Skip to main content

Module rbac

rmcp_server_kit

Module rbac 

Source
Expand description

Role-based access control policy engine and middleware. Role-Based Access Control (RBAC) policy engine.

Evaluates (role, operation, host) tuples against a set of role definitions loaded from config. Deny-overrides-allow semantics: an explicit deny entry always wins over a wildcard allow.

Includes an axum middleware that inspects MCP JSON-RPC tool calls and enforces RBAC and per-IP tool rate limiting before the request reaches the handler.

Structs§

ArgumentAllowlist
Per-tool argument allowlist entry.
RbacConfig
Top-level RBAC configuration (deserializable from TOML).
RbacPolicy
Compiled RBAC policy for fast lookup.
RbacPolicySummary
Summary of the whole RBAC policy, produced by RbacPolicy::summary.
RbacRoleSummary
Summary of a single role, produced by RbacPolicy::summary.
RoleConfig
A single role definition.

Enums§

RbacDecision
Result of an RBAC policy check.

Functions§

current_identity
Get the current caller’s identity name (set by RBAC middleware). Returns None outside an RBAC-scoped request context.
current_role
Get the current caller’s RBAC role (set by RBAC middleware). Returns None outside an RBAC-scoped request context.
current_sub
Get the JWT sub claim (stable user ID, e.g. Keycloak UUID). Returns None outside a request context or for non-JWT auth. Use for stable per-user keying (token store, etc.).
current_token
Get the raw bearer token for the current request as a SecretString. Returns None outside a request context or when auth used mTLS/API-key. Tool handlers use this for downstream token passthrough.
with_rbac_scope
Run a future with all task-locals (CURRENT_ROLE, CURRENT_IDENTITY, CURRENT_TOKEN, CURRENT_SUB) set. Use this when re-establishing the full RBAC context in spawned tasks (e.g. rmcp session tasks) where the middleware’s scope is no longer active.
with_token_scope
Run a future with CURRENT_TOKEN set so that current_token() returns the given value inside the future. Useful when MCP tool handlers need the raw bearer token but run in a spawned task where the RBAC middleware’s task-local scope is no longer active.