README
¶
OpenFGA
A high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar.
OpenFGA is designed to make it easy for developers to model their application permissions and add and integrate fine-grained authorization into their applications.
It allows in-memory data storage for quick development, as well as pluggable database modules. It currently supports PostgreSQL and MySQL.
It offers an HTTP API and a gRPC API. It has SDKs for Node.js/JavaScript, GoLang, Python and .NET. Look in our Community section for third-party SDKs and tools.
Getting Started
The following section aims to help you get started quickly. Please look at our official documentation for in-depth information.
Setup and Installation
ℹ️ The following sections setup an OpenFGA server using the default configuration values. These are for rapid development and not for a production environment. Data written to an OpenFGA instance using the default configuration with the memory storage engine will not persist after the service is stopped.
For more information on how to configure the OpenFGA server, please take a look at our official documentation on Configuring OpenFGA or our Production Checklist.
Docker
OpenFGA is available on Dockerhub, so you can quickly start it using the in-memory datastore by running the following commands:
docker pull openfga/openfga
docker run -p 8080:8080 -p 3000:3000 openfga/openfga run
Docker Compose
docker-compose.yaml provides an example of how to launch OpenFGA with Postgres using docker compose.
-
First, either clone this repo or curl the
docker-compose.yamlfile with the following command:curl -LO https://openfga.dev/docker-compose.yaml -
Then, run the following command:
docker compose up
Pre-compiled Binaries
Download your platform's latest release and extract it. Then run the binary with the command:
./openfga run
Building from Source
There are two recommended options for building OpenFGA from source code:
Building from source with go install
Make sure you have Go 1.18 or later installed. See the Go downloads page.
You can install from source using Go modules:
-
First, make sure
$GOBINis on your shell$PATH:export PATH=$PATH:$(go env GOBIN) -
Then use the install command:
go install github.com/openfga/openfga/cmd/openfga -
Run the server with:
./openfga run
Building from source with go build
Alternatively you can build OpenFGA by cloning the project from this Github repo, and then building it with the go build command:
-
Clone the repo to a local directory, and navigate to that directory:
git clone https://github.com/openfga/openfga.git && cd openfga -
Then use the build command:
go build cmd/openfga/openfga.go -
Run the server with:
./openfga run
Verifying the Installation
Now that you have Set up and Installed OpenFGA, you can test your installation by creating an OpenFGA Store.
curl -X POST 'localhost:8080/stores' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "openfga-demo"
}'
If everything is running correctly, you should get a response with information about the newly created store, for example:
{
"id": "01G3EMTKQRKJ93PFVDA1SJHWD2",
"name": "openfga-demo",
"created_at": "2022-05-19T17:11:12.888680Z",
"updated_at": "2022-05-19T17:11:12.888680Z"
}
Playground
The Playground facilitates rapid development by allowing you to visualize and model your application's authorization model(s) and manage relationship tuples with a locally running OpenFGA instance.
To run OpenFGA with the Playground disabled, provide the --playground-enabled=false flag.
./openfga run --playground-enabled=false
Once OpenFGA is running, by default, the Playground can be accessed at http://localhost:3000/playground.
In the event that a port other than the default port is required, the --playground-port flag can be set to change it. For example,
./openfga run --playground-enabled --playground-port 3001
Profiler (pprof)
Profiling through pprof can be enabled on the OpenFGA server by providing the --profiler-enabled flag.
./openfga run --profiler-enabled
If you need to serve the profiler on a different address than the default :3001, you can do so by specifying the --profiler-addr flag. For example,
./openfga run --profiler-enabled --profiler-addr :3002
Next Steps
Take a look at examples of how to:
- Write an Authorization Model
- Write Relationship Tuples
- Perform Authorization Checks
- Add Authentication to your OpenFGA server
Don't hesitate to browse the official Documentation, API Reference.
Limitations
MySQL Storage engine
The MySQL storage engine has a lower length limit for some properties of a tuple compared with other storage backends. For more information see the docs
Production Readiness
The core OpenFGA service has been in use by Auth0 FGA in production since December 2021.
OpenFGA's PostgreSQL Storage Adapter was purposely built for OpenFGA. Auth0 is not using it in a production environment.
OpenFGA's MySQL Storage Adapter was contributed to OpenFGA by @twintag. Auth0 is not using it in a production environment.
The OpenFGA team will do its best to address all production issues with high priority.
Contributing
See CONTRIBUTING.
Directories
¶
| Path | Synopsis |
|---|---|
|
util
Package util provides common utilities for spf13/cobra CLI utilities that can be used for various commands within this project.
|
Package util provides common utilities for spf13/cobra CLI utilities that can be used for various commands within this project. |
|
internal
|
|
|
build
Package build provides build information that is linked into the application.
|
Package build provides build information that is linked into the application. |
|
pkg
|
|
|
mocks
Package mocks is a generated GoMock package.
|
Package mocks is a generated GoMock package. |