pub enum Authorizer {
AllowAll,
AllowList(HashMap<String, HashSet<String>>),
Custom(Arc<dyn Fn(&Identity, &str) -> bool + Send + Sync>),
}Expand description
Per-query authorization hook, consulted after a query resolves to its registered name. Dependency-light by design — no external policy engine.
The default Authorizer::AllowAll permits everything (so wiring it in is
a no-op for existing servers). Authorizer::AllowList keys on
Identity::name and permits only the named queries listed for that
identity. Authorizer::Custom defers to a closure for arbitrary policy.
Variants§
AllowAll
Permit every identity to run every query (the default).
AllowList(HashMap<String, HashSet<String>>)
Permit each identity only the registered-query names listed for it.
An identity absent from the map is denied every query; the special key
"*" is consulted as a fallback for identities not otherwise listed.
Custom(Arc<dyn Fn(&Identity, &str) -> bool + Send + Sync>)
Arbitrary policy: (identity, resolved_query_name) -> allowed.
Implementations§
Source§impl Authorizer
impl Authorizer
Sourcepub fn allow_list<I, S1, S2>(entries: I) -> Self
pub fn allow_list<I, S1, S2>(entries: I) -> Self
Build an Authorizer::AllowList from (identity_name, &[query_name])
pairs. Each identity is permitted exactly the listed registered-query
names (table names from register_named, or the Cypher key otherwise).
Sourcepub fn custom<F>(f: F) -> Self
pub fn custom<F>(f: F) -> Self
Wrap a closure as an Authorizer::Custom.
Sourcepub fn is_allowed(&self, identity: &Identity, query_name: &str) -> bool
pub fn is_allowed(&self, identity: &Identity, query_name: &str) -> bool
Is identity allowed to run the query resolved to query_name?
Authorize or reject, mapping a denial to permission_denied.
Trait Implementations§
Source§impl Clone for Authorizer
impl Clone for Authorizer
Source§fn clone(&self) -> Authorizer
fn clone(&self) -> Authorizer
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreSource§impl Debug for Authorizer
impl Debug for Authorizer
Source§impl Default for Authorizer
impl Default for Authorizer
Source§fn default() -> Authorizer
fn default() -> Authorizer
Auto Trait Implementations§
impl !RefUnwindSafe for Authorizer
impl !UnwindSafe for Authorizer
impl Freeze for Authorizer
impl Send for Authorizer
impl Sync for Authorizer
impl Unpin for Authorizer
impl UnsafeUnpin for Authorizer
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§impl<T> IntoRequest<T> for T
impl<T> IntoRequest<T> for T
Source§fn into_request(self) -> Request<T>
fn into_request(self) -> Request<T>
T in a tonic::Request