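/// Access control list database trait.
///
/// Provides methods to check, grant, and revoke permissions on datasets for
/// principals (users, roles, tenants). The `Send + Sync` supertraits require
/// every implementation to be shareable across threads, and each returned
/// future is `Send`.
///
/// The boxed-future signatures with `'life0` / `'life1` / `'async_trait`
/// lifetimes look like the expansion of `#[async_trait]`; presumably the
/// source declares these methods as `async fn` (confirm against the crate).
///
/// NOTE(review): the two check methods return `Result<bool, DatabaseError>`.
/// Callers should presumably treat `Err` as a denial and never fall back to
/// "allow" when the lookup fails; confirm at each call site.
///
/// NOTE(review): `permission_name` and `principal_type` are free-form `&str`
/// values; the accepted names are not visible in this declaration.
pub trait AclDb: Send + Sync {
    // Required methods

    /// Check if a principal has a specific permission on a dataset.
    ///
    /// Returns `true` if a matching ACL row exists for this exact principal
    /// (direct principal match). Grants inherited through a role or tenant
    /// are covered by [`AclDb::has_permission_with_roles`] instead.
    fn has_permission<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;

    /// Return all dataset IDs for which the principal has the given permission.
    ///
    /// See [`AclDb::authorized_dataset_ids_with_roles`] for the variant that
    /// also follows tenant and role grants.
    fn authorized_dataset_ids<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<Uuid>, DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;

    /// Grant a permission on a dataset to a principal.
    ///
    /// Idempotent: no-op if the grant already exists.
    ///
    /// NOTE(review): nothing in this signature identifies who is issuing the
    /// grant, so the caller presumably has to authorize the request itself.
    fn grant_permission<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;

    /// Revoke a permission on a dataset from a principal.
    ///
    /// NOTE(review): this names a single principal. Access the same user
    /// holds through a tenant or role grant would presumably remain until
    /// that grant is revoked as well; confirm against the implementation.
    fn revoke_permission<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;

    /// Ensure a principal row exists (upsert by ID).
    fn ensure_principal<'life0, 'life1, 'async_trait>(
        &'life0 self,
        principal_id: Uuid,
        principal_type: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;

    /// Check permission considering role and tenant inheritance.
    ///
    /// Resolution order (mirrors Python `get_all_user_permission_datasets`):
    /// - Direct user ACL
    /// - Tenant-level ACL for each tenant the user belongs to
    /// - Role-level ACL for each role the user holds in those tenants
    fn has_permission_with_roles<'life0, 'life1, 'async_trait>(
        &'life0 self,
        user_id: Uuid,
        dataset_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;

    /// Return all dataset IDs the user can access via direct, tenant, or role
    /// grants. Deduplicates results.
    fn authorized_dataset_ids_with_roles<'life0, 'life1, 'async_trait>(
        &'life0 self,
        user_id: Uuid,
        permission_name: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<Uuid>, DatabaseError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;
}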
Access control list database trait.
Provides methods to check, grant, and revoke permissions on datasets for principals (users, roles, tenants). All implementations must be thread-safe for async multi-threaded usage.
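The blanket `impl AclDb for DatabaseConnection` moved to the closed
`cognee-access-control` crate. OSS callers wire ACL through `MockAclDb` (tests) or through the
closed `AccessControl` newtype (production cloud builds). Because `MockAclDb` is named here only as the test wiring, check what it actually enforces before relying on it outside tests.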
Required Methods§
fn has_permission<'life0, 'life1, 'async_trait>(
&'life0 self,
principal_id: Uuid,
dataset_id: Uuid,
permission_name: &'life1 str,
) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
Self: 'async_trait,
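Check if a principal has a specific permission on a dataset.
Returns `true` if a matching ACL row exists (direct principal match). Grants inherited through a role or tenant are not considered here; `has_permission_with_roles` covers those.
`authorized_dataset_ids` (signature shown in the trait declaration above): Return all dataset IDs for which the principal has the given permission.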
fn grant_permission<'life0, 'life1, 'async_trait>(
&'life0 self,
principal_id: Uuid,
dataset_id: Uuid,
permission_name: &'life1 str,
) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
Self: 'async_trait,
Grant a permission on a dataset to a principal.
Idempotent: no-op if the grant already exists.
fn revoke_permission<'life0, 'life1, 'async_trait>(
&'life0 self,
principal_id: Uuid,
dataset_id: Uuid,
permission_name: &'life1 str,
) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
Self: 'async_trait,
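Revoke a permission on a dataset from a principal. The call names a single principal, so access the same user holds through a tenant or role grant (see `has_permission_with_roles`) would presumably remain until that grant is revoked too.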
fn ensure_principal<'life0, 'life1, 'async_trait>(
&'life0 self,
principal_id: Uuid,
principal_type: &'life1 str,
) -> Pin<Box<dyn Future<Output = Result<(), DatabaseError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
Self: 'async_trait,
Ensure a principal row exists (upsert by ID).
fn has_permission_with_roles<'life0, 'life1, 'async_trait>(
&'life0 self,
user_id: Uuid,
dataset_id: Uuid,
permission_name: &'life1 str,
) -> Pin<Box<dyn Future<Output = Result<bool, DatabaseError>> + Send + 'async_trait>>where
'life0: 'async_trait,
'life1: 'async_trait,
Self: 'async_trait,
Check permission considering role and tenant inheritance.
Resolution order (mirrors Python get_all_user_permission_datasets):
- Direct user ACL
- Tenant-level ACL for each tenant the user belongs to
- Role-level ACL for each role the user holds in those tenants
`authorized_dataset_ids_with_roles` (signature shown in the trait declaration above): Return all dataset IDs the user can access via direct, tenant, or role grants. Deduplicates results.
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".