// the find
apache/casbin-pycasbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Python
PyCasbin is a Python port of the Go Casbin authorization library, implementing ACL, RBAC, and ABAC through a policy/model config file system. It separates the authorization model from your application code — you define rules in .conf files, policies in CSV or a DB adapter, and call enforce() at the gate. Aimed at Python backend developers who want structured, auditable access control without rolling their own.
The PERM metamodel (Policy, Effect, Request, Matchers) is genuinely flexible — you can express multi-tenant RBAC with domain-scoped roles in a .conf file without touching application code. Async support landed in 1.23.0, so it fits FastAPI/async SQLAlchemy stacks without blocking. The adapter system is practical: file CSV for prototyping, SQL adapters for production, swappable without changing enforcement logic. Test coverage is solid — dedicated test files per model type, plus benchmarks, which is more than most authorization libs bother with.
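What a domain-scoped RBAC model looks like in practice, as an added example (not taken from this page or from the project's repository). The tenant, user, role and path names are constructed; `enforce()` takes its arguments in the order given under `request_definition`.

```ini
# model.conf (constructed example): RBAC with domains/tenants
[request_definition]
# Request: who, in which tenant, on what resource, doing what
r = sub, dom, obj, act

[policy_definition]
# Policy rule: role (or user), tenant, resource, action
p = sub, dom, obj, act

[role_definition]
# g = user, role, domain: a role binding is only valid inside its domain
g = _, _, _

[policy_effect]
# Allow if at least one matching rule allows; no match means deny
e = some(where (p.eft == allow))

[matchers]
# The request's domain is passed to g(), so a role held in one tenant
# does not satisfy a rule scoped to another tenant
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

# policy.csv (constructed sample rows, stored in a separate file or DB adapter):
#   p, admin, tenant1, /reports, read
#   p, admin, tenant2, /reports, read
#   g, alice, admin, tenant1
#   g, bob, admin, tenant2
```

The tenant boundary lives entirely in the `g(...)` call and the `r.dom == p.dom` term, so this matcher line is the one to review when auditing cross-tenant access.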
Policy evaluation loads everything into memory at startup; at serious scale (millions of rules) this becomes a problem and the docs basically tell you to shard manually. The ABAC support is weaker than it looks — attribute expressions are evaluated via govaluate (a Go library concept) and the Python version has lagged behind with less operator support. The Go version is the canonical reference and the Python port consistently trails it; the README links to Go source files for the Management and RBAC API docs, which is sloppy. Watcher/invalidation for clustered deployments (multiple app instances sharing a DB adapter) requires external setup and the built-in watcher interface is thin — you'll wire this yourself in production.