Modular models aims to improve the model authoring experience when multiple teams are maintaining a model, such as:

• A model can grow large and difficult to understand
• As more teams begin to contribute to a model, the ownership boundaries may not be clear and code review processes might not scale

With modular models, a single model can be separated across multiple files allow grouping of types and conditions into modules. This means that a model can be organized more easily in terms of team or organizational structure. Used in conjunction with features such as GitHub, GitLab or Gitea's code owners, it should become easier to ensure the owners of a portion of your model are correctly assigned to review it.

How to use it?​

Modular models is currently shipped as an experimental feature while we gather feedback, in order for you to try it out.

• Update to the v0.3.0 release of the CLI
  • With the CLI you will be able to write your modular model and test it against a store file you have, but you will not be able to write your model to any OpenFGA server that does not enable this feature.
• Update to v0.2.20 of the VS Code Extension
• Download v1.5.1 of OpenFGA
  • As this is currently experimental, you will need to start OpenFGA with openfga run --experimental enable-modular-models.
• Check out the modular models sample store in the sample-stores repo
• Review the documentation for this feature

What's next?​

We intend to move this feature out of RC within the next few weeks, so as we gather feedback we'll deal with any issues that arise and look to improve upon any areas of the developer experience as needed.

Looking beyond the near term, modular models allows us to implement additional API authorization options for OpenFGA.

Reach out!​

We want to learn how you use this feature and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Welcome to Fine Grained News, KubeCon Edition!

KubeCon Europe 2024 was super-busy!​

You can now watch online:

• An AppDeveloperCon session about Implementing Modern Cloud Native Authorization Using OpenFGA where Pauline Jamin and Andres Aguiar go over how OpenFGA is helping Agicap to implement fine-grained authorization.

• A 7-min Lightning Talk about OpenFGA: The Cloud Native way to implement Fine Grained Authorization.

• Jonathan Whitaker's talk about Federated IAM for Kubernetes with OpenFGA, demoing how to use OpenFGA and KeyCloak to implement fine-grained authorization in a Kubernetes cluster, in ways it's not possible today, like giving access to a user for 90 seconds.

• We also participated in Canonical's Operator Day sharing how Canonical is using OpenFGA, but the presentation is not online yet.

Also, thanks to everyone who stopped by the OpenFGA Kiosk in the Project Pavilion to share their feedback about the project or learn more about it!

CNCF incubation​

As you may know, the CNCF has three stages for projects: Sandbox, Incubation, and Graduation. OpenFGA is currently a Sandbox project.

We are very happy to announce that we just applied for Incubation! We are excited about this step and will keep you posted on the progress.

New Adopters​

The OpenFGA community maintains a list of products/projects/companies that are using OpenFGA in production. We'd like to thank thank the following adopters for adding themselves to the list in the last month:

• Instill AI
• Zuplo
• OpenObserve
• Datum

If you are using OpenFGA in production, please consider adding your company/project to the list.

Community News​

• Raghd Hamzeh represented OpenFGA in an episode on Authorizing Access within a series called "You Choose - Choose Your Own Adventure: The Treacherous Trek to Security”. This episode was comparing OpenFGA with Hexa and Paralus. OpenFGA was the project viewers voted for as most interested in being featured in a demo.

• Sam Bellen published a Google Drive example using OpenFGA. It's a Next.js project, written in TypeScript and ready to deploy on Vercel.

• Philipp Wagner is working on a .NET example inspired by the Github model.

• Pauline Jamin and Geoffroy Braun will present about Infuser du métier dans les autorisations avec ReBAC at Devoxx France 2024 in April 17th.

New Releases​

We just shipped a release candidate of Modular Models, that makes it easy for multiple teams to collaborate in a single OpenFGA model. It requires the following components:

• OpenFGA v.1.5.1
• CLI v0.3.0
• Visual Studio Code Extension v0.2.20

We also shipped new version of our SDKs with several fixes:

• Javascript SDK 0.3.5.
• Go SDK v0.3.5
• Java SDK v0.4.0

Transitioning from Discord to CNCF's Slack​

As we mentioned in the last edition, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!​

Fine Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Welcome to the 3rd edition of Fine Grained News!

KubeCon Europe 2024 is getting closer!​

We'll be pretty busy during KubeCon Europe 2024:

• Jonathan Whitaker from Okta will talk about Federated IAM for Kubernetes with OpenFGA

• Pauline Jamin from Agicap and Andres Aguiar from Okta will present on Implementing Modern Cloud Native Authorization Using OpenFGA

• OpenFGA will be present in Canonical's Operator's day, co-located at KubeCon EU. Andres Aguiar and Massimilano Gori from Canonical, will talk about how Canonical adopted OpenFGA for implementing authorization in Juju.

