XEFI Logo Entitled
Getting Started

Quickstart

Getting started with Entitled.

Installation

Entitled can be installed with Pip, Poetry or uv. Other tools have not been tested.

Entitled also requires Python >= 3.12.

pip install entitled
poetry install entitled
uv add entitled

Basic usage

Entitled revolves around two core elements. :

  • Rules are Python functions implementing your authorization logic.
  • Policies are sets of Rules relating to the same type of resource.

You can declare a new Policy on the Post type like so:

import entitled

post_policy = entitled.Policy[Post]()

A Policy provides a decorator to easily register rules. You only need to tack it onto a Python function implementing some authorization logic. You will also need to provide it with a name.

@post_policy.rule("edit")
def can_edit_post(actor, resource: Post, context) -> bool:
    return resource.owner == actor

To be a valid rule, a function must follow a specific signature defined by Entitled. In particular, it must have the three parameters actor, resource , context.

The context parameter is made available as a tool to provide additional context info that can simply be determined from the (resource, actor) tuple. More on that later.

Making authorization decisions

The Client

While you can technically call Policies directly, you will want to use an instance of Client class.

import entitled

auth_client = entitled.Client()

This client will serve as your single source of truth for all your authorization decisions. Once it is declared, you can register policies on it using the register() method.

auth_client.register(post_policy)
Manually registering policies may sound cumbersome... and rightfully so. Entitled provides a mechanism to auto-discover and register policies. More on that later.

Making decisions

Once your policies are registered, making authorization decisions is extremely simple! The Client object provides the allows function to evaluate a rule. This function takes as parameters the name of the rule you want to authorize, an actor, a resource and optionally a context dictionary.

if auth_client.allows("edit", actor, resource):
    # Your application logic...

The allows functions returns a boolean indicating whether the actor can perform the given action.

If you want, you can also make use of the authorize methods that will automatically raise an AuthorizationException if the user is not allowed to perform the action. Both function are called the exact same way.

Wrapping things up

That's it for the absolute basics of Entitled! But we barely scratched the surface here, as the library offers many more features, including but not limited to :

  • Resource-bound policies, or how to group your rules around a specific resource type.
  • Auto-discovery of policies.
  • Answering the question "What can this actor do?"

Check out the detailed documentation!

Overview

Welcome to Entitled!

Core Concepts

The core concepts behind Entitled

Copyright © 2024