https://github.com/inferadb/engine
The Authorization Database. High-performance, fine-grained access control at scale.
access-control authorization caching fine-grained-access-control graph-database grpc inferadb permissions policy-engine rebac rest-api rust wasm zanzibar
Last synced: 19 days ago
- Host: GitHub
- URL: https://github.com/inferadb/engine
- Owner: inferadb
- License: apache-2.0
- Created: 2025-10-28T03:15:29.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-03-03T03:05:16.000Z (29 days ago)
- Last Synced: 2026-03-03T07:14:01.625Z (29 days ago)
- Topics: access-control, authorization, caching, fine-grained-access-control, graph-database, grpc, inferadb, permissions, policy-engine, rebac, rest-api, rust, wasm, zanzibar
- Language: Rust
- Homepage: https://inferadb.com
- Size: 2.95 MB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE-APACHE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
- Agents: AGENTS.md
README
# InferaDB Authorization Engine
ReBAC engine with declarative policies, graph evaluation, and sub-millisecond latency
> [!IMPORTANT]
> Under active development. Not production-ready.
Inspired by [Google Zanzibar](https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/). [AuthZEN](https://openid.net/wg/authzen/) compliant.
## Quick Start
```bash
git clone https://github.com/inferadb/engine && cd engine
mise trust && mise install
cargo run --bin inferadb-engine
```
Check a permission:
```bash
curl -X POST http://localhost:8080/v1/evaluate \
-H "Content-Type: application/json" \
-d '{"evaluations": [{"subject": "user:alice", "resource": "doc:readme", "permission": "viewer"}]}'
```
## Features
| Feature | Description |
|---------|-------------|
| **Complete API** | Check, Expand, ListResources, ListSubjects, Watch |
| **Multi-Tenant** | Data isolation via Organizations and Vaults |
| **Wildcards** | Model public resources with `user:*` |
| **Observable** | Prometheus, OpenTelemetry, structured logs |
| **Storage** | Memory (dev) or Ledger (prod) |
| **Extensible** | WASM modules for custom logic |
## Architecture
```mermaid
graph TD
Bin[inferadb-engine] --> API[inferadb-engine-api]
API --> Core[inferadb-engine-core]
API --> Auth[inferadb-engine-auth]
Core --> Repo[inferadb-engine-repository]
Core --> Cache[inferadb-engine-cache]
Repo --> Store[inferadb-engine-store]
Store --> Memory[(Memory)]
Store --> Ledger[(InferaDB Ledger)]
```
| Crate | Purpose |
|-------|---------|
| inferadb-engine | Binary entrypoint |
| inferadb-engine-api | REST and gRPC endpoints |
| inferadb-engine-core | Permission evaluation, IPL parser |
| inferadb-engine-auth | JWT validation, JWKS, OAuth |
| inferadb-engine-repository | Domain repositories |
| inferadb-engine-store | Storage trait definitions |
| inferadb-engine-cache | Result caching |
| inferadb-engine-config | Configuration and secrets |
| inferadb-engine-types | Shared type definitions |
| inferadb-engine-const | Shared constants |
| inferadb-engine-observe | Metrics, tracing, logging |
| inferadb-engine-wasm | WebAssembly sandbox |
## Configuration
Configure via `config.yaml` or environment variables (`INFERADB__ENGINE__` prefix):
```yaml
engine:
  listen:
    http: "127.0.0.1:8080"
    grpc: "127.0.0.1:8081"
  storage: "ledger" # or "memory" for dev
  ledger:
    endpoint: "http://ledger.inferadb:50051"
    client_id: "engine-prod-001"
    namespace_id: 1
  cache:
    enabled: true
    capacity: 100000
    ttl: 300
```
## Development
```bash
just test # Standard tests
just lint # Clippy
just fmt # Format
```
See `just --list` for all commands and [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
## License
Dual-licensed under [MIT](LICENSE-MIT) or [Apache 2.0](LICENSE-APACHE).