• Andres Aguiar will also be delivering a Lightning Talk titled OpenFGA - The Cloud Native way to implement Fine Grained Authorization (link not available yet :) ).

We'll also have a kiosk in the CNCF Project Pavilion, so if you plan to attend let us know and we can schedule some time together!

Documentation Improvements​

We keep improving our documentation, and added a few new documents that you might find interesting:

• Learn how to use the FGA CLI to perform every possible operation on OpenFGA and simplify most common workflows.

• Learn how you can test FGA models as part of your development flow or CI/CD pipelines, without the need to run an OpenFGA server.

• Learn how you can include identity token claims contextual tuples to model ABAC-like scenarios or simplify data integrations with OpenFGA.

OpenFGA in the Java Ecosystem​

OpenFGA is getting bigger on the Java world! We are working with the Spring Security team to build an Spring Security integration for OpenFGA. You can check the ideas we are exploring in this repository.

Also, the Testcontainers team added an OpenFGA integration for Java to make it simple to write integration tests for applications using OpenFGA.

We'd love to hear your feedback!

SDK Improvements​

New releases with bug fixes and improvements:

• Javascript SDK 0.3.3.
• Go SDK v0.3.5
• Python SDK v0.4.1

Modular Models​

We wrapped up the RFC for Modular Models, which will enable multiple teams to work on different parts of the model independently and we are now working on the implementation. We'd love feedback on the RFC.

Wait for a demo on our next Community Meeting!

Community News​

• Learn how stacklok is using OpenFGA to implement authorization in Minder, an open source project that makes it easier to apply and automate the enforcement of security checks and policies across multiple GitHub repositories.

• Check this OpenFGA tutorial by Alberto Coronado (in Spanish!).

• Raghd Hamzeh joined Whitney Lee in an in-depth Tanzu ⚡️Enlightning session about OpenFGA.

Transitioning from Discord to CNCF's Slack​

As you may know, we've been using Discord for the OpenFGA community. We’ll transition it to the CNCF OpenFGA Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!​

Fine Grained News are published every month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Welcome to the 2nd edition of Fine Grained News!

Team News​

The OpenFGA team got bigger, and we met in person in Toronto for the first time! We got to know each other better, helped new team members to get familiar with the project, hacked some code, had some fun with ax throwing, and loved Toronto's weather!

KubeCon Europe 2024!​

We got two presentations accepted in KubeCon Europe!

• Jonathan Whitaker from Okta will talk about Federated IAM for Kubernetes with OpenFGA

• Pauline Jamin from Agicap and Andres Aguiar from Okta will present on Implementing Modern Cloud Native Authorization Using OpenFGA

We'll also have a Project Kiosk, so if you plan to attend let us know and we can schedule some time together!

OpenFGA ⚡️Enlightning Session!​

Our own Raghd Hamzeh will join Whitney Lee in a Tanzu ⚡️Enlightning session on February 8th at 9am PT.

Join their Youtube stream here.

Visual Studio Code Integration Enhancements​

We keep investing in improving our VS Code experience. The video below shows how, in addition to validating the model, we can validate the tuple content and the tests.

We are identifying:

• Invalid object types, user types, and relations when defining tuples.
• Invalid object types, user types, and relations when defining tests.
• User id or object id that was not included in any tuple in check tests.

This helps authoring/testing models, making the whole process less error prone and more fun!

CLI improvements​

We love the FGA CLI and we keep making it even better.

We had a few of contributions from new team members and the community :).

• You can now import tuples from a CSV file. We supported JSON/YAML, but if you are exporting data from a database, producing to CSV is way simpler.
• You can take a .fga.yaml file with a model and tuples, and get it imported in OpenFGA.
• Added support for specifying an external tuple_file in .fga.yaml files.
• Added support for specifying a continuation_token when calling fga tuple changes.
• Support for configuring OAuth scopes to authenticate to OIDC servers.

Check the updated documentation in our CLI repository

Thanks to Yann D'Isanto for all your help on this!

OpenFGA v1.4.3​

We just shipped OpenFGA v1.4.3, with performance improvements and one security issue fixed. We recommend everyone to upgrade to the latest release.

SDK Improvements​

New releases with bug fixes and improvements:

• Java SDK v0.3.2. If you are using the Java SDK please upgrade to this version.
• Go SDK v0.3.4
• Python SDK v0.4.0, which has breaking changes.

