Expand description
Role-based and attribute-based access control (RBAC + ABAC) for storage operations.
This module provides StorageAccessController, a production-grade engine that
evaluates access requests against a set of resource policies. Decisions are
made via a deterministic algorithm:
- Explicit allow-list membership →
Allowed - Explicit deny-list membership →
Denied - Role check (required_roles, incl. inherited via BFS)
- Attribute check (all required key-value pairs must be present)
- Clearance check (subject.clearance_level >= policy.min_clearance)
- Permission check (required_permission must match the requested one)
- Return the policy effect (Allow / Deny); no-match →
default_effect
An append-only audit log is maintained for every evaluated decision when
AclConfig::enable_audit is true.
Structs§
- AclConfig
- Controller-wide configuration.
- AclStats
- Aggregated statistics snapshot.
- Resource
Policy - A policy governing which subjects may perform an operation on a resource.
- SacAudit
Entry - One entry in the audit log.
- SacRole
- A named role carrying a set of permissions and optional parent roles.
- Storage
Access Controller - Thread-safe role-based and attribute-based access controller.
- Subject
Attributes - Identity and attributes of a subject (user / service account).
Enums§
- Access
Decision - Final access decision with a human-readable reason.
- AclError
- Errors produced by the access controller.
- Permission
- Atomic storage operation that a subject may wish to perform.
- Policy
Effect - Determines what happens when a policy matches a request.