Documentation
Overview
Command protoc-gen-servora-authz translates servora authz proto annotations into a Go file (`authz_rules.gen.go`) consumed by the runtime to enforce authorization on RPC methods.
Merge semantics (matches authn / audit):
- method-level rule with mode != AUTHZ_MODE_UNSPECIFIED replaces the service-level default in its entirety,
- method-level rule absent (or mode == AUTHZ_MODE_UNSPECIFIED) inherits the service-level default,
- only methods whose merged mode != AUTHZ_MODE_UNSPECIFIED appear in the generated map (NONE is preserved so callers can express "explicitly skip" rather than "no rule"; the runtime decides what to do with NONE).
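The merge rules above, worked through as an added example (not the plugin's own code or its generated output). The `Rule` shape, its `Permission` field, the `ModeCheck` value, and the `/service/method` map key are assumptions made for illustration; only `AUTHZ_MODE_UNSPECIFIED` and NONE come from the page.

```go
package main

import "fmt"

// Mode mirrors the two values the page names; ModeCheck is a constructed stand-in.
type Mode int

const (
	ModeUnspecified Mode = iota // AUTHZ_MODE_UNSPECIFIED
	ModeNone                    // NONE: "explicitly skip"
	ModeCheck                   // hypothetical enforcing mode
)

// Rule is a hypothetical rule shape; Permission is an assumed field.
type Rule struct {
	Mode       Mode
	Permission string
}

// Merge applies the documented semantics to one service and returns
// the entries that would land in the generated map.
func Merge(service string, def Rule, methods []string, overrides map[string]Rule) map[string]Rule {
	out := make(map[string]Rule)
	for _, m := range methods {
		merged := def // absent or UNSPECIFIED method rule inherits the default
		if r, ok := overrides[m]; ok && r.Mode != ModeUnspecified {
			merged = r // whole-rule replacement, no field-by-field merge
		}
		if merged.Mode == ModeUnspecified {
			continue // no rule at all: omitted from the map
		}
		out["/"+service+"/"+m] = merged // key format is an assumption
	}
	return out
}

func main() {
	def := Rule{Mode: ModeCheck, Permission: "orders.read"} // constructed default
	rules := Merge("demo.v1.Orders", def,
		[]string{"Get", "Health", "Delete", "List"},
		map[string]Rule{
			"Health": {Mode: ModeNone},         // kept in the map as NONE
			"Delete": {Mode: ModeCheck},        // Permission is not inherited
			"List":   {Permission: "ignored"},  // UNSPECIFIED: default wins
		})
	for k, v := range rules {
		fmt.Println(k, v)
	}
}
```

Note the `Delete` case: because a method-level rule replaces the default in its entirety, any field the method rule leaves unset is not filled in from the service level.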
Cross-file template scanning: rules are gathered from ALL input files (including non-generated dependencies) so authz annotations on canonical RPC protos remain visible when only their HTTP-gateway counterparts are in the generation set. Generated output groups by output directory so each directory yields one authz_rules.gen.go covering the services declared in it (resolved through the cross-file template index).