A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered by dgraph.
NOTE: This project is developed and maintained by Animeshon where it is running in production.
go build -o bin/grbac ./cmd
docker build -t grbac/grbac:latest .
Run gRPC docker-compose:
docker-compose -f examples/grpc/docker-compose.yaml up
Run integration tests:
export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9060
go test -tags=integration ./...
Visit https://play.dgraph.io/?latest and connect to the endpoint http://127.0.0.1:8060.
Run the following generic DQL query:
{
  query(func: type(Resource)) {
    expand(_all_) {
      expand(_all_) {
        expand(_all_) {
          expand(_all_) {
            expand(_all_) {
              expand(_all_)
            }
          }
        }
      }
    }
  }
}
The following image is an example of the expected output:
After successfully running the gRPC docker-compose as described in the previous paragraph, build gRBAC locally and execute a random CLI command:
go build -o bin/grbac ./cmd
./bin/grbac accesscontrol create-permission \
--address "127.0.0.1:9070" --insecure \
--permission.name="permissions/grbac.test.permission"
Keep experimenting with other commands or through a gRPC client!
- Animeshon APIs
- Animeshon APIs Client Library for Go
- Animeshon Protocol Buffers for Go
- Animeshon Compiled Protocol Buffers
- etags are not implemented
- atomic group changes (AddGroupMember and RemoveGroupMember) are not implemented
- resource parent transfer (TransferResource) is not implemented
- limits and quotas are not implemented
- there is no maximum distance set for shortest queries
- groups can currently include other groups - this behavior should be discussed
- partial updates will return partial resources - complete resources should be returned instead
- resolve known issues
- remove Animeshon internal business logic
- move protobuf definitions to this organization
- generate missing grpc clients (e.g. Java, Python, C#, ...)
- publish docker image to Docker Hub
- build the project through Bazel instead of the Go toolchain
- add unit tests on top of integration tests
- add monitoring and tracing
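Two of the known issues listed above (no maximum distance on shortest queries, and groups that can include other groups) both concern how far a membership check may walk the graph. The following is an added example, not gRBAC's own code: a depth-bounded, cycle-safe membership lookup over a hypothetical in-memory `Groups` map, with constructed sample data, that fails closed when the bound is hit.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrDepthExceeded reports that the search was cut off before the graph was exhausted.
var ErrDepthExceeded = errors.New("membership search exceeded max depth")

// Groups maps a group to its direct members (users or groups). Hypothetical stand-in, not gRBAC's schema.
type Groups map[string][]string

// IsMember searches breadth-first from group for principal, following nested
// groups for at most maxDepth hops; the visited set makes cyclic nesting terminate.
func IsMember(g Groups, group, principal string, maxDepth int) (bool, error) {
	visited := map[string]bool{group: true}
	frontier := []string{group}
	for depth := 1; len(frontier) > 0; depth++ {
		if depth > maxDepth { // unexplored groups remain: deny and say why
			return false, ErrDepthExceeded
		}
		var next []string
		for _, cur := range frontier {
			for _, m := range g[cur] {
				if m == principal {
					return true, nil
				}
				if _, isGroup := g[m]; isGroup && !visited[m] {
					visited[m] = true
					next = append(next, m)
				}
			}
		}
		frontier = next
	}
	return false, nil
}

func main() {
	// Constructed sample data: three nested groups with a cycle back to admins.
	g := Groups{
		"groups/admins": {"users/alice", "groups/ops"},
		"groups/ops":    {"users/bob", "groups/oncall"},
		"groups/oncall": {"users/carol", "groups/admins"},
	}
	fmt.Println(IsMember(g, "groups/admins", "users/carol", 3)) // found within the bound
	fmt.Println(IsMember(g, "groups/admins", "users/carol", 2)) // bound hit: denied with error
}
```

Returning an error distinct from a plain "not a member" lets the caller log and alert on truncated checks instead of treating them as ordinary denials.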
The name gRBAC comes from g + RBAC, where g stands for:
- graph, as it is implemented on top of a graph database and leverages graph's properties
- gRPC, as its implementation is completely gRPC native
- google, as this implementation aims at mirroring the Google Cloud IAM architecture

and RBAC stands for Role-Based Access Control.