Add a Zanzibar-style relationship-based access control engine with OPA-style ABAC condition evaluation. Policies, roles, resources, and grants are defined in KDL files loaded from a configured directory at startup. Exposes a read-only REST API (POST /v1/check, /v1/expand, GET /healthz) on a dedicated port when authz.enabled = true. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
pub mod condition;
pub mod engine;
pub mod errors;
pub mod loader;
pub mod policy;
pub mod types;
pub mod web;
use std::collections::HashMap;
use types::{PolicyRule, ResourceDefinition, RoleDef, TupleIndex};
/// Fully compiled authorization state, loaded from KDL policy files.
///
/// Immutable after construction — configuration changes require a service reload.
///
/// NOTE(review): every field is `pub`, so that immutability is a convention upheld
/// by the loader and engine rather than something the type enforces; any code
/// holding a `&mut AuthzState` could alter grants at runtime — confirm no such
/// path exists outside the load step.
///
/// The derived `Debug` impl walks every field, including the full tuple index, so
/// formatting the whole state with `{:?}` will emit all relationship data; keep
/// that out of routine logs.
#[derive(Debug)]
pub struct AuthzState {
    /// resource_type -> ResourceDefinition
    pub resources: HashMap<String, ResourceDefinition>,
    /// role_name -> RoleDef (permissions + includes)
    pub roles: HashMap<String, RoleDef>,
    /// ABAC rules. How they combine with the relationship tuples is presumably
    /// decided in `engine` / `condition`, not here — verify there before relying
    /// on any allow/deny precedence.
    pub rules: Vec<PolicyRule>,
    /// All relationship tuples, indexed for fast lookup
    pub tuples: TupleIndex,
    /// permission -> list of role names that grant it (pre-computed, includes inheritance).
    /// Derived from `roles`; if `roles` were ever changed without rebuilding this
    /// map the two would disagree and checks would answer from stale data —
    /// TODO confirm the loader is the only writer of both.
    pub permission_roles: HashMap<String, Vec<String>>,
}