Back to Home

RBACX updates: ReBAC and AI policies

RBACX library updated: added ReBAC with SpiceDB/OpenFGA integrations, AI policy generation from OpenAPI, batch permission evaluation. Fixed DoS and SSRF vulnerabilities, added Redis cache and async Django.

Evolution of RBACX: from RBAC to ReBAC with AI
Advertisement 728x90

RBACX After Six Months: ReBAC, AI Policies, and Batch Authorization

Over the past six months, the RBACX library has evolved from a basic RBAC/ABAC engine into a comprehensive system featuring ReBAC and AI-generated policies. Critical vulnerabilities have been addressed: bypassing deny-overrides in the compiler, DoS via condition recursion, and SSRF in the HTTP source. The system now enforces MAX_CONDITION_DEPTH=50, verify_ssl, and blocks private IPs.

Batch permission checking is implemented via the evaluate_batch_async and evaluate_batch_sync methods in the Guard class. This solves the problem of multiple requests in UI applications, where parallel evaluation using asyncio.gather reduces latency.

decisions = await guard.evaluate_batch_async([
    (subject, Action("read"),   doc, ctx),
    (subject, Action("write"),  doc, ctx),
    (subject, Action("delete"), doc, ctx),
])

ReBAC: Relationship Graphs Instead of Attributes

Relationship-based authorization (ReBAC) introduces a "who granted what to whom" model, similar to Google Drive or GitHub. Permissions are defined by an entity graph: a document owner delegates access. Integrations with OpenFGA and SpiceDB support synchronous/asynchronous calls, including batch gRPC for object lists. A local graph is suitable for testing.

Google AdInline article slot

Implementation required reworking policy evaluation based on resource specificity, with tests for equivalence between compilation and interpretation paths.

Policy Generation with LLMs

The extra rbacx[ai] package adds AIPolicy to automate policy creation from OpenAPI schemas. The pipeline: LLM generation → JSON Schema validation → retries → linter → compilation.

from rbacx.ai import AIPolicy

ai = AIPolicy(api_key="sk-...", model="gpt-4o")
result = await ai.from_schema(openapi_schema)
guard = Guard(result.policy)

Methods like refine_policy for natural language refinement and explain_decision maintain the engine's determinism. Support includes OpenAI, Ollama, Azure, and compatible providers with retry limits.

Google AdInline article slot

The shorthand roles: ["admin", "editor"] simplifies RBAC without losing flexibility. Combination with condition via AND, with the linter warning about overlaps.

Additional Performance Improvements

  • Caching with a Redis adapter (rbacx[cache-redis]) for multi-host deployments.
  • Async adapter for Django ASGI 4.1+.
  • Strict types mode: Guard(policy, strict_types=True) disables implicit type conversions.
  • Decision tracing with explain=True for debugging rule matching.

These changes ensure scalability in production: from PyQt UI to microservices.

Key Takeaways

  • Security First: Patched deny bypass, DoS recursion, and SSRF; fail-closed behavior.
  • ReBAC Integrations: OpenFGA/SpiceDB with batch gRPC, local graph for development.
  • AI Automation: Policies from OpenAPI without manual DSL, with validation and retries.
  • Batch Permissions: Parallel evaluation for UI and object lists.
  • Performance: Redis cache, async Django, strict typing.

— Editorial Team

Google AdInline article slot
Advertisement 728x90

Read Next