Skip to main content

Modular Models

· 2 min read

Modular models aims to improve the model authoring experience when multiple teams are maintaining a model, such as:

  • A model can grow large and difficult to understand
  • As more teams begin to contribute to a model, the ownership boundaries may not be clear and code review processes might not scale

With modular models, a single model can be separated across multiple files allow grouping of types and conditions into modules. This means that a model can be organized more easily in terms of team or organizational structure. Used in conjunction with features such as GitHub, GitLab or Gitea's code owners, it should become easier to ensure the owners of a portion of your model are correctly assigned to review it.

How to use it?

Modular models is available in the latest version of OpenFGA. To use it you need to:

What's next?

Looking beyond the near term, modular models allows us to implement additional API authorization options for OpenFGA.

Reach out!

We want to learn how you use this feature and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Fine Grained News - March 2024

· 3 min read
Andres Aguiar
Product Manager

Welcome to Fine Grained News, KubeCon Edition!

KubeCon Europe 2024 was super-busy!

You can now watch online:

Also, thanks to everyone who stopped by the OpenFGA Kiosk in the Project Pavilion to share their feedback about the project or learn more about it!

CNCF incubation

As you may know, the CNCF has three stages for projects: Sandbox, Incubation, and Graduation. OpenFGA is currently a Sandbox project.

We are very happy to announce that we just applied for Incubation! We are excited about this step and will keep you posted on the progress.

New Adopters

The OpenFGA community maintains a list of products/projects/companies that are using OpenFGA in production. We'd like to thank thank the following adopters for adding themselves to the list in the last month:

If you are using OpenFGA in production, please consider adding your company/project to the list.

Community News

New Releases

We just shipped a release candidate of Modular Models, that makes it easy for multiple teams to collaborate in a single OpenFGA model. It requires the following components:

We also shipped new version of our SDKs with several fixes:

Transitioning from Discord to CNCF's Slack

As we mentioned in the last edition, we transitioned out from Discord for OpenFGA and are now using the CNCF #openfga Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!

Fine Grained News are published every month. If you have any feedback, want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Fine Grained News - February 2024

· 3 min read
Andres Aguiar
Product Manager

Welcome to the 3rd edition of Fine Grained News!

KubeCon Europe 2024 is getting closer!

We'll be pretty busy during KubeCon Europe 2024:

We'll also have a kiosk in the CNCF Project Pavilion, so if you plan to attend let us know and we can schedule some time together!

Documentation Improvements

We keep improving our documentation, and added a few new documents that you might find interesting:

  • Learn how to use the FGA CLI to perform every possible operation on OpenFGA and simplify most common workflows.

  • Learn how you can test FGA models as part of your development flow or CI/CD pipelines, without the need to run an OpenFGA server.

  • Learn how you can include identity token claims contextual tuples to model ABAC-like scenarios or simplify data integrations with OpenFGA.

OpenFGA in the Java Ecosystem

OpenFGA is getting bigger on the Java world! We are working with the Spring Security team to build an Spring Security integration for OpenFGA. You can check the ideas we are exploring in this repository.

Also, the Testcontainers team added an OpenFGA integration for Java to make it simple to write integration tests for applications using OpenFGA.

We'd love to hear your feedback!

SDK Improvements

New releases with bug fixes and improvements:

Modular Models

We wrapped up the RFC for Modular Models, which will enable multiple teams to work on different parts of the model independently and we are now working on the implementation. We'd love feedback on the RFC.

Wait for a demo on our next Community Meeting!

Community News

Transitioning from Discord to CNCF's Slack

As you may know, we've been using Discord for the OpenFGA community. We’ll transition it to the CNCF OpenFGA Slack channel. If you are not part of the CNCF Slack workspace, you need to join the CNCF Slack first.

See you next month!

Fine Grained News are published every month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Fine Grained News - January 2024

· 4 min read
Andres Aguiar
Product Manager

Welcome to the 2nd edition of Fine Grained News!

Team News

The OpenFGA team got bigger, and we met in person in Toronto for the first time! We got to know each other better, helped new team members to get familiar with the project, hacked some code, had some fun with ax throwing, and loved Toronto's weather!

OpenFGA Team

KubeCon Europe 2024!

We got two presentations accepted in KubeCon Europe!

We'll also have a Project Kiosk, so if you plan to attend let us know and we can schedule some time together!

OpenFGA ⚡️Enlightning Session!

Our own Raghd Hamzeh will join Whitney Lee in a Tanzu ⚡️Enlightning session on February 8th at 9am PT.

Join their Youtube stream here.

Visual Studio Code Integration Enhancements

We keep investing in improving our VS Code experience. The video below shows how, in addition to validating the model, we can validate the tuple content and the tests.

We are identifying:

  • Invalid object types, user types, and relations when defining tuples.
  • Invalid object types, user types, and relations when defining tests.
  • User id or object id that was not included in any tuple in check tests.

This helps authoring/testing models, making the whole process less error prone and more fun!

VS Code

CLI improvements

We love the FGA CLI and we keep making it even better.

