§beep-authz
A Rust authorization library with SpiceDB integration for fine-grained permissions.
This crate provides a high-level, type-safe interface to SpiceDB, a Google Zanzibar-inspired authorization system. It enables relationship-based access control (ReBAC) for your Rust applications with minimal boilerplate.
§Features
- SpiceDB Integration - Native support for SpiceDB/AuthZed with gRPC
- Type Safety - Strongly-typed permissions and objects
- Async/Await - Built on Tokio for high-performance async operations
- Easy to Use - Simple API for checking permissions
§Quick Start
```rust
use authz::{SpiceDbRepository, SpiceDbConfig, SpiceDbObject, Permissions};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Configure connection to SpiceDB
    let config = SpiceDbConfig {
        endpoint: "localhost:50051".to_string(),
        token: Some("your-preshared-key".to_string()),
    };

    // Create repository
    let authz = SpiceDbRepository::new(config).await?;

    // Check permissions
    let result = authz.check_permissions(
        SpiceDbObject::Channel("channel-123".to_string()),
        Permissions::ViewChannels,
        SpiceDbObject::User("user-456".to_string()),
    ).await;

    if result.has_permissions() {
        println!("Access granted!");
    } else {
        println!("Access denied!");
    }

    Ok(())
}
```
§Permission Checking
The main functionality is provided by SpiceDbRepository, which offers two methods for checking permissions:
- SpiceDbRepository::check_permissions - High-level, type-safe API
- SpiceDbRepository::check_permissions_raw - Lower-level API for advanced use cases
§Permission Types
The Permissions enum defines all available permission types:
- Administrator, ManageServer, ManageRoles
- CreateInvitation, ManageChannels, ManageWebhooks
- ViewChannels, SendMessages, AttachFiles
- ManageNicknames, ChangeNickname, ManageMessages
§Object Types
The SpiceDbObject enum represents different resource types:
- Server - A server/workspace
- Channel - A communication channel
- User - A user/subject
- PermissionOverride - A permission override rule
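The check_permissions call above hands a (resource, permission, subject) triple to SpiceDB, which resolves it against stored relationships. The following is an added example, not code from beep-authz or SpiceDB: a small in-memory Zanzibar-style evaluator over the page's Server/Channel/User object types, showing how such a check is answered (deny by default, grant through an explicit relation, or through Administrator on the channel's parent server). The relation names "admin", "viewer", "writer" and "parent" are assumptions chosen for this example, not the crate's schema.

```rust
// Added example: in-memory ReBAC evaluator, not beep-authz or SpiceDB code.
// Relation names ("admin", "viewer", "writer", "parent") are assumptions.
use std::collections::HashSet;

#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub enum Object { Server(String), Channel(String), User(String) }

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Permission { Administrator, ViewChannels, SendMessages }

/// A relationship tuple, the Zanzibar `resource#relation@subject` triple.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Relation { pub resource: Object, pub relation: &'static str, pub subject: Object }

pub struct Store { tuples: HashSet<Relation> }

impl Store {
    pub fn new() -> Self { Store { tuples: HashSet::new() } }
    pub fn write(&mut self, resource: Object, relation: &'static str, subject: Object) {
        self.tuples.insert(Relation { resource, relation, subject });
    }
    fn has(&self, resource: &Object, relation: &str, subject: &Object) -> bool {
        self.tuples.iter().any(|t| &t.resource == resource && t.relation == relation && &t.subject == subject)
    }
    /// The server a channel belongs to, via its `parent` relation (if any).
    fn parent(&self, channel: &Object) -> Option<Object> {
        self.tuples.iter().find(|t| &t.resource == channel && t.relation == "parent").map(|t| t.subject.clone())
    }
    /// Deny by default; any (resource, permission) pair without a rule is false.
    pub fn check(&self, resource: &Object, perm: Permission, subject: &Object) -> bool {
        // Server administrators inherit every channel permission of that server.
        let via_admin = |r: &Object| self.parent(r)
            .map_or(false, |s| self.check(&s, Permission::Administrator, subject));
        match (resource, perm) {
            (Object::Server(_), Permission::Administrator) => self.has(resource, "admin", subject),
            (Object::Channel(_), Permission::ViewChannels) => self.has(resource, "viewer", subject) || via_admin(resource),
            (Object::Channel(_), Permission::SendMessages) => self.has(resource, "writer", subject) || via_admin(resource),
            _ => false,
        }
    }
}

/// Constructed sample relationships; returns (admin views channel, writer sends, stranger views).
pub fn demo() -> (bool, bool, bool) {
    let mut store = Store::new();
    let server = Object::Server("my-server".into());
    let channel = Object::Channel("channel-123".into());
    store.write(channel.clone(), "parent", server.clone());
    store.write(server, "admin", Object::User("user-123".into()));
    store.write(channel.clone(), "writer", Object::User("user-456".into()));
    (store.check(&channel, Permission::ViewChannels, &Object::User("user-123".into())),
     store.check(&channel, Permission::SendMessages, &Object::User("user-456".into())),
     store.check(&channel, Permission::ViewChannels, &Object::User("user-789".into())))
}
```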
§Configuration
Configure your SpiceDB connection using SpiceDbConfig, which supports:
- Manual configuration
- Environment variables (SPICEDB_ENDPOINT, SPICEDB_TOKEN)
- Command-line arguments (via clap)
§Error Handling
The crate defines AuthorizationError for authorization failures:
- Unauthorized - Permission denied
- ConnectionError - Failed to connect to SpiceDB
§Examples
§Checking Administrative Access
```rust
let is_admin = repo.check_permissions(
    SpiceDbObject::Server("my-server".to_string()),
    Permissions::Administrator,
    SpiceDbObject::User("user-123".to_string()),
).await.has_permissions();

if is_admin {
    // Grant full access
}
```
§Using Result for Error Propagation
```rust
repo.check_permissions(
    SpiceDbObject::Channel("private".to_string()),
    Permissions::SendMessages,
    SpiceDbObject::User("user-456".to_string()),
).await.result()?;

// Code here only runs if permission is granted
println!("User can send messages");
```
Re-exports§
- pub use authzed::api::v1::experimental_service_client::ExperimentalServiceClient;
- pub use authzed::api::v1::permissions_service_client::PermissionsServiceClient;
- pub use authzed::api::v1::schema_service_client::SchemaServiceClient;
- pub use authzed::api::v1::watch_service_client::WatchServiceClient;
- pub use config::SpiceDbConfig;
- pub use object::SpiceDbObject;
- pub use permission::AuthorizationResult;
- pub use permission::Permissions;
- pub use spicedb::SpiceDbRepository;
Modules§
- authzed
- config
- Configuration module for SpiceDB connection settings.
- grpc_auth
- gRPC authentication interceptor for SpiceDB.
- object
- Object type definitions for SpiceDB resources.
- permission
- Permission types and authorization result handling.
- spicedb
- SpiceDB repository and client implementation.
Enums§
- AuthorizationError
- Errors that can occur during authorization operations.