Gatehouse – a composable, async-friendly authorization policy framework in Rust

Original link: https://github.com/thepartly/gatehouse

The library provides a flexible and powerful authorization system that supports RBAC, ABAC and ReBAC, so access control can follow several paradigms at once. Policies can be combined with logical operators (AND, OR, NOT) to build complex authorization rules. A key feature is detailed evaluation tracing, which helps with debugging and auditing. The core is the `Policy` trait and its `evaluate_access` method. Policies can be aggregated in a `PermissionChecker`, which evaluates them in order, using OR logic by default (access is granted if any policy allows it). The `PolicyBuilder` offers a fluent API for creating custom policies by defining predicates on the subject, action, resource and context. The library includes concrete policy implementations such as `RbacPolicy`, `AbacPolicy`, `RebacPolicy`, `AndPolicy`, `OrPolicy` and `NotPolicy`. It provides type safety and async/await support for asynchronous operations. The examples demonstrate a range of access-control scenarios built from these features.

A new Rust authorization policy framework, "Gatehouse", has appeared on Hacker News. It emphasizes composability and async support and has drawn early attention, as the post's points and comments show. User "codetrotter" questions the need for async functions in Gatehouse, especially if I/O is performed up front and the policy check itself involves no I/O; they ask for the rationale behind making the functions async. Another user, "esafak", asks which data persistence strategy Gatehouse uses. The original poster, "hardbyte", highlights Gatehouse's key features: it is a native Rust library, supports async operation, and provides decision tracing for authorization policies. The thread also contains a promotion for an AI startup school.

Original text


A flexible authorization library that combines role-based (RBAC), attribute-based (ABAC), and relationship-based (ReBAC) access control policies.


  • Multi-paradigm Authorization: Support for RBAC, ABAC, and ReBAC patterns
  • Policy Composition: Combine policies with logical operators (AND, OR, NOT)
  • Detailed Evaluation Tracing: Complete decision trace for debugging and auditing
  • Fluent Builder API: Construct custom policies with a PolicyBuilder
  • Type Safety: Strongly typed resources/actions/contexts
  • Async Ready: Built with async/await support

The Policy trait is the foundation of the authorization system; every policy, built-in or custom, implements its evaluate_access method:

// The #[async_trait] attribute comes from the async-trait crate.
use async_trait::async_trait;

#[async_trait]
trait Policy<Subject, Resource, Action, Context> {
    async fn evaluate_access(
        &self,
        subject: &Subject,
        action: &Action,
        resource: &Resource,
        context: &Context,
    ) -> PolicyEvalResult;
}

The PermissionChecker aggregates multiple policies (e.g. RBAC, ABAC) with OR logic by default: if any policy grants access, permission is granted. Each policy added to a checker can therefore only widen access; conditions that must all hold should be composed with AndPolicy first and the combined policy added as one unit.

let mut checker = PermissionChecker::new();
checker.add_policy(rbac_policy);
checker.add_policy(owner_policy);

// Check if access is granted
let result = checker.evaluate_access(&user, &action, &resource, &context).await;
if result.is_granted() {
    // Access allowed
} else {
    // Access denied
}

The PolicyBuilder provides a fluent API to construct custom policies by chaining predicate functions for subjects, actions, resources, and context. Once built, the policy can be added to a PermissionChecker.

let custom_policy = PolicyBuilder::<MySubject, MyResource, MyAction, MyContext>::new("CustomPolicy")
    .subjects(|s| /* ... */)
    .actions(|a| /* ... */)
    .resources(|r| /* ... */)
    .context(|c| /* ... */)
    .when(|s, a, r, c| /* ... */)
    .build();

The library ships with these concrete policy implementations:

  • RbacPolicy: Role-based access control
  • AbacPolicy: Attribute-based access control
  • RebacPolicy: Relationship-based access control

Policies are composed with the following combinators:

  • AndPolicy: Grants access only if all inner policies allow access
  • OrPolicy: Grants access if any inner policy allows access
  • NotPolicy: Inverts the decision of an inner policy
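The following is an added example and not code from the gatehouse repository: a self-contained, synchronous sketch of the design the sections above describe (the Policy trait, a PermissionChecker that ORs its policies, a builder-style leaf policy built from a predicate closure, and the And/Or/Not combinators), producing a nested decision trace. Everything in it is assumed for illustration: the names EvalResult, Leaf, policy() and BoxedPolicy, the synchronous evaluate method standing in for the crate's async evaluate_access, the indented trace format, and the rule that a checker with no policies denies. The User/Action/Doc/Ctx types and the sample rules are constructed for the example.

```rust
// Added example, not the gatehouse crate's code: a synchronous sketch of the
// Policy trait, PermissionChecker (OR by default), builder-style leaf policies
// and the And/Or/Not combinators. EvalResult, Leaf, policy(), the trace format
// and "no policies => deny" are assumptions for this example; the crate is async.

/// Decision plus one trace line per (sub)policy consulted, for auditing.
#[derive(Debug, Clone, PartialEq)]
pub struct EvalResult { pub granted: bool, pub trace: Vec<String> }

/// Sync stand-in for the page's Policy<Subject, Resource, Action, Context>.
pub trait Policy<S, A, R, C> {
    fn evaluate(&self, subject: &S, action: &A, resource: &R, ctx: &C) -> EvalResult;
}
pub type BoxedPolicy<S, A, R, C> = Box<dyn Policy<S, A, R, C>>;
fn verdict(granted: bool) -> &'static str { if granted { "ALLOW" } else { "DENY" } }

/// Leaf policy: a name and one predicate over all four inputs (what the
/// builder's when(|s, a, r, c| ...) closure boils down to).
pub struct Leaf<F> { name: &'static str, pred: F }
impl<S, A, R, C, F: Fn(&S, &A, &R, &C) -> bool> Policy<S, A, R, C> for Leaf<F> {
    fn evaluate(&self, s: &S, a: &A, r: &R, c: &C) -> EvalResult {
        let granted = (self.pred)(s, a, r, c);
        EvalResult { granted, trace: vec![format!("{} -> {}", self.name, verdict(granted))] }
    }
}
pub fn policy<S, A, R, C, F>(name: &'static str, pred: F) -> BoxedPolicy<S, A, R, C>
where F: Fn(&S, &A, &R, &C) -> bool + 'static {
    Box::new(Leaf { name, pred })
}

/// Evaluates every inner policy (no short-circuit, so the trace is complete),
/// lets `fold` combine the verdicts, and nests the inner traces by indentation.
fn combine<S, A, R, C>(
    label: &str, inner: &[BoxedPolicy<S, A, R, C>], (s, a, r, c): (&S, &A, &R, &C),
    fold: impl Fn(&[EvalResult]) -> bool,
) -> EvalResult {
    let results: Vec<EvalResult> = inner.iter().map(|p| p.evaluate(s, a, r, c)).collect();
    let granted = fold(&results);
    let mut trace = vec![format!("{label} -> {}", verdict(granted))];
    trace.extend(results.iter().flat_map(|x| &x.trace).map(|l| format!("  {l}")));
    EvalResult { granted, trace }
}

pub struct AndPolicy<S, A, R, C>(pub Vec<BoxedPolicy<S, A, R, C>>);
pub struct OrPolicy<S, A, R, C>(pub Vec<BoxedPolicy<S, A, R, C>>);
pub struct NotPolicy<S, A, R, C>(pub BoxedPolicy<S, A, R, C>);
impl<S, A, R, C> Policy<S, A, R, C> for AndPolicy<S, A, R, C> {
    fn evaluate(&self, s: &S, a: &A, r: &R, c: &C) -> EvalResult {
        combine("AND", &self.0, (s, a, r, c), |rs| rs.iter().all(|x| x.granted))
    }
}
impl<S, A, R, C> Policy<S, A, R, C> for OrPolicy<S, A, R, C> {
    fn evaluate(&self, s: &S, a: &A, r: &R, c: &C) -> EvalResult {
        combine("OR", &self.0, (s, a, r, c), |rs| rs.iter().any(|x| x.granted))
    }
}
impl<S, A, R, C> Policy<S, A, R, C> for NotPolicy<S, A, R, C> {
    fn evaluate(&self, s: &S, a: &A, r: &R, c: &C) -> EvalResult {
        combine("NOT", std::slice::from_ref(&self.0), (s, a, r, c), |rs| !rs[0].granted)
    }
}

/// OR across registered policies, as on the page: each added policy can only
/// widen access. With no policies nothing can grant, so the answer is DENY.
pub struct PermissionChecker<S, A, R, C> { policies: Vec<BoxedPolicy<S, A, R, C>> }
impl<S, A, R, C> PermissionChecker<S, A, R, C> {
    pub fn new() -> Self { Self { policies: Vec::new() } }
    pub fn add_policy(&mut self, p: BoxedPolicy<S, A, R, C>) { self.policies.push(p) }
    pub fn evaluate_access(&self, s: &S, a: &A, r: &R, c: &C) -> EvalResult {
        combine("checker(OR)", &self.policies, (s, a, r, c), |rs| rs.iter().any(|x| x.granted))
    }
}

// Constructed sample domain for the example.
pub struct User { pub id: u32, pub roles: Vec<&'static str> }
#[derive(PartialEq)]
pub enum Action { Read, Edit, Delete }
pub struct Doc { pub owner_id: u32, pub archived: bool }
pub struct Ctx { pub mfa_verified: bool }

/// rbac:admin  OR  (rebac:owner AND abac:mfa-for-delete AND NOT attr:archived)
pub fn build_checker() -> PermissionChecker<User, Action, Doc, Ctx> {
    let mut checker = PermissionChecker::new();
    checker.add_policy(policy("rbac:admin", |u: &User, _: &Action, _: &Doc, _: &Ctx| {
        u.roles.contains(&"admin")
    }));
    let owner = policy("rebac:owner", |u: &User, _: &Action, d: &Doc, _: &Ctx| u.id == d.owner_id);
    let step_up = policy("abac:mfa-for-delete", |_: &User, a: &Action, _: &Doc, c: &Ctx| {
        *a != Action::Delete || c.mfa_verified
    });
    let not_archived: BoxedPolicy<User, Action, Doc, Ctx> =
        Box::new(NotPolicy(policy("attr:archived", |_: &User, _: &Action, d: &Doc, _: &Ctx| d.archived)));
    checker.add_policy(Box::new(AndPolicy(vec![owner, step_up, not_archived])));
    checker
}

/// Builds the checker and evaluates one request; the returned trace explains the verdict.
pub fn decide(user: &User, action: Action, doc: &Doc, mfa_verified: bool) -> EvalResult {
    build_checker().evaluate_access(user, &action, doc, &Ctx { mfa_verified })
}
```

Calling decide for an owner who tries to delete without MFA yields a trace whose first line is "checker(OR) -> DENY", followed by "rbac:admin -> DENY" and an "AND -> DENY" subtree in which only the abac:mfa-for-delete leaf reads DENY; that is the information a detailed evaluation trace is meant to surface when a denial has to be explained or audited. Because the checker itself is OR-based, wrapping the owner, step-up and archived rules in AndPolicy is what stops any one of them from becoming a single-point grant.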

See the examples directory for complete demonstrations of:

  • Role-based access control (rbac_policy)
  • Relationship-based access control (rebac_policy)
  • Policy combinators (combinator_policy)

Run with:

cargo run --example rbac_policy