CloudNebulaProject/barycenter
1
0
Fork 0
mirror of https://github.com/CloudNebulaProject/barycenter.git synced 2026-04-10 13:10:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
barycenter/src/authz/mod.rs

27 lines
887 B
Rust
Raw Normal View History

Implement file-driven authorization policy service (ReBAC + ABAC) Add a Zanzibar-style relationship-based access control engine with OPA-style ABAC condition evaluation. Policies, roles, resources, and grants are defined in KDL files loaded from a configured directory at startup. Exposes a read-only REST API (POST /v1/check, /v1/expand, GET /healthz) on a dedicated port when authz.enabled = true. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 18:34:14 +01:00
pub mod condition;
pub mod engine;
pub mod errors;
pub mod loader;
pub mod policy;
pub mod types;
pub mod web;
use std::collections::HashMap;
use types::{PolicyRule, ResourceDefinition, RoleDef, TupleIndex};
/// Fully compiled authorization state, loaded from KDL policy files.
/// Immutable after construction — configuration changes require a service reload.
#[derive(Debug)]
pub struct AuthzState {
/// resource_type -> ResourceDefinition
pub resources: HashMap<String, ResourceDefinition>,
/// role_name -> RoleDef (permissions + includes)
pub roles: HashMap<String, RoleDef>,
/// ABAC rules
pub rules: Vec<PolicyRule>,
/// All relationship tuples, indexed for fast lookup
pub tuples: TupleIndex,
/// permission -> list of role names that grant it (pre-computed, includes inheritance)
pub permission_roles: HashMap<String, Vec<String>>,
}
Reference in a new issue Copy permalink