Skip to main content

Fine-Grained News - October 2025

· 5 min read
Andres Aguiar
Andres Aguiar
Product Manager

Welcome to OpenFGA's Fine-Grained News, October edition!

🎉 OpenFGA to CNCF Incubation!

The CNCF completed the Due Diligence process to approve moving OpenFGA to the CNCF Incubation stage, and it's now open for comments. Support emojis are appreciated! 🚀 ❤️!

Thanks to Grafana, Docker, Read.AI, Agicap, and Zuplo for taking the time to talk to the CNCF about their experience!

Moving to the Incubation maturity level is great news for the OpenFGA community and we are super excited about it!

🚀 What We've Shipped

OpenFGA v1.10.0 Performance Improvements

Starting with OpenFGA v1.10.0, we've included a query planner that selects resolution strategies based on runtime statistics, behind the enable-check-optimization flag. The planner can pick different strategies per-relation, and we've seen significant improvements in performance for some models/relations. In-depth engineering blog post coming soon!

Write Endpoint Enhancements

In case you missed it, we also included in v1.10.0 two new (optional) parameters to the /write endpoint that allow specifying the expected behavior when duplicated tuples are written or non-existing tuples are deleted. The Go, Java, and .NET SDK already support them, and we'll be completing support for Python, and Javascript in the next few weeks.

SDK & Tooling Updates

🌟 Community Spotlight

Read.AI, one of the earliest OpenFGA adopters, was recognized by OpenAI for processing 1 trillion tokens. They use OpenAI for RAG use cases powered by OpenFGA :).

Congrats to Luke Woloszyn, Andrew Powers, and Sam Matthews for such a great achievement!

📣 Community Updates & Events

Recent Talks & Content

Upcoming Events

OpenFGA will also have a kiosk at the KubeCon Project Pavilion. Tyler Nix and José Padilla will be there!

The OpenFGA community submitted six proposals to present at KubeCon Europe! A great way to celebrate the upcoming CNCF Incubation stage!

See you soon!

Fine-Grained News is published monthly. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine Grained News - September 2025

· 6 min read
Andres Aguiar
Andres Aguiar
Product Manager

After a long hiatus, we are back with Fine Grained News! The best way to keep up to date with the OpenFGA community!

First of all, we want to thank the OpenFGA community for helping the OpenFGA Repository get beyond 4k stars!

What have we been up to

OpenFGA Performance

The OpenFGA team has been mostly focused on performance improvements, and we are close to finishing a big round of improvements.

  • The /check endpoint is now up to 10x faster in some scenarios.
  • The /list-objects endpoint is up to 5x faster in some scenarios (the enhancements are still behind an experimental flag).
  • The caching implementation has a more sophisticated eviction mechanism that allows OpenFGA to cache entries for a longer time.

Improved Write API

OpenFGA v1.10 adds additional parameters to the /write endpoint that allow specifying the behavior when duplicated tuples are written or non-existing tuples are deleted. This was a much requested feature - we're looking forward for your feedback on it!

The SDKs and the CLI will add support for these options over the coming month.

Terraform Provider

Maurice Ackel contributed the official OpenFGA Terraform Provider. Take a look at it, and let Maurice know if you are using it!

SDKs and Tooling

  • We shipped several improvements across all SDKs:

    • Improved how the SDKs retry when getting 429 errors
    • BatchCheck support (.NET coming soon!)
    • .NET Standard 2.0 support for .NET is in Alpha, and will be released soon.

  • The CLI has several improvements:

    • Supports running tests using glob patterns (fga model test --tests *.yaml)
    • Supports jsonl format for tuples
    • Allows specifying multiple tuple files in store tests
    • Enables grouping users/objects in store tests, avoiding duplication:
    - object: group:employees
      users:
        - user:1
        - user:2
      assertions:
        member: true

    - objects:
        - group:admins
        - group:employees
      user: user:1
      assertions:
          member: true

  • We've been playing with an OpenFGA MCP to help with modeling. You can add the MCP by pointing your MCP client (e.g., VS Code) to https://mcp.openfga.dev/mcp. You can find the code here, or see it in action here. It's pretty awesome! :)

New OpenFGA Adopters

The list of companies/projects keeps increasing! These adopters were added since the last edition of Fine Grained News:

  • Headspace: Headspace uses OpenFGA to manage entitlements for its users based on their subscriptions. OpenFGA is also used to determine availability of features and content based on regionality and language.
  • EarthScope Consortium: EarthScope Consortium supports transformative global geophysical research and education. They leverage OpenFGA to authorize researcher access to hundreds of thousands of data streams from geophysical sensors located all over the world.
  • Incus: The Incus project uses OpenFGA as its primary authorization mechanism for fine grained access control to all its resources.
  • virv.ai: virv.ai uses OpenFGA as the core authorization model that enables individuals, agents and organizations to access artifacts such as data, credentials, and documents. OpenFGA allows us to meet the needs of the AI-enabled Enterprise where trust is essential.
  • X-HR LABS: X-HR is a modern HR tech platform that empowers businesses with full freedom to use and grow on their own terms. They leverage OpenFGA to implement robust, relationship-based access control across company data and organizational structures.
  • AppsCode: AppsCode uses OpenFGA to implement authorization functionality for their AppsCode Container Engine (ACE) Platform.
  • Grafana Labs: Grafana user authorization and Role Based Access Control (RBAC) are migrating to OpenFGA.

You can also learn how OpenFGA powers NeoNephos, a new Linux Foundation project that's dedicated to advancing open source projects that align with the strategic objectives of the EU's IPCEI-CIS, in this Open Source Summit presentation by Bastian Echterhölter & Aaron Schweig from SAP.

The Linux Foundation is using OpenFGA for their new platform. You can see their OpenFGA authorization model here.

Nagarro published a case study detailing how they helped Schneider Electric with an OpenFGA implementation.

OpenFGA Security Posture

All OpenFGA repositories now have a Security Insights file and are integrated with OpenSSF Scorecard.

OpenFGA is also included in the LFX Insights website, scoring an Excellent score.

OpenFGA to CNCF Incubation!

We are going through the due diligence process to be approved for the CNCF Incubation stage with the CNCF Technical Oversight Committee. They are currently interviewing OpenFGA adopters. Thanks to Canonical, Grafana, Docker, Read.AI, Agicap, Sourcegraph, Zuplo, and Custodian for agreeing to be interviewed by the CNCF!

Upcoming Events: KubeCon North America & All Things Open

OpenFGA will also have a kiosk at the KubeCon Project Pavilion. Tyler Nix and José Padilla will be there!

See you soon!

Fine Grained News used to be published every month, and we plan to go back to our monthly cadence! :) If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine-Grained News - February 2025

· 5 min read
Andres Aguiar
Andres Aguiar
Product Manager

Welcome to the second Fine-Grained News edition of 2025!

Just Shipped!

  • We shipped 3 minor versions of OpenFGA which include:

    • Fixes for CVE-2025-25196 and CVE-2024-56323

    • Several performance improvements that are enabled with the enable-check-optimizations experimental flag.

    • Dynamic TLS certificate reloading for HTTP and gRPC servers. Thanks Rokibul Hasan for your contribution!

    • A name filter to ListStores. The name parameter instructs the API to only include results that match that name. Thanks Karl Persson for your contribution!

    • Optimized database dialect handling by setting it during initialization instead of per-call, fixing SQL syntax errors in MySQL. Thanks Siddhant Khare for your contribution!

    • Support for Go 1.24. We follow Go's version support policy and will only support the latest two major versions of Go. Now that Go 1.24 is out, we have dropped support for Go < 1.23.

  • Two minor versions of the Java SDK, with support for server-side BatchCheck. Thanks Piotr Olaszewski for your contribution!

  • A minor release of the Go SDK, with support for the StartTime parameter in the ReadChanges method and support for specifying contextual tuples and context parameters in assertions.

  • A minor release of the FGA CLI, with support for the start-time parameter for the changes command and importing assertions during fga store import. Thanks Sujitha A V for your contribution!

Using OpenFGA for GenAI and Retrieval Augmented Generation (RAG)

We are seeing a lot of interest in using OpenFGA for RAG scenarios and we wanted to share a list of interesting articles and repositories that were published lately:

Learning OpenFGA

We've been busy creating blog posts and videos that help you adopt OpenFGA, check them out!

OpenFGA to CNCF Incubation

The CNCF Technical Oversight Committee triaged OpenFGA's application to be accepted as an "Incubation" project, decided we had provided the appropriate information and references, and moved the project to the next step. We now need to wait for a TOC member to pick the project and do their due diligence.

