hodei-authz-sdk
| Crates.io | hodei-authz-sdk |
| lib.rs | hodei-authz-sdk |
| version | 0.1.0 |
| created_at | 2025-10-17 21:22:10.682261+00 |
| updated_at | 2025-10-17 21:22:10.682261+00 |
| description | Complete Cedar Policy-based authorization SDK with auto-discovery and builder pattern |
| homepage | https://github.com/Rubentxu/hodei-policies |
| repository | https://github.com/Rubentxu/hodei-policies |
| max_upload_size | |
| id | 1888456 |
| size | 105,970 |
Ruben Dario (Rubentxu)
documentation
https://docs.rs/hodei-authz-sdk
README
Hodei Authorization Framework
Cedar Policy-based authorization framework for Rust applications, inspired by AWS IAM.
Overview
Hodei is a complete authorization framework that provides:
- Cedar Policy Engine: Policy-based access control using Amazon's Cedar
- Multi-Tenancy: Built-in tenant isolation with HRN (Hodei Resource Name)
- Derive Macros: Automatic code generation for entities and actions
- Database Adapters: PostgreSQL and Redis support out of the box
- Web Integration: Axum middleware and extractors
- Type-Safe: Leverages Rust's type system for compile-time safety
Quick Start
Installation
[dependencies]
hodei-authz-sdk = { version = "0.1", features = ["full"] }
Define Your Domain
use hodei-authz-sdk::prelude::*;
use serde::{Serialize, Deserialize};
#[derive(HodeiEntity, Serialize, Deserialize, Clone)]
#[hodei-authz-sdk(entity_type = "MyApp::User")]
struct User {
id: Hrn,
email: String,
role: String,
}
#[derive(HodeiEntity, Serialize, Deserialize, Clone)]
#[hodei-authz-sdk(entity_type = "MyApp::Document")]
struct Document {
id: Hrn,
#[entity_type = "MyApp::User"]
owner_id: Hrn,
title: String,
}
#[derive(HodeiAction)]
#[hodei-authz-sdk(namespace = "MyApp")]
enum DocumentCommand {
#[hodei-authz-sdk(principal = "User", resource = "Document")]
Read { id: Hrn },
#[hodei-authz-sdk(principal = "User", resource = "Document")]
Update { id: Hrn },
#[hodei-authz-sdk(principal = "User", resource = "Document", creates_resource)]
Create { title: String },
}
Write Cedar Policies
// Only document owner can read
permit(
principal,
action == Action::"Document::Read",
resource
) when {
resource.owner_id == principal
};
// Admins can do anything
permit(
principal,
action,
resource
) when {
principal.role == "admin"
};
Use in Your Application
use hodei_postgres::PostgresPolicyStore;
use hodei_redis::RedisCacheInvalidation;
use hodei_authz::{PolicyStore, CacheInvalidation};
use sqlx::PgPool;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// Setup database
let pool = PgPool::connect("postgres://...").await?;
let store = PostgresPolicyStore::new(pool);
store.migrate().await?;
// Setup cache invalidation
let cache = RedisCacheInvalidation::new("redis://...").await?;
// Load policies
let policy_set = store.load_all_policies().await?;
// Check authorization
use cedar_policy::{Authorizer, Request, Entities};
let authorizer = Authorizer::new();
let decision = authorizer.is_authorized(&request, &policy_set, &entities);
if decision.decision() == Decision::Allow {
println!("Access granted!");
}
Ok(())
}
Features
Core Features
default- Core functionality (kernel + core + derive)postgres- PostgreSQL adapterredis- Redis cache invalidationaxum- Axum web framework integrationfull- All features enabled
# Minimal installation
[dependencies]
hodei-authz-sdk = "0.1"
# With database support
[dependencies]
hodei-authz-sdk = { version = "0.1", features = ["postgres", "redis"] }
# Everything
[dependencies]
hodei-authz-sdk = { version = "0.1", features = ["full"] }
Architecture
Hodei is composed of several crates:
- hodei-authz-sdk-hrn: Core types (HRN)
- hodei-authz-sdk-derive: Derive macros
- hodei-authz-sdk-authz: Traits and logic
- hodei-authz-sdk-authz-postgres: PostgreSQL adapter
- hodei-authz-sdk-authz-redis: Redis adapter
- hodei-authz-sdk-authz-axum: Axum integration
- hodei-authz-sdk: Meta-crate (this crate)
Examples
Basic Authorization
use hodei-authz-sdk::prelude::*;
let user = User {
id: Hrn::builder()
.service("myapp")
.tenant_id("tenant-1")
.resource("user/alice")
.unwrap()
.build()
.unwrap(),
email: "alice@example.com".to_string(),
role: "user".to_string(),
};
// Check if user can read document
let can_read = check_authorization(
&user,
DocumentCommand::Read { id: document.id.clone() },
&document,
).await?;
With Axum
use hodei_axum::AuthenticatedUser;
use axum::{Router, routing::get, Json};
async fn get_document(
AuthenticatedUser(user): AuthenticatedUser<User>,
Path(id): Path<String>,
) -> Result<Json<Document>, StatusCode> {
// Authorization is handled by middleware
let document = fetch_document(&id).await?;
Ok(Json(document))
}
let app = Router::new()
.route("/documents/:id", get(get_document))
.layer(middleware::from_fn(authorize_middleware));
Documentation
License
MIT OR Apache-2.0