
Module auth

Authentication & Authorization

Provides user management, RBAC, and token-based auth for RedDB.

Roles

  • admin: Full access (user management, index ops, read, write)
  • write: Read + write data
  • read: Read-only access

Auth Methods

  • User/Password login -> session token
  • API key -> direct auth with assigned role

Re-exports

pub use scope_cache::AuthCache;
pub use scope_cache::AuthCacheStats;
pub use scope_cache::ScopeKey;
pub use scope_cache::DEFAULT_TTL as DEFAULT_SCOPE_TTL;
pub use cert::CertAuthConfig;
pub use cert::CertAuthError;
pub use cert::CertAuthenticator;
pub use cert::CertIdentity;
pub use cert::CertIdentityMode;
pub use cert::ParsedClientCert;
pub use column_policy_gate::ColumnAccessRequest;
pub use column_policy_gate::ColumnDecision;
pub use column_policy_gate::ColumnDecisionEffect;
pub use column_policy_gate::ColumnPolicyGate;
pub use column_policy_gate::ColumnPolicyOutcome;
pub use column_policy_gate::ColumnRef;
pub use oauth::DecodedJwt;
pub use oauth::Jwk;
pub use oauth::JwtClaims;
pub use oauth::JwtHeader;
pub use oauth::OAuthConfig;
pub use oauth::OAuthError;
pub use oauth::OAuthIdentity;
pub use oauth::OAuthIdentityMode;
pub use oauth::OAuthValidator;
pub use privileges::check_grant;
pub use privileges::Action;
pub use privileges::AuthzContext;
pub use privileges::AuthzError;
pub use privileges::Grant;
pub use privileges::GrantPrincipal;
pub use privileges::GrantsView;
pub use privileges::PermissionCache;
pub use privileges::Resource;
pub use privileges::UserAttributes;
pub use store::AuthStore;

Modules

cert
Client-certificate authentication (Phase 3.4 PG parity).
column_policy_gate
Column-level IAM policy gate.
locks
Advisory locks (PG-compatible pg_advisory_* family).
middleware
Auth middleware helpers.
oauth
OAuth / OIDC token validation (Phase 3.4 PG parity).
policies
IAM-style policy kernel: data model, JSON codec, validator, evaluator, and simulator.
privileges
Granular RBAC: per-table/action privileges plus user attributes.
scope_cache
(tenant, principal, role) → HashSet<CollectionId> visibility cache.
scram
SCRAM-SHA-256 (RFC 5802 + RFC 7677) primitives.
store
AuthStore – manages users, sessions, and API keys in memory.
vault
Encrypted vault for auth state persistence.

Structs

ApiKey
A persistent API key bound to a user.
AuthConfig
Configuration knobs for the auth subsystem.
Session
An ephemeral session created by login.
User
A registered user in the RedDB auth system.
UserId
Composite identity key: (tenant_id, username).

Enums

AuthError
Errors produced by auth operations.
Role
Access role within the RedDB authorization model.