Skip to main content

Crate typesec_rbac

Crate typesec_rbac 

Source
Expand description

§typesec-rbac

Role-Based Access Control from YAML → typed policy enforcement.

§YAML → Types → Compile-time Safety

The pipeline has two phases:

  1. Runtime: Parse the YAML policy, build an RbacEngine that implements [PolicyEngine]. This handles dynamic role assignments and resource globs that can’t be known at compile time.

  2. Codegen (optional, via typesec generate): Emit Rust source code with concrete role structs and Permission impls. These let the compiler verify that your code uses permissions that actually exist in the policy file.

§YAML Schema

roles:
  - name: analyst
    permissions: [read, read_sensitive]
    resources: ["reports/*", "metrics/*"]
  - name: admin
    inherits: [analyst]
    permissions: [write, delete, delegate]
    resources: ["*"]

assignments:
  - subject: "agent:data-pipeline"
    roles: [analyst]

Re-exports§

pub use engine::RbacEngine;
pub use graph_policy::GraphPolicyEngine;
pub use model::Assignment;
pub use model::RbacPolicy;
pub use model::RoleDefinition;

Modules§

codegen
Code generator: RBAC YAML → Rust source.
engine
RBAC policy engine — implements PolicyEngine for RbacPolicy.
graph_policy
Graph-aware policy definitions backed by Grust graphs.
model
Serde data model for RBAC YAML policies.