diff options
| author | mo khan <mo@mokhan.ca> | 2025-07-15 16:37:08 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-07-17 16:30:22 -0600 |
| commit | 45df4d0d9b577fecee798d672695fe24ff57fb1b (patch) | |
| tree | 1b99bf645035b58e0d6db08c7a83521f41f7a75b /src/authorization/server.rs | |
| parent | f94f79608393d4ab127db63cc41668445ef6b243 (diff) | |
feat: migrate from Cedar to SpiceDB authorization system
This is a major architectural change that replaces the Cedar policy-based
authorization system with SpiceDB's relation-based authorization.
Key changes:
- Migrate from Rust to Go implementation
- Replace Cedar policies with SpiceDB schema and relationships
- Switch from envoy `ext_authz` with Cedar to SpiceDB permission checks
- Update build system and dependencies for Go ecosystem
- Maintain Envoy integration for external authorization
This change enables more flexible permission modeling through SpiceDB's
Google Zanzibar inspired relation-based system, supporting complex
hierarchical permissions that were difficult to express in Cedar.
Breaking change: Existing Cedar policies and Rust-based configuration
will no longer work and need to be migrated to SpiceDB schema.
Diffstat (limited to 'src/authorization/server.rs')
| -rw-r--r-- | src/authorization/server.rs | 42 |
1 files changed, 0 insertions, 42 deletions
diff --git a/src/authorization/server.rs b/src/authorization/server.rs deleted file mode 100644 index 31bf2af8..00000000 --- a/src/authorization/server.rs +++ /dev/null @@ -1,42 +0,0 @@ -use super::cedar_authorizer::CedarAuthorizer; -use super::check_service::CheckService; -use envoy_types::ext_authz::v3::pb::AuthorizationServer; -use std::sync::Arc; - -pub struct Server { - router: tonic::transport::server::Router, -} - -impl Server { - pub fn new<T: super::Authorizer>(authorizer: T) -> Result<Server, Box<dyn std::error::Error>> { - let authorization_service = - AuthorizationServer::new(CheckService::new(Arc::new(authorizer))); - - Ok(Self::new_with(|mut builder| { - builder.add_service(authorization_service) - })) - } - - pub fn new_with<F>(f: F) -> Server - where - F: FnOnce(tonic::transport::Server) -> tonic::transport::server::Router, - { - let builder = tonic::transport::Server::builder() - .trace_fn( - |req| tracing::info_span!("rpc", method = %req.method(), path = %req.uri().path()), - ) - .timeout(std::time::Duration::from_secs(30)); - let router = f(builder); - Server { router } - } - - pub async fn serve(self, addr: std::net::SocketAddr) -> Result<(), tonic::transport::Error> { - self.router.serve(addr).await - } -} - -impl Default for Server { - fn default() -> Self { - Self::new(CedarAuthorizer::default()).unwrap() - } -} |