openfga

module

v1.5.3 Latest Latest Go to latest Published: Apr 16, 2024 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/openfga/openfga

Links

Open Source Insights

README ¶

OpenFGA

GitHub release (latest SemVer)

A high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar.

OpenFGA is designed to make it easy for developers to model their application permissions and add and integrate fine-grained authorization into their applications.

It allows in-memory data storage for quick development, as well as pluggable database modules. It currently supports PostgreSQL 14 and MySQL 8.

It offers an HTTP API and a gRPC API. It has SDKs for Java, Node.js/JavaScript, GoLang, Python and .NET. Look in our Community section for third-party SDKs and tools. It can also be used as a library (see example).

Getting Started

The following section aims to help you get started quickly. Please look at our official documentation for in-depth information.

Setup and Installation

ℹ️ The following sections setup an OpenFGA server using the default configuration values. These are for rapid development and not for a production environment. Data written to an OpenFGA instance using the default configuration with the memory storage engine will not persist after the service is stopped.

For more information on how to configure the OpenFGA server, please take a look at our official documentation on Running in Production.

Docker

OpenFGA is available on Dockerhub, so you can quickly start it using the in-memory datastore by running the following commands:

docker pull openfga/openfga
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run

[!TIP] The OPENFGA_HTTP_ADDR environment variable can used to configure the address at which the playground expects the OpenFGA server to be. For example, docker run -e OPENFGA_PLAYGROUND_ENABLED=true -e OPENFGA_HTTP_ADDR=0.0.0.0:4000 -p 4000:4000 -p 3000:3000 openfga/openfga run will start the OpenFGA server on port 4000, and configure the playground too.

Docker Compose

docker-compose.yaml provides an example of how to launch OpenFGA with Postgres using docker compose.

First, either clone this repo or curl the docker-compose.yaml file with the following command:
```
curl -LO https://openfga.dev/docker-compose.yaml
```
Then, run the following command:
```
docker compose up
```

Package Managers

If you are a Homebrew user, you can install OpenFGA with the following command:

brew install openfga

Pre-compiled Binaries

Download your platform's latest release and extract it. Then run the binary with the command:

./openfga run

Building from Source

There are two recommended options for building OpenFGA from source code:

Building from source with `go install`

Make sure you have Go 1.20 or later installed. See the Go downloads page.

You can install from source using Go modules:

First, make sure $GOBIN is on your shell $PATH:
```
export PATH=$PATH:$(go env GOBIN)
```

Then use the install command:

go install github.com/openfga/openfga/cmd/openfga

Run the server with:
```
./openfga run
```

Building from source with `go build`

Alternatively you can build OpenFGA by cloning the project from this Github repo, and then building it with the go build command:

Clone the repo to a local directory, and navigate to that directory:
```
git clone https://github.com/openfga/openfga.git && cd openfga
```
Then use the build command:
```
go build -o ./openfga ./cmd/openfga
```
Run the server with:
```
./openfga run
```

Verifying the Installation

Now that you have Set up and Installed OpenFGA, you can test your installation by creating an OpenFGA Store.

curl -X POST 'localhost:8080/stores' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "openfga-demo"
}'

If everything is running correctly, you should get a response with information about the newly created store, for example:

{
  "id": "01G3EMTKQRKJ93PFVDA1SJHWD2",
  "name": "openfga-demo",
  "created_at": "2022-05-19T17:11:12.888680Z",
  "updated_at": "2022-05-19T17:11:12.888680Z"
}

Playground

The Playground facilitates rapid development by allowing you to visualize and model your application's authorization model(s) and manage relationship tuples with a locally running OpenFGA instance.

To run OpenFGA with the Playground disabled, provide the --playground-enabled=false flag.

./openfga run --playground-enabled=false

Once OpenFGA is running, by default, the Playground can be accessed at http://localhost:3000/playground.

In the event that a port other than the default port is required, the --playground-port flag can be set to change it. For example,

./openfga run --playground-enabled --playground-port 3001

Profiler (pprof)

Profiling through pprof can be enabled on the OpenFGA server by providing the --profiler-enabled flag.

./openfga run --profiler-enabled

This will start serving profiling data on port 3001. You can see that data by visiting http://localhost:3001/debug/pprof.

If you need to serve the profiler on a different address, you can do so by specifying the --profiler-addr flag. For example,

./openfga run --profiler-enabled --profiler-addr :3002

Once the OpenFGA server is running, in another window you can run the following command to generate a compressed CPU profile:

go tool pprof -proto -seconds 60 http://localhost:3001/debug/pprof/profile
# will collect data for 60 seconds and generate a file like pprof.samples.cpu.001.pb.gz

That file can be analyzed visually by running the following command and then visiting http://localhost:8084:

go tool pprof -http=localhost:8084 pprof.samples.cpu.001.pb.gz

Next Steps

Take a look at examples of how to:

Don't hesitate to browse the official Documentation, API Reference.

Limitations

MySQL Storage engine

The MySQL storage engine has a lower length limit for some properties of a tuple compared with other storage backends. For more information see the docs.

OpenFGA's MySQL Storage Adapter was contributed to OpenFGA by @twintag. Thanks!

Production Readiness

The core OpenFGA service has been in use by Okta FGA in production since December 2021.

OpenFGA's Memory Storage Adapter was built for development purposes only and is not recommended for a production environment, because it is not designed for scalable queries and has no support for persistence.

You can learn about more organizations using OpenFGA in production here. If your organization is using OpenFGA in production please consider adding it to the list.

The OpenFGA team will do its best to address all production issues with high priority.

Contributing

See CONTRIBUTING.

Community Meetings

We hold a monthly meeting to interact with the community, collaborate and receive/provide feedback. You can find more details, including the time, our agenda, and the meeting minutes here.

Directories ¶

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Path	Synopsis
assets Package assets contains database migration scripts and test files	Package assets contains database migration scripts and test files
cmd Package cmd contains all the commands included in the binary file.	Package cmd contains all the commands included in the binary file.
migrate Package migrate contains the command to perform database migrations.	Package migrate contains the command to perform database migrations.
openfga Package main contains the root of all commands.	Package main contains the root of all commands.
run Package run contains the command to run an OpenFGA server.	Package run contains the command to run an OpenFGA server.
util Package util provides common utilities for spf13/cobra CLI utilities that can be used for various commands within this project.	Package util provides common utilities for spf13/cobra CLI utilities that can be used for various commands within this project.
validatemodels Package validatemodels contains the command to run validations on authorization models.	Package validatemodels contains the command to run validations on authorization models.
internal
authn
authn/oidc
authn/presharedkey
build Package build provides build information that is linked into the application.	Package build provides build information that is linked into the application.
condition
condition/eval
condition/metrics Package metrics provides various metric and telemetry definitions for OpenFGA Conditions.	Package metrics provides various metric and telemetry definitions for OpenFGA Conditions.
condition/types
graph Package graph contains code related to evaluation of authorization models through graph traversals.	Package graph contains code related to evaluation of authorization models through graph traversals.
keys
middleware/authn
mocks Package mocks is a generated GoMock package.	Package mocks is a generated GoMock package.
server/config Package config contains all knobs and defaults used to configure features of OpenFGA when running as a standalone server.	Package config contains all knobs and defaults used to configure features of OpenFGA when running as a standalone server.
test/check
test/listobjects
utils
validation
pkg
encoder Package encoder provides implementations for data encoding and continuation token encoding.	Package encoder provides implementations for data encoding and continuation token encoding.
encrypter Package encrypter contains data encryption implementations.	Package encrypter contains data encryption implementations.
gateway Package gateway provides implementations to send data through the transport (e.g.	Package gateway provides implementations to send data through the transport (e.g.
logger Package logger contains logging implementations.	Package logger contains logging implementations.
middleware/http Package http contains middleware and utility functions to modify HTTP requests and responses.	Package http contains middleware and utility functions to modify HTTP requests and responses.
middleware/logging Package logging contains logging middleware.	Package logging contains logging middleware.
middleware/requestid Package requestid contains middleware to inject and manage request id context.	Package requestid contains middleware to inject and manage request id context.
middleware/storeid Package storeid contains middleware to inject and manage the store ID context.	Package storeid contains middleware to inject and manage the store ID context.
middleware/validator Package validator contains middleware that validates API input parameters.	Package validator contains middleware that validates API input parameters.
server Package server contains the endpoint handlers.	Package server contains the endpoint handlers.
server/commands Package commands contains the code that handles each endpoint.	Package commands contains the code that handles each endpoint.
server/commands/reverseexpand Package reverseexpand contains the code that handles the ReverseExpand API	Package reverseexpand contains the code that handles the ReverseExpand API
server/errors Package errors contains custom error codes that are sent to clients.	Package errors contains custom error codes that are sent to clients.
server/health Package health contains the service that check the health of an OpenFGA server.	Package health contains the service that check the health of an OpenFGA server.
server/test
storage Package storage contains storage interfaces and implementations.	Package storage contains storage interfaces and implementations.
storage/memory Package memory contains an implementation of the storage interface that lives in memory.	Package memory contains an implementation of the storage interface that lives in memory.
storage/mysql Package mysql contains an implementation of the storage interface that works with MySQL.	Package mysql contains an implementation of the storage interface that works with MySQL.
storage/postgres Package postgres contains an implementation of the storage interface that works with Postgres.	Package postgres contains an implementation of the storage interface that works with Postgres.
storage/sqlcommon Package sqlcommon contains utility functions shared among all SQL data stores.	Package sqlcommon contains utility functions shared among all SQL data stores.
storage/storagewrappers Package storagewrappers contains decorators for storage implementations.	Package storagewrappers contains decorators for storage implementations.
storage/test
telemetry Package telemetry contains code that emits telemetry (logging, metrics, tracing).	Package telemetry contains code that emits telemetry (logging, metrics, tracing).
testfixtures/storage Package storage contains containers that can be used to test all available data stores.	Package storage contains containers that can be used to test all available data stores.
testutils Package testutils contains code that is useful in tests.	Package testutils contains code that is useful in tests.
tuple Package tuple contains code to manipulate tuples and errors related to tuples.	Package tuple contains code to manipulate tuples and errors related to tuples.
typesystem Package typesystem contains code to manipulate authorization models.	Package typesystem contains code to manipulate authorization models.
tests
check Package check contains integration tests for the Check API.	Package check contains integration tests for the Check API.
listobjects Package listobjects contains integration tests for the ListObjects and StreamedListObjects APIs.	Package listobjects contains integration tests for the ListObjects and StreamedListObjects APIs.
writemodel Package writemodel contains integration tests for the WriteAuthorizationModel API.	Package writemodel contains integration tests for the WriteAuthorizationModel API.