A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
APACHE-2.0 License
Published by jpadilla 7 months ago
Updated the grpc-health-probe dependency in the published Docker image to the latest release, which fixes some vulnerabilities (#1507).
Published by jon-whit 7 months ago
Added a dispatch_count histogram (#1427).
Added a request_duration_ms histogram which has datastore_query_count and dispatch_count as dimensions (#1444).
Added OPENFGA_AUTHN_OIDC_ISSUER_ALIASES to specify OIDC issuer aliases (#1354). Thanks @le-yams!
Added OPENFGA_EXPERIMENTALS=enable-modular-models (#1443). This will enable writing models that are split across multiple files.
request_duration_by_query_count_ms will be removed in the next release, in favour of request_duration_ms (#1450).
Published by jon-whit 8 months ago
{allowed:false} (#1371, #1372)
The AuthorizationModelReadBackend interface method FindLatestAuthorizationModelID has changed to FindLatestAuthorizationModel for performance improvements (#1387).
If you implement your own data store, you will need to make the following change:
```go
// Before: the backend only returned the ID of the latest model.
func (...) FindLatestAuthorizationModelID(ctx context.Context, storeID string) (string, error) {
	// ...get model ID
	return modelID, nil
}

// After: the backend returns the latest model itself.
func (...) FindLatestAuthorizationModel(ctx context.Context, storeID string) (*openfgav1.AuthorizationModel, error) {
	// ...get model
	return model.(*openfgav1.AuthorizationModel), nil
}
```
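As an added illustration of that interface change (example code, not OpenFGA's own), the in-memory backend below implements the new FindLatestAuthorizationModel method and keeps the old FindLatestAuthorizationModelID as a thin wrapper around it, so callers that have not yet been migrated keep working. The AuthorizationModel struct and the AuthorizationModelReadBackend interface here are constructed stand-ins for the openfgav1 protobuf type and the real storage interface; the compile-time assertion is what surfaces a missed method when the interface changes.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// AuthorizationModel is a constructed stand-in for openfgav1.AuthorizationModel
// (assumption: only the fields this example needs).
type AuthorizationModel struct {
	Id            string
	SchemaVersion string
}

// AuthorizationModelReadBackend mirrors the shape of the changed interface method
// (assumption: the real interface has more methods than this).
type AuthorizationModelReadBackend interface {
	FindLatestAuthorizationModel(ctx context.Context, storeID string) (*AuthorizationModel, error)
}

// ErrModelNotFound is returned when a store has no models yet.
var ErrModelNotFound = errors.New("no authorization model found for store")

// MemoryBackend keeps models per store in write order; the last entry is the latest.
type MemoryBackend struct {
	models map[string][]*AuthorizationModel
}

// Compile-time check: a backend that still only implements the old method fails here.
var _ AuthorizationModelReadBackend = (*MemoryBackend)(nil)

func NewMemoryBackend() *MemoryBackend {
	return &MemoryBackend{models: map[string][]*AuthorizationModel{}}
}

// Write appends a model to the store's history.
func (m *MemoryBackend) Write(storeID string, model *AuthorizationModel) {
	m.models[storeID] = append(m.models[storeID], model)
}

// FindLatestAuthorizationModel is the new method: it returns the whole model, so the
// server needs no second round-trip to load it by ID.
func (m *MemoryBackend) FindLatestAuthorizationModel(ctx context.Context, storeID string) (*AuthorizationModel, error) {
	if err := ctx.Err(); err != nil {
		return nil, err
	}
	models := m.models[storeID]
	if len(models) == 0 {
		return nil, ErrModelNotFound
	}
	return models[len(models)-1], nil
}

// FindLatestAuthorizationModelID is the old method, kept as a wrapper during migration.
func (m *MemoryBackend) FindLatestAuthorizationModelID(ctx context.Context, storeID string) (string, error) {
	model, err := m.FindLatestAuthorizationModel(ctx, storeID)
	if err != nil {
		return "", err
	}
	return model.Id, nil
}

func main() {
	be := NewMemoryBackend()
	be.Write("store-1", &AuthorizationModel{Id: "01H-OLD", SchemaVersion: "1.1"}) // constructed IDs
	be.Write("store-1", &AuthorizationModel{Id: "01H-NEW", SchemaVersion: "1.1"})
	model, err := be.FindLatestAuthorizationModel(context.Background(), "store-1")
	fmt.Println(model.Id, err)
}
```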
Published by jon-whit 9 months ago
server.Stop()
(#1318)map.Clone()
calls in model validation (#1281)ListObjects
API calls that hit the --listObjects-deadline
setting can lead to an out of memory error. See the CVE report for more detailsPublished by jon-whit 10 months ago
Enable support for Conditional Relationship Tuples by default (#1220).
⚠️ Prior to upgrading to this release, please first upgrade to v1.3.10, and then proceed with upgrading to this release. Rolling back from this release to a release prior to v1.3.9 has negative side-effects because of the introduction of Conditions. If you roll back from this release to a release prior to v1.3.9, then conditional relationship tuples will be treated unconditionally, because relationship tuples prior to v1.3.9 had no concept of Conditions.
Added stricter gRPC server max message size constraints (#1222)
We changed the default gRPC max message size (4MB) to a stricter 512KB to protect the server from excessively large request context fields. This shouldn't impact existing clients, since our calculated max message size should be much smaller than 512KB given our other input constraints.
Published by jpadilla 11 months ago
Published by jon-whit 11 months ago
Experimental support for ABAC Conditional Relationships.
To enable experimental support for ABAC Conditional Relationships you can pass the enable-conditions experimental flag, for example openfga run --experimentals=enable-conditions. The upcoming v1.4.0 release will introduce official support for this new feature. For more information please see our official blog post. The v1.4.0 release will have more official documentation on openfga.dev.
⚠️ If you enable experimental support for ABAC and introduce models and/or relationship tuples into the system and then choose to rollback to a prior release, then you may experience unintended side-effects. Care should be taken!
Read on for more information.
If you introduce a model with a condition defined in a relation's type restriction(s) and then roll back to a prior OpenFGA release, then the model will be treated as though the conditioned type restriction did not exist. For example, given the model
```
model
  schema 1.1

type user

type document
  relations
    define viewer: [user with somecondition]

condition somecondition(x: int) {
  x < 100
}
```
if you then roll back to v1.3.7 or earlier, the model above will be treated equivalently to
```
model
  schema 1.1

type user

type document
  relations
    define viewer: [user]
```
Likewise, if you write a relationship tuple with a condition and then roll back to a prior release, then the tuple will be treated as an unconditioned tuple.
- document:1#viewer@user:jon, {condition: "somecondition"}
will be treated equivalently to document:1#viewer@user:jon in v1.3.7 or earlier. That is, Check(document:1#viewer@user:jon) would return {allowed: true} even though the tuple was conditioned when it was introduced.
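The rollback hazard described above, as an added example that is not part of the release notes: a minimal direct-relationship check over the same tuple and condition, run once as a release that understands Conditions and once as a simulated pre-v1.3.9 server that has no Condition field and so grants on every stored tuple. The Tuple type, the Conditions map and the Check function are constructed for this illustration and are not OpenFGA's implementation; a missing context parameter is treated as "not satisfied" here so the check fails closed.

```go
package main

import "fmt"

// Tuple is a constructed, simplified relationship tuple (object#relation@user) with an
// optional condition name; an empty Condition means the tuple is unconditioned.
type Tuple struct {
	Object    string
	Relation  string
	User      string
	Condition string
}

// Conditions holds evaluators for the model's condition blocks, keyed by name.
// Stand-in for `condition somecondition(x: int) { x < 100 }` from the model above.
var Conditions = map[string]func(ctx map[string]int) bool{
	"somecondition": func(ctx map[string]int) bool {
		x, ok := ctx["x"]
		return ok && x < 100 // a missing parameter is "not satisfied"
	},
}

// Check resolves a direct relationship: does any tuple grant user the relation on object?
// conditionsSupported=true is a release that knows about Conditions; false simulates a
// pre-v1.3.9 server, which has no Condition field and evaluates every tuple unconditionally.
func Check(tuples []Tuple, object, relation, user string, ctx map[string]int, conditionsSupported bool) bool {
	for _, t := range tuples {
		if t.Object != object || t.Relation != relation || t.User != user {
			continue
		}
		if t.Condition == "" || !conditionsSupported {
			return true
		}
		eval, ok := Conditions[t.Condition]
		if ok && eval(ctx) {
			return true
		}
		// condition unknown or not satisfied: this tuple grants nothing
	}
	return false
}

// SampleTuples is the constructed tuple from the release note:
// document:1#viewer@user:jon, {condition: "somecondition"}
var SampleTuples = []Tuple{
	{Object: "document:1", Relation: "viewer", User: "user:jon", Condition: "somecondition"},
}

func main() {
	over := map[string]int{"x": 150} // does not satisfy x < 100
	fmt.Println("current release, x=150:", Check(SampleTuples, "document:1", "viewer", "user:jon", over, true))
	fmt.Println("rolled back,     x=150:", Check(SampleTuples, "document:1", "viewer", "user:jon", over, false))
}
```

With x=150 the current release denies and the rolled-back server allows, which is exactly the unintended side-effect the warning above refers to.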
Minimum datastore schema revision check in the server's health check (#1166)
Each OpenFGA release from here forward will explicitly reference a minimum datastore schema version that is required to run that specific release of OpenFGA. If OpenFGA operators have not migrated up to that revision then the server's health checks will fail.
Username/password configuration overrides for the openfga migrate entrypoint (#1133). Thanks for the contribution @martin31821!
Similar to the server's main entrypoint openfga run, you can now override the datastore username and password with environment variables when running the openfga migrate utility.
Healthcheck definitions in Dockerfile (#1134). Thanks @Siddhant-K-code!
Database iterators yielded by the RelationshipTupleReader storage interface now accept a context parameter which allows iteration to be promptly terminated (#1055)
We have noticed improvements in query performance by adding this because once a resolution path has been found we more quickly cancel any further evaluation by terminating the iterators promptly.
Improved tuple validation performance with precomputation of TTUs (#1171)
Refactored the commands in the pkg/server/commands package to uniformly use the Options builder pattern (#1142). Thanks for the contribution @ilaleksin!
Upgraded to Go 1.21.4 (#1143). Thanks @tranngoclam!
Published by jon-whit 12 months ago
Updated the grpc-health-probe dependency to the latest release, which fixed some vulnerabilities.
Published by jon-whit 12 months ago
openfga.intoto.jsonl, for verification of release artifacts with SLSA attestations.
Removed the experimental flag check-query-cache. If you wish to enable the Check query cache you no longer need the experimental flag.
Published by jon-whit 12 months ago
The v1.4.0-rc1 release is an experimental release candidate that introduces new support for ABAC Conditions in OpenFGA.
For more information, take a look at our blog post Conditional Relationship Tuples for OpenFGA. This blog post talks more about the feature and how to make use of it.
Published by jpadilla 12 months ago
OPENFGA_LIST_OBJECTS_MAX_RESULTS=0 (#1067)
Write Authorization Models in a single database row (#1030)
⚠️ In order to avoid downtime, we recommend upgrading to at least v1.3.3 before upgrading to v1.3.5.
This is the second of a series of releases that will progressively introduce changes via code and database migrations that will allow authorization models to be stored in a single database row.
Published by jon-whit about 1 year ago
check-query-cache experimental flag is turned on (#1059)
Published by jpadilla about 1 year ago
Configurable size limit for Authorization Models (#1032)
We've introduced a new size limit for authorization models, providing consistent behavior across datastores, which defaults to 256KB. This can be configured by using the --max-authorization-model-size-in-bytes flag.
Persist Authorization Models serialized protobuf in the database (#1028)
The next series of releases will progressively introduce changes via code and database migrations that will allow authorization models to be stored in a single database row.
Published by jon-whit about 1 year ago
Patches CVE-2023-43645 - see the CVE for more details
[BREAKING] If your model contained cycles or a relation definition that has the relation itself in its evaluation path, then Checks and queries that require evaluation will no longer be evaluated on v1.3.2+ and will return errors instead. You will need to update your models to remove the cycles.
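An added example of the kind of validation that note implies (this is not OpenFGA's validator): a three-colour depth-first walk over a simplified rewrite graph that reports the first cycle among relation definitions, so a model can be rejected before it is written rather than failing at Check time. The Model type is an assumption: it reduces each definition to the "type#relation" entries it directly rewrites to (as in `define viewer: editor`). The real model has more rewrite kinds, and the real validator distinguishes cases such as legitimate recursion through a tuple-to-userset on a different object, which this toy graph does not model.

```go
package main

import (
	"fmt"
	"sort"
)

// Model is a constructed, simplified view of an authorization model: each key is a
// "type#relation" and its value lists the "type#relation" entries the definition
// rewrites to (e.g. `define viewer: editor` gives document#viewer -> document#editor).
type Model map[string][]string

// FindCycle returns the first cycle found as a path whose first and last elements are the
// same relation, or nil when the graph is acyclic. Keys are visited in sorted order so the
// result is deterministic.
func FindCycle(m Model) []string {
	const (
		white = iota // not yet visited
		grey         // on the current DFS path
		black        // fully explored
	)
	colour := make(map[string]int, len(m))
	var path []string
	var cycle []string

	var visit func(rel string) bool
	visit = func(rel string) bool {
		colour[rel] = grey
		path = append(path, rel)
		for _, next := range m[rel] {
			switch colour[next] {
			case grey:
				// back edge to a relation still on the path: the cycle is path[i:] + next
				for i, r := range path {
					if r == next {
						cycle = append(append([]string{}, path[i:]...), next)
						return true
					}
				}
			case white:
				if visit(next) {
					return true
				}
			}
		}
		path = path[:len(path)-1]
		colour[rel] = black
		return false
	}

	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if colour[k] == white && visit(k) {
			return cycle
		}
	}
	return nil
}

// AcyclicModel is a constructed model: viewer -> editor -> owner.
var AcyclicModel = Model{
	"document#viewer": {"document#editor"},
	"document#editor": {"document#owner"},
	"document#owner":  nil,
}

// CyclicModel is a constructed model where viewer and editor rewrite to each other,
// the kind of definition a v1.3.2+ server refuses to evaluate.
var CyclicModel = Model{
	"document#viewer": {"document#editor"},
	"document#editor": {"document#viewer"},
}

func main() {
	fmt.Println("acyclic:", FindCycle(AcyclicModel))
	fmt.Println("cyclic: ", FindCycle(CyclicModel))
}
```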
Published by jon-whit about 1 year ago
Count datastore queries involved in Check resolution metadata (#880)
OpenFGA request logs and traces will now include a field datastore_query_count that shows how many queries were involved in a single Check resolution.
Histogram metric to report the datastore_query_count per Check (#924)
This new metric can be used to report percentiles of the number of database queries required to resolve Check requests.
Check request duration histogram labeled by method and datastore query count (#950)
The request_duration_by_query_count_ms metric reports the total request duration (in ms) labelled by the RPC method and ranges of observations for the datastore_query_count. This metric allows operators of an OpenFGA server to report request duration percentiles for Check requests based on the number of database queries that were required to resolve the query.
Optimize Check to avoid database lookups in some scenarios (#932)
CachedCheckResolver for caching Check subproblems (#891)
This experimental feature adds new caching capabilities to the OpenFGA server. It is an "opt-in" feature and thus must be enabled. To enable this feature you must specify the experimental flag check-query-cache and set the --check-query-cache-enabled=true flag:
```shell
openfga run --experimentals check-query-cache --check-query-cache-enabled=true
```
Server request logs now include the user-agent (#943)
Default Check and ListObjects concurrency read limits (#916)
In our last release v1.3.0 we modified the default behavior of Check and ListObjects such that it limits/restricts the degree of concurrency that is allowed for a single request. This change was unintended. This release reverts the default behavior back to unbounded concurrency limits (the prior default). The change mostly affects those using OpenFGA as a library.
Bumped up to Go 1.21 (#952)