Thanks to Canonical, Grafana, Docker, Read.AI, Agicap, Sourcegraph, Zuplo, and Stacklok for agreeing to be interviewed by the CNCF as reference adopters!

OpenFGA in London

OpenFGA will be present in two high-profile events in London:

See You Next Month:

Fine-Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine-Grained News - January 2025

· 6 min read
Andres Aguiar
Andres Aguiar
Product Manager

Welcome to the first Fine-Grained News edition of 2025! January is always a good month to look back at what the OpenFGA community accomplished over the past year.

Major features

Below is a list of the major features that were shipped in 2024:

We heavily invested in OpenFGA performance, reducing latency by 90% in several cases. We'll continue improving performance in the following months.

But that's not all!

We are very grateful with the OpenFGA community, who helped shipping 126 releases and improvements across the board:

More community accomplishments

Future community presentations

Sam Bellen will present Can’t Touch This!, a talk about access control, including OpenFGA at JFokus Stockholm.

Poovamraj Thanganadar Thiagarajan from Okta will be presenting at KubeCon Europe, together with Jo Guerreiro from Grafana Labs about From Chaos To Control: Migrating Access Control To OpenFGA in a Multi-Tenant World.

Andres Aguiar from Okta was invited to present on the Maintainer’s Summit at KubeCon Europe aaout our experiences collaborating with the CNCF TAG-Security team: A Project Maintainers Guide To TAG Security.

Mark Laing from Canonical will present at FOSDEM about Fine-grained access control in LXD with OpenFGA.

See You Next Month:

Fine-Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine-Grained News - November 2024

· 6 min read
Caleb Hunter
Caleb Hunter
Community Engagement

Welcome to the November edition of Fine-Grained News! As we enter the final stretch of 2024, there are exciting developments in the OpenFGA to share.

🌟 We hit 3,000 stars on the OpenFGA repo!: 🌟 Because of this great community, we've just this incredible milestone! Thank you so much for all the support you've shown this project. Let's keep the momentum going! If you haven't yet, we'd greatly appreciate you starring the repo to help push us toward 4,000 stars and grow our amazing community!

Celebrating OpenFGA reaching 3,000 GitHub stars

Just Shipped

v1.8.1: This release focuses on performance and monitoring enhancements. It introduces two new flags for better control over check operations, optimizes performance for TTU relationships with set operations, and expands metrics tracking with duration measurements. Additionally, deduplication logic has been added to the BatchCheck API, along with new logging fields for authz calls. Read more in the Read more in the Changelog...

For more about the new OPENFGA_CHECK_ITERATOR_TTL and OPENFGA_CHECK_CACHE_LIMIT flags, run ./openfga run --help

Batch Check API: Introduced in v1.8.0, the BatchCheck API significantly reduces network latency by batching authorization checks in a single request. With v1.8.1, deduplication logic increasing its efficiency further. v1.8.0 also added support for Contextual Tuples in the Expand API, time-based filtering in the ReadChanges API, and additional performance improvements. Read more in the Changelog or the BatchCheck API docs.

Coming Up

SDK Updates: We will be updating the SDKs next to take advantage of the new BatchCheck, starting with Python and JavaScript. If you want to see an SDK prioritized, let us know!

Check out our roadmap to see what we're working on. Feature requests and ideas can be shared in GitHub Discussions.

Community Highlights

OpenFGA at KubeCon: In November, Andres Aguiar represented OpenFGA at KubeCon/CloudNativeCon. OpenFGA had a kiosk in the Project Pavilion, where Andres delivered a lightning talk and participated in The Policy Engines Showdown with other authorization solution providers. Watch the panel discussion...

Andres Aguiar at OpenFGA&#39;s KubeCon booth Andres Aguiar participating in The Policy Engines Showdown

Andres Aguiar representing OpenFGA at KubeCon

OpenFGA in Italy: Andrea Chiarelli presented Authorize in the Cloud with OpenFGA at Cloud Day 2024 in Milan.

Andrea Chiarelli presenting OpenFGA in Milan Andrea Chiarelli during his talk at Cloud Day 2024

Andrea Chiarelli presenting at Cloud Day 2024

OpenFGA Offsite: The team that works hard to bring you OpenFGA met in Chicago this November for a fun and productive offsite, diving deep into our vision, developer needs, and the roadmap ahead.

OpenFGA team group photo in Chicago

The OpenFGA team in Chicago

New Modeling Demos Available!: Learn how to model fine-grained authorization in OpenFGA's domain-specific language step-by-step with our new demo video series! Starting with the basics and gradually adding complexity, this playlist is your guide to mastering OpenFGA modeling.

