Grbac
Graph Role-Based Access Control by Animeshon
Install / Use
/learn @grbac/GrbacREADME
gRBAC - Graph Role-Based Access Control
A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered by dgraph.
NOTE: This project is developed and maintained by Animeshon where it is running in production.
Build with Golang
go build -o bin/grbac ./cmd
Build with Docker
docker build -t grbac/grbac:latest .
Run examples (gRPC only)
Run gRPC docker-compose:
docker-compose -f examples/grpc/docker-compose.yaml up
Run integration tests:
export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9060
go test -tag=integration ./...
Visit https://play.dgraph.io/?latest and connect to the endpoint http://127.0.0.1:8060.
Run the following generic DQL query:
{
query(func:type(Resource)){
expand(_all_) {
expand(_all_) {
expand(_all_) {
expand(_all_) {
expand(_all_) {
expand(_all_)
}
}
}
}
}
}
}
The following image is an example of the expected output:
Play with gRBAC
After succesfully running the gRPC docker-compose as described in the previous paragraph, build gRBAC locally and execute a random CLI command:
go build -o bin/grbac ./cmd
./bin/grbac accesscontrol create-permission \
--address "127.0.0.1:9070" --insecure \
--permission.name="permissions/grbac.test.permission"
Keep experimenting with other commands or through a gRPC client!
Resources
- Animeshon APIs
- Animeshon APIs Client Library for Go
- Animeshon Protocol Buffers for Go
- Animeshon Compiled Protocol Buffers
Known Issues
- etags are not implemented
- atomic group changes (AddGroupMember and RemoveGroupMemeber) are not implemented
- resource parent transfer (TransferResource) is not implemented
- limits and quotas are not implemented
- there is no maximum distance set for
shortestqueries - groups can currently include other groups - this behavior should be discussed
- partial updates will return partial resources - complete resources should be returned instead
Roadmap
- [ ] resolve known issues
- [ ] remove Animeshon internal business logic
- [ ] move protobuf definitions to this organization
- [ ] generate missing grpc clients (e.g. Java, Python, C#, ...)
- [ ] publish docker image to Docker Hub
- [ ] build the project through Bazel instead of the Go toolchain
- [ ] add unit tests on top of integration tests
- [ ] add monitoring and tracing
Off-topic: gRBAC meaning
The name gRBAC comes from g + RBAC where g stands for:
graphas it is implemented on top of a graph database and leverages graph's propertiesgRPCas its implementation is completely gRPC nativegoogleas this implementation aims at mirroring the Google Cloud IAM architecture
and RBAC stands for Role-Based Access Control.
