§OxiFY Authorization Engine (ReBAC)
Google Zanzibar-style Relationship-Based Access Control (ReBAC) implementation.
§Architecture
This crate provides fine-grained authorization based on relationships between entities rather than traditional role-based access control (RBAC).
Key Concepts:
- Relation Tuples: (namespace, object_id, relation, subject), each one recording a single relationship, e.g. document:123#owner@user:alice
- Check API: Determines whether a subject holds a given relation (and hence may perform the corresponding action) on an object
- Expand API: Returns all subjects with a specific relation to an object
- Reachability Index: Leopard indexing, which precomputes transitive (nested) group membership so that reachability lookups at check time are O(1) set lookups rather than recursive graph walks
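A worked example of the tuple model and the Check/Expand semantics described above, added here for illustration; it is not code from the oxify_authz crate, and the `Engine`, `Tuple`, `Subject` and `Rewrite` names are hypothetical stand-ins rather than the crate's types. It evaluates Check the way Zanzibar does: direct tuples first, then computed usersets (owner implies editor implies viewer) and tuple-to-userset inheritance from a parent folder, following nested groups. A visited set and a depth cap guarantee that a membership cycle terminates and fails closed. Expand is the same walk without the early stop. The tuples are constructed sample data.

```rust
use std::collections::{BTreeSet, HashMap, HashSet};

/// Subject of a tuple: a user, another object (parent links), or a Zanzibar userset
/// such as group:eng#member (everyone holding `relation` on `namespace:object_id`).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Subject {
    User(String),
    Object { namespace: String, object_id: String },
    Set { namespace: String, object_id: String, relation: String },
}

/// (namespace, object_id, relation, subject), e.g. document:123#owner@user:alice.
pub struct Tuple { pub namespace: String, pub object_id: String, pub relation: String, pub subject: Subject }

/// Rewrite for one (namespace, relation): relations on the same object that imply it,
/// and (tupleset, parent relation) pairs that inherit it from a parent object.
pub struct Rewrite { pub implied_by: Vec<String>, pub tuple_to_userset: Vec<(String, String)> }

/// Walk depth cap; exceeding it fails closed, never open.
const MAX_DEPTH: usize = 32;

#[derive(Default)]
pub struct Engine { tuples: Vec<Tuple>, rewrites: HashMap<(String, String), Rewrite> }

impl Engine {
    pub fn write(&mut self, ns: &str, obj: &str, rel: &str, subject: Subject) {
        self.tuples.push(Tuple { namespace: ns.into(), object_id: obj.into(), relation: rel.into(), subject });
    }

    pub fn define(&mut self, ns: &str, rel: &str, implied_by: &[&str], tuple_to_userset: &[(&str, &str)]) {
        self.rewrites.insert((ns.to_string(), rel.to_string()), Rewrite {
            implied_by: implied_by.iter().map(|s| s.to_string()).collect(),
            tuple_to_userset: tuple_to_userset.iter().map(|(t, r)| (t.to_string(), r.to_string())).collect(),
        });
    }

    /// Check API: does `user` hold `rel` on `ns:obj` through any path?
    pub fn check(&self, ns: &str, obj: &str, rel: &str, user: &str) -> bool {
        self.resolve(ns, obj, rel, Some(user), &mut HashSet::new(), &mut BTreeSet::new(), 0)
    }

    /// Expand API: every user holding `rel` on `ns:obj`, flattened through groups and parents.
    pub fn expand(&self, ns: &str, obj: &str, rel: &str) -> BTreeSet<String> {
        let mut found = BTreeSet::new();
        self.resolve(ns, obj, rel, None, &mut HashSet::new(), &mut found, 0);
        found
    }

    /// Depth-first walk over tuples and rewrites. With a `target` it stops (true) as soon
    /// as that user is reached; with `None` it collects every user into `found`.
    fn resolve(&self, ns: &str, obj: &str, rel: &str, target: Option<&str>,
               visited: &mut HashSet<(String, String, String)>, found: &mut BTreeSet<String>, depth: usize) -> bool {
        if depth > MAX_DEPTH { return false; }
        // Each userset is walked once: a repeat visit is a membership cycle or an
        // already-explored branch, and neither can produce a new answer.
        if !visited.insert((ns.to_string(), obj.to_string(), rel.to_string())) { return false; }
        // 1. Direct tuples on this userset.
        for t in self.tuples.iter().filter(|t| t.namespace == ns && t.object_id == obj && t.relation == rel) {
            match &t.subject {
                Subject::User(u) => {
                    found.insert(u.clone());
                    if target == Some(u.as_str()) { return true; }
                }
                Subject::Set { namespace, object_id, relation } => {
                    if self.resolve(namespace, object_id, relation, target, visited, found, depth + 1) { return true; }
                }
                Subject::Object { .. } => {} // parent links are only followed via tuple_to_userset below
            }
        }
        // 2. Rewrites for (ns, rel): these widen owner -> editor -> viewer, never the reverse.
        if let Some(rw) = self.rewrites.get(&(ns.to_string(), rel.to_string())) {
            for implied in &rw.implied_by {
                if self.resolve(ns, obj, implied, target, visited, found, depth + 1) { return true; }
            }
            for (tupleset, parent_rel) in &rw.tuple_to_userset {
                for p in self.tuples.iter().filter(|t| t.namespace == ns && t.object_id == obj && t.relation == *tupleset) {
                    if let Subject::Object { namespace, object_id } = &p.subject {
                        if self.resolve(namespace, object_id, parent_rel, target, visited, found, depth + 1) { return true; }
                    }
                }
            }
        }
        false
    }
}

/// Constructed sample graph (not real data): alice owns document:123, which sits in folder:root;
/// group:eng can view that folder; group:backend is nested in group:eng, and group:eng is nested
/// back in group:backend to exercise the cycle guard.
pub fn sample_engine() -> Engine {
    let set = |ns: &str, id: &str, rel: &str| Subject::Set { namespace: ns.into(), object_id: id.into(), relation: rel.into() };
    let mut e = Engine::default();
    e.define("document", "viewer", &["editor"], &[("parent", "viewer")]);
    e.define("document", "editor", &["owner"], &[]);
    e.write("document", "123", "owner", Subject::User("alice".into()));
    e.write("document", "123", "parent", Subject::Object { namespace: "folder".into(), object_id: "root".into() });
    e.write("folder", "root", "viewer", set("group", "eng", "member"));
    e.write("group", "eng", "member", set("group", "backend", "member"));
    e.write("group", "backend", "member", Subject::User("bob".into()));
    e.write("group", "backend", "member", set("group", "eng", "member"));
    e
}

fn main() {
    let e = sample_engine();
    println!("alice viewer? {}", e.check("document", "123", "viewer", "alice")); // true: owner -> editor -> viewer
    println!("bob viewer?   {}", e.check("document", "123", "viewer", "bob")); // true: folder:root#viewer -> nested groups
    println!("bob owner?    {}", e.check("document", "123", "owner", "bob")); // false: no rule derives owner from anything
    println!("viewers: {:?}", e.expand("document", "123", "viewer")); // {"alice", "bob"}
}
```

The nested-group hop (folder:root#viewer to group:eng#member to group:backend#member) is exactly the part a Leopard-style reachability index precomputes, turning the recursive walk into a single set lookup; the direction of the rewrite rules is the security-relevant detail, since a rule that derived `owner` from `viewer` would silently grant everyone write access.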
§Example

```rust
use oxify_authz::*;

// The engine API is async, so it must run under an async runtime; tokio is assumed here,
// and both calls are assumed to return the crate's `AuthzError`.
#[tokio::main]
async fn main() -> Result<(), AuthzError> {
    let engine = AuthzEngine::new("postgres://localhost/db").await?;

    // Define: user alice is an owner of document:123
    engine.write_tuple(RelationTuple::new(
        "document",
        "owner",
        "123",
        Subject::User("alice".to_string()),
    )).await?;

    // Check: can alice view document:123?
    let allowed = engine.check(CheckRequest {
        namespace: "document".to_string(),
        object_id: "123".to_string(),
        relation: "viewer".to_string(),
        subject: Subject::User("alice".to_string()),
        context: None,
    }).await?;
    // `allowed` is the CheckResponse for this request.
    Ok(())
}
```

Note that the check asks for `viewer` while the only tuple written states `owner`; as in Zanzibar, such a check can only succeed if the `document` namespace's rewrite rules derive `viewer` from `owner`. The tuple alone says nothing about `viewer`.

Re-exports§
pub use anomaly::*;
pub use audit::*;
pub use bloom::*;
pub use cache::*;
pub use chaos::*;
pub use delegation::*;
pub use edge::*;
pub use engine::*;
pub use hybrid::*;
pub use leopard::*;
pub use memory::*;
pub use metrics::*;
pub use multitenancy::*;
pub use oauth2::*;
pub use profiling::*;
pub use quantum::*;
pub use query_optimizer::*;
pub use recommendations::*;
pub use redis_cache::*;
pub use types::*;
pub use warming::*;
pub use zkp::*;
Modules§
- anomaly: Anomaly Detection for Authorization
- audit: Audit Logging for Authorization Events
- bloom: Bloom filter for quick negative lookups
- cache: Caching layer for authorization decisions
- chaos: Chaos Engineering for Resilience Testing
- delegation: Permission Delegation System
- edge: Edge Computing for Authorization
- engine: Authorization engine implementing the check API
- hybrid: Hybrid ReBAC engine combining PostgreSQL persistence with an in-memory hot path
- leopard: Leopard Indexing for optimized reachability queries
- memory: In-memory ReBAC manager
- metrics: Performance Metrics Tracking
- migration: Database migration utilities
- multitenancy: Multi-Tenancy Support for Authorization
- oauth2: OAuth2 Scopes → ReBAC Mapping
- profiling: Performance profiling utilities for authorization operations
- quantum: Quantum-Safe Cryptography
- query_optimizer: Query optimization utilities for authorization checks
- recommendations: Permission Recommendations
- redis_cache: Redis-based L2 cache for distributed authorization
- types: Core types for the authorization system
- warming: Cache Warming Strategies
- zkp: Zero-Knowledge Proofs for Privacy-Preserving Authorization
Structs§
- CheckRequest: Request to check if a subject has a relation to an object
- CheckResponse: Response from a check request
- ExpandRequest: Request to expand a relation (find all subjects)
- ExpandResponse: Response from an expand request
- RelationTuple: Relation tuple representing a relationship. Example: (document, doc123, owner, user:alice) means “alice owns doc123”. Extended with optional conditions from OxiRS.
Enums§
- AuthzError
- Subject: Subject in a relation tuple