Skip to main content

Modeling GitHub permissions with OpenFGA

This tutorial explains how to model GitHub's Organization permission model using OpenFGA. This article from the GitHub docs has links to all other articles we are going to be exploring in this document.

What you will learn
  • Indicate relationships between a group of users and an object. See Modeling User Groups for more details.
    Used here to indicate that all members of an organization are repository admins on the organization.
  • Modeling concentric relationship to have a certain relation on an object imply another relation on the same object. See Modeling Concepts: Concentric Relationships for more.
    Used here to indicate that maintainers of a repository are also writers of that repository.
  • Using the union operator condition to indicate that a user might have a certain relation with an object if they match any of the criteria indicated.
    Used here to indicate that a user can be a reader on a repository, or can have the reader relationship implied through triager.
  • Model parent-child objects to indicate that a user having a relationship with a certain object implies having a relationship with another object in OpenFGA.
    Used here to indicate that a repository admin on a GitHub organization, is an admin on all repositories that organization owns.

Before you start

In order to understand this guide correctly you must be familiar with some OpenFGA concepts and know how to develop the things that we will list below.

OpenFGA concepts

It would be helpful to have an understanding of some concepts of OpenFGA before you start.

Modeling concentric relationships

You need to know how to update the authorization model to allow having nested relations such as all writers are readers. Learn more →

Modeling object-to-object relationships

You need to know how to create relationships between objects and how that might affect a user's relationships to those objects. Learn more →

Used here to indicate that users who have repo admin access on an organization, have admin access to all repositories owned by that organization.

Concepts & configuration language

What you will be modeling

GitHub is a system to develop and collaborate on code.

In this tutorial, you will build a subset of the GitHub permission model (detailed below) in OpenFGA, using some scenarios to validate the model.

Note: For brevity, this tutorial will not model all of GitHub's permissions. Instead, it will focus on modeling for the scenarios outlined below

Requirements

GitHub's permission model is represented in their documentation.

In this tutorial, you will be focusing on a subset of these permissions.

Requirements:

  • Users can be admins, maintainers, writers, triagers or readers of repositories (each level inherits all access of the level lower than it. e.g. admins inherit maintainer access and so forth)
  • Teams can have members
  • Organizations can have members
  • Organizations can own repositories
  • Users can have repository admin access on organizations, and thus have admin access to all repositories owned by that organization

Defined scenarios

There will be the following users:

  • Anne
  • Beth
  • Charles, a member of the contoso/engineering team
  • Diane, a member of the contoso/protocols team
  • Erik, a member of the contoso org

And these requirements:

  • members of the contoso/protocols team are members of the contoso/engineering team
  • members of the contoso org are repo_admins on the org
  • repo admins on the org are admins on all the repos the org owns

There will be a:

  • contoso/tooling repository, owned by the contoso org and of which Beth is a writer and Anne is a reader and members of the contoso/engineering team are admins

Modeling GitHub's permissions

01. Permissions For Individuals In An Org

GitHub has 5 different permission levels for repositories:

Image showing github permission levels

At the end of this section we want to end up with the following permissions represented:

Image showing permissions

To represent permissions in OpenFGA we use relations. For repository permissions we need to create the following authorization model:

model
schema 1.1

type user

type repo
relations
define reader: [user]
define triager: [user]
define writer: [user]
define maintainer: [user]
define admin: [user]

The OpenFGA service determines if a user has access to an object by checking if the user has a relation to that object. Let us examine one of those relations in detail:

model
schema 1.1

type user

type repo
relations
define reader: [user]
info

Objects of type "repo" have users related to them as "reader" if those users belong to the userset of all users related to the repo as "reader"

If we want to say anne is a reader of repository repo:contoso/tooling we create this relationship tuple:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

await fgaClient.write({
writes: [
{"user":"user:anne","relation":"reader","object":"repo:contoso/tooling"}
],
}, {
authorization_model_id: "01HVMMBCMGZNT3SED4Z17ECXCA"
});

We can now ask OpenFGA "is anne a reader of repository repo:contoso/tooling?"