Monthly Community Meeting: Join our in depth monthly community discussions every second Thursday at 11 AM Eastern Time (US). Check out our meeting details for more information.

November's highlights included:

  • Sebastian Döll from ZEISS showcasing their Terraform/OpenFGA integration.
  • Justin Cohen demonstrating the new Batch Check functionality.

Can't make it? Catch up on our latest recording or browse previous sessions on our YouTube channel.

Blogs and Videos for AuthZ Fans:

  • Granting TTL based permissions in OpenFGA: Implement TTL-based permissions in OpenFGA for time-limited access control. Read more on Medium...
  • Overcoming Security Challenges in Protecting Shared Generative AI Environments: Explore solutions for ensuring secure, scalable, and efficient multi-tenancy in generative AI environments. Read more on Medium...
  • Fine-Grained Authorization for Backstage using OpenFGA: Learn how OpenFGA enables dynamic fine-grained authorization in Backstage through ReBAC models and seamless policy updates. See the webinar on YouTube...

New Adopters

  • Are you using OpenFGA in production? Join our growing community of adopters! Add your company to our ADOPTERS.md file with a quick PR.

  • Do you offer OpenFGA implementation services? Get listed in our Implementation Services directory. Note: Listings are community-contributed and not officially endorsed by the OpenFGA project.

Announcements

OpenFGA Ranked #5 in CNCF Project Contributions! Thanks to our amazing community, OpenFGA soared to become the 5th most active CNCF project during Hacktoberfest in October! Your contributions made this possible, and hope to continue the engagement!

Ready to join our community of contributors? We have opportunities for every skill level:

CNCF projects ranked by commits during Hacktoberfest

CNCF Projects Ranked by Commits during Hacktoberfest

Follow OpenFGA on LinkedIn Connect with a growing community of fine-grained authorization enthusiasts and expand your professional network by following our new OpenFGA LinkedIn page!

OpenFGA&#39;s LinkedIn page

See You Next Month:

Fine-Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine-Grained News - October 2024

· 6 min read
Caleb Hunter
Caleb Hunter
Community Engagement

Welcome to the October edition of Fine-Grained News! As we approach the end of the year, we're excited to bring you the latest updates, improvements, and community contributions shaping the future of OpenFGA.

As always, if you’re finding the OpenFGA project to be a valuable resource, we would greatly appreciate if you would star our repo on GitHub to show your support!⭐

Just Shipped

  • OpenFGA v1.7.0: In our latest release, we’ve introduced Access Control. This experimental feature allows you to control access to your OpenFGA server, and of course, we built it using OpenFGA! We’ve updated our Docs to show you how to enable this feature; please share your feedback in the GitHub Discussions!

  • This month, we’ve also added documentation of our OpenFGA release process.

  • We’ve improved performance for checks involving nested tuple-to-userset relations. This is commonly used when implementing nested groups. Users can enable this with the experimental flag enable-check-optimizations.

  • Following last month’s launch of OpenFGA SDK support for telemetry data using OpenTelemetry, we’ve also updated our Docs to guide users through configuration to collect tracing data and metrics.

In Progress

Batch Check API Endpoint: We’re close to releasing a new feature to enable sending multiple check operations in a single network request.

Check out our roadmap to see what’s in the works. Feature requests and ideas can be shared in GitHub Discussions.

Community Highlights

  • OpenFGA at Open Source Strategy Forum 2024: Kiah Imani presented “Role-Based Access Is So Yesterday: Revolutionizing Authorization with OpenFGA” at the OSSF 2024 earlier this month. The presentation is now available in Youtube Kiah Imani

  • OpenFGA at KubeCon: Andres Aguiar will participate in KubeCon/CloudNativeCon in November! OpenFGA will have a Kiosk in the Project Pavilion. He'll present a lightning talk on OpenFGA and participate in The Policy Engines Showdown.
    Andres Aguiar

  • OpenFGA in Italy: Andrea Chiarelli will present Authorize in the Cloud with OpenFGA at Cloud Day 2024 in Milan on November 20, 2024.
    Andrea Chiarelli

  • New Demp Flask App Added: To complement our OpenFGA examples and guides, we have published an example app demonstrating the integration of OpenFGA. This app utilizes several FGA features to provide a multi-user system for folder and text file sharing. Thanks to @ryanpq for your contribution!
    Ryan Quinn

  • Monthly Community Meeting: Join us for our monthly Community Meetings, held on the second Thursday of every month at 11 AM Eastern Time (US). Our next meeting is on Thursday, November 14, 2024. Our community meetings are a great way to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. If you can’t join the meetings live, our latest month's video will always be posted on our YouTube channel!

