Documentation
Overview
Package authz provides a generic Kratos middleware for authorization. It is engine-agnostic: any Authorizer implementation can be injected.
Example usage:
```go
import (
	pkgauthz "github.com/Servora-Kit/servora/pkg/authz"
	fgaengine "github.com/Servora-Kit/servora/pkg/authz/openfga"
)

// fgaClient is an already-configured OpenFGA client and iamv1 is the generated
// proto package whose AuthzRules() returns the operation→rule map; both come
// from elsewhere in the server's setup.
mw = append(mw, pkgauthz.Server(
	fgaengine.NewAuthorizer(fgaClient),
	pkgauthz.WithRulesFunc(iamv1.AuthzRules),
))
```
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func MergeRules
MergeRules merges multiple AuthzRule maps into one new map. Later maps take precedence on key conflicts (which should not occur in practice). It is useful when a server registers services from multiple generated packages.
func Server
```go
func Server(authorizer Authorizer, opts ...Option) middleware.Middleware
```
Server returns a Kratos middleware that performs authorization checks.
Behavior:
- No transport in context → passthrough (non-server calls)
- No rule for operation → fail-closed (403 AUTHZ_NO_RULE)
- AUTHZ_MODE_NONE → skip (public endpoint)
- AUTHZ_MODE_CHECK, no actor or anonymous actor → 403 AUTHZ_DENIED
- AUTHZ_MODE_CHECK, nil authorizer → 503 AUTHZ_UNAVAILABLE
- AUTHZ_MODE_CHECK, allowed → handler called
- AUTHZ_MODE_CHECK, denied → 403 AUTHZ_DENIED
The OpenFGA principal is constructed as "<actor.Type()>:<actor.ID()>".
Types
type Authorizer
```go
type Authorizer interface {
	IsAuthorized(ctx context.Context, subject, relation, objectType, objectID string) (allowed bool, err error)
}
```
Authorizer is the interface for checking authorization. Implementations are responsible for performing the actual permission check, including any caching or backend communication.
type AuthzRule
```go
type AuthzRule struct {
	Mode       authzpb.AuthzMode
	Relation   string
	ObjectType string
	// IDField is the proto field name to extract object ID from the request.
	// When empty, "default" is used as the object ID (singleton/platform-level checks).
	IDField string
}
```
AuthzRule describes the authorization requirement for a single RPC operation.
type DecisionDetail
```go
type DecisionDetail struct {
	Operation  string
	Subject    string
	Relation   string
	ObjectType string
	ObjectID   string
	Allowed    bool
	CacheHit   bool
	Err        error
}
```
DecisionDetail describes the result of a single authorization check. It is passed to the DecisionLogger callback after every check.
type Option
```go
type Option func(*serverConfig)
```
Option configures the Server middleware.
func WithDecisionLogger
```go
func WithDecisionLogger(fn func(ctx context.Context, detail DecisionDetail)) Option
```
WithDecisionLogger sets a callback invoked after every authorization check. Use it to bridge to audit.Recorder or any other audit sink. It replaces the old WithAuditRecorder and keeps pkg/authz free of any dependency on pkg/audit.
func WithDefaultObjectID
WithDefaultObjectID overrides the fallback object ID used when IDField is empty. Defaults to "default".
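The decision sequence documented for Server, the IDField fallback that WithDefaultObjectID overrides, and the DecisionDetail handed to a WithDecisionLogger callback can be exercised offline with a small model. The block below is an added example, not code from pkg/authz: it redeclares Authorizer, AuthzRule and DecisionDetail locally, uses an in-memory tuple set in place of the OpenFGA engine, and assumes an Actor with Type and ID where an empty ID stands for an anonymous actor (the page does not define anonymity); the Request type, the operation names and the treatment of an Authorizer error as a denial are likewise assumptions.

```go
package main

import (
	"context"
	"fmt"
)

// AuthzMode stands in for the authzpb.AuthzMode values named on the page.
type AuthzMode int
const (
	ModeNone  AuthzMode = iota + 1 // AUTHZ_MODE_NONE: public endpoint, no check
	ModeCheck                      // AUTHZ_MODE_CHECK: consult the Authorizer
)

// Authorizer, AuthzRule and DecisionDetail follow the shapes documented for pkg/authz.
type Authorizer interface {
	IsAuthorized(ctx context.Context, subject, relation, objectType, objectID string) (bool, error)
}
type AuthzRule struct {
	Mode                          AuthzMode
	Relation, ObjectType, IDField string // empty IDField => fallback object ID is used
}
type DecisionDetail struct {
	Operation, Subject, Relation, ObjectType, ObjectID string
	Allowed                                           bool
	Err                                               error
}

// Actor is assumed (the page only says the principal is "<actor.Type()>:<actor.ID()>"); an empty ID means anonymous.
type Actor struct{ Type, ID string }

// Request is a constructed stand-in for a Kratos call: whether a server transport is present,
// the resolved actor (nil = none) and the proto fields from which a rule's IDField is read.
type Request struct {
	Operation    string
	HasTransport bool
	Actor        *Actor
	Fields       map[string]string
}

// Outcome names what the middleware does for the call.
type Outcome string
const (
	Passthrough Outcome = "passthrough"
	Handled     Outcome = "handler called"
	NoRule      Outcome = "403 AUTHZ_NO_RULE"
	Denied      Outcome = "403 AUTHZ_DENIED"
	Unavailable Outcome = "503 AUTHZ_UNAVAILABLE"
)

// tupleAuthorizer is an in-memory Authorizer keyed "subject#relation@type:id", standing in for OpenFGA.
type tupleAuthorizer map[string]bool

func (t tupleAuthorizer) IsAuthorized(_ context.Context, subject, relation, objectType, objectID string) (bool, error) {
	return t[subject+"#"+relation+"@"+objectType+":"+objectID], nil
}

// Decide walks the Server behaviour list in order. An Authorizer error is treated as a denial (fail-closed); the page does not specify that case.
func Decide(ctx context.Context, rules map[string]AuthzRule, az Authorizer, defaultObjectID string,
	logFn func(DecisionDetail), req Request) Outcome {
	if !req.HasTransport {
		return Passthrough // non-server call
	}
	rule, ok := rules[req.Operation]
	if !ok {
		return NoRule // fail-closed: an unmapped operation is never silently allowed
	}
	if rule.Mode == ModeNone {
		return Handled
	}
	if req.Actor == nil || req.Actor.ID == "" {
		return Denied
	}
	if az == nil {
		return Unavailable
	}
	subject := req.Actor.Type + ":" + req.Actor.ID
	objectID := defaultObjectID
	if rule.IDField != "" {
		objectID = req.Fields[rule.IDField]
	}
	allowed, err := az.IsAuthorized(ctx, subject, rule.Relation, rule.ObjectType, objectID)
	if logFn != nil {
		logFn(DecisionDetail{req.Operation, subject, rule.Relation, rule.ObjectType, objectID, allowed, err})
	}
	if err != nil || !allowed {
		return Denied
	}
	return Handled
}

// SampleRules and SampleAuthorizer are constructed fixtures with invented operation names.
func SampleRules() map[string]AuthzRule {
	return map[string]AuthzRule{
		"/example.v1.Users/Get":    {Mode: ModeCheck, Relation: "viewer", ObjectType: "user", IDField: "id"},
		"/example.v1.Users/List":   {Mode: ModeCheck, Relation: "admin", ObjectType: "platform"}, // no IDField
		"/example.v1.Health/Check": {Mode: ModeNone},
	}
}
func SampleAuthorizer() tupleAuthorizer {
	return tupleAuthorizer{"user:alice#viewer@user:alice": true, "user:alice#admin@platform:default": true}
}

func main() {
	req := Request{Operation: "/example.v1.Users/List", HasTransport: true, Actor: &Actor{"user", "alice"}}
	fmt.Println(Decide(context.Background(), SampleRules(), SampleAuthorizer(), "default", nil, req)) // handler called
}
```

The ordering matters for the fail-closed guarantees: the rule lookup happens before any actor or engine check, so an operation that was never mapped gets AUTHZ_NO_RULE even for an authenticated caller, and a nil engine surfaces as 503 rather than as a silent allow. The logger sees only calls that actually reached the Authorizer, which mirrors the page's "after every check" wording.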
func WithRulesFunc
WithRulesFunc sets the operation→rule mapping via a single function (e.g. generated AuthzRules()). The function is called once during middleware construction. To merge rules from multiple packages, prefer WithRulesFuncs.
func WithRulesFuncs
WithRulesFuncs merges the rule maps returned by one or more generator functions (e.g. userpb.AuthzRules, authnpb.AuthzRules) into a single rule set. Later entries take precedence on key conflicts (which should not occur in practice). This is the preferred alternative to combining WithRules with MergeRules.
Directories
| Path | Synopsis |
|---|---|
| noop | Package noop provides a no-op Authorizer that always permits all requests. |
| openfga | Package openfga provides an OpenFGA-based Authorizer implementation for pkg/authz. |