We had a few of contributions from new team members and the community :).

  • You can now import tuples from a CSV file. We supported JSON/YAML, but if you are exporting data from a database, producing to CSV is way simpler.
  • You can take a .fga.yaml file with a model and tuples, and get it imported in OpenFGA.
  • Added support for specifying an external tuple_file in .fga.yaml files.
  • Added support for specifying a continuation_token when calling fga tuple changes.
  • Support for configuring OAuth scopes to authenticate to OIDC servers.

Check the updated documentation in our CLI repository

Thanks to Yann D'Isanto for all your help on this!

OpenFGA v1.4.3

We just shipped OpenFGA v1.4.3, with performance improvements and one security issue fixed. We recommend everyone to upgrade to the latest release.

SDK Improvements

New releases with bug fixes and improvements:

Thanks again to Yann D'Isanto for your help on the Java SDK!

Language Improvements

The DSL language now has better support for comments and mixed operator support, where you can use parentheses to group expressions when defining relations:

DSL improvements

It's available in the VS Code extension, the CLI and the Playground.

Github Actions

We shipped a couple of Github Actions that help you deploy FGA models, and run model tests as part of your CI/CD build. Find them here.

What's Next? Check our RFCs!

We've been discussing with the OpenFGA community a couple of RFCs that we are planning to implement in the next few weeks:

Please take a look at them and let us know what you think!

OpenFGA Community

We have a very welcoming community, and we'd love to have you there! You can join us in different ways:

See you next month!

Fine Grained News are published every month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Fine Grained News - December 2023

· 4 min read
Andres Aguiar
Product Manager

Hi Everyone!

We've been publishing a monthly internal newsletter we called Fine Grained News since the beginning on 2023, and we just thought it would be a good idea to share it with the community. Yeah, we are slow thinkers!

You can expect to find here a summary of what we've been up to, what we are planning to do, and some other random stuff we think you might find interesting.

Team News

We always start our Monthly Community Meetings presenting the team. If you attended the last one, you've seen that the size of the team has grown quite a bit! We are pretty excited about the impact it will have in OpenFGA and the authorization space in general.

Behavior Driven Development with OpenFGA

In our last Community Meeting, the Agicap team (Pauline and Yann) demoed how they are using OpenFGA to implement Behavior Driven Development (BDD) in their authorization system.

The screenshot below might be enough to understand what they are doing, but if you want to know more, you can watch the full presentation here.

bdd demo

GoDaddy & OpenFGA

GoDaddy has been working with OpenFGA for a few months. They just published a document explaining why they picked OpenFGA, and how they used to address the authorization challenges they were facing.

Some interesting tidbits:

  • They implemented their own DynamoDB Storage Adapter, as they were heavy Dynamo DB users and liked the eventual consistency model it provided.
  • They needed Contextual Tuples to fully support their use case.

Read the full article here.

Canonical & OpenFGA

Canonical has also been working with OpenFGA for a while, and it's adding OpenFGA to different layers in their stack.

OpenFGA at Canonical

They just announced that OpenFGA support is included in LXD and MicroCloud.

Pretty soon, if you are using Ubuntu Pro, you will be using OpenFGA :).

OpenFGA v1.4!

Last week we released OpenFGA v1.4! This release includes our support for Conditional Relationship Tuples, which helps implementing additional Attribute-Based Access Control scenarios like temporal access, IP based access, bank transfer limits, SaaS application plans, and much more!

You can read more about it here.

SDK Improvements

  • The Java SDK has now feature parity with the rest of the our SDKs. It can be used from any language for the Java VM. You can see examples on Kotlin, Groovy and Scala here.

  • The Python SDK was updated to support synchronous clients, support custom SSL certificates, and better performance in batch checks.

Language Improvements

We've been working on the OpenFGA language with some long-due improvements. Soon, you'll be able to use parentheses to group expressions when defining relations:

DSL improvements

The syntax is still not supported in the FGA CLI, but we are pretty close. Daniel demoed it in our latest community meeting, you can see the full demo here.

VS Code Extension Improvements

We have also been improving tuple validation when writing fga.yaml files, and it's pretty cool! Works on Daniel's machine for now :).

Tuple Validation Demo

Daniel also demoed it in our latest community meeting, watch it here.

KubeCon EU 2024

We are getting ready for KubeCon Europe 2024, in Paris. We'll have a Project Kiosk, and we have submitted a few talks. We'll keep you posted!

OpenFGA Community

We have a very welcoming community, and we'd love to have you there! You can join us in different ways:

See you next month!

We'll keep publishing our Fine Grained News each month, after the OpenFGA community meeting. If you have any feedback, you want to share your OpenFGA story, or know about something that you think is worth mentioning, please let us know!

Conditional Relationship Tuples for OpenFGA

· 5 min read
Andres Aguiar
Product Manager

Relationship Tuples are the facts that the OpenFGA evaluates to determine whether a user is permitted to access a resource.

The way tuples are considered when making authorization decisions in OpenFGA is guided by an authorization model, which employs concepts from Relationship-Based Access Control (ReBAC) to establish authorization policies. For instance, you might declare that users are allowed to view a document if they have permission to view its parent folder.

