A cloud-native graph implementation of the Role-Based Access Control (RBAC) authorization architecture powered by dgraph.

NOTE: This project is developed and maintained by Animeshon where it is running in production.

go build -o bin/grbac ./cmd

docker build -t grbac/grbac:latest .

Run gRPC docker-compose:

docker-compose -f examples/grpc/docker-compose.yaml up

Run integration tests:

export INTEGRATION_TEST_DGRAPH_ENDPOINT=127.0.0.1:9060
go test -tag=integration ./...

Visit https://play.dgraph.io/?latest and connect to the endpoint http://127.0.0.1:8060.

Run the following generic DQL query:

{
  query(func:type(Resource)){
    expand(_all_) {
      expand(_all_) {
        expand(_all_) {
          expand(_all_) {
            expand(_all_) {
              expand(_all_)
            }
          }
        }
      }
    }
  }
}

The following image is an example of the expected output:

After succesfully running the gRPC docker-compose as described in the previous paragraph, build gRBAC locally and execute a random CLI command:

go build -o bin/grbac ./cmd

./bin/grbac accesscontrol create-permission \
    --address "127.0.0.1:9070" --insecure \
    --permission.name="permissions/grbac.test.permission"

Keep experimenting with other commands or through a gRPC client!

• Animeshon APIs
• Animeshon APIs Client Library for Go
• Animeshon Protocol Buffers for Go
• Animeshon Compiled Protocol Buffers

• etags are not implemented
• atomic group changes (AddGroupMember and RemoveGroupMemeber) are not implemented
• resource parent transfer (TransferResource) is not implemented
• limits and quotas are not implemented
• there is no maximum distance set for shortest queries
• groups can currently include other groups - this behavior should be discussed
• partial updates will return partial resources - complete resources should be returned instead

• resolve known issues
• remove Animeshon internal business logic
• move protobuf definitions to this organization
• generate missing grpc clients (e.g. Java, Python, C#, ...)
• publish docker image to Docker Hub
• build the project through Bazel instead of the Go toolchain
• add unit tests on top of integration tests
• add monitoring and tracing

The name gRBAC comes from g + RBAC where g stands for:

• graph as it is implemented on top of a graph database and leverages graph's properties
• gRPC as its implementation is completely gRPC native
• google as this implementation aims at mirroring the Google Cloud IAM architecture

and RBAC stands for Role-Based Access Control.