    As always, we welcome community members to demo their use cases. If you want to demo your implementation of OpenFGA, please contact any of the OpenFGA team on our community channels linked below.

New Adopters

  • This month, we welcome Gillion and Flex as OpenFGA adopters! If you or your company have implemented OpenFGA, we would love to hear about it! Please add your name as an adopter by updating the ADOPTERS.md file and sending us a PR.

  • If you or your company provides implementation services for OpenFGA, we invite you to share your information with the community in our Implementation Services section of the ADOPTERS.md file by sending us a PR! However, please note that the OpenFGA project has not evaluated or endorsed the individuals and companies listed, and inclusion does not imply endorsement.

Announcements

  • Hacktoberfest Highlights: This Hacktoberfest, we welcomed 13 new contributors making their first commit to OpenFGA! Thanks to the incredible community participation, we saw a 28% increase in pull requests compared to September and a remarkable 260% increase in PRs on the SDK Generator. A huge thanks to this community for your continued participation and contributions!

  • OpenFGA Community Meeting Updates: We are adding chapters to our YouTube channel videos to simplify content navigation. We’ve begun with the most recent videos and will add chapters as time goes on. We have also begun releasing demos as individual videos for easier content consumption. You can catch this month’s demos on Modular Authorization and Client-Side Caching, with Materialize Integration coming soon!

See you Next Month

Fine-Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine-Grained News - September 2024

· 5 min read
Caleb Hunter
Caleb Hunter
Community Engagement

Welcome to the September edition of Fine-Grained News! As we transition into the fall season, we’re excited to bring you the latest updates on the progress of OpenFGA.

Just Shipped

In Progress

  • Authorization for OpenFGA: OpenFGA currently supports global pre-shared keys and OIDC for API authentication, but we’re exploring more granular authorization options, such as store-specific credentials and varying permissions for stores, modules, and types.

  • Batch Check: OpenFGA SDKs currently implement BatchCheck by issuing multiple parallel request to the OpenFGA server. We'll be implementing a BatchCheck server endpoint to improve performance and reduce network overhead.

Check out our roadmap to see what’s in the works. Feature requests and ideas can be shared in GitHub Discussions.

Community Highlights

New Adopters

  • If you or your company have implemented OpenFGA, we would love to hear about it! Please add your name as yourself as an adopter by updating the Adopters.md file and send us a PR.
  • If you or your company provides implementation services for OpenFGA, we invite you to share your information with the community in our Implementation Services section of the Adopters.md file by sending us a PR! However, please note that the listed individuals and companies have not been evaluated or endorsed by the OpenFGA project, and inclusion on the list does not imply endorsement.

Announcements

  • Hacktoberfest 2024: Hacktoberfest is a month long celebration of open source software which encourages new and experienced developers alike to contribute code to open source projects during the month of October. This makes October a great time to become an OpenFGA contributor! We have labeled a number of issues on GitHub with "Hacktoberfest" and "Good First Issue" labels making it easy to find a way to get involved and have your code included in OpenFGA.
  • Monthly Community Meeting: Join us for our monthly Community Meetings, held on the second Thursday of every month at 11 AM Eastern Time (US). Our next meeting is on Thursday, October 10, 2024. Our community meetings are a great way to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. If you would like to demo your implementation of OpenFGA, please reach out to us on any of our community channels or at [email protected]. You can find the link to the meeting invite here. We look forward to seeing you there!

See You Next Month!

Fine-Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Fine-Grained News - August 2024

· 6 min read
Caleb Hunter
Caleb Hunter
Community Engagement

Welcome to the August 2024 edition of Fine-Grained News! We are excited to bring you the latest updates, features, and community highlights from OpenFGA.

Just Shipped!

Security Advisory

We recently addressed a security issue, identified as GHSA-3f6g-m4hr-59h8, that was present in OpenFGA v1.5.7 and v1.5.8. This issue has been fixed starting v1.5.9, and we strongly recommend all users update to the latest version to ensure their systems remain secure. For more details, please refer to the security advisory on our GitHub page.

In Progress

Curious about what’s coming next for OpenFGA? Check out our roadmap to see what’s in store. We also welcome your feature requests and ideas in GitHub Discussions.

Community Highlights

  • CNCF Security TAG: This month, Andrés Aguiar presented OpenFGA to the CNCF Security Technical Advisory Group (TAG), where he discussed the project's current status and showcased various use cases. You can see the presentation deck here. It’s a great way to see how OpenFGA is being utilized and what’s on the horizon for the project.
  • API Security: APISIX + OpenFGA: Check out this blog post by Kaan Kahraman on enhancing API security by integrating APISIX with OpenFGA.

Upcoming Events

New Adopters

We want to welcome Patika Global Technology as an OpenFGA adopter! If you're using OpenFGA in production, we encourage you to add your company or project to our Adopters list by opening a PR. Please include a short description of your use case in your submission. If you’ve previously added your company or project to the adopter's list, we would appreciate you updating it to include a short description. Your contributions help the community, and we greatly appreciate your support!

OpenFGA Service Providers

We’ve added a new section within the Adopters list for those offering OpenFGA implementation services. If your organization wants help adopting OpenFGA, this resource can connect you with professionals specializing in our technology. If your company provides implementation services for OpenFGA, we invite you to add your details by sending us a PR! Please note that the listed companies have not been individually evaluated or endorsed by the OpenFGA project, and inclusion on the list does not imply endorsement.

Announcements

  • OpenFGA Joins Docker-Sponsored Open Source Program: We’re excited to share that OpenFGA has been accepted into the Docker-Sponsored Open Source Program! This partnership allows us to distribute our container image more efficiently and securely, ensuring that our community can easily access and trust the latest versions of OpenFGA on Docker Hub with higher rate limits.
  • 2024 Community Survey Participation: A huge thank you to everyone who participated in the 2024 Community Survey! Your insights are invaluable in helping us shape the future of OpenFGA. We truly appreciate the time and thought you put into sharing your experiences and suggestions. Remember, we always welcome feedback across our community channels — your input is what drives us forward.
  • Monthly Community Meeting: Join us for our monthly Community Meetings, held on the second Thursday of every month at 11 AM Eastern Time (US). Our next meeting is on Thursday, September 12, 2024. These meetings are a fantastic opportunity to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. You can find the link to the meeting invite here. We look forward to seeing you there!

See You Next Month!

Fine-Grained News is published every month. Although we have transitioned from Discord to the CNCF Slack channel, we want to continue to hear from you! Whether you have questions or feedback or just want to connect with others using OpenFGA, our community channels are the best place to do so. You can reach us at:

  • CNCF Slack: Join the conversation in the #openfga channel. Please note: If you are not currently part of the CNCF Slack channel, you will need to click here to join the channel first.
  • GitHub Discussions: Share your feedback, ask questions, and engage with the community on GitHub Discussions.
  • Twitter: Follow us @openfga for updates and news.

Visit our community page for more details and to join these channels. We look forward to your contributions and conversations!

Fine-Grained News - July 2024

· 5 min read
Caleb Hunter
Caleb Hunter
Community Engagement

Welcome to the July 2024 edition of Fine-Grained News! We are thrilled to bring you the latest updates, features, and community highlights from OpenFGA. This month has included releases, performance improvements, and insights shared through our community meetings and presentations.

We value your feedback and invite you to participate in our 2024 OpenFGA Community Survey. Your insights help us understand your needs better and improve our offerings. Please take a few minutes to complete the survey and let your voice be heard.

Improvements

Latest Features

  • We’ve introduced consistency options for query requests. This new, experimental, feature provides more flexibility and control over how queries are executed, enhancing the accuracy and reliability of query results. Learn more about this update.

  • We’re now publishing images to ghcr.io/openfga/openfga as an alternative to DockerHub, thanks to the contribution from @JAORMX. This provides an additional option for accessing and deploying our containers. Read more.

Performance Improvements

  • We've improved our Check latency up to 20X in some scenarios in OpenFGA v1.5.7 and v1.5.6.

If you have any feedback, or want to try a feature early, or are interested to learn more, please reach out!

Breaking Changes

Several breaking changes related to the storage interface have been introduced. These changes should not impact your usage of OpenFGA unless you are implementing a custom storage adapter for OpenFGA.

