Trait PolicyChecker 

pub trait PolicyChecker: Send + Sync {
    // Required method
    fn check(
        &self,
        action: PolicyAction,
        scope: &ResourceScope,
        actor: &str,
    ) -> Result<(), PolicyError>;
}

Engine-layer policy enforcement trait. Implemented by PolicyEngine (Cedar-backed) and any mock checker used in tests.

MR-725 will extend this trait with a query-layer pushdown method, roughly fn predicate_for(&self, type_ref: &TypeRef, actor: &str) -> Option<DataFusionExpr>. Engine-layer and query-layer enforcement trace back to the same Cedar policies but consume different methods. Don’t conflate them by overloading check.

Required Methods

fn check(&self, action: PolicyAction, scope: &ResourceScope, actor: &str) -> Result<(), PolicyError>

Engine-layer gate. Called at the head of every mutating engine method. Ok(()) allows the action; Err(PolicyError::Denied) denies; Err(PolicyError::Internal) reports an evaluation bug.
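The gate pattern described above, as an added example that is not this crate's own code: a default-deny mock checker and an engine method that calls check before touching state, so both Denied and Internal leave the data unchanged. PolicyAction, ResourceScope and PolicyError are stand-ins (their real definitions are not on this page), and AllowList and Engine are hypothetical names.

```rust
use std::collections::{HashMap, HashSet};
use std::sync::Arc;

// Stand-ins (assumptions): the page does not show the real definitions of these types.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum PolicyAction { Write, Delete }
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ResourceScope(pub String);
#[derive(Debug, PartialEq)]
pub enum PolicyError { Denied, Internal }

// The trait as declared on this page.
pub trait PolicyChecker: Send + Sync {
    fn check(&self, action: PolicyAction, scope: &ResourceScope, actor: &str) -> Result<(), PolicyError>;
}

/// Hypothetical mock checker: denies unless the exact (action, scope, actor) triple was allowed.
#[derive(Default)]
pub struct AllowList { allowed: HashSet<(PolicyAction, ResourceScope, String)>, pub broken: bool }
impl AllowList {
    pub fn allow(mut self, action: PolicyAction, scope: &str, actor: &str) -> Self {
        self.allowed.insert((action, ResourceScope(scope.into()), actor.into()));
        self
    }
}
impl PolicyChecker for AllowList {
    fn check(&self, action: PolicyAction, scope: &ResourceScope, actor: &str) -> Result<(), PolicyError> {
        if self.broken { return Err(PolicyError::Internal); } // simulated evaluation bug
        let key = (action, scope.clone(), actor.to_string());
        if self.allowed.contains(&key) { Ok(()) } else { Err(PolicyError::Denied) }
    }
}

/// Hypothetical engine holding the checker as a trait object.
pub struct Engine { policy: Arc<dyn PolicyChecker>, rows: HashMap<String, Vec<String>> }
impl Engine {
    pub fn new(policy: Arc<dyn PolicyChecker>) -> Self { Self { policy, rows: HashMap::new() } }
    pub fn insert(&mut self, scope: &ResourceScope, actor: &str, row: &str) -> Result<(), PolicyError> {
        self.policy.check(PolicyAction::Write, scope, actor)?; // gate first; either Err variant aborts
        self.rows.entry(scope.0.clone()).or_default().push(row.to_string());
        Ok(())
    }
    pub fn row_count(&self, scope: &ResourceScope) -> usize { self.rows.get(&scope.0).map_or(0, Vec::len) }
}

fn main() {
    let mut e = Engine::new(Arc::new(AllowList::default().allow(PolicyAction::Write, "tenant-a", "alice")));
    println!("{:?}", e.insert(&ResourceScope("tenant-a".into()), "mallory", "row"));
}
```

Because the mutation sits after the `?`, a checker that fails with Internal blocks the write just as a denial does, which is the fail-closed behaviour a test suite should assert on.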

Dyn Compatibility

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors