
AclDb

Trait AclDb 

/// Access control list database trait.
///
/// Declares the operations for checking, granting and revoking permissions on
/// datasets for principals (users, roles, tenants). The `Send + Sync`
/// supertraits require every implementation to be shareable across threads.
///
/// Every method returns a pinned, boxed, `Send` future tied to the
/// `'async_trait` lifetime. This is the shape the `async_trait` macro
/// generates, so the original source presumably declares them as `async fn`.
///
/// NOTE(review): no method takes the identity of the caller performing the
/// operation. Deciding who may grant, revoke or query is therefore left to the
/// code that calls this trait; confirm that layer enforces it.
///
/// NOTE(review): `permission_name` and `principal_type` are plain `&str`.
/// Whether unknown values are rejected or simply match nothing is not visible
/// in this declaration; confirm against the implementation.
pub trait AclDb: Send + Sync {
    // Required methods

    /// Check if a principal has a specific permission on a dataset.
    ///
    /// Resolves to `true` if a matching ACL row exists for `principal_id`
    /// itself (direct principal match). Role and tenant inheritance is
    /// documented on `has_permission_with_roles`, not here, so this result
    /// alone is not a user's effective permission.
    ///
    /// NOTE(review): an `Err(DatabaseError)` is not an authorization decision;
    /// callers should fail closed and treat it as a denial.
    fn has_permission<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;

    /// Return all dataset IDs for which the principal has the given permission.
    ///
    /// NOTE(review): presumably direct grants only, by analogy with
    /// `has_permission`; `authorized_dataset_ids_with_roles` is the variant
    /// documented as including tenant and role grants. Confirm.
    fn authorized_dataset_ids<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<Uuid>, DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;

    /// Grant a permission on a dataset to a principal.
    ///
    /// Idempotent: a no-op if the grant already exists.
    ///
    /// The signature has no parameter for the granting party, so the caller
    /// must already have authorized the grant before invoking this.
    fn grant_permission<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;

    /// Revoke a permission on a dataset from a principal.
    ///
    /// NOTE(review): this addresses one principal's grant. Access the same
    /// user holds through a tenant or role grant presumably survives the
    /// revocation; verify with `has_permission_with_roles` when the intent is
    /// to remove access entirely.
    fn revoke_permission<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;

    /// Ensure a principal row exists (upsert by ID).
    ///
    /// NOTE(review): the accepted `principal_type` values are not shown here;
    /// the trait description names users, roles and tenants as principals.
    fn ensure_principal<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        principal_type: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;

    /// Check permission considering role and tenant inheritance.
    ///
    /// Resolution order (mirrors Python `get_all_user_permission_datasets`):
    ///
    /// 1. Direct user ACL
    /// 2. Tenant-level ACL for each tenant the user belongs to
    /// 3. Role-level ACL for each role the user holds in those tenants
    ///
    /// NOTE(review): as with `has_permission`, an `Err(DatabaseError)` should
    /// be handled as a denial by the caller.
    fn has_permission_with_roles<'life0, 'life1, 'async_trait>(
        &'life0 self,
        user_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;

    /// Return all dataset IDs the user can access via direct, tenant, or role
    /// grants. Deduplicates results.
    fn authorized_dataset_ids_with_roles<'life0, 'life1, 'async_trait>(
        &'life0 self,
        user_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<Uuid>, DatabaseError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;
}

Access control list database trait.

Provides methods to check, grant, and revoke permissions on datasets for principals (users, roles, tenants). All implementations must be thread-safe for async multi-threaded usage.

The blanket impl AclDb for DatabaseConnection moved to the closed cognee-access-control crate. OSS callers wire ACL through MockAclDb (tests) or through the closed AccessControl newtype (production cloud builds).

Required Methods§


fn has_permission<'life0, 'life1, 'async_trait>( &'life0 self, principal_id: Uuid, dataset_id: Uuid, permission_name: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Check if a principal has a specific permission on a dataset.

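Returns true if a matching ACL row exists (direct principal match). Role and tenant inheritance is not part of this check; has_permission_with_roles is the method documented as considering it.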


fn authorized_dataset_ids<'life0, 'life1, 'async_trait>( &'life0 self, principal_id: Uuid, permission_name: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<Vec<Uuid>, DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Return all dataset IDs for which the principal has the given permission.


fn grant_permission<'life0, 'life1, 'async_trait>( &'life0 self, principal_id: Uuid, dataset_id: Uuid, permission_name: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Grant a permission on a dataset to a principal.

Idempotent: no-op if the grant already exists.


fn revoke_permission<'life0, 'life1, 'async_trait>( &'life0 self, principal_id: Uuid, dataset_id: Uuid, permission_name: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Revoke a permission on a dataset from a principal.


fn ensure_principal<'life0, 'life1, 'async_trait>( &'life0 self, principal_id: Uuid, principal_type: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Ensure a principal row exists (upsert by ID).


fn has_permission_with_roles<'life0, 'life1, 'async_trait>( &'life0 self, user_id: Uuid, dataset_id: Uuid, permission_name: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Check permission considering role and tenant inheritance.

Resolution order (mirrors Python get_all_user_permission_datasets):

  1. Direct user ACL
  2. Tenant-level ACL for each tenant the user belongs to
  3. Role-level ACL for each role the user holds in those tenants

fn authorized_dataset_ids_with_roles<'life0, 'life1, 'async_trait>( &'life0 self, user_id: Uuid, permission_name: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<Vec<Uuid>, DatabaseError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

Return all dataset IDs the user can access via direct, tenant, or role grants. Deduplicates results.

Dyn Compatibility§

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors§