
OpenFGA

Relationship-based access control (ReBAC) made fast, scalable, and easy to use. Pure role-based (RBAC) or attribute-based (ABAC) policy is a weaker fit for OpenFGA than for a policy engine such as OPA, although roles and, via conditions, attributes can still be expressed as relationships.

OpenFGA is a scalable open source authorization system for developers. It can implement authorization for any kind of application and lets the authorization model evolve smoothly as complexity grows over time. The project is hosted by the Cloud Native Computing Foundation (CNCF).

OpenFGA provides developers the following benefits:

  • Move authorization logic outside of application code, making it easier to write, change and audit.
  • Increase velocity by standardizing on a single authorization solution.
  • Centralize authorization decisions and audit logs, making it simpler to meet security and compliance requirements.
  • Help products move faster, because authorization policies are simpler to evolve.
try it
docker run -p 8080:8080 -p 8081:8081 -p 3000:3000 openfga/openfga run

Port 8080 is the HTTP API, 8081 the gRPC API and 3000 the playground. With no further flags the server uses the in-memory datastore (nothing persists across restarts) and requires no authentication, so this command is for local experiments only, not for anything reachable from a network.
info

OPA is often used for ABAC (attributes) or RBAC (roles), while OpenFGA targets ReBAC (relationships). Each has its own complexity tradeoffs.

Configuration Language

OpenFGA takes the best ideas from Google's Zanzibar paper for Relationship-Based Access Control, and also solves problems for Role-based Access Control and Attribute-Based Access Control use cases.

Basics of the OpenFGA configuration language
model
  schema 1.1

type user

type domain
  relations
    define member: [user]

type folder
  relations
    define can_share: writer
    define owner: [user, domain#member] or owner from parent_folder
    define parent_folder: [folder]
    define viewer: [user, domain#member] or writer or viewer from parent_folder
    define writer: [user, domain#member] or owner or writer from parent_folder

type document
  relations
    define can_share: writer
    define owner: [user, domain#member] or owner from parent_folder
    define parent_folder: [folder]
    define viewer: [user, domain#member] or writer or viewer from parent_folder
    define writer: [user, domain#member] or owner or writer from parent_folder

conditions in models

non-expired grant policy
model
  schema 1.1

type user

type document
  relations
    define viewer: [user with non_expired_grant]

condition non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
  current_time < grant_time + grant_duration
}

The parameters come from two places: grant_time and grant_duration are stored with the tuple when it is written (the condition's tuple-side context), while current_time is supplied in the context of each Check request. The tuple only grants viewer while the condition evaluates to true; if a required parameter is missing the check cannot be evaluated, so callers should treat that as a denial.
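The time-bounded grant above, as an added example in Go that is not part of OpenFGA or of this page: it shows the tuple-side parameters (grant_time, grant_duration) carried in the Write API's condition field, the request-side parameter (current_time) arriving in the Check request's context, and a local evaluation of the condition body. The object document:1, the user names, the timestamps and the rule that stored tuple parameters win over request parameters on a clash are this example's assumptions; in a real deployment the OpenFGA server evaluates the CEL expression itself.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Context holds condition parameters as they travel in JSON: timestamps as
// RFC 3339 strings, durations as CEL-style strings such as "10h".
type Context map[string]string

// RelationshipCondition mirrors the `condition` field of a TupleKey in the
// OpenFGA Write API: the condition name plus the tuple-side parameters.
type RelationshipCondition struct {
	Name    string  `json:"name"`
	Context Context `json:"context,omitempty"`
}

// TupleKey is one stored relationship, optionally bound to a condition.
type TupleKey struct {
	User      string                 `json:"user"`
	Relation  string                 `json:"relation"`
	Object    string                 `json:"object"`
	Condition *RelationshipCondition `json:"condition,omitempty"`
}

// nonExpiredGrant evaluates the page's condition body,
//   current_time < grant_time + grant_duration,
// over the merged context. A missing or malformed parameter is an error rather
// than false, so callers can tell "denied" from "could not evaluate" and still
// fail closed.
func nonExpiredGrant(ctx Context) (bool, error) {
	for _, p := range []string{"current_time", "grant_time", "grant_duration"} {
		if _, ok := ctx[p]; !ok {
			return false, fmt.Errorf("non_expired_grant: missing parameter %q", p)
		}
	}
	current, err := time.Parse(time.RFC3339, ctx["current_time"])
	if err != nil {
		return false, fmt.Errorf("current_time: %w", err)
	}
	granted, err := time.Parse(time.RFC3339, ctx["grant_time"])
	if err != nil {
		return false, fmt.Errorf("grant_time: %w", err)
	}
	d, err := time.ParseDuration(ctx["grant_duration"]) // "10h" or "1h30m" parse in CEL and Go alike
	if err != nil {
		return false, fmt.Errorf("grant_duration: %w", err)
	}
	return current.Before(granted.Add(d)), nil
}

// CheckViewer resolves `define viewer: [user with non_expired_grant]` against
// the stored tuples: a matching tuple allows only if its condition is true over
// the tuple-side context merged with the request-side context.
func CheckViewer(tuples []TupleKey, user, object string, request Context) (bool, error) {
	for _, t := range tuples {
		if t.User != user || t.Relation != "viewer" || t.Object != object {
			continue
		}
		if t.Condition == nil {
			return true, nil // unconditional tuple
		}
		if t.Condition.Name != "non_expired_grant" {
			return false, fmt.Errorf("unknown condition %q", t.Condition.Name)
		}
		// Assumption of this example: stored tuple parameters win on a clash, so a
		// caller cannot extend its own grant by resending grant_time or grant_duration.
		merged := Context{}
		for k, v := range request {
			merged[k] = v
		}
		for k, v := range t.Condition.Context {
			merged[k] = v
		}
		ok, err := nonExpiredGrant(merged)
		if err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

// SampleTuples is constructed data: anne may view document:1 for 10 hours from
// 2023-01-01T00:00:00Z, shaped like a tuple_keys entry of a Write request.
func SampleTuples() []TupleKey {
	return []TupleKey{{
		User: "user:anne", Relation: "viewer", Object: "document:1",
		Condition: &RelationshipCondition{
			Name:    "non_expired_grant",
			Context: Context{"grant_time": "2023-01-01T00:00:00Z", "grant_duration": "10h"},
		},
	}}
}

// WriteRequestJSON renders the Write API body ({"writes": {"tuple_keys": [...]}}).
func WriteRequestJSON(tuples []TupleKey) (string, error) {
	body := map[string]interface{}{"writes": map[string]interface{}{"tuple_keys": tuples}}
	b, err := json.MarshalIndent(body, "", "  ")
	return string(b), err
}

func main() {
	body, _ := WriteRequestJSON(SampleTuples())
	fmt.Println(body)
	for _, now := range []string{"2023-01-01T00:10:00Z", "2023-01-02T00:00:00Z"} {
		ok, err := CheckViewer(SampleTuples(), "user:anne", "document:1", Context{"current_time": now})
		fmt.Printf("current_time=%s allowed=%v err=%v\n", now, ok, err)
	}
}
```

The comparison is a strict `<`, so a check at exactly grant_time + grant_duration is denied, and a check with no current_time in its context surfaces as an error rather than a silent false.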

Example

OpenFGA model
model
  schema 1.1

type user

type folder
  relations
    define parent: [folder]
    define creator: [user]
    define editor: [user] or creator or editor from parent
    define viewer: [user] or editor or viewer from parent
    define can_share: creator
    define can_delete: creator
    define can_edit: editor
    define can_view: viewer

type document
  relations
    define parent: [folder]
    define creator: [user]
    define editor: [user] or creator or editor from parent
    define viewer: [user] or editor or viewer from parent
    define can_share: creator
    define can_delete: creator
    define can_edit: editor
    define can_view: viewer
some data (relationship tuples)
# Anne is the creator of the Product folder
- user: user:anne
  relation: creator
  object: folder:product
# Anne is the creator of the Planning folder
- user: user:anne
  relation: creator
  object: folder:planning
# The Product folder contains the Planning folder
- user: folder:product
  relation: parent
  object: folder:planning
# The Planning folder has been shared with Beth as an editor
- user: user:beth
  relation: editor
  object: folder:planning
# Beth is the creator of the Roadmap document
- user: user:beth
  relation: creator
  object: document:roadmap
# The Planning folder contains the Roadmap document
- user: folder:planning
  relation: parent
  object: document:roadmap
Query
is user:anne related to document:roadmap as can_view?

This is sent to the server as a Check request:

POST /stores/{store_id}/check
{
  "tuple_key": {
    "user": "user:anne",
    "relation": "can_view",
    "object": "document:roadmap"
  }
}

The response is {"allowed": true}: can_view is defined as viewer, viewer includes editor, and editor includes editor from parent; the parent of document:roadmap is folder:planning, where Anne is the creator, and creator implies editor. No tuple names Anne on the document itself; the permission is inherited through the folder chain.
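How a server resolves that Check, as an added example in Go that is not OpenFGA's own code: a minimal in-memory evaluator for the three rewrite forms the models on this page use (direct tuples such as [user], computed relations joined by `or`, and `<relation> from <tupleset>` tuple-to-userset), loaded with the Example model and data above. It also resolves userset subjects such as the domain#member entries of the first model on this page, so it serves both models. The recursion limit of 25, the evaluation order and the deny-on-unknown behaviour are this example's assumptions, not a description of OpenFGA's resolver.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is one stored relationship. The subject ("User") is a plain object such
// as "user:anne" or a userset such as "domain:acme#member".
type Tuple struct{ User, Relation, Object string }

// Rewrite captures the three DSL forms used on this page for one relation:
// Direct ("[user]"), Computed ("... or creator", same object) and TTU
// ("editor from parent"). Branches joined by "or" form a union.
type Rewrite struct {
	Direct   bool
	Computed []string
	TTU      [][2]string // {tupleset relation, relation to check on the linked object}
}

// Model maps object type -> relation name -> rewrite.
type Model map[string]map[string]Rewrite

type Store struct {
	Model  Model
	Tuples []Tuple
}

func objectType(object string) string { return strings.SplitN(object, ":", 2)[0] }

// Check walks the rewrite graph depth-first; unknown types or relations deny.
func (s *Store) Check(user, relation, object string) bool { return s.check(user, relation, object, 0) }

func (s *Store) check(user, relation, object string, depth int) bool {
	if depth > 25 { // assumed limit; stops runaway recursion on cyclic parent chains
		return false
	}
	rw, ok := s.Model[objectType(object)][relation]
	if !ok {
		return false
	}
	if rw.Direct {
		for _, t := range s.Tuples {
			if t.Object != object || t.Relation != relation {
				continue
			}
			if t.User == user {
				return true
			}
			// Userset subject "domain:acme#member": allowed if user is a member of domain:acme.
			if i := strings.Index(t.User, "#"); i >= 0 && s.check(user, t.User[i+1:], t.User[:i], depth+1) {
				return true
			}
		}
	}
	for _, r := range rw.Computed {
		if s.check(user, r, object, depth+1) {
			return true
		}
	}
	for _, ttu := range rw.TTU {
		// Follow every tuple in the tupleset (e.g. the object's parent) and check
		// the target relation on the linked object.
		for _, t := range s.Tuples {
			if t.Object == object && t.Relation == ttu[0] && s.check(user, ttu[1], t.User, depth+1) {
				return true
			}
		}
	}
	return false
}

// ExampleStore encodes the "Example" model and tuples from this page.
func ExampleStore() *Store {
	rels := map[string]Rewrite{
		"parent":     {Direct: true},
		"creator":    {Direct: true},
		"editor":     {Direct: true, Computed: []string{"creator"}, TTU: [][2]string{{"parent", "editor"}}},
		"viewer":     {Direct: true, Computed: []string{"editor"}, TTU: [][2]string{{"parent", "viewer"}}},
		"can_share":  {Computed: []string{"creator"}},
		"can_delete": {Computed: []string{"creator"}},
		"can_edit":   {Computed: []string{"editor"}},
		"can_view":   {Computed: []string{"viewer"}},
	}
	return &Store{Model: Model{"folder": rels, "document": rels}, Tuples: []Tuple{
		{"user:anne", "creator", "folder:product"},
		{"user:anne", "creator", "folder:planning"},
		{"folder:product", "parent", "folder:planning"},
		{"user:beth", "editor", "folder:planning"},
		{"user:beth", "creator", "document:roadmap"},
		{"folder:planning", "parent", "document:roadmap"},
	}}
}

func main() {
	s := ExampleStore()
	fmt.Println("anne can_view document:roadmap:", s.Check("user:anne", "can_view", "document:roadmap"))
	fmt.Println("beth can_view folder:product:", s.Check("user:beth", "can_view", "folder:product"))
}
```

Two properties worth checking against any model: permissions without a `from parent` branch (can_delete here) do not inherit down the folder tree, and a cyclic parent chain must terminate with a deny rather than hang the resolver.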
