The security manager it's the entry point to validate the configuration of the current user against the configured permission policies. It is accessed and defined using the global functions `get_security_manager` and `set_security_manager`
| 16 | |
| 17 | |
| 18 | class SecurityManager: |
| 19 | """ |
| 20 | The security manager it's the entry point to validate the configuration of the current user against the configured permission policies. |
| 21 | It is accessed and defined using the global functions `get_security_manager` and `set_security_manager` |
| 22 | """ |
| 23 | |
| 24 | def __init__( |
| 25 | self, |
| 26 | project: str, |
| 27 | registry: BaseRegistry, |
| 28 | ): |
| 29 | self._project = project |
| 30 | self._registry = registry |
| 31 | self._current_user: ContextVar[Optional[User]] = ContextVar( |
| 32 | "current_user", default=None |
| 33 | ) |
| 34 | |
| 35 | def set_current_user(self, current_user: User): |
| 36 | """ |
| 37 | Init the user for the current context. |
| 38 | """ |
| 39 | self._current_user.set(current_user) |
| 40 | |
| 41 | @property |
| 42 | def current_user(self) -> Optional[User]: |
| 43 | """ |
| 44 | Returns: |
| 45 | str: the possibly empty instance of the current user. `contextvars` module is used to ensure that each concurrent request has its own |
| 46 | individual user. |
| 47 | """ |
| 48 | return self._current_user.get() |
| 49 | |
| 50 | @property |
| 51 | def permissions(self) -> list[Permission]: |
| 52 | """ |
| 53 | Returns: |
| 54 | list[Permission]: the list of `Permission` configured in the Feast registry. |
| 55 | """ |
| 56 | return self._registry.list_permissions(project=self._project) |
| 57 | |
| 58 | def assert_permissions( |
| 59 | self, |
| 60 | resources: list[FeastObject], |
| 61 | actions: Union[AuthzedAction, List[AuthzedAction]], |
| 62 | filter_only: bool = False, |
| 63 | ) -> list[FeastObject]: |
| 64 | """ |
| 65 | Verify if the current user is authorized to execute the requested actions on the given resources. |
| 66 | |
| 67 | If no permissions are defined, the result is to deny the execution. |
| 68 | |
| 69 | Args: |
| 70 | resources: The resources for which we need to enforce authorized permission. |
| 71 | actions: The requested actions to be authorized. |
| 72 | filter_only: If `True`, it removes unauthorized resources from the returned value, otherwise it raises a `FeastPermissionError` the |
| 73 | first unauthorized resource. Defaults to `False`. |
| 74 | |
| 75 | Returns: |
no outgoing calls