Reg-Kris/pyairtable-permission-service-go

PyAirtable Permission Service

A high-performance, fine-grained access control service built in Go. This service manages permissions across all resources in the PyAirtable ecosystem with support for both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).

Features

Core Capabilities

  • High-Performance Permission Checks: Optimized for minimal latency with Redis caching
  • Fine-Grained Access Control: Resource-level permissions (tenant → workspace → table → record)
  • Role-Based Access Control (RBAC): Flexible role management with hierarchical permissions
  • Attribute-Based Access Control (ABAC): Policy-based permissions with dynamic context evaluation
  • Permission Inheritance: Hierarchical permission model with automatic inheritance
  • Bulk Operations: Batch permission checks for improved performance
  • Comprehensive Auditing: Full audit trail for compliance and security monitoring

Performance Features

  • Redis Caching: Intelligent caching with automatic invalidation
  • Batch Processing: Bulk permission operations to reduce database load
  • Connection Pooling: Optimized database connections
  • Benchmarked Performance: Sub-10ms average response times

Security Features

  • JWT Authentication: Secure API access
  • Rate Limiting: Protection against abuse
  • Audit Logging: Complete permission change tracking
  • Cache Invalidation: Immediate consistency on permission changes

API Endpoints

Permission Checks

  • POST /api/v1/permissions/check - Check single permission
  • POST /api/v1/permissions/bulk-check - Check multiple permissions

Permission Management

  • POST /api/v1/permissions/grant - Grant permission to user
  • POST /api/v1/permissions/revoke - Revoke permission from user

User Permissions

  • GET /api/v1/permissions/user/:userId - Get all user permissions
  • GET /api/v1/permissions/user/:userId/roles - Get user roles

Resource Permissions

  • GET /api/v1/permissions/resource/:resourceId - Get resource permissions

Role Management

  • GET /api/v1/permissions/roles - List all roles
  • POST /api/v1/permissions/roles - Create new role
  • POST /api/v1/permissions/roles/:roleId/assign - Assign role to user

Health & Monitoring

  • GET /ping - Basic health check
  • GET /health - Detailed health status with cache statistics

Quick Start

Prerequisites

  • Go 1.21+
  • PostgreSQL 13+
  • Redis 6+

Installation

  1. Clone the repository:
     git clone https://github.com/pyairtable/permission-service.git
     cd permission-service
  2. Install dependencies:
     go mod download
  3. Set up environment variables:
     export DB_HOST=localhost
     export DB_PORT=5432
     export DB_USER=postgres
     export DB_PASSWORD=your_password
     export DB_NAME=permission_service
     export REDIS_HOST=localhost
     export REDIS_PORT=6379
     export JWT_SECRET=your_jwt_secret
  4. Start the service:
     go run cmd/permission-service/main.go

The service will start on port 8080 by default.

Usage Examples

Check Permission

curl -X POST http://localhost:8080/api/v1/permissions/check \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -d '{
    "user_id": "user_123",
    "resource_type": "table",
    "resource_id": "table_456",
    "action": "read"
  }'

Response:

{
  "allowed": true,
  "reason": "Direct permission",
  "cache_hit": false,
  "checked_at": "2024-01-15T10:30:00Z"
}
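
A service that enforces this decision should treat anything other than a well-formed "allowed": true as a deny. The Go client below is an added example, not code from this repository; Decide and Check are hypothetical helper names, and it assumes only the endpoint, headers and the allowed/reason fields shown above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Decide grants only on a well-formed 200 carrying "allowed": true.
func Decide(status int, body io.Reader) (bool, string) {
	var r struct {
		Allowed *bool  `json:"allowed"` // pointer: a missing field stays nil
		Reason  string `json:"reason"`
	}
	switch {
	case status != http.StatusOK:
		return false, fmt.Sprintf("deny: status %d", status)
	case json.NewDecoder(body).Decode(&r) != nil:
		return false, "deny: malformed response"
	case r.Allowed == nil:
		return false, "deny: no allowed field"
	case !*r.Allowed:
		return false, "deny: " + r.Reason
	}
	return true, r.Reason
}

// Check posts one check request; transport errors deny too. Give c a Timeout.
func Check(c *http.Client, base, token string, q map[string]string) (bool, string) {
	payload, _ := json.Marshal(q) // a map[string]string always marshals
	req, err := http.NewRequest(http.MethodPost, base+"/api/v1/permissions/check", bytes.NewReader(payload))
	if err != nil {
		return false, "deny: " + err.Error()
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return false, "deny: " + err.Error()
	}
	defer resp.Body.Close()
	return Decide(resp.StatusCode, io.LimitReader(resp.Body, 1<<16))
}

func main() {
	fmt.Println(Decide(200, bytes.NewBufferString(`{"reason": "Direct permission"}`))) // constructed body
}
```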

Performance

Benchmarks

  • Average permission check latency: ~2ms
  • Bulk permission check (10 items): ~5ms
  • Cache hit ratio: >90% in typical workloads
  • Database connection pool: 25 connections

Development

Running Tests

# Unit tests
go test ./test/unit/...

# Integration tests
go test ./test/integration/...

# Benchmarks
go test -bench=. ./test/unit/...

# Coverage
go test -cover ./...

License

MIT License - see LICENSE file for details.
