I am pleased to announce https://github.com/CloudAfrica/eacl (Enterprise Access ControL), an embedded https://en.wikipedia.org/wiki/Relationship-based_access_control authorization library based on SpiceDB, built in Clojure and backed by Datomic:
• The latest direct, index-based traversal implementation now supports all the permission schemas we need, including both direct and arrow permissions and relations (not implemented in v5).
• The resources returned by lookup-resources are now sorted and stable across cursor-based pagination, thanks to heavy use of lazy-merge-dedupe-sort when traversing parallel paths through the permission graph against a sorted Relationships index.
Two breaking changes:
1. Use the latest schema: @(d/transact conn eacl.datomic.schema/v6-schema)
2. The Permission schema now takes [resource_type permission spec], where spec is one of:
a. Self relation, e.g. (Permission :product :edit {:relation :account}), equivalent to SpiceDB's permission edit = account.
b. Self permission, e.g. (Permission :product :edit {:permission :admin}), equivalent to SpiceDB's permission edit = admin, where admin is another permission on this resource.
c. Arrow relation, e.g. (Permission :product :edit {:arrow :account :relation :owner}), equivalent to SpiceDB's permission edit = account->owner, where owner is a relation on the related account.
d. Arrow permission, e.g. (Permission :product :edit {:arrow :account :permission :admin}), equivalent to SpiceDB's permission edit = account->admin, where admin is a permission on the related account.
Internally, all permissions are now arrow permissions; omitting :arrow simply defaults it to :self (a reserved word). The spec map looks verbose, but it is needed to disambiguate relations from permissions, which can share names. Tighter schema control in future will enable a more succinct syntax like (Permission :server :edit :account->admin), which approaches the SpiceDB syntax. Benchmarks are still to do.
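The following is an added illustration, not code from EACL or its author: a small Python model of how the four spec shapes above resolve against a sorted relationship index, and of the sorted, deduplicated merge across parallel paths that makes cursor pagination stable (the second bullet). The schema, relationship tuples and subject/resource names are constructed for the example; unioning several specs for one permission, the cycle guard, and the "cursor = last id returned" convention are assumptions of this model, not documented EACL behaviour.

```python
import heapq
from itertools import groupby

# Constructed sample index, not data from the EACL repo. Tuples are
# (resource_type, resource_id, relation, subject_type, subject_id); the index is kept
# sorted so that every single-path scan below yields resource ids in ascending order.
RELATIONSHIPS = sorted({
    ("account", "acme",   "owner",   "user",    "alice"),
    ("account", "acme",   "member",  "user",    "bob"),
    ("account", "globex", "owner",   "user",    "bob"),
    ("product", "p1",     "account", "account", "acme"),
    ("product", "p2",     "account", "account", "acme"),
    ("product", "p3",     "account", "account", "globex"),
    ("product", "p4",     "account", "account", "acme"),
    ("product", "p2",     "editor",  "user",    "bob"),
    ("product", "p3",     "editor",  "user",    "alice"),
})

# (resource_type, permission) -> spec maps in the v6 shape. Several specs for one
# permission are unioned here (a modelling assumption, like SpiceDB's `+`).
SCHEMA = {
    ("account", "admin"): [{"relation": "owner"}],                        # admin = owner
    ("account", "view"):  [{"permission": "admin"}, {"relation": "member"}],
    ("product", "edit"):  [{"relation": "editor"},                        # a. self relation
                           {"arrow": "account", "permission": "admin"}],  # d. arrow permission
    ("product", "view"):  [{"permission": "edit"},                        # b. self permission
                           {"arrow": "account", "relation": "member"}],   # c. arrow relation
}


def ids_with_relation(rtype, relation, subject):
    """Ids of `rtype` resources holding `relation` to `subject`, ascending (one index scan)."""
    return [rid for (t, rid, rel, st, sid) in RELATIONSHIPS
            if t == rtype and rel == relation and (st, sid) == subject]


def related_subjects(rtype, relation):
    """Distinct (subject_type, subject_id) targets that appear on `relation` of `rtype`."""
    return sorted({(st, sid) for (t, _, rel, st, sid) in RELATIONSHIPS
                   if t == rtype and rel == relation})


def path_streams(rtype, permission, subject, seen=frozenset()):
    """One sorted stream of resource ids per path through the permission graph."""
    key = (rtype, permission)
    if key in seen:                 # guard against cyclic permission definitions
        return []
    seen = seen | {key}
    streams = []
    for spec in SCHEMA.get(key, []):
        arrow = spec.get("arrow", "self")   # omitted :arrow means :self, as in v6
        if arrow == "self":
            if "relation" in spec:
                streams.append(iter(ids_with_relation(rtype, spec["relation"], subject)))
            else:
                streams.append(lookup_all(rtype, spec["permission"], subject, seen))
            continue
        # Arrow: every related resource the subject reaches through the inner spec
        # contributes its own sorted stream of `rtype` ids (a parallel path).
        for target in related_subjects(rtype, arrow):
            ttype, tid = target
            if "relation" in spec:
                ok = tid in ids_with_relation(ttype, spec["relation"], subject)
            else:
                ok = check(ttype, tid, spec["permission"], subject, seen)
            if ok:
                streams.append(iter(ids_with_relation(rtype, arrow, target)))
    return streams


def lookup_all(rtype, permission, subject, seen=frozenset()):
    """Lazy merge of all path streams, deduplicated: a globally sorted id sequence."""
    merged = heapq.merge(*path_streams(rtype, permission, subject, seen))
    return (rid for rid, _ in groupby(merged))   # adjacent duplicates collapse


def check(rtype, rid, permission, subject, seen=frozenset()):
    """Does `subject` hold `permission` on the given resource?"""
    return rid in lookup_all(rtype, permission, subject, seen)


def lookup_resources(rtype, permission, subject, cursor=None, limit=2):
    """Cursor pagination over the merged stream: the cursor is the last id returned,
    and because the stream is globally sorted, pages neither skip nor repeat ids."""
    page = []
    for rid in lookup_all(rtype, permission, subject):
        if cursor is not None and rid <= cursor:
            continue
        page.append(rid)
        if len(page) == limit:
            break
    return page, (page[-1] if page else None)


if __name__ == "__main__":
    print(list(lookup_all("product", "view", ("user", "bob"))))
    print(lookup_resources("product", "view", ("user", "bob"), cursor="p2"))
```

For bob, product view reaches p2 twice (once via the self permission edit, once via the account->member arrow); the merge emits it once, and the cursor p2 lands the next page exactly at p3. Real engines index the tuple in several orders rather than scanning one list, but the merge-and-dedupe step is the same.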
Example project: https://github.com/theronic/eacl-example.
(EACL currently has a Show HN.)