arbhalerao/graphauth
graphauth

A graph-based relationship authorization engine written in Go. Models permissions as a graph of nodes and relationships, supporting indirect access via group membership (similar to Google Zanzibar).

Concepts

  • Nodes: User, Group, Document
  • Relations: VIEWER, EDITOR, OWNER, MEMBER_OF
  • Permission check: walks the graph via MEMBER_OF edges, so a user inherits permissions from any group they belong to (nested groups supported)
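The walk described above, as an added example that is not part of the graphauth code base: a small in-memory graph (a constructed stand-in for the Neo4j store) with a Check that follows MEMBER_OF edges through nested groups. It matches the relation exactly, assumes no EDITOR-implies-VIEWER hierarchy (the README states none), and tracks visited nodes so a membership cycle cannot make the check loop forever.

```go
package main

import "fmt"

// Edge is one relationship tuple: subject -[relation]-> object.
type Edge struct{ Subject, Relation, Object string }

// Graph is a constructed in-memory stand-in for the Neo4j-backed store.
type Graph struct{ edges []Edge }

func (g *Graph) Add(subject, relation, object string) {
	g.edges = append(g.edges, Edge{subject, relation, object})
}

// Check reports whether subject holds relation on object, either directly
// or through any chain of MEMBER_OF edges (nested groups). visited guards
// against membership cycles (a -> b -> a), which would otherwise recurse
// without bound.
func (g *Graph) Check(subject, relation, object string) bool {
	visited := map[string]bool{}
	var walk func(node string) bool
	walk = func(node string) bool {
		if visited[node] {
			return false
		}
		visited[node] = true
		for _, e := range g.edges {
			if e.Subject != node {
				continue
			}
			if e.Relation == relation && e.Object == object {
				return true // direct grant on this node
			}
			if e.Relation == "MEMBER_OF" && walk(e.Object) {
				return true // inherited through group membership
			}
		}
		return false
	}
	return walk(subject)
}

func main() {
	g := &Graph{}
	g.Add("alice", "MEMBER_OF", "eng-team")
	g.Add("eng-team", "MEMBER_OF", "all-staff") // nested group
	g.Add("all-staff", "VIEWER", "design-doc")
	g.Add("eng-team", "EDITOR", "design-doc")
	fmt.Println(g.Check("alice", "EDITOR", "design-doc")) // true, via eng-team
	fmt.Println(g.Check("alice", "VIEWER", "design-doc")) // true, via nested all-staff
	fmt.Println(g.Check("alice", "OWNER", "design-doc"))  // false, no path
}
```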

Running

With Docker (recommended):

make docker-up

This starts Neo4j and the server on port 8080.

Locally:

# Start Neo4j separately, then:
NEO4J_URI=bolt://localhost:7687 \
NEO4J_USERNAME=neo4j \
NEO4J_PASSWORD=password \
make run

Environment Variables

Variable         Default                 Description
NEO4J_URI        bolt://localhost:7687   Neo4j connection URI
NEO4J_USERNAME   neo4j                   Neo4j username
NEO4J_PASSWORD   password                Neo4j password
NEO4J_DATABASE   (default db)            Neo4j database name
LISTEN_ADDR      :8080                   HTTP listen address

API

Create nodes

POST /users          {"id": "alice"}
POST /groups         {"id": "eng-team"}
POST /documents      {"id": "design-doc"}

Manage relationships

POST   /relationships   {"subject": "alice", "relation": "MEMBER_OF", "object": "eng-team"}
DELETE /relationships   {"subject": "alice", "relation": "MEMBER_OF", "object": "eng-team"}

Check permission

GET /check?subject=alice&relation=EDITOR&object=design-doc

Response:

{"allowed": true, "reason": "path exists"}

Health

GET /health

Example

# Create nodes
curl -s -X POST localhost:8080/users     -d '{"id":"alice"}'      -H 'Content-Type: application/json'
curl -s -X POST localhost:8080/groups    -d '{"id":"eng-team"}'   -H 'Content-Type: application/json'
curl -s -X POST localhost:8080/documents -d '{"id":"design-doc"}' -H 'Content-Type: application/json'

# alice is a member of eng-team, which has EDITOR access to design-doc
curl -s -X POST localhost:8080/relationships -H 'Content-Type: application/json' \
  -d '{"subject":"alice","relation":"MEMBER_OF","object":"eng-team"}'
curl -s -X POST localhost:8080/relationships -H 'Content-Type: application/json' \
  -d '{"subject":"eng-team","relation":"EDITOR","object":"design-doc"}'

# Check — returns allowed: true
curl -s "localhost:8080/check?subject=alice&relation=EDITOR&object=design-doc"

Development

make test    # run all tests
make build   # build binary to bin/graphauth
make lint    # run golangci-lint
