RBAC-powered CRUD service for MongoDB — Schema to API in minutes
A high-performance Backend-as-a-Service that gives you:
- REST API — Full CRUD operations with batch support
- Fine-grained RBAC — Role-based access with hierarchical permissions
- Schema validation — Types, constraints, computed fields
- Document versioning — Track changes, diff, and restore
- Hooks — Pre/post triggers with HTTP webhook support
- Prometheus metrics — Full observability with Grafana dashboards
- 50K+ QPS — Optimized for high throughput
- Go 1.21+
- MongoDB 6.0+
- Redis 7.0+ (optional, for caching)
```bash
# Clone the repository
git clone https://github.com/yourusername/permission-mongo.git
cd permission-mongo

# Install dependencies
go mod download

# Build
go build -o bin/permission-mongo ./cmd/server

# Run tests
go test -race ./...
```

Create config.yaml:
```yaml
version: "1.0"
server:
  host: "0.0.0.0"
  port: 8080
  read_timeout: 30s
  write_timeout: 30s
mongodb:
  uri: "mongodb://localhost:27017"
  database: "permission_mongo"
  max_pool_size: 100
redis:
  url: "localhost:6379"
  pool_size: 500
```

```bash
./bin/permission-mongo --config config.yaml
```

| Method | Endpoint | Description |
|---|---|---|
| GET | `/health` | Health check |
| GET | `/ready` | Readiness check |
| GET | `/metrics` | Prometheus metrics |

| Method | Endpoint | Description |
|---|---|---|
| POST | `/{collection}` | Create document |
| GET | `/{collection}` | List documents |
| GET | `/{collection}/{id}` | Get document |
| PUT | `/{collection}/{id}` | Update document |
| DELETE | `/{collection}/{id}` | Delete document |

| Method | Endpoint | Description |
|---|---|---|
| POST | `/{collection}/batch` | Batch create |
| PUT | `/{collection}/batch` | Batch update |
| DELETE | `/{collection}/batch` | Batch delete |

| Method | Endpoint | Description |
|---|---|---|
| POST | `/{collection}/count` | Count documents |
| POST | `/{collection}/aggregate` | Aggregation pipeline |

| Method | Endpoint | Description |
|---|---|---|
| GET | `/{collection}/{id}/versions` | List versions |
| GET | `/{collection}/{id}/versions/{v}` | Get specific version |
| GET | `/{collection}/{id}/diff/{v1}/{v2}` | Diff between versions |
| POST | `/{collection}/{id}/restore/{v}` | Restore to version |

Define role-based policies:

```yaml
policies:
  orders:
    admin:
      actions: [create, read, update, delete]
      when: doc.company_id == user.tenant_id
    manager:
      actions: [create, read, update]
      when: |
        doc.company_id == user.tenant_id &&
        (doc.created_by == user.id || doc.created_by in user.$subordinates)
    employee:
      actions: [create, read]
      when: doc.company_id == user.tenant_id && doc.created_by == user.id
      fields:
        deny: [internal_notes]
        mask:
          email: email
```

- Comparisons: `==`, `!=`, `>`, `>=`, `<`, `<=`
- Logical: `&&`, `||`, `!`
- Membership: `in`, `not in`
- References: `doc.field`, `user.id`, `user.roles`, `user.$subordinates`
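
The decisions the `orders` policy above should produce, written out by hand as an added example (this is not the project's RBAC engine or its API). The `User` and `Doc` types, the `Allowed` and `Redact` names, the masked e-mail format, and reading `fields` as the employee's view are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"maps"
	"slices"
	"strings"
)

type User struct {
	ID, TenantID, Role string
	Subordinates       []string // stands in for user.$subordinates
}

type Doc map[string]string

// Allowed hand-translates the three `when` expressions; anything unmatched is denied.
func Allowed(u User, action string, d Doc) bool {
	if d["company_id"] != u.TenantID { // tenant check shared by every role
		return false
	}
	own := d["created_by"] == u.ID
	switch u.Role {
	case "admin":
		return slices.Contains([]string{"create", "read", "update", "delete"}, action)
	case "manager":
		return slices.Contains([]string{"create", "read", "update"}, action) &&
			(own || slices.Contains(u.Subordinates, d["created_by"]))
	case "employee":
		return slices.Contains([]string{"create", "read"}, action) && own
	}
	return false
}

// Redact applies fields.deny and fields.mask to a copy of the document.
func Redact(d Doc) Doc {
	out := maps.Clone(d)
	delete(out, "internal_notes")
	if e := out["email"]; strings.Index(e, "@") > 0 {
		out["email"] = e[:1] + "***" + e[strings.Index(e, "@"):] // assumed mask format
	}
	return out
}

func main() {
	mgr := User{ID: "u1", TenantID: "t1", Role: "manager", Subordinates: []string{"u2"}}
	d := Doc{"company_id": "t1", "created_by": "u2", "email": "bob@example.com", "internal_notes": "x"}
	fmt.Println(Allowed(mgr, "update", d), Allowed(mgr, "delete", d), Redact(d))
}
```

Cases like these (cross-tenant admin, manager outside the hierarchy, unknown role) make a useful regression table when editing `when` expressions, since a dropped tenant clause turns a role into a cross-tenant reader.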
Start the full monitoring stack:
```bash
docker-compose -f docker-compose.monitoring.yaml up -d
```

Access:
- Prometheus: http://localhost:9090
- Grafana: http://localhost:3000 (admin/admin)

| Metric | Type | Description |
|---|---|---|
| `permission_mongo_http_requests_total` | Counter | HTTP requests by method, path, status |
| `permission_mongo_http_request_duration_seconds` | Histogram | Request latency |
| `permission_mongo_mongo_operations_total` | Counter | MongoDB operations by collection |
| `permission_mongo_mongo_operation_duration_seconds` | Histogram | MongoDB latency |
| `permission_mongo_cache_hits_total` | Counter | Cache hits by type |
| `permission_mongo_cache_misses_total` | Counter | Cache misses by type |
| `permission_mongo_rbac_evaluations_total` | Counter | RBAC evaluations (allowed/denied) |
| `permission_mongo_audit_logs_total` | Counter | Audit log entries |

Pre-built Grafana dashboard included with panels for HTTP, MongoDB, Cache, RBAC, and Audit metrics.
See monitoring/README.md for full documentation.

```
permission-mongo/
├── cmd/
│   ├── server/          # Main server binary
│   └── pmctl/           # CLI management tool
├── pkg/
│   ├── api/             # HTTP handlers, router, middleware
│   ├── audit/           # Async audit logging with batching
│   ├── auth/            # JWT authentication
│   ├── cache/           # Redis caching layer
│   ├── config/          # Configuration loading
│   ├── hierarchy/       # User hierarchy resolution
│   ├── hooks/           # Pre/post operation hooks
│   ├── logging/         # Structured logging (slog)
│   ├── metrics/         # Prometheus metrics
│   ├── rbac/            # RBAC engine and expression compiler
│   ├── schema/          # Schema validation
│   ├── store/           # MongoDB data layer
│   └── version/         # Document versioning
├── monitoring/          # Prometheus, Grafana configs, dashboards
├── docker-compose.monitoring.yaml
└── README.md
```

- Lock-free router using atomic operations
- Connection pooling for MongoDB (100 conns) and Redis (500 conns)
- Async audit logging with batched MongoDB inserts
- AST caching for RBAC expression parsing
- Fasthttp tuned for 256K concurrent connections

```bash
# Run all tests with race detector
go test -race ./...

# Run with coverage
go test -coverprofile=coverage.out ./...
go tool cover -html=coverage.out

# Build for production
CGO_ENABLED=0 go build -ldflags="-s -w" -o bin/permission-mongo ./cmd/server
```

```
┌─────────────────┐     ┌─────────────────────────────────┐
│   Your App /    │────▶│    Permission Mongo Service     │
│  Mobile / Web   │     │                                 │
└─────────────────┘     │  ┌───────────┐ ┌─────────────┐  │
                        │  │  Schema   │ │   Policy    │  │
                        │  └───────────┘ └─────────────┘  │
                        │                                 │
                        │  CRUD + RBAC + Hooks + Metrics  │
                        └────────────────┬────────────────┘
                                         │
                         ┌───────────────┴───────────────┐
                         ▼                               ▼
                    ┌─────────┐                     ┌─────────┐
                    │  Redis  │                     │ MongoDB │
                    │ (cache) │                     │ (data)  │
                    └─────────┘                     └─────────┘
                                         │
                                         ▼
                                    ┌──────────┐     ┌─────────┐
                                    │Prometheus│────▶│ Grafana │
                                    └──────────┘     └─────────┘
```

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Run tests (`go test -race ./...`)
- Commit changes (`git commit -m 'Add amazing feature'`)
- Push to branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

MIT License - see LICENSE for details.