repoze.what – Authorization for WSGI applications¶

Features¶

Unless mentioned otherwise, the following features are available in repoze.what and its official plugins:

• Web framework independent. You can use it on any WSGI application and any WSGI framework (or no framework at all). Web frameworks may provide integration with it (like TurboGears 2, which features a strong integration with repoze.what).
• Authorization only. It doesn’t try to be an all-in-one auth monster – it will only do authorization and nothing else.
• Highly extensible. It’s been created with extensibility in mind, so that it won’t get in your way and you can control authorization however you want or need, either with official components, third party plugins or your own plugins.
• Fully documented. If it’s not described in the manual, it doesn’t exist. Everything is documented along with examples.
• Reliable. We are committed to keep the code coverage at 100%.
• Control access to any resource. Although it’s only recommended to control authorization on action controllers, you can also use it to restrict access to other things in your package (e.g., only allow access to a database table if the current user is the admin).
• If you use the groups/permissions-based authorization pattern, your application’s groups and permissions may be stored in an SQLAlchemy or Elixir-managed database, in .ini files or in XML files (although you may also create your own adapters!).
• The only requirement is that you use the powerful and extensible repoze.who authentication framework (which can be configured for you with the quickstart <repoze.what.plugins.quickstart plugin).
• It works with Python 2.4, 2.5 and 2.6.
• It’s not hard to get started!

And according to the to-do list, we will have official plugins to:

• Enable OAuth support.
• Enable authorization based on certain network conditions (e.g., grant access if the user’s IP address belongs to a given IP range, deny access if the user’s host name is “example.org”, grant access based on the user’s ISP).
• Enable authorization based on client-side SSL certificates (e.g., allow access if the Certificate Authority is XYZ, allow access if the user is called “John Smith” or “Foo Bar”).
• Enable authorization based on LDAP attributes of the authenticated user’s entry (e.g., allow access if the user can be reached at a cellular phone, allow access if the user belongs to the “ABC” organization), as well as the ability to re-use LDAP Organizational Units as groups.
• Enable a highly extensible CAPTCHA driven authorization mechanism to restrict access to a given resource (possibly the hardest to create plugin).
• Store groups in Htgroups.

How to install¶

The only requirement of repoze.what is repoze.who and you can install both by running:

easy_install repoze.what

The development mainline is available at the following Subversion repository:

http://svn.repoze.org/repoze.what/branches/1.X/

Framework-specific documentation¶

The following documents will help you implement repoze.what in your framework (if any):

• TurboGears: repoze.who and repoze.what are the default authentication and authorization frameworks (respectively) in TurboGears 2 applications. Learn more about them inside TurboGears.
• Authorization with repoze.what on Pylons.

If you have written documents to implement repoze.what in a web framework, please let us know to get a link here.

How to get help?¶

The prefered place to ask questions is the Repoze mailing list or the #repoze IRC channel. Bugs reports and feature requests should be sent to the issue tracker of the Repoze project.

If you have problems, please don’t forget to include the output of your application with the AUTH_LOG environment variable set to 1 when you get in touch with us. For example, if your application is based on TurboGears or Pylons, you may run it with the following command:

AUTH_LOG=1 paster serve --reload development.ini

Contents¶