Rails Authorization Plugins
14. August 2008
There seems to be a consensus to choose restful_authentication as the Rails way of securing the identity of users, at least with local user databases (in contrast to e.g. OpenID authentication). For authorization, i.e. restricting the access rights of users, the situation is different: there are lots of alternatives. This is probably due to the varying requirements that projects have in the case of authorization. While there are lists and surveys of Rails authorization plugins, I was missing an overview that could help in the decision making process of choosing the right plugin for specific requirements.
Here, I tried to examine each plugin according to a few categories.
- Access control may be enforced on different layers, in the model, for controller actions and in views.
- Most plugins have some user and role concept for restricting access. Authorization constraints allow more fine-grained decisions, though, by defining conditions that need to be met, probably on a context object, in order to grant access.
- It is common to define access rules through Access Control Lists (ACL) whereby an object has a list of users or roles that are allowed to operate on the object. ACLs may increase authorization maintenance as new users or roles need to be added at multiple places. In contrast, Privileges, as known from RBAC, are a further abstraction. Thus, users or roles may possess privileges, which are, on the other hand, assigned as a requirement to operations on the objects.
A table of the evaluated authorization plugins, roughly sorted by activity:
| Restrictions for | Model | Controller action |
View | Authorization constraints |
Privileges | Last activity |
|
|---|---|---|---|---|---|---|---|
| Authorization | Yes | Yes | No | Yes | No | recently | |
| Restrictions based on pseudo natural language sentences; decisions based on role ACLs on models or model instances | |||||||
| base_auth | Yes | Yes | Yes | Yes | No | recently | |
| User object-based restrictions on controller actions and views | |||||||
| acts_as_checkpoint | Yes | Yes | No | Yes | No | recently | |
| Role-based restrictions on controller actions; simple model restrictions through methods on models, employing associations | |||||||
| rolerequirement | No | Yes | No | No | No | recently | |
| Role-based ACLs for restrictions on controller actions | |||||||
| RESTful_ACL | Yes | Yes | Yes | Yes | No | recently | |
| Restrictions based on permission methods on models for CRUD operations; no role concept built in; seems to be restricted to CRUD controller actions | |||||||
| acl_system2 | No | Yes | Yes | No | No | 2007 | |
| Role-based ACLs for restrictions on controller actions and in views; similar: Simple Access Control | |||||||
| ActiveRbac | No | Yes | No | No | Yes | 2007 | |
| Implements only the queries on model instances for access rights | |||||||
| access_control | No | Yes | No | No | No | 2007 | |
| Simple controller action restrictions based on Unix-style rwx ACLs | |||||||
| UserEngine | No | Yes | No | No | Yes | 2006 | |
| Controller/action-based privileges assigned to roles for filtering access to controller actions | |||||||
| ActiveAcl | Yes | No | No | Yes | Yes | 2006 | |
| Complex database design to allow arbitrary user – role – privilege – object relations | |||||||
Let me know if I missed important aspects of those plugins or other plugins that you like.
14. August 2008 at 15:26
Thanks for reviewing RESTful_ACL!
15. August 2008 at 01:19
Thanks for checking out acts_as_checkpoint, as well.