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:anne',
relation: 'reader',
object: 'repo:contoso/tooling',
}, {
authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true

We could also say that beth is a writer of the same repository:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

await fgaClient.write({
writes: [
{"user":"user:beth","relation":"writer","object":"repo:contoso/tooling"}
],
}, {
authorization_model_id: "01HVMMBCMGZNT3SED4Z17ECXCA"
});

And ask some questions to OpenFGA:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:beth',
relation: 'writer',
object: 'repo:contoso/tooling',
}, {
authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true
Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:beth',
relation: 'reader',
object: 'repo:contoso/tooling',
}, {
authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = false

The first reply makes sense but the second one does not. Intuitively, if beth was writer, she was also be a reader. In fact, GitHub explains this in their documentation Showing various GitHub repo access level

To make OpenFGA aware of this "concentric" permission model we need to update our definitions:

model
schema 1.1

type user

type repo
relations
define reader: [user] or triager
define triager: [user] or writer
define writer: [user] or maintainer
define maintainer: [user] or admin
define admin: [user]

Let us examine one of those relations in detail:


type repo
relations
define reader: [user] or triager
info

The users with a reader relationship to a certain object of type "repo" are any of:

  • the "readers": the set of users who are directly related to the repo as a "reader"
  • the "triagers": the set of users who are related to the object as "triager"

With this simple update our model now supports nested definitions and now:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:beth',
relation: 'writer',
object: 'repo:contoso/tooling',
}, {
authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true
Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:beth',
relation: 'reader',
object: 'repo:contoso/tooling',
}, {
authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true

02. Permissions for teams in an org

GitHub also supports creating teams in an organization, adding members to a team and granting teams permissions, rather than individuals.

At the end of this section we want to end up with the following permissions represented:

Image showing permissions

To add support for teams and memberships all we need to do is add this object to the OpenFGA authorization model:

model
schema 1.1

type team
relations
define member: [user, team#member]

In addition, the repo's relations should have team member as a directly related user types.

model
schema 1.1

type user

type repo
relations
define reader: [user, team#member] or triager
define triager: [user, team#member] or writer
define writer: [user, team#member] or maintainer
define maintainer: [user, team#member] or admin
define admin: [user, team#member]

Let us now create a team, add a member to it and make it an admin of repo:contoso/tooling by adding the following relationship tuples:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

await fgaClient.write({
writes: [
// make charles a member of the contoso/engineering team
{"_description":"make charles a member of the contoso/engineering team","user":"user:charles","relation":"member","object":"team:contoso/engineering"},
// make members of contoso/engineering team admins of contoso/tooling
{"_description":"make members of contoso/engineering team admins of contoso/tooling","user":"team:contoso/engineering#member","relation":"admin","object":"repo:contoso/tooling"}
],
}, {
authorization_model_id: "01HVMMBCMGZNT3SED4Z17ECXCA"
});

The last relationship tuple introduces a new OpenFGA concept. A userset. When the value of a user is formatted like this type:objectId#relation, OpenFGA will automatically expand the userset into all its individual user identifiers:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

// Run a check
const { allowed } = await fgaClient.check({
user: 'user:charles',
relation: 'admin',
object: 'repo:contoso/tooling',
}, {
authorization_model_id: '01HVMMBCMGZNT3SED4Z17ECXCA',
});

// allowed = true

03. Permissions for child teams in an org

GitHub also supports team nesting, known as "child teams". Child teams inherit the access permissions of the parent team. Let's say we have a protocols team that is part of the engineering. The simplest way to achieve the aforementioned requirement is just adding this relationship tuple:

Initialize the SDK
// ApiTokenIssuer, ApiAudience, ClientId and ClientSecret are optional.
// import the SDK
const { OpenFgaClient } = require('@openfga/sdk');

// Initialize the SDK with no auth - see "How to setup SDK client" for more options
const fgaClient = new OpenFgaClient({
apiUrl: process.env.FGA_API_URL, // required, e.g. https://api.fga.example
storeId: process.env.FGA_STORE_ID,
authorizationModelId: process.env.FGA_MODEL_ID, // Optional, can be overridden per request
});

await fgaClient.write({
writes: [
{"user":"team:contoso/protocols#member","relation":"member","object":"team:contoso/engineering"}
],
}, {
authorization_model_id: "01HVMMBCMGZNT3SED4Z17ECXCA"
});