AuthZ Resolver
Main module for authorization in CyberFabric. Discovers AuthZ plugins via GTS types-registry and routes policy evaluation to the selected plugin (PDP).
Overview
The cf-authz-resolver module provides:
- Plugin discovery — Finds AuthZ plugins via GTS types-registry
- Vendor-based selection — Selects plugin by vendor and priority
- Policy evaluation routing — Delegates AuthZEN-based evaluation requests to the active PDP plugin
- ClientHub integration — Registers AuthZResolverClient for inter-module use
This is a main module — it contains no authorization logic itself. All operations are delegated to the active plugin (e.g., cf-static-authz-plugin for development, or a custom implementation).
Architecture
Consumer Module (PEP)
│
▼
PolicyEnforcer (SDK helper — builds request, compiles response)
│
▼
AuthZResolverClient (SDK trait, registered in ClientHub)
│
▼
authz-resolver gateway (this crate — discovers & routes)
│
▼
AuthZResolverPluginClient (SDK trait, scoped by GTS instance ID)
│
▼
Plugin implementation (PDP — evaluates policies, returns constraints)
Usage
Services act as Policy Enforcement Points (PEPs) using the PolicyEnforcer from the SDK:
```rust
use cf_authz_resolver_sdk::{AuthZResolverClient, PolicyEnforcer, ResourceType};
use cf_authz_resolver_sdk::pep_properties;

// Resource type this service enforces on; the field values are elided here.
const USER: ResourceType = ResourceType { /* ... */ };

// Obtain the AuthZResolverClient registered in ClientHub
// (the lookup method and its generic argument are assumed).
let authz = hub.get::<dyn AuthZResolverClient>()?;
let enforcer = PolicyEnforcer::new(authz);

// Get access scope for a CRUD operation (call arguments elided)
let scope = enforcer.access_scope(/* ... */).await?;
// Use scope with SecureORM for row-level filtering
```
Configuration
The module is configured via the server's YAML config. Plugin selection is automatic based on GTS registration. Use the static-authz feature flag to compile in the development plugin.
Writing a Plugin
Implement the AuthZResolverPluginClient trait from cf-authz-resolver-sdk and register it with a GTS instance ID derived from the AuthZResolverPluginSpecV1 schema.
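The selection and routing described under Architecture, together with the plugin side of the trait boundary described here, as an added self-contained example. This is not code from cf-authz-resolver or its SDK: every type and function in it (EvalRequest, Decision, Pdp, PluginSpec, StaticPdp, Resolver, demo_resolver) is hypothetical and stands in for the real AuthZResolverPluginClient trait and the GTS types-registry. The registry contents are constructed sample data.

```rust
// Added example (not part of cf-authz-resolver): vendor/priority plugin
// selection and evaluation routing. All names here are hypothetical.
use std::collections::HashMap;

/// AuthZEN-style evaluation request: subject, action and resource type.
#[derive(Debug, Clone)]
pub struct EvalRequest {
    pub subject: String,
    pub action: String,
    pub resource_type: String,
}

/// PDP answer: allow/deny plus constraints a PEP can turn into row-level
/// filters (for example an `owner_id` column bound to the subject).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Decision {
    pub allow: bool,
    pub constraints: Vec<(String, String)>,
}

impl Decision {
    pub fn deny() -> Self {
        Decision { allow: false, constraints: Vec::new() }
    }
}

/// The plugin side (PDP): what a plugin implements.
pub trait Pdp {
    fn evaluate(&self, req: &EvalRequest) -> Decision;
}

/// One registry entry: instance id, vendor, priority and the PDP behind it.
pub struct PluginSpec {
    pub instance_id: String,
    pub vendor: String,
    pub priority: u32,
    pub pdp: Box<dyn Pdp>,
}

/// Development-style PDP: a static table keyed on (subject, action, resource_type).
pub struct StaticPdp {
    rules: HashMap<(String, String, String), Vec<(String, String)>>,
}

impl StaticPdp {
    pub fn new() -> Self {
        StaticPdp { rules: HashMap::new() }
    }

    /// Builder: permit `subject` to `action` on `resource_type` under `constraints`.
    pub fn allow(mut self, subject: &str, action: &str, resource_type: &str,
                 constraints: &[(&str, &str)]) -> Self {
        let key = (subject.to_string(), action.to_string(), resource_type.to_string());
        let c: Vec<(String, String)> =
            constraints.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
        self.rules.insert(key, c);
        self
    }
}

impl Pdp for StaticPdp {
    fn evaluate(&self, req: &EvalRequest) -> Decision {
        let key = (req.subject.clone(), req.action.clone(), req.resource_type.clone());
        match self.rules.get(&key) {
            Some(c) => Decision { allow: true, constraints: c.clone() },
            None => Decision::deny(), // anything not listed is denied
        }
    }
}

/// The gateway role: choose a plugin by vendor and priority, then route to it.
pub struct Resolver {
    plugins: Vec<PluginSpec>,
}

impl Resolver {
    pub fn new(plugins: Vec<PluginSpec>) -> Self {
        Resolver { plugins }
    }

    /// Highest priority among the vendor's plugins wins; equal priorities are
    /// broken by the lexically smallest instance_id so selection is deterministic.
    pub fn select(&self, vendor: &str) -> Option<&PluginSpec> {
        self.plugins
            .iter()
            .filter(|p| p.vendor == vendor)
            .max_by(|a, b| a.priority.cmp(&b.priority)
                .then_with(|| b.instance_id.cmp(&a.instance_id)))
    }

    /// No plugin registered for the vendor means no PDP answered: fail closed.
    pub fn evaluate(&self, vendor: &str, req: &EvalRequest) -> Decision {
        self.select(vendor)
            .map(|p| p.pdp.evaluate(req))
            .unwrap_or_else(Decision::deny)
    }
}

/// Constructed sample registry: two plugins for vendor "acme"; the higher-priority
/// one carries the rules, the lower-priority one has an empty table (denies all).
pub fn demo_resolver() -> Resolver {
    let rules = StaticPdp::new().allow("alice", "read", "user", &[("owner_id", "alice")]);
    Resolver::new(vec![
        PluginSpec { instance_id: "acme-v1".into(), vendor: "acme".into(),
                     priority: 5, pdp: Box::new(StaticPdp::new()) },
        PluginSpec { instance_id: "acme-v2".into(), vendor: "acme".into(),
                     priority: 10, pdp: Box::new(rules) },
    ])
}

fn main() {
    let req = EvalRequest { subject: "alice".into(), action: "read".into(),
                            resource_type: "user".into() };
    println!("{:?}", demo_resolver().evaluate("acme", &req));
}
```

Two points in the example matter for a resolver of this shape: a request for a vendor with no registered plugin yields a deny rather than an implicit allow, and the priority tie-break is total, so two instances at the same priority cannot flip between restarts.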
Testing
License
Apache-2.0