A framework for unified authorization in Elixir

A framework for unified authorization in Elixir - Michał Buszkiewicz - Elixir Meetup #5

Learn about the limitations of existing authorization libraries and presented a more flexible and comprehensive solution designed to integrate seamlessly with Plug, LiveView, and other frameworks.

Table of contents

    About Michał Buszkiewicz

    Michał Buszkiewicz is an expert in Elixir and the Phoenix Framework with a background in Ruby on Rails. As the co-founder and CTO at Curiosum, he trains junior Elixir developers and specializes in creating innovative solutions for complex problems.

    Understanding Authorization Models

    Different Approaches to Authorization

    Michał began by explaining various authorization models, including Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC). Each model has its strengths and is suited for different types of applications.

    Key Models:

    • MAC: Limits access based on information sensitivity and subject authorization.
    • DAC: Uses Access Control Lists (ACL) for individual resource permissions.
    • RBAC: Permissions are based on user roles.
    • ABAC: Uses attributes of subjects and objects for authorization.

    The Need for a Unified Framework

    Limitations of Existing Solutions

    Michał reviewed existing authorization libraries in Elixir, pointing out their limitations, such as lack of flexibility, inability to reflect on permissions, and poor integration with frameworks like LiveView and Absinthe.

    Common Issues:

    • Rigid Structures: Existing libraries are often too rigid and hard to integrate.
    • No LiveView Support: Few libraries support both Plug and LiveView.
    • Lack of Query Building: Difficulty in building queries for accessible records based on permissions.

    The Proposed Solution

    Structural Permission Building

    The proposed framework uses structural permission building to allow for greater flexibility and the ability to construct Ecto queries based on user permissions. This approach supports both plain Elixir syntax and structural definitions for permissions.

    Key Features:

    • Plain Elixir Syntax: Easy to read and write permissions.
    • Reflective Capabilities: Ability to build queries and scopes based on permissions.
    • Integration with Frameworks: Supports Plug, LiveView, and potentially Absinthe.

    Implementing the Framework

    Defining Permissions

    Michał demonstrated how to define permissions using the new framework. He explained the use of CRUD (Create, Read, Update, Delete) actions and how to map custom actions to these verbs.

    Example:

    • CRUD Model: Basic permission definitions using CRUD actions.
    • Custom Actions: Mapping custom actions to CRUD verbs or defining new permissions.

    Environment Agnostic Authorization

    The framework is designed to be environment agnostic, meaning it can be used across different contexts like web controllers, LiveView, and GraphQL without modifications to the core permission definitions.

    Key Concepts:

    • Unified Permissions: Define permissions once for the entire application.
    • Adaptable Resolvers: Use resolvers to adapt permissions to specific frameworks.

    Practical Application

    Integration with Plug and LiveView

    Michał showed how to integrate the framework with Plug and LiveView, using hooks to manage authorization in different lifecycle phases. This integration ensures seamless permission checks in both traditional and real-time applications.

    Integration Steps:

    • Plug Integration: Using modules and configuration for authorization in controllers.
    • LiveView Integration: Utilizing hooks for mount and handle_params lifecycle phases.

    Future Development

    Expanding Framework Capabilities

    Michał discussed future plans for the framework, including better integration with Absinthe, improved query building capabilities, and expanding community involvement to refine and enhance the library.

    Future Goals:

    • Absinthe Integration: Supporting GraphQL authorization.
    • Enhanced Query Building: Automatic construction of Ecto queries based on permissions.
    • Community Collaboration: Open sourcing the project for broader contributions.

    Conclusion

    Michał Buszkiewicz's presentation at Elixir Meetup #5 highlighted the need for a unified authorization framework in Elixir. By addressing the limitations of existing solutions and introducing a flexible, integrative approach, this framework aims to simplify and enhance authorization across various contexts in Elixir applications.

    Join the Community

    Ready to explore the authorization in your Elixir projects?

    Register for the next Elixir Meetup at Curiosum Meetups: Registration Join our community of Elixir enthusiasts at Elixir LinkedIn Group Prefer watching the presentation? Here’s the video

    Mikołaj Musioł Recruitment Specialist
    Mikołaj Musioł IT Recruitment & HR Specialist

    Read more
    on #curiosum blog

    Bringing SOLID to Elixir

    Bringing SOLID to Elixir

    The SOLID principles, originally designed for object-oriented programming, can also be adapted effectively to functional programming languages like Elixir. Read how to apply it to create more maintainable, scalable, and adaptable software systems.