RBAC — Aquilia Documentation
Comprehensive guide and documentation for RBAC in the Aquilia framework. View API reference, examples, and implementation patterns.
Security & Auth / Authorization / RBAC Role-Based Access Control Aquilia's Role-Based Access Control is driven by the RBACEngine . It supports explicit role definitions, permission mapping, multi-level role inheritance, and cyclic role detection. How RBAC Works Roles group users together, and permissions specify what operations are allowed on resources. Rather than checking roles directly, developers map permissions to roles and check those permissions at the route or handler level. Role Inheritance: Sub-roles inherit all permissions of parent roles recursively. The hierarchy resolver automatically prevents cyclic reference errors. Role Definition & Inheritance Define roles and their hierarchies on the RBACEngine . In this example, the `admin` role inherits from `editor`, which in turn inherits from `guest`: from aquilia.auth.authz import RBACEngine rbac = RBACEngine() # 1. Define base permissions for 'guest' rbac.define_role("guest", permissions=["posts:read"]) # 2. Define 'editor' role, inheriting from 'guest' rbac.define_role("editor", permissions=["posts:write"], inherits=["guest"]) # 3. Define 'admin' role, inheriting from 'editor' rbac.define_role("admin", permissions=["posts:delete"], inherits=["editor"]) # Recursive permission checking guest_perms = rbac.get_permissions("guest") # editor_perms = rbac.get_permissions("editor") # admin_perms = rbac.get_permissions("admin") # Enforcing Permissions Permissions can be checked dynamically by supplying a list of roles belonging to the user. This is typically invoked by the AuthzEngine : # Checks if any of the user's active roles grant a specific permission has_access = rbac.check_permission(roles=["editor"], permission="posts:write") # True # Context-based validation from aquilia.auth.authz import AuthzContext ctx = AuthzContext(identity=user, resource="posts", action="delete", roles=["editor"]) result = rbac.check(ctx, permission="posts:delete") # Returns AuthzResult(decision=Decision.DENY, reason="No role has permission: posts:delete") Overview Attribute-Based Access Control (ABAC) )
Go to Homepage