I went through the codebase of Ubicloud. It's an open source AWS alternative built using Roda.
One thing I liked is their simple but powerful implementation of relationship-based access control (ReRBAC).
It stores tuples of subject, action, and object. If the tuple exists, then the action is allowed. A light version of Google's Zanzibar project.