This repo contains some sample OpenFGA store configurations.
OpenFGA is an open source Fine-Grained Authorization solution based on Google's Zanzibar. It was created by the Auth0 FGA team and welcomes community contribution. OpenFGA is designed to make it easy for application builders to quickly add fine-grained authorization to their applications. It offers an HTTP API and has SDKs for programming languages including JavaScript, GoLang and .NET. More SDKs and integrations such as Rego are planned for the future. OpenFGA is designed and optimized for reliability and low latency at a high scale.
Some sample stores are:
To try this out, you need the following tools installed:
- docker
- git
- curl
- jq
- Ensure you have openfga up and running.
docker pull openfga/openfga # Ensure you have the latest openfga version
docker run -p 127.0.0.1:8080:8080 openfga/openfga run # run openfga server
- Clone this repository
git clone https://github.com/openfga/sample-stores.git openfga-sample-stores && cd openfga-sample-stores
- Navigate into the sample store you choose (e.g. github, custom-roles, etc.)
SAMPLE_STORE=github
cd "stores/$SAMPLE_STORE"
- Loading data into your store
FGA_API_URI=http://localhost:8080
# Create the store
STORE_ID=$(curl -X POST $FGA_API_URI/stores -d @store.json | jq -r '.id')
# Post the authorization model
AUTHORIZATION_MODEL_ID=$(curl -X POST $FGA_API_URI/stores/$STORE_ID/authorization-models -d @authorization-model.json | jq -r '.authorization_model_id')
# Write the tuples (Note: max tuples per write request = 10)
cat tuples.json | jq -c '. | _nwise(10) | { "writes": { "tuple_keys": . } }' | (
  # Quote the body so JSON values containing spaces are sent as one argument
  while read -r id; do
    curl -X POST $FGA_API_URI/stores/$STORE_ID/write -d "$id"
done
)
# Update the assertions for that authorization model
cat assertions.json | jq '. |= { "assertions": . }' | curl -X PUT $FGA_API_URI/stores/$STORE_ID/assertions/$AUTHORIZATION_MODEL_ID -d @-
# Run a sample check
cat assertions.json | jq '.[0] | { "tuple_key": { "user": .tuple_key.user, "relation": .tuple_key.relation, "object": .tuple_key.object } }' | curl -X POST $FGA_API_URI/stores/$STORE_ID/check -d @-
# Run sample checks (here we are just looping through our assertions and issuing checks for them)
# Run checks for all assertions
cat assertions.json | jq -c '. | _nwise(1) | { "tuple_key": { "user": .[0].tuple_key.user, "relation": .[0].tuple_key.relation, "object": .[0].tuple_key.object } }' | (
  while read -r body; do
    # Quote "$body" so the JSON is passed intact to curl and jq
    FGA_ALLOWED=$(curl -s -X POST $FGA_API_URI/stores/$STORE_ID/check -d "$body" | jq '.allowed')
    FGA_USER=$(echo "$body" | jq -rc '.tuple_key.user')
    FGA_RELATION=$(echo "$body" | jq -rc '.tuple_key.relation')
    FGA_OBJECT=$(echo "$body" | jq -rc '.tuple_key.object')
    echo "check(user=$FGA_USER, relation=$FGA_RELATION, object=$FGA_OBJECT); allowed: $FGA_ALLOWED"
done
)
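
The loop above prints each Check result but does not compare it with the value the assertion expects. The Python script below is an added example, not part of this repository: it runs the same checks, reports every assertion whose answer differs, and exits non-zero so it can gate a CI job. It assumes each entry in assertions.json carries a boolean `expectation` next to `tuple_key`, as in the OpenFGA assertions API; the function names and the sample tuples are constructed for illustration.

```python
"""Added example: compare OpenFGA Check results with assertions.json."""
import json
import sys
import urllib.request

# Constructed sample in the assertions.json shape (not from the repository).
SAMPLE = [
    {"tuple_key": {"user": "user:anne", "relation": "reader",
                   "object": "repo:demo"}, "expectation": True},
    {"tuple_key": {"user": "user:bob", "relation": "admin",
                   "object": "repo:demo"}, "expectation": False},
]


def http_check(store_id, tuple_key, api="http://localhost:8080"):
    """POST one tuple_key to /stores/{store_id}/check; return the JSON body."""
    body = json.dumps({"tuple_key": tuple_key}).encode()
    req = urllib.request.Request(f"{api}/stores/{store_id}/check", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def verify(assertions, check):
    """Return every assertion whose Check answer differs from "expectation"."""
    mismatches = []
    for a in assertions:
        key = {k: a["tuple_key"][k] for k in ("user", "relation", "object")}
        expected = a.get("expectation")
        try:
            got = check(key).get("allowed")
        except Exception as exc:  # network failure, HTTP error, bad JSON
            got = f"error: {exc}"
        # Fail closed: anything other than the exact expected boolean counts.
        if not isinstance(expected, bool) or got is not expected:
            mismatches.append({"tuple_key": key, "expected": expected, "got": got})
    return mismatches


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: verify.py STORE_ID assertions.json
        with open(sys.argv[2]) as fh:
            failed = verify(json.load(fh), lambda k: http_check(sys.argv[1], k))
    else:  # offline demo against a stub backend that allows everything
        failed = verify(SAMPLE, lambda k: {"allowed": True})
    for m in failed:
        print("MISMATCH", json.dumps(m))
    sys.exit(1 if failed else 0)
```

Run without arguments, it checks the constructed sample against a stub that allows everything and flags the `user:bob` admin assertion, which is the over-permissive case this kind of test exists to catch.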