herocode/rhailib
12
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7619e3b944
rhailib/examples/access_control/README.md
Timur Gordon 7619e3b944 move dsl's to rhailib
2025-06-25 03:22:03 +02:00

42 lines
2.4 KiB
Markdown
Raw Blame History

# Access Control Demonstration
This example demonstrates a practical access control scenario using `rhailib`. It showcases how a user, Alice, can manage her own data within her Rhai worker, grant specific access rights to another user, Bob, and deny access to an unauthorized user, Charlie.
## Overview
The example involves three key participants:
1. **Alice (`alice_pk`)**: The owner of the Rhai worker. She runs `alice.rhai` to populate her database with various objects and collections. Some of these are private, while others are explicitly shared with Bob.
2. **Bob (`bob_pk`)**: A user who has been granted some access rights by Alice. In this example, he attempts to run `bob.rhai`, which tries to write data to Alice's worker.
3. **Charlie (`charlie_pk`)**: An unauthorized user. He attempts to run `charlie.rhai`, which is identical to Bob's script.
The core of the access control mechanism lies within the `rhailib_worker`. When a script is submitted for execution, the worker automatically enforces that the `CALLER_PUBLIC_KEY` matches the worker's own `CIRCLE_PUBLIC_KEY` for any write operations. This ensures that only the owner (Alice) can modify her data.
## Scenario and Expected Outcomes
1. **Alice Populates Her Database**: Alice's script (`alice.rhai`) runs first. It successfully creates:
- A private object.
- An object shared with Bob.
- A private collection containing a private book and slides that are individually shared with Bob.
- A shared collection.
This demonstrates that the owner of the worker can freely write to her own database.
2. **Bob's Query**: Bob's script (`bob.rhai`) is executed next. The script attempts to create new objects in Alice's database. This operation fails with an `Insufficient authorization` error. The logs will show that `bob_pk` does not match the circle's public key, `alice_pk`.
3. **Charlie's Query**: Charlie's script (`charlie.rhai`) also fails with the same authorization error, as he is not the owner of the worker.
This example clearly illustrates the built-in ownership and write protection provided by the Rhai worker.
## Running the Example
Ensure Redis is running and accessible at `redis://127.0.0.1/`.
From the `rhailib` root directory, run:
```bash
cargo run --example access_control
```
Observe the logs to see Alice's script complete successfully, followed by the authorization errors for Bob and Charlie, confirming that the access control is working as expected.
Reference in New Issue View Git Blame Copy Permalink