Skip to main content

Module storage_access_controller

Module storage_access_controller 

Source
Expand description

Role-based and attribute-based access control (RBAC + ABAC) for storage operations.

This module provides StorageAccessController, a production-grade engine that evaluates access requests against a set of resource policies. Decisions are made via a deterministic algorithm:

  1. Explicit allow-list membership → Allowed
  2. Explicit deny-list membership → Denied
  3. Role check (required_roles, incl. inherited via BFS)
  4. Attribute check (all required key-value pairs must be present)
  5. Clearance check (subject.clearance_level >= policy.min_clearance)
  6. Permission check (required_permission must match the requested one)
  7. Return the policy effect (Allow / Deny); no-match → default_effect

An append-only audit log is maintained for every evaluated decision when AclConfig::enable_audit is true.

Structs§

AclConfig
Controller-wide configuration.
AclStats
Aggregated statistics snapshot.
ResourcePolicy
A policy governing which subjects may perform an operation on a resource.
SacAuditEntry
One entry in the audit log.
SacRole
A named role carrying a set of permissions and optional parent roles.
StorageAccessController
Thread-safe role-based and attribute-based access controller.
SubjectAttributes
Identity and attributes of a subject (user / service account).

Enums§

AccessDecision
Final access decision with a human-readable reason.
AclError
Errors produced by the access controller.
Permission
Atomic storage operation that a subject may wish to perform.
PolicyEffect
Determines what happens when a policy matches a request.