GitLab GLAZ Gem
[!WARNING] This gem is currently designed entirely for internal use at GitLab.
Ruby bindings for the Glaz authorization engine. A thin Magnus FFI extension exposes the Rust glaz-module engine to Ruby, so Cedar policy checks run in-process.
Installation
Requires Ruby >= 3.1 and a Rust toolchain. Add to your Gemfile:
gem 'gitlab-glaz', path: 'gems/gitlab-glaz'
Usage
require 'gitlab-glaz'
engine = Gitlab::Glaz::Engine.new(schema: cedar_schema, policies: cedar_policies)
engine.check_action(
subject_uuid: user_uuid,
object_uuid: project_uuid,
action: 'read_docs',
context: {}
)
# => { allowed: true, reason: 'permit_granted' }
# Swap the policy set at runtime; the previous set stays active if the
# new source fails to parse or validate against the schema:
engine.load_policies(new_cedar_policies)
The schema is loaded once at construction and cannot change; build a new engine to use a new schema.
Schemas must declare User and Resource entities (checks build User::"<subject_uuid>" and Resource::"<object_uuid>" UIDs), and every action's context type must include user_permissions: Set<Action>, which the engine injects with the checked action.
Development
bundle exec rake compile # build the native extension (required before rspec)
bundle exec rspec
The extension crate lives in ext/glaz/; shared Rust dependencies are declared in the root Cargo.toml.
Releasing a new version
Create a merge request using the Release template and follow its instructions. Once merged, precompiled native gems are published to RubyGems automatically.
License
Released under the MIT License.