
feat: RBAC/OPA authorization with Regorus policy engine#993

Open
serene-kitfisto-8899 wants to merge 2 commits into develop from feat_rbac_is_back

Conversation

@serene-kitfisto-8899

Contributor

Summary

Implement opt-in NIST-compatible RBAC with in-process Rego policy evaluation via the Regorus engine (pure-Rust, no external OPA dependency).

Key Features

  • 4-level role hierarchy: super-admin > admin > operator > auditor
  • Tenant isolation: enforced at DB query level (WHERE tenant_id = ?)
  • JWT-based role assignment: configurable claim paths (dot-notation)
  • Three-tier enforcement:
    • Tier 1: dispatch.rs pre-dispatch for non-object ops
    • Tier 2: retrieve_object_utils.rs for object-targeting ops
    • Tier 3: /access/grant and /access/revoke endpoints
  • Auditable decisions: structured tracing events with bundle hash (OTEL)
  • Hot-reload: notify crate file watcher + remote URL polling
  • Default policies: algorithm-only (non-RBAC) + full RBAC bundle embedded
  • Fail-closed: policy errors → deny; missing bundle → refuse startup
  • Migration tooling: ckms server migrate-tenants CLI + REST endpoint

Design Decisions

16 design decisions documented in CONTEXT.md via structured design review:

  • Intentional break for ACL migration (no automatic expansion)
  • Privileged users as advisory is_privileged flag to policy
  • ArcSwap for atomic hot-reload
  • Content-only bundle hash (filenames excluded)
  • Super-admin role for cross-tenant break-glass
  • Algorithm enforcement always via Rego (legacy bypassed)
  • DiscoverVersions/Query exempt from RBAC
  • And more...

ADRs

  • ADR 0003: Always-Rego algorithm enforcement
  • ADR 0004: Super-admin role for cross-tenant access

Testing

  • 31 unit tests covering policy logic, bundle management, evaluator, input builder, audit
  • Zero clippy errors (--all-features)

Files Changed

  • New: crate/server/src/core/rbac/ (8 modules + 2 Rego policies)
  • New: crate/server/src/config/command_line/rbac_config.rs
  • New: crate/server/src/config/params/rbac_params.rs
  • New: crate/server/src/config/wizard/rbac_wizard.rs
  • New: crate/server/src/routes/admin.rs
  • New: crate/clients/clap/src/actions/migrate_tenants.rs
  • Modified: dispatch.rs, retrieve_object_utils.rs, routes/kmip.rs, routes/access.rs, KMS struct, JWT middleware, DB schema
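An illustrative Rego policy with the shape the description implies (default deny, a four-level role hierarchy, tenant isolation, super-admin break-glass, and the DiscoverVersions/Query exemption). This is an added example constructed for this page, not the PR's embedded bundle; the package name, the input field names and the operation-to-rank mapping are assumptions, and it is written for the rego.v1 syntax that Regorus accepts.

```rego
# Hypothetical RBAC policy (constructed example; not the PR's bundle).
# Assumed input contract:
#   input.operation           KMIP operation name, e.g. "Create", "Get", "Destroy"
#   input.user.roles          role names taken from the configured JWT claim path
#   input.user.tenant_id      tenant of the caller
#   input.object.tenant_id    tenant owning the targeted object (absent for non-object ops)
package kms.rbac

import rego.v1

# Fail-closed default: nothing below matching means deny.
default allow := false

# 4-level hierarchy as ranks; a higher rank implies every lower role.
rank := {"super-admin": 4, "admin": 3, "operator": 2, "auditor": 1}

# Minimum rank per operation (assumed mapping for this example).
required := {
	"Get": 1,
	"Locate": 1,
	"Create": 2,
	"Encrypt": 2,
	"Destroy": 3,
}

# Highest rank among the caller's roles. Unknown role names contribute nothing,
# and max() of an empty collection is undefined, so a caller with no known role
# never reaches the allow rules below (fail-closed).
caller_rank := max([r | some role in input.user.roles; r := rank[role]])

# Discovery operations are exempt from RBAC.
allow if input.operation in {"DiscoverVersions", "Query"}

# Super-admin break-glass: cross-tenant access is permitted.
allow if caller_rank == rank["super-admin"]

# Everyone else needs sufficient rank AND the same tenant as the target.
allow if {
	caller_rank >= required[input.operation]
	same_tenant
}

# Non-object operations carry no object tenant; object operations must match.
same_tenant if not input.object

same_tenant if input.object.tenant_id == input.user.tenant_id
```

Operations absent from `required` make `required[input.operation]` undefined, so they are denied for everyone except super-admin, which is the fail-closed behaviour the description calls for.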

serene-kitfisto-8899 and others added 2 commits June 8, 2026 12:34
- CONTEXT.md: problem statement, user stories, implementation decisions,
  OPA input contract, default Rego policy skeleton, and NIST/KMIP references
- docs/adr/0001: Regorus chosen as sole in-process Rego engine (OPA WASM rejected)
- docs/adr/0002: OPA is sole gatekeeper in RBAC mode; DB ACL checks bypassed
- docs/diagrams/: module architecture, role hierarchy, request flow, and
  bundle loading diagrams (SVG source + PNG renders)
- docs/rbac-design.pdf: full design document (TOC, intro, diagrams, references)
- docs/rbac-design.odt: OpenDocument version for editing in LibreOffice
- docs/rbac-design.pptx: 27-slide PowerPoint presentation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Implement opt-in NIST-compatible RBAC with in-process Rego policy evaluation
via the Regorus engine. The system supports a 4-level role hierarchy
(super-admin > admin > operator > auditor), tenant isolation, JWT-based role
assignment, and auditable policy decisions.

Key components:
- RbacConfig/RbacParams with startup cross-validation
- Policy Bundle Manager (load, validate, hash .rego bundles)
- Policy Evaluator (ArcSwap-backed, fail-closed, atomic hot-reload)
- Policy Input Builder (OPA input contract structs)
- Three-tier enforcement: dispatch (Tier 1), retrieve (Tier 2), access endpoints (Tier 3)
- RBAC Audit Logger (structured tracing events for OTEL)
- Default policies: algorithm-only (non-RBAC) and full RBAC bundle
- Hot-reload file watcher (notify crate, cross-platform)
- Remote bundle polling with JSON manifest support
- CLI: ckms server migrate-tenants command
- Server: POST /admin/migrate-tenants endpoint
- Config wizard: interactive RBAC setup step
- Legacy algorithm_policy.rs bypassed when Rego evaluator is active
- JWT UserClaim extended with dynamic claim extraction (dot-notation)
- Database: tenant_id column added to objects table (migration)

Design decisions documented in CONTEXT.md (16 resolved decisions).
ADRs: 0003 (always-Rego algorithm enforcement), 0004 (super-admin role).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>