstart plugin, repoze.what.plugins.quickstart).
- It works with Python 2.4, 2.5 and 2.6.
- It’s not hard to get started!
And according to the to-do list,
we will have official plugins to:
- Enable OAuth support.
- Enable authorization based on certain network conditions
(e.g., grant access if the user’s IP address belongs to a given IP range,
deny access if the user’s host name is “example.org”, grant access based on
the user’s ISP).
- Enable authorization based on client-side SSL certificates (e.g., allow access if the
Certificate Authority is XYZ, allow access if the user is called “John
Smith” or “Foo Bar”).
- Enable authorization based on LDAP attributes of the authenticated user’s
entry (e.g., allow access if the user can be reached at a cellular phone,
allow access if the user belongs to the “ABC” organization), as well as
the ability to re-use LDAP Organizational Units as groups.
- Enable a highly extensible CAPTCHA
driven authorization mechanism to restrict access to a given resource
(possibly the hardest to create plugin).
- Store groups in Htgroups.
How to install
The only requirement of repoze.what is repoze.who, and you can
install both by running:
The development mainline is available at the following Subversion repository:
The following documents will help you implement repoze.what in your
framework (if any):
If you have written documents to implement repoze.what in a web
framework, please let us know
to get a link here.
How to get help?
The preferred place to ask questions is the Repoze mailing list or the #repoze IRC channel. Bug reports and feature
requests should be sent to the issue tracker of the Repoze project.
If you have problems, please don’t forget to include the output of your
application with the AUTH_LOG environment variable set to 1 when you
get in touch with us. For example, if your application is based on TurboGears
or Pylons, you may run it with the following command:
AUTH_LOG=1 paster serve --reload development.ini