Although ReBAC offers a highly flexible method for structuring permissions, it encounters difficulties with defining permissions based on attributes that are not easily represented as relationships. Attributes such as “parent folder,” “department,” “region,” and “country” can be conceptualized as relationships between two entities. However, attributes like “IP address,” “time of day,” “team size limit,” or “maximum amount for a bank transfer” cannot be easily handled.

In our ongoing efforts to expand OpenFGA’s capacity for articulating a broader range of authorization policies, we are introducing Conditional Relationship Tuples. These allow for the specification of conditions under which a particular tuple is relevant when evaluating an authorization query.

Consider the following example, where we utilize Conditional Tuples to grant access for a user over a specified time duration. We stipulate that a user may be granted either unconditional access or access constrained to a certain time period:

model
schema 1.1

type user

type document
relations
define viewer: [user, user with non_expired_grant]

condition non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
current_time < grant_time + grant_duration
}

If we write the following tuples:

userrelationobjectcondition
user:bobviewerdocument:1
user:anneviewerdocument:1name : non_expired_grant, context : { grant_time : 2023-01-01T00:00:00Z, grant_duration : 1h }

You'll get the following results for the Check operations below:

userrelationobjectcontextresult
user:bobviewerdocument:1allowed : true
user:anneviewerdocument:1current_time : 2023-01-01T00:10:00Zallowed : true
user:anneviewerdocument:1current_time : 2023-01-01T02:00:00Zallowed : false
user:anneviewerdocument:1error : "failed to evaluate relationship condition 'non_expired_grant': context is missing parameters '[current_time]'

You'll get the following results for the ListObjects operations below:

userrelationobjectcontextresult
user:anneviewerdocument:1current_time : 2023-01-01T00:10:00Zobjects: [ "document:1"]
user:anneviewerdocument:1error: "failed to evaluate relationship condition 'non_expired_grant': tuple 'document:1#viewer@user:anne' is missing context parameters '[current_time]'

Note that:

  • user:bob will always get allowed:true as we have assigned as viewer unconditionally.
  • user:anne will get allowed:true if the current_time is before the grant_time + grant_duration and allowed:false otherwise.
  • If you don't provide the current_time in the context, the Check and ListObjects operations will fail.

Use Cases

The OpenFGA Sample Stores repository has several examples that take advantage of this new feature:

How to use it?

Conditional Relationship Tuples are included in OpenFGA 1.4.0-rc1 version. You can run it by pulling it from docker:

docker pull openfga/openfga:v1.4.0-rc1
docker run -p 8080:8080 -p 8081:8081 -p 3000:3000 openfga/openfga:v1.4.0-rc1 run`

OpenFGA has a rich ecosystem of developer tools. The following have been updated to support Conditional Relationship Tuples:

What’s Next?

We’ll address some limitations of the current implementation:

  • The Expand API does not consider conditions.
  • The Visual Studio Code integration is not validating the expressions in conditions.
  • The Playground does not let you add context for tuples and assertions. You should use the VS Code Extension + the FGA CLI to test your models for now.

We'll also improve ListObjects scenarios when it's called with missing context. For example, consider the following model that enables access only to documents with a specific status:

model
schema 1.1

type user

type document
relations
define can_access: [user with docs_in_draft_status]

condition docs_in_draft_status(status: string) {
status == "draft"
}

If you want to list all the documents a user can view, you'll need to know the status of all of those documents. Given you don't know the documents the user has access too, you can't send the status of those as a parameter to ListObjects.

Our goal is to return a structure that you can use to filter documents on your side, similar to: (document.id = ‘1’ and document.status = ‘draft’) or (document.id = ‘2’ and.status = draft)
This won’t scale to a large number of documents, but would be useful in some scenarios.

Reach out!

We want to learn how you use this feature and how we can improve it!

Please reach out through our community channels with any questions or feedback.

Join the OpenFGA team at KubeCon NA 2023

· One min read
Andres Aguiar
Product Manager

As you'd expect, the OpenFGA team will be at KubeCon NA 2023 in Chicago, IL!

We'll have a packed agenda for the week:

  • Jonathan Whitaker and Lucas Käldström will be presenting in Could_Native Rejects on how to use OpenFGA to manage and extend authorization in Kubernetes. Learn more here.

  • Maria Ines Parnisari and Andres Aguiar will be presenting in AppDeveloperCon about modernizing authorization for cloud native applications using OpenFGA. Learn more here.

  • We'll host a Project Meeting on Monday 9.30 AM in the Hudson room at the Hilton Garden Inn. We'll share how the product is being used, demo the latests features like our new CLI, the VS Code Extension, Conditional Relationships, the Java SDK... and more!

  • We'll be in the CNCF Project Pavilion during the afternoons.

  • We'll host our OpenFGA community meeting directly from KubeCon on Thursday 9th at 3PM UTC (8AM PST/11AM EST).

If you want to meet with the team outside of these events, please pick any spot that works for you in our calendar.

See you in Chicago!