I went through the codebase of Ubicloud. It's an open source AWS alternative built usingh Roda.
One thing I liked is their simple but powerful implementation of relationship-based access control (ReRBAC).
It stores tuples of subject, action and object. If the tuple, exists then the action is allowed. A light version of Google's Zanzibar project.