mmtech/iam-rbac
===============

Portable RBAC module for Laravel microservices using Kafka snapshots with IAM fallback.

v1.11 (2w ago) · proprietary · PHP ^8.3

Since Apr 28 · Pushed 2w ago

[Source](https://github.com/MMTech-Solutions/MMT-IAM-RBAC) · [Packagist](https://packagist.org/packages/mmtech/iam-rbac)

MMT IAM RBAC package
====================


Portable RBAC package for Laravel microservices.

What it provides
----------------


- Permission checks by gateway `sub` with `request()->user()->can('permission.slug')`
- Effective roles from the same snapshot with `request()->user()->rbacRoles()` / `rbacRole()` (or `request()->rbacRoles()`)
- Kafka snapshot consumer (`iam.rbac.snapshots.v1`) always enabled in the command worker
- Reusable Kafka publisher service to emit events to any topic
- Multi-topic consumer with per-topic handlers (class-map)
- Local materialized store in database (`rbac_user_permission_snapshots`) with permissions and per-surface roles (`id` + `name`)
- IAM fallback endpoint support when local snapshot is missing

Installation in a Laravel microservice
--------------------------------------


### 1) Require package (private repository)


In the microservice, install:

```
composer require mmtech/iam-rbac:^1.0
```

### 2) Publish package files


```
php artisan vendor:publish --tag=rbac-config
php artisan vendor:publish --tag=rbac-migrations
php artisan migrate --no-interaction
```

### 3) Middleware aliases


The package registers these aliases automatically when `RbacServiceProvider` boots:

| Alias | Purpose |
| --- | --- |
| `rbac.trusted.internal` | Validate `X-Internal-Token` + `X-Internal-Source` when present |
| `rbac.internal.token` | Require valid internal credentials (internal-only routes) |
| `rbac.auth.user` | Validate gateway headers (skipped when trusted internal) |
| `rbac.auth.user.info` | Fetch full IAM user profile and merge into `gateway_auth_user_info` |
| `rbac.bind.gateway.user` | Bind `GatewayUser` (skipped when trusted internal) |
| `rbac.authorize.or.internal` | `Gate` check or bypass for trusted internal (`:ability`) |

You may still declare custom names in `bootstrap/app.php` if needed (e.g. map `auth.user` to `ResolveGatewayUserInfo`).

### 4) Configure env


```
# Token and secret values below are placeholders; set real values per environment.

# Kafka connection and snapshot consumer
RBAC_KAFKA_ENABLED=true
KAFKA_BROKERS=kafka.mmtech-solutions.com:9092
KAFKA_SECURITY_PROTOCOL=PLAINTEXT
RBAC_KAFKA_GROUP_ID=rbac-materializer
RBAC_KAFKA_ON_UNHANDLED_TOPIC=skip

# IAM fallback
RBAC_IAM_FALLBACK_ENABLED=true
RBAC_IAM_BASE_URL=http://iam-service
RBAC_IAM_INTERNAL_TOKEN=secret
RBAC_IAM_TIMEOUT_MS=1500

# Failure mode and gateway secret
RBAC_FAIL_MODE=deny
RBAC_STRICT_DENY=true
RBAC_GATEWAY_INTERNAL_SECRET=apisix

# Internal (service-to-service) credentials
RBAC_INTERNAL_TOKEN=shared-secret-between-ms
RBAC_INTERNAL_CALLER_SOURCE=mmt-orders-service
# RBAC_INTERNAL_LOG_TRUSTED=true

# IAM user enrichment (RBAC_IAM_BASE_URL is already set above)
RBAC_IAM_USER_ENRICH_ENABLED=true
# RBAC_IAM_USER_FAIL_OPEN=true
# RBAC_IAM_USER_LOG_FAILURES=false
```

The package publishes `config/rbac.php` and also publishes `config/kafka.php` from `mateusjunges/laravel-kafka` under the same `rbac-config` tag. This keeps the Kafka connection config and the RBAC module config clearly separated.
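The env file in step 4 uses example values (`PLAINTEXT`, `http://`, `secret`, `apisix`) that should not reach a deployed service unchanged. The following pre-deploy check is an added example, not part of the package: the helper names, the 32-character minimum, and the reading of each key's meaning from its name are assumptions.

```python
# Added example, not package code. Only explicitly set values are checked;
# the package's own defaults are not assumed.
SECRET_KEYS = ("RBAC_IAM_INTERNAL_TOKEN", "RBAC_GATEWAY_INTERNAL_SECRET", "RBAC_INTERNAL_TOKEN")
README_PLACEHOLDERS = {"secret", "apisix", "shared-secret-between-ms"}
MIN_SECRET_LEN = 32  # assumption: local policy, not a package requirement

# Constructed sample: the README's example values copied unchanged into a .env.
SAMPLE_ENV = """\
KAFKA_SECURITY_PROTOCOL=PLAINTEXT
RBAC_IAM_BASE_URL=http://iam-service
RBAC_IAM_INTERNAL_TOKEN=secret
RBAC_FAIL_MODE=deny
RBAC_GATEWAY_INTERNAL_SECRET=apisix
RBAC_INTERNAL_TOKEN=shared-secret-between-ms
# RBAC_IAM_USER_FAIL_OPEN=true
"""


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments; a repeated key keeps its last value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit(env):
    """Return (key, finding) pairs for explicitly set values that need review before deploy."""
    findings = []
    # PLAINTEXT and SASL_PLAINTEXT both leave broker traffic without TLS.
    if env.get("KAFKA_SECURITY_PROTOCOL", "").upper().endswith("PLAINTEXT"):
        findings.append(("KAFKA_SECURITY_PROTOCOL", "broker traffic is not TLS-protected"))
    if env.get("RBAC_IAM_BASE_URL", "").lower().startswith("http://"):
        findings.append(("RBAC_IAM_BASE_URL", "IAM calls use cleartext HTTP"))
    for key in SECRET_KEYS:
        value = env.get(key)
        if value is not None and (value in README_PLACEHOLDERS or len(value) < MIN_SECRET_LEN):
            findings.append((key, "README placeholder or short secret"))
    if env.get("RBAC_FAIL_MODE", "deny").lower() != "deny":
        findings.append(("RBAC_FAIL_MODE", "differs from the README's deny"))
    if env.get("RBAC_IAM_USER_FAIL_OPEN", "false").lower() == "true":
        findings.append(("RBAC_IAM_USER_FAIL_OPEN", "enrichment failures would be tolerated"))
    return findings
```

Run `audit(parse_env(open(".env").read()))` in CI and fail the build on a non-empty result.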

### 5) Run consumer


```
php artisan rbac:consume-snapshots
```

By default, the command first performs an **initial sync** (it consumes until the last message available in Kafka for the consumer group) and then stays running to process future events. It always subscribes to `iam.rbac.snapshots.v1` and additionally subscribes to any topics configured in `rbac.consumer.handlers`.

Optional flags:

- `--skip-initial-sync`: starts directly in continuous consume mode.
- `--stop-after-last-message`: runs one catch-up pass and stops.

Multi-topic handlers (custom microservice logic)
------------------------------------------------


In your microservice, implement handlers that process business logic for a topic:

```
