pub trait PolicyChecker: Send + Sync {
    // Required method
    fn check(
        &self,
        action: PolicyAction,
        scope: &ResourceScope,
        actor: &str,
    ) -> Result<(), PolicyError>;
}
Engine-layer policy enforcement trait. Implemented by PolicyEngine
(Cedar-backed) and any mock checker used in tests.
MR-725 will extend this trait with a query-layer pushdown method,
roughly fn predicate_for(&self, type_ref: &TypeRef, actor: &str) -> Option<DataFusionExpr>.
Engine-layer and query-layer enforcement are backed by the same Cedar
policies but consume different methods. Don’t conflate them by
overloading check.
Required Methods
fn check(
    &self,
    action: PolicyAction,
    scope: &ResourceScope,
    actor: &str,
) -> Result<(), PolicyError>
Engine-layer gate. Called at the head of every mutating engine
method. Ok(()) allows the action; Err(PolicyError::Denied)
denies; Err(PolicyError::Internal) reports an evaluation bug.
Dyn Compatibility
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".
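The engine-layer gate described above, as an added example that is not the project's own code: a default-deny mock checker held as Arc<dyn PolicyChecker> and called at the head of a mutating method, so that both Denied and Internal return before any state changes. PolicyAction, ResourceScope and PolicyError are stand-in definitions (the real ones are not shown on this page), and AllowList, Engine, purge and demo_engine are hypothetical names.

```rust
use std::collections::HashSet;
use std::sync::Arc;

// Stand-ins (assumptions): the crate's real type definitions are not shown on this page.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum PolicyAction { Delete }
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ResourceScope(pub String);
#[derive(Debug, PartialEq)]
pub enum PolicyError { Denied, Internal }

pub trait PolicyChecker: Send + Sync {
    fn check(&self, action: PolicyAction, scope: &ResourceScope, actor: &str)
        -> Result<(), PolicyError>;
}

/// Hypothetical test double: default-deny, allows only explicitly granted triples.
pub struct AllowList(pub HashSet<(String, PolicyAction, ResourceScope)>);
impl PolicyChecker for AllowList {
    fn check(&self, action: PolicyAction, scope: &ResourceScope, actor: &str)
        -> Result<(), PolicyError> {
        if actor.is_empty() {
            return Err(PolicyError::Internal); // constructed trigger for the Internal path
        }
        let key = (actor.to_string(), action, scope.clone());
        if self.0.contains(&key) { Ok(()) } else { Err(PolicyError::Denied) }
    }
}

/// Hypothetical engine holding the checker as a trait object (the trait is dyn compatible).
pub struct Engine { pub policy: Arc<dyn PolicyChecker>, pub records: Vec<String> }
impl Engine {
    pub fn purge(&mut self, scope: &ResourceScope, actor: &str) -> Result<usize, PolicyError> {
        // Gate first: Denied and Internal both return before any state changes.
        self.policy.check(PolicyAction::Delete, scope, actor)?;
        Ok(self.records.drain(..).count())
    }
}

pub fn demo_engine() -> (Engine, ResourceScope) {
    let scope = ResourceScope("tenant-a".into()); // constructed sample scope
    let grants = HashSet::from([("alice".to_string(), PolicyAction::Delete, scope.clone())]);
    (Engine { policy: Arc::new(AllowList(grants)), records: vec!["r1".into(), "r2".into()] }, scope)
}

fn main() {
    let (mut engine, scope) = demo_engine();
    println!("{:?} {:?}", engine.purge(&scope, "mallory"), engine.purge(&scope, "alice"));
}
```

Keeping the `?` on the check as the first statement of each mutating method is what makes the engine fail closed: an evaluation error is treated the same as a denial as far as state is concerned.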