OpenFGA setup

OpenFGA setup and seeding

Below is a set of steps to get anyone up and running with a working OpenFGA model containing a meaningful dataset

Requirements

make sure you have OpenFGA APIs accessible, in this case we will refer them as http://127.0.0.1:8080
have fga cli installed
have jq installed

Store and Model creation

There are 2 ways to have this setup:

via UI
- you can connect to the playground/ui and create a store and model
- make sure to patch the model with the content of the identity model

via CLI

run the fga cli to create a store

shipperizer in ~/shipperizer/identity-platform-admin-ui.wiki on IAM-781 ● λ fga --api-url http://127.0.0.1:8080 store create --name admin`
{
  "store": {
    "created_at":"2024-04-04T08:06:45.910906119Z",
    "id":"01HTM2ARCP9FFNWVC3R3ASB09E",
    "name":"admin",
    "updated_at":"2024-04-04T08:06:45.910906119Z"
  }
}

create the model using the identity model

shipperizer in ~/shipperizer/identity-platform-admin-ui.wiki on IAM-781 ● λ fga --api-url http://127.0.0.1:8080 model write --file ../identity-platform-admin-ui/internal/authorization/schema.openfga --store-id 01HTM2ARCP9FFNWVC3R3ASB09E
{
  "authorization_model_id":"01HTM2CKWTB2D0Y7F05ZSQXACE"
}

Seeding

fetch MODEL_ID and STORE_ID from openfga server, the following will pick the latest model from the first store (hopefully you dont have more than 1, otherwise you will have to inspect the response and choose)

STORE_ID=$(fga --api-url http://127.0.0.1:8080 store list | jq '.stores[0].id' -r)

MODEL_ID=$(fga --api-url http://127.0.0.1:8080 model list --store-id $STORE_ID | jq '.authorization_models[0].id' -r)

populate the model with data

fga --api-url http://127.0.0.1:8080 tuple write --model-id $MODEL_ID --store-id $STORE_ID --file openfga-tuples.yml

where openfga-tuples.yaml can be found below in the details

# tuples
- object: privileged:superuser
  user: user:johndoe
  relation: admin
- object: privileged:superuser
  user: user:shipperizer
  relation: admin
- object: role:administrator
  user: privileged:superuser
  relation: privileged
- object: role:administrator
  user: user:joe
  relation: assignee
- object: group:c-level
  user: user:joe
  relation: member
- object: group:c-level
  user: privileged:superuser
  relation: privileged
- object: identity:user-1
  user: privileged:superuser
  relation: privileged
- object: identity:user-2
  user: privileged:superuser
  relation: privileged
- object: scheme:identity-social
  user: privileged:superuser
  relation: privileged
- object: client:github-canonical
  user: privileged:superuser
  relation: privileged
- object: identity:user-1
  user: user:joe
  relation: can_delete
- object: client:github-canonical
  user: role:administrator#assignee
  relation: can_view
- object: client:okta
  user: role:administrator#assignee
  relation: can_delete
- object: client:github-canonical
  user: group:c-level#member
  relation: can_edit
- object: client:okta
  user: group:c-level#member
  relation: can_delete  
- object: client:okta
  user: group:c-level#member
  relation: can_view  
- object: client:okta
  user: group:c-level#member
  relation: can_edit    
- object: role:administrator
  user: group:c-level#member
  relation: assignee
- object: role:janitor
  user: group:c-level#member
  relation: assignee
#### global view  
- user: user:*
  relation: can_view
  object: provider:global
- user: user:*
  relation: can_view
  object: role:global
- user: user:*
  relation: can_view
  object: group:global
- user: user:*
  relation: can_view
  object: client:global
- user: user:*
  relation: can_view
  object: identity:global
- user: user:*
  relation: can_view
  object: scheme:global
#### privileged permissions  
- user: privileged:superuser
  relation: privileged
  object: provider:global
- user: privileged:superuser
  relation: privileged
  object: role:global
- user: privileged:superuser
  relation: privileged
  object: group:global
- user: privileged:superuser
  relation: privileged
  object: client:global
- user: privileged:superuser
  relation: privileged
  object: identity:global
- user: privileged:superuser
  relation: privileged
  object: scheme:global

API Authorization

Current API authorization is rudimentary at best, work will go into it in the next 6 months to make it acceptable

for the time being what is needed to be authorized is the header X-Authorization with a base64 encoded user value

shipperizer in ~/shipperizer/identity-platform-admin-ui on IAM-726 ● λ echo -n shipperizer | base64     
c2hpcHBlcml6ZXI=

PRIVILEGED_USER=c2hpcHBlcml6ZXI=
http :8000/api/v0/roles X-Authorization:$PRIVILEGED_USER

the tuples involved in this are all those matching a user to a privileged type

- object: privileged:superuser
  user: user:shipperizer
  relation: admin

setting the header will enable to get the full list of roles and groups as an admin user, otherwise anonymous user will be used

Provide feedback

Saved searches