Crate llm_orchestrator_auth


§LLM Orchestrator Authentication & Authorization

This crate provides comprehensive authentication and authorization for the LLM Orchestrator.

§Features

  • JWT Authentication: Stateless token-based authentication with short-lived access tokens and long-lived refresh tokens
  • API Key Management: Secure API key generation, hashing, and validation
  • Role-Based Access Control (RBAC): Fine-grained permission system with predefined roles
  • Auth Middleware: Ready-to-use middleware for authenticating requests

§Quick Start

use llm_orchestrator_auth::*;
use std::sync::Arc;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
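    // Create JWT auth. The literal below is a placeholder: load the signing
    // secret from a secret store or the environment instead of hard-coding it.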
    let jwt_auth = Arc::new(JwtAuth::new(b"your-secret-key-at-least-32-bytes".to_vec()));

    // Create API key manager
    let api_key_store = Arc::new(InMemoryApiKeyStore::new());
    let api_key_manager = Arc::new(ApiKeyManager::new(api_key_store));

    // Create RBAC engine
    let rbac = Arc::new(RbacEngine::new());

    // Create auth middleware
    let auth = AuthMiddleware::new(jwt_auth.clone(), api_key_manager.clone(), rbac.clone());

    // Generate a JWT token
    let token = jwt_auth.generate_token("user123", vec!["developer".to_string()])?;
    println!("JWT Token: {}", token);

    // Authenticate a request
    let auth_header = format!("Bearer {}", token);
    let ctx = auth.authenticate(Some(&auth_header)).await?;
    println!("Authenticated user: {}", ctx.user_id);

    // Check permissions
    ctx.require_permission(&Permission::WorkflowExecute)?;
    println!("User has permission to execute workflows");

    Ok(())
}

§Predefined Roles

  • viewer: Read-only access to workflows and executions
  • executor: Can read and execute workflows
  • developer: Full access to workflows, can create/update/delete
  • admin: Full administrative access to all resources

§Security Features

  • JWT tokens expire after 15 minutes by default
  • Refresh tokens expire after 7 days by default
  • API keys are hashed using SHA-256 before storage
  • Cryptographically secure random key generation
  • Token expiration validation
  • Permission-based authorization
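
The lifetime rules above as an added, std-only example; it is not code from this crate. It goes one step beyond plain expiry checking by also rejecting a refresh token presented as an access token and a token minted with a lifetime longer than the default for its kind. `Kind`, `Claims`, `Reject`, `validate` and the 30-second skew allowance are hypothetical, and signature verification is assumed to have happened already.

```rust
// Added illustration: `Kind`, `Claims`, `Reject` and `validate` are hypothetical
// names, not the llm_orchestrator_auth API.
const ACCESS_TTL: u64 = 15 * 60; // access-token default from the list above
const REFRESH_TTL: u64 = 7 * 24 * 60 * 60; // refresh-token default from the list above
const SKEW: u64 = 30; // assumed clock-skew allowance, in seconds

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Kind { Access, Refresh }

#[derive(Debug, PartialEq)]
pub enum Reject { WrongKind, Expired, IssuedInFuture, BadLifetime }

pub struct Claims { pub sub: String, pub kind: Kind, pub iat: u64, pub exp: u64 }

/// Checks claims whose signature has already been verified; `now` is Unix seconds.
pub fn validate(c: &Claims, expected: Kind, now: u64) -> Result<(), Reject> {
    // A refresh token must never pass where an access token is expected.
    if c.kind != expected {
        return Err(Reject::WrongKind);
    }
    // The token is dead at `exp` itself; expiry gets no skew allowance.
    if now >= c.exp {
        return Err(Reject::Expired);
    }
    if c.iat > now + SKEW {
        return Err(Reject::IssuedInFuture);
    }
    // Cap the lifetime per kind so an overlong `exp` is refused even if signed.
    let max = match c.kind { Kind::Access => ACCESS_TTL, Kind::Refresh => REFRESH_TTL };
    if c.exp <= c.iat || c.exp - c.iat > max {
        return Err(Reject::BadLifetime);
    }
    Ok(())
}

fn main() {
    let now = 1_700_000_000; // constructed timestamp
    let t = Claims { sub: "user123".into(), kind: Kind::Access, iat: now, exp: now + ACCESS_TTL };
    println!("{} fresh: {:?}", t.sub, validate(&t, Kind::Access, now + 60));
    println!("{} at exp: {:?}", t.sub, validate(&t, Kind::Access, now + ACCESS_TTL));
    println!("{} as refresh: {:?}", t.sub, validate(&t, Kind::Refresh, now + 60));
}
```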

Re-exports§

pub use api_keys::ApiKeyManager;
pub use api_keys::ApiKeyStore;
pub use api_keys::InMemoryApiKeyStore;
pub use jwt::JwtAuth;
pub use middleware::AuthMiddleware;
pub use models::ApiKey;
pub use models::ApiKeyInfo;
pub use models::AuthContext;
pub use models::AuthError;
pub use models::AuthResult;
pub use models::AuthType;
pub use models::Claims;
pub use models::Permission;
pub use models::RolePolicy;
pub use rbac::RbacEngine;

Modules§

api_keys
jwt
middleware
models
rbac

Constants§

VERSION
Version information