# OpenFGA

Fine-grained authorization service for relationship-based access control.

## Overview

OpenFGA implements Google Zanzibar-style authorization, providing flexible relationship-based access control (ReBAC) that goes beyond traditional RBAC: permissions are derived from relationships between objects rather than from roles assigned directly to users.
| Property | Value |
|---|---|
| Image | openfga/openfga:latest |
| Container | openfga |
| Port | 8080 (HTTP), 8081 (gRPC) |
| Status | Planned |
## Architecture

```
┌─────────────────────────────────────────────────────────────┐
│                         Application                         │
│        "Can user X perform action Y on resource Z?"         │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│                           OpenFGA                           │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐       │
│   │    Check    │   │    Write    │   │    Read     │       │
│   │     API     │   │     API     │   │     API     │       │
│   └─────────────┘   └─────────────┘   └─────────────┘       │
│                                                             │
│   ┌─────────────────────────────────────────────────┐       │
│   │               Authorization Model               │       │
│   │  type user                                      │       │
│   │  type document                                  │       │
│   │    relations                                    │       │
│   │      define viewer: [user]                      │       │
│   │      define editor: [user]                      │       │
│   │      define owner: [user]                       │       │
│   └─────────────────────────────────────────────────┘       │
└─────────────────────────────────────────────────────────────┘
                              ↓
┌─────────────────────────────────────────────────────────────┐
│                     PostgreSQL Storage                      │
└─────────────────────────────────────────────────────────────┘
```
## Concepts

### Authorization Model

Defines types, relations, and how permissions derive from relationships.

```
model
  schema 1.1

type user

type organization
  relations
    define member: [user]
    define admin: [user]
    define owner: [user]

type project
  relations
    define organization: [organization]
    define viewer: [user] or member from organization
    define editor: [user] or admin from organization
    define owner: [user] or owner from organization
```
### Relationship Tuples

Concrete relationships between objects:

```
user:nate is owner of organization:ravenhelm
user:nate is admin of project:norns
project:norns belongs to organization:ravenhelm
```

### Check Queries

Ask if a relationship exists:

```
Can user:nate edit project:norns?
→ Yes (nate is admin of ravenhelm, norns belongs to ravenhelm)
```
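The model, tuples and check above can be worked through by hand, which is the best way to see how an `editor` answer is derived from an organization-level relationship. The following is an added example, not OpenFGA's own code or API: a toy evaluator for the three constructs the page's model uses (direct assignment `[type]`, union `or`, and tuple-to-userset `X from Y`), loaded with constructed tuples. It follows the page's check explanation by giving `user:nate` an `admin` tuple on `organization:ravenhelm`, and adds `user:freya` as a plain member for contrast. It also shows the write-time validation that a real Write API performs: a tuple whose relation is undefined, or whose subject type is not in the relation's type list, is rejected rather than silently stored.

```python
"""Minimal evaluator for the subset of the OpenFGA modelling language used on
this page: direct assignment, union (or) and tuple-to-userset (X from Y).
Added illustration only; OpenFGA's real Check API does far more
(intersection, exclusion, usersets, conditions, caching)."""
from __future__ import annotations

# Constructed model mirroring the page's DSL. Each relation maps to a list of
# rewrite rules: ("direct", allowed_types) for "[type, ...]" and
# ("from", computed_relation, tupleset_relation) for "X from Y".
MODEL: dict[str, dict[str, list[tuple]]] = {
    "user": {},
    "organization": {
        "member": [("direct", ["user"])],
        "admin": [("direct", ["user"])],
        "owner": [("direct", ["user"])],
    },
    "project": {
        "organization": [("direct", ["organization"])],
        "viewer": [("direct", ["user"]), ("from", "member", "organization")],
        "editor": [("direct", ["user"]), ("from", "admin", "organization")],
        "owner": [("direct", ["user"]), ("from", "owner", "organization")],
    },
}

# A tuple is (user, relation, object), e.g. ("user:nate", "owner", "organization:ravenhelm").
Tuple = tuple[str, str, str]


def type_of(obj: str) -> str:
    """'project:norns' -> 'project'."""
    return obj.split(":", 1)[0]


def write(tuples: set[Tuple], user: str, relation: str, obj: str) -> None:
    """Store a tuple only if the model permits it: the relation must exist on
    the object type and the subject type must be in its allowed list."""
    rules = MODEL.get(type_of(obj), {}).get(relation)
    if rules is None:
        raise ValueError(f"{type_of(obj)} has no relation {relation!r}")
    allowed = [t for rule in rules if rule[0] == "direct" for t in rule[1]]
    if type_of(user) not in allowed:
        raise ValueError(f"{relation!r} on {type_of(obj)} cannot be assigned to {type_of(user)}")
    tuples.add((user, relation, obj))


def check(tuples: set[Tuple], user: str, relation: str, obj: str, depth: int = 0) -> bool:
    """Does `user` have `relation` on `obj`, directly or via the model's rewrites?"""
    if depth > 25:  # guard against cyclic models; OpenFGA applies a resolution depth limit too
        raise RecursionError("model resolution too deep")
    rules = MODEL.get(type_of(obj), {}).get(relation)
    if rules is None:  # undefined relation: deny, never fail open
        return False
    for rule in rules:
        if rule[0] == "direct":
            if (user, relation, obj) in tuples:
                return True
        else:  # "computed from tupleset": follow every object linked to obj by the tupleset relation
            _, computed, tupleset = rule
            for subject, rel, o in tuples:
                if o == obj and rel == tupleset and check(tuples, user, computed, subject, depth + 1):
                    return True
    return False


def demo_tuples() -> set[Tuple]:
    """Constructed tuples: nate is owner and admin of the organization (the
    check explanation on the page relies on the admin relationship), the
    project belongs to the organization, and freya is an ordinary member."""
    t: set[Tuple] = set()
    write(t, "user:nate", "owner", "organization:ravenhelm")
    write(t, "user:nate", "admin", "organization:ravenhelm")
    write(t, "organization:ravenhelm", "organization", "project:norns")
    write(t, "user:freya", "member", "organization:ravenhelm")
    return t


if __name__ == "__main__":
    t = demo_tuples()
    for q in [("user:nate", "editor", "project:norns"),
              ("user:freya", "viewer", "project:norns"),
              ("user:freya", "editor", "project:norns")]:
        print(q, "->", check(t, *q))
```

Two points worth noticing when running it: `user:nate` becomes `editor` of `project:norns` with no editor tuple at all, purely through `admin from organization`, and `user:freya` gets `viewer` but not `editor` because membership only feeds the `viewer` rewrite. An undefined relation (for example `admin` on a `project`, which the page's model does not declare) is denied on check and refused on write.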
## Planned Use Cases

### 1. Multi-Tenant Access Control

```
type organization
  relations
    define member: [user]
    define admin: [user]

type task
  relations
    define organization: [organization]
    define assignee: [user]
    define can_view: assignee or member from organization
    define can_edit: assignee or admin from organization
```

### 2. Domain-Based Permissions

```
type domain
  relations
    define owner: [user]
    define viewer: [user]

type task
  relations
    define domain: [domain]
    define can_view: viewer from domain or owner from domain
```

### 3. API Authorization

```
type api_endpoint
  relations
    define caller: [user, service]
    define can_call: caller
```
## Integration Points

| Service | Use Case |
|---|---|
| Norns Agent | Task/project permissions |
| Bifrost API | MCP tool authorization |
| n8n | Workflow access control |
## Quick Commands (After Deployment)

```bash
# Create store
docker exec openfga fga store create --name "ravenhelm"

# Write authorization model
docker exec openfga fga model write --store-id <store_id> --file /config/model.fga

# Write relationship tuple (positional arguments: user relation object)
docker exec openfga fga tuple write \
  --store-id <store_id> \
  user:nate owner organization:ravenhelm

# Check permission (positional arguments: user relation object)
docker exec openfga fga query check \
  --store-id <store_id> \
  user:nate editor project:norns
```

Note: the `fga` CLI is distributed separately from the server (the `openfga/cli` image); if the server image in use does not ship it, run these commands from a CLI container or a local install pointed at the OpenFGA API instead of `docker exec openfga`.
## Deployment (Planned)

### docker-compose.yml

```yaml
services:
  openfga:
    image: openfga/openfga:latest
    container_name: openfga
    restart: unless-stopped
    # `openfga migrate` must be run once against the datastore before `run`
    command: run
    environment:
      - OPENFGA_DATASTORE_ENGINE=postgres
      - OPENFGA_DATASTORE_URI=postgres://ravenhelm:${POSTGRES_PASSWORD}@postgres:5432/openfga
      - OPENFGA_LOG_FORMAT=json
      # Without an authn method configured, any client on ravenhelm_net can
      # read and write tuples and models; set OPENFGA_AUTHN_METHOD (e.g. preshared
      # with OPENFGA_AUTHN_PRESHARED_KEYS) before exposing the service.
    networks:
      - ravenhelm_net
    depends_on:
      - postgres
```