Thanks again to Yann D'Isanto for your help on the Java SDK!

Language Improvements​

The DSL language now has better support for comments and mixed operator support, where you can use parentheses to group expressions when defining relations:

It's available in the VS Code extension, the CLI and the Playground.

Github Actions​

We shipped a couple of Github Actions that help you deploy FGA models, and run model tests as part of your CI/CD build. Find them here.

What's Next? Check our RFCs!​

We've been discussing with the OpenFGA community a couple of RFCs that we are planning to implement in the next few weeks:

• Support for modular models.
• ListUsers API.

Please take a look at them and let us know what you think!

OpenFGA Community​

We have a very welcoming community, and we'd love to have you there! You can join us in different ways:

• Join our community meetings, the second Thursday of every month. All the recordings are here.
• Stay up to date by following us on X.
• Join our community channels in Slack or GitHub.

See you next month!​

Fine Grained News are published every month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Hi Everyone!

We've been publishing a monthly internal newsletter we called Fine Grained News since the beginning on 2023, and we just thought it would be a good idea to share it with the community. Yeah, we are slow thinkers!

You can expect to find here a summary of what we've been up to, what we are planning to do, and some other random stuff we think you might find interesting.

Team News​

We always start our Monthly Community Meetings presenting the team. If you attended the last one, you've seen that the size of the team has grown quite a bit! We are pretty excited about the impact it will have in OpenFGA and the authorization space in general.

Behavior Driven Development with OpenFGA​

In our last Community Meeting, the Agicap team (Pauline and Yann) demoed how they are using OpenFGA to implement Behavior Driven Development (BDD) in their authorization system.

The screenshot below might be enough to understand what they are doing, but if you want to know more, you can watch the full presentation here.

GoDaddy & OpenFGA​

GoDaddy has been working with OpenFGA for a few months. They just published a document explaining why they picked OpenFGA, and how they used to address the authorization challenges they were facing.

Some interesting tidbits:

• They implemented their own DynamoDB Storage Adapter, as they were heavy Dynamo DB users and liked the eventual consistency model it provided.
• They needed Contextual Tuples to fully support their use case.

Read the full article here.

Canonical & OpenFGA​

Canonical has also been working with OpenFGA for a while, and it's adding OpenFGA to different layers in their stack.

They just announced that OpenFGA support is included in LXD and MicroCloud.

Pretty soon, if you are using Ubuntu Pro, you will be using OpenFGA :).

OpenFGA v1.4!​

Last week we released OpenFGA v1.4! This release includes our support for Conditional Relationship Tuples, which helps implementing additional Attribute-Based Access Control scenarios like temporal access, IP based access, bank transfer limits, SaaS application plans, and much more!

You can read more about it here.

SDK Improvements​

• The Java SDK has now feature parity with the rest of the our SDKs. It can be used from any language for the Java VM. You can see examples on Kotlin, Groovy and Scala here.

• The Python SDK was updated to support synchronous clients, support custom SSL certificates, and better performance in batch checks.

Language Improvements​

We've been working on the OpenFGA language with some long-due improvements. Soon, you'll be able to use parentheses to group expressions when defining relations:

The syntax is still not supported in the FGA CLI, but we are pretty close. Daniel demoed it in our latest community meeting, you can see the full demo here.

VS Code Extension Improvements​

We have also been improving tuple validation when writing fga.yaml files, and it's pretty cool! Works on Daniel's machine for now :).

Daniel also demoed it in our latest community meeting, watch it here.

KubeCon EU 2024​

We are getting ready for KubeCon Europe 2024, in Paris. We'll have a Project Kiosk, and we have submitted a few talks. We'll keep you posted!

OpenFGA Community​

We have a very welcoming community, and we'd love to have you there! You can join us in different ways:

• Join our community meetings, the second Thursday of every month. All the recordings are here.
• Join our community channels in Slack or GitHub.
• Stay up to date by following us on X.
• Ask questions, submit ideas, or just say hi in our GitHub Discussions.

See you next month!​

We'll keep publishing our Fine Grained News each month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Relationship Tuples are the facts that the OpenFGA evaluates to determine whether a user is permitted to access a resource.

The way tuples are considered when making authorization decisions in OpenFGA is guided by an authorization model, which employs concepts from Relationship-Based Access Control (ReBAC) to establish authorization policies. For instance, you might declare that users are allowed to view a document if they have permission to view its parent folder.

