Expand description
Role-based access control for Grafeo sessions.
This module provides Identity, Role, and StatementKind types
that let callers scope sessions to specific permission levels. The caller
is trusted to assign the correct role: there are no credentials or
cryptographic verification at this layer.
§Roles
Roles follow a hierarchy: Role::Admin implies Role::ReadWrite
implies Role::ReadOnly. Permission checks use the convenience methods
on Identity (can_read, can_write, can_admin) which respect this
hierarchy.
§Usage
use grafeo_engine::auth::{Identity, Role};
use grafeo_engine::GrafeoDB;
let db = GrafeoDB::new_in_memory();
// Anonymous session (full access, backward compatible)
let admin_session = db.session();
// Scoped session by role
let reader = db.session_with_role(Role::ReadOnly);
// Scoped session with full identity
let identity = Identity::new("app-service", [Role::ReadWrite]);
let writer = db.session_with_identity(identity);Structs§
- Grant
- A per-graph access grant.
- Identity
- A verified identity bound to a session.
- Permission
Denied - Permission denied error with context about what was attempted.
Enums§
- Role
- Database-level roles.
- Statement
Kind - Classification of a parsed statement for permission checking.