In Progress

  • Additional Consistency Options for OpenFGA queries: We've just shipped the first iteration of this feature, we're working on adding support for it in more SDKs. We’ll also be working on adding a consistency token in the future.

  • Telemetry for SDKs: We shipped OpenTelemetry Metrics support for Python and Javascript. We’ll be adding metrics support to the rest of the SDKs and then add support for tracing and logging. If you have feedback regarding our OpenTelemetry support, please do reach out on any of our community channels.

  • We’ll keep working on Performance Improvements for Check, List Objects and List Users APIs.

  • We’ll be adding additional authorization options for OpenFGA to restrict API credentials to performing specific actions in OpenFGA stores.

  • We collaborated with members of the CNCF TAG-Security team for a few weeks to get it wrapped up (thanks Krishna Krishna and Eddie for your help).

Community Highlights

  • Check out July’s Community Meeting! It's a great opportunity to stay updated with the latest developments, ask questions, and engage with the OpenFGA community.

  • Maria Ines Parnisari from the OpenFGA team and Evan Anderson from Stacklok presented on Implementing a Multi-Tenant, Relationship-Based Authorization Model with OpenFGA at CloudNative SecurityCon North America. If you didn’t attend the conference in June, the presentation recording is now live.

  • This month, Andres Aguiar and Damian Schenkelman appeared in the Identerati Office Hours livestream for an in-depth exploration of OpenFGA. This video covers advanced topics and provides valuable insights into the capabilities and implementation of OpenFGA. Whether you're a seasoned user or new to OpenFGA, this deep dive is packed with information that will enhance your understanding and usage of the platform.

  • Andres Aguiar sat down with Open at Intel host Katherine Druckman during KubeCon Europe to discuss OpenFGA. You can hear that podcast here.

New Adopters

We’re happy to share that Bump is now an OpenFGA adopter! If you are using OpenFGA in production, please consider adding your company or project to our list. Your contribution will be greatly appreciated!

Announcements

Join us for our monthly Community Meetings, held on the second Thursday of every month at 11am Eastern Time (US). Our next meeting is on Thursday, August 8, 2024. These meetings are a fantastic opportunity to stay updated with the latest developments, ask questions, and engage with the OpenFGA community. You can find the link to the meeting invite here. We look forward to seeing you there!

Transitioning from Discord to CNCF's Slack

As a reminder, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See You Next Month!

Fine-Grained News is published every month. If you have any feedback, want to share your OpenFGA story, or have a noteworthy update, please let us know on any of our community channels or at [email protected].

Query Consistency Options in OpenFGA

· 2 min read
Andres Aguiar
Andres Aguiar
Product Manager

OpenFGA query APIs now allow specifying the desired consistency of query results. By default, OpenFGA does not use a cache. However, when caching is enabled, it applies to all requests. This means that any changes in permissions won't be reflected in authorization checks during the cache TTL period.

The community expressed the need for flexibility in using the cache on a per-request basis. In response, starting with OpenFGA v1.5.7, all query APIs can accept a consistency parameter with the following values:

NameDescription
MINIMIZE_LATENCY (default)OpenFGA will try to minimize latency (e.g. by making use of the cache)
HIGHER_CONSISTENCYOpenFGA will try to optimize for stronger consistency (e.g. by bypassing cache)

When HIGHER_CONSISTENCY is specified, OpenFGA reads directly from the database, even when the cache is enabled.

How to use it?

The new consistency parameter is available in OpenFGA starting v1.5.7.

The parameter is supported by all OpenFGA SDKs.

For more information on enabling the cache and best practices for specifying consistency values, refer to the documentation.

Custom database adapter implementations

For those with a custom database adapter for a multi-region database, the behavior of the HIGHER_CONSISTENCY parameter can be defined according to your needs. With an eventually consistent database (e.g., Dynamo DB) in a multi-region setup, there will be replication lag even if the cache is bypassed. If the database supports strong reads, you can choose to perform those at an extra cost. Otherwise, you can perform an eventually consistent read without providing full consistency semantics to the caller. In some other databases where you have Read/Write replicas, you may choose to go to the Write replica when the HIGHER_CONSISTENCY preference is selected.

Future work

Google Zanzibar features a consistency token called Zookies, returned from write operations. This token can be stored in a resource table and specified in subsequent query API calls. We are considering introducing a similar feature in future releases.

We want your feedback!

We want to learn how you use this API and how we can improve it!

Please reach out through our community channels with any questions or feedback.