Although ReBAC offers a highly flexible method for structuring permissions, it encounters difficulties with defining permissions based on attributes that are not easily represented as relationships. Attributes such as “parent folder,” “department,” “region,” and “country” can be conceptualized as relationships between two entities. However, attributes like “IP address,” “time of day,” “team size limit,” or “maximum amount for a bank transfer” cannot be easily handled.

In our ongoing efforts to expand OpenFGA’s capacity for articulating a broader range of authorization policies, we are introducing Conditional Relationship Tuples. These allow for the specification of conditions under which a particular tuple is relevant when evaluating an authorization query.

Consider the following example, where we utilize Conditional Tuples to grant access for a user over a specified time duration. We stipulate that a user may be granted either unconditional access or access constrained to a certain time period:

model
  schema 1.1

type user

type document
  relations
    define viewer: [user, user with non_expired_grant]

condition non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
  current_time < grant_time + grant_duration
}

If we write the following tuples:

You'll get the following results for the Check operations below:

You'll get the following results for the ListObjects operations below:

Note that:

• user:bob will always get allowed:true as we have assigned as viewer unconditionally.
• user:anne will get allowed:true if the current_time is before the grant_time + grant_duration and allowed:false otherwise.
• If you don't provide the current_time in the context, the Check and ListObjects operations will fail.

Use Cases​

The OpenFGA Sample Stores repository has several examples that take advantage of this new feature:

• Granting access during a specific period of time (the use case explained above).
• Allow access based on the user’s IP Address.
• Granting access based on group membership and resource attributes.
• Allow access to specific features based on usage.
• Determine if a user can make a bank transfer based .on the transaction amount.
• Data types and operations supported in conditions.

How to use it?​

Conditional Relationship Tuples are included in OpenFGA 1.4.0-rc1 version. You can run it by pulling it from docker:

docker pull openfga/openfga:v1.4.0-rc1
docker run -p 8080:8080 -p 8081:8081 -p 3000:3000 openfga/openfga:v1.4.0-rc1 run`

OpenFGA has a rich ecosystem of developer tools. The following have been updated to support Conditional Relationship Tuples:

• Visual Studio Code integration which provides syntax highlighting and model validations for conditions.

• Beta versions of the Javascript SDK and the Go SDK, which allows using the additional parameters.

• The OpenFGA CLI allows validating models and runing tests that use conditional tuples. You can use it to test the new features by pointing to a “.fga.yaml” file that defines the tests you want to run, without having to deploy OpenFGA.

What’s Next?​

We’ll address some limitations of the current implementation:

• The Expand API does not consider conditions.
• The Visual Studio Code integration is not validating the expressions in conditions.
• The Playground does not let you add context for tuples and assertions. You should use the VS Code Extension + the FGA CLI to test your models for now.

We'll also improve ListObjects scenarios when it's called with missing context. For example, consider the following model that enables access only to documents with a specific status:

model
  schema 1.1

type user

type document
  relations
    define can_access: [user with docs_in_draft_status]

condition docs_in_draft_status(status: string) {
  status == "draft"
}

If you want to list all the documents a user can view, you'll need to know the status of all of those documents. Given you don't know the documents the user has access too, you can't send the status of those as a parameter to ListObjects.

Our goal is to return a structure that you can use to filter documents on your side, similar to: (document.id = ‘1’ and document.status = ‘draft’) or (document.id = ‘2’ and.status = draft)
This won’t scale to a large number of documents, but would be useful in some scenarios.

Reach out!​

We want to learn how you use this feature and how we can improve it!

Please reach out through our community channels with any questions or feedback.

As you'd expect, the OpenFGA team will be at KubeCon NA 2023 in Chicago, IL!

We'll have a packed agenda for the week:

• Jonathan Whitaker and Lucas Käldström will be presenting in Could_Native Rejects on how to use OpenFGA to manage and extend authorization in Kubernetes. Learn more here.

• Maria Ines Parnisari and Andres Aguiar will be presenting in AppDeveloperCon about modernizing authorization for cloud native applications using OpenFGA. Learn more here.

• We'll host a Project Meeting on Monday 9.30 AM in the Hudson room at the Hilton Garden Inn. We'll share how the product is being used, demo the latests features like our new CLI, the VS Code Extension, Conditional Relationships, the Java SDK... and more!

• We'll be in the CNCF Project Pavilion during the afternoons.

• We'll host our OpenFGA community meeting directly from KubeCon on Thursday 9th at 3PM UTC (8AM PST/11AM EST).

If you want to meet with the team outside of these events, please pick any spot that works for you in our calendar.

See you in Chicago!