RBACX After Six Months: ReBAC, AI Policies, and Batch Authorization
Over the past six months, the RBACX library has evolved from a basic RBAC/ABAC engine into a comprehensive system featuring ReBAC and AI-generated policies. Critical vulnerabilities have been addressed: bypassing deny-overrides in the compiler, DoS via condition recursion, and SSRF in the HTTP source. The system now enforces MAX_CONDITION_DEPTH=50, verify_ssl, and blocks private IPs.
Batch permission checking is implemented via the evaluate_batch_async and evaluate_batch_sync methods in the Guard class. This solves the problem of multiple requests in UI applications, where parallel evaluation using asyncio.gather reduces latency.
decisions = await guard.evaluate_batch_async([
(subject, Action("read"), doc, ctx),
(subject, Action("write"), doc, ctx),
(subject, Action("delete"), doc, ctx),
])
ReBAC: Relationship Graphs Instead of Attributes
Relationship-based authorization (ReBAC) introduces a "who granted what to whom" model, similar to Google Drive or GitHub. Permissions are defined by an entity graph: a document owner delegates access. Integrations with OpenFGA and SpiceDB support synchronous/asynchronous calls, including batch gRPC for object lists. A local graph is suitable for testing.
Implementation required reworking policy evaluation based on resource specificity, with tests for equivalence between compilation and interpretation paths.
Policy Generation with LLMs
The extra rbacx[ai] package adds AIPolicy to automate policy creation from OpenAPI schemas. The pipeline: LLM generation → JSON Schema validation → retries → linter → compilation.
from rbacx.ai import AIPolicy
ai = AIPolicy(api_key="sk-...", model="gpt-4o")
result = await ai.from_schema(openapi_schema)
guard = Guard(result.policy)
Methods like refine_policy for natural language refinement and explain_decision maintain the engine's determinism. Support includes OpenAI, Ollama, Azure, and compatible providers with retry limits.
The shorthand roles: ["admin", "editor"] simplifies RBAC without losing flexibility. Combination with condition via AND, with the linter warning about overlaps.
Additional Performance Improvements
- Caching with a Redis adapter (
rbacx[cache-redis]) for multi-host deployments. - Async adapter for Django ASGI 4.1+.
- Strict types mode:
Guard(policy, strict_types=True)disables implicit type conversions. - Decision tracing with
explain=Truefor debugging rule matching.
These changes ensure scalability in production: from PyQt UI to microservices.
Key Takeaways
- Security First: Patched deny bypass, DoS recursion, and SSRF; fail-closed behavior.
- ReBAC Integrations: OpenFGA/SpiceDB with batch gRPC, local graph for development.
- AI Automation: Policies from OpenAPI without manual DSL, with validation and retries.
- Batch Permissions: Parallel evaluation for UI and object lists.
- Performance: Redis cache, async Django, strict typing.
— Editorial Team
No comments yet.