feat(core): add fine-grain authorization support #2999

Open
alkalescent wants to merge 24 commits into DSPX-2185-casbin-stacked-pr from DSPX-2190-enrich-casbin

@alkalescent
Contributor

Proposed Changes

  • adds fine-grain authorization support
  • adds pluggable authorizer

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@github-actions github-actions bot added comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) docs Documentation comp:middleware:auth size/xl labels Jan 10, 2026
@gemini-code-assist
Contributor

Summary of Changes

Hello @alkalescent, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the platform's authorization capabilities by introducing a new fine-grained system. It shifts the focus from broad path-based access to granular control based on specific RPC methods and dynamic resource attributes. This enhancement provides a more robust and flexible security model, allowing services to define and enforce access policies at a much finer level of detail, while ensuring a smooth transition and continued support for existing authorization rules.

Highlights

  • Fine-Grained Authorization (v2): Introduced a new fine-grained authorization system that moves beyond path-based RBAC to incorporate RPC methods and dynamic resource dimensions, enabling more precise access control.
  • Pluggable Authorizer Interface: Implemented a pluggable Authorizer interface, allowing for different authorization engines. The initial implementation uses Casbin, supporting both the legacy v1 (path-based) and the new v2 (RPC + dimensions) models.
  • Authorization Resolver Registry: Added an AuthzResolverRegistry and ResolverFunc mechanism. Services can now register resolver functions for their methods to extract resource-specific authorization dimensions (e.g., namespace, attribute) from incoming requests.
  • Attributes Service Integration: The Attributes service has been updated to implement AuthzResolverFunc for its methods, serving as a pilot for integrating the new fine-grained authorization pattern. This includes caching resolved data to prevent redundant database queries.
  • Backward Compatibility & Extensibility: The new system maintains backward compatibility with existing path-based (v1) policies and is designed for future extensibility to support other authorization engines like AWS Cedar or Open Policy Agent (OPA).
  • Enhanced Auditability: Authorization decisions are now logged with full context, including serialized resource dimensions, to improve governance and auditability.
  • Architectural Documentation: New architectural documentation has been added, detailing the platform's feature development patterns (Inversion of Control, Scoped Registries) and providing a comprehensive reference for the Authorization Resolver Registry.

A fine-grain net, so strong and new, Resources guarded, clear and true. No path alone, but context deep, Where access rules, the secrets keep.
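A sketch of the resolver-registry flow described in the summary above, added here as an example and not taken from the PR: a per-RPC resolver extracts dimensions from the request, and the check denies on any gap (no resolver, resolver error, missing dimension, no matching rule). Only the names `AuthzResolverRegistry` and `ResolverFunc` come from the page; the signatures, the `Rule` type, the `*` wildcard, the RPC name and the choice to deny unregistered methods are assumptions, and a plain rule slice stands in for the Casbin engine.

```go
package main

import "fmt"

// Only the names AuthzResolverRegistry and ResolverFunc come from the PR summary;
// the type shapes, the Rule row and the "*" wildcard are assumptions.
type (
	Dimensions            map[string]string
	ResolverFunc          func(req map[string]string) (Dimensions, error)
	AuthzResolverRegistry map[string]ResolverFunc
	Rule                  struct{ Role, RPC string; Dims Dimensions }
)

// Authorize fails closed: no resolver, a resolver error or no matching rule all deny.
func Authorize(reg AuthzResolverRegistry, rules []Rule, role, rpc string, req map[string]string) (Dimensions, error) {
	resolve, ok := reg[rpc]
	if !ok {
		return nil, fmt.Errorf("denied: no resolver registered for %s", rpc)
	}
	dims, err := resolve(req)
	if err != nil {
		return nil, fmt.Errorf("denied: resolver for %s failed: %v", rpc, err)
	}
next:
	for _, r := range rules {
		if r.Role != role || r.RPC != rpc {
			continue
		}
		for k, want := range r.Dims { // each rule dimension must have been resolved
			if got, ok := dims[k]; !ok || (want != "*" && want != got) {
				continue next
			}
		}
		return dims, nil // dims go into the audit record with the decision
	}
	return dims, fmt.Errorf("denied: role %s on %s with %v", role, rpc, dims)
}

func main() { // constructed sample: the RPC name, resolver and rule are invented
	rpc := "/demo.Attributes/UpdateAttribute"
	reg := AuthzResolverRegistry{rpc: func(req map[string]string) (Dimensions, error) {
		if req["namespace"] == "" {
			return nil, fmt.Errorf("request names no namespace")
		}
		return Dimensions{"namespace": req["namespace"]}, nil
	}}
	rules := []Rule{{"editor", rpc, Dimensions{"namespace": "hr"}}}
	fmt.Println(Authorize(reg, rules, "editor", rpc, map[string]string{"namespace": "finance"}))
}
```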

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This is an excellent pull request that introduces a well-designed and robust fine-grained authorization system. The use of a pluggable authorizer interface, a resolver registry for service-specific logic, and the Inversion of Control pattern are all great architectural choices that will improve the platform's extensibility and maintainability. The code is clean, well-structured, and thoroughly tested. The accompanying documentation and ADRs are very detailed and helpful for understanding the new system. I have one high-severity comment regarding an inconsistency in the ADR document that should be addressed to avoid confusion. Overall, this is a fantastic contribution.

@github-actions
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 202.924674ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 98.896912ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 388.064617ms
Throughput 257.69 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.940821362s
Average Latency 397.603981ms
Throughput 125.19 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.465411771s
Average Latency 283.298407ms
Throughput 175.65 requests/second

@github-actions
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 189.337674ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 103.408309ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 363.311682ms
Throughput 275.25 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.730761489s
Average Latency 395.42121ms
Throughput 125.85 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.551955853s
Average Latency 284.638035ms
Throughput 175.12 requests/second

@alkalescent
Contributor Author

Tests pass; changing base to stacked pr branch.

@alkalescent alkalescent changed the base branch from main to DSPX-2185-casbin-stacked-pr January 10, 2026 02:28
@alkalescent alkalescent marked this pull request as ready for review January 10, 2026 02:29
@alkalescent alkalescent requested review from a team as code owners January 10, 2026 02:29
@jrschumacher
Member

Nice! I like the cache. How do we handle memory pressure with the cache fails?

We also have a cache manager which might be useful here to make sure we have a central management interface for all cache behavior. I'm good with making that an enhancement as another PR since it's not crucial for determining if this is the right direction.

@alkalescent
Contributor Author

alkalescent commented Jan 12, 2026

There's no memory pressure handling since this cache is request-scoped (data is assumed to be small and cache is assumed to be short-lived). I also thought the cache manager would be an elegant approach here after reading adr/decisions/2026-01-02-authz-fine-grain-resource-support.md, but I didn't find time to revert the cache commit and try it out yesterday (Sun). Looking into a hybrid approach now.

@github-actions
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 180.574297ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.925426ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 355.943584ms
Throughput 280.94 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.412633759s
Average Latency 382.406707ms
Throughput 130.17 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.508608614s
Average Latency 274.067415ms
Throughput 181.76 requests/second

@github-actions
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 199.197515ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 105.635047ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 371.118082ms
Throughput 269.46 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.126919105s
Average Latency 389.170461ms
Throughput 127.79 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.575414995s
Average Latency 274.853109ms
Throughput 181.32 requests/second

@alkalescent
Contributor Author

I chose a hybrid approach, using the platform cache manager for inter-request caching and keeping the resolver context for intra-request caching. The benefit of the resolver context is that the handlers don't need knowledge of the cache keys.
