@katallaxie
Last active June 14, 2024 18:52
OpenFGA + CockroachDB

CockroachDB + OpenFGA

CockroachDB is a source-available distributed SQL database management system developed by Cockroach Labs. Its relational functionality is built on top of a distributed, transactional, consistent key-value store that can survive a variety of underlying infrastructure failures. It is wire-compatible with PostgreSQL, which means users can take advantage of the wide range of drivers and tools from the PostgreSQL ecosystem.

OpenFGA is an open-source authorization solution that allows developers to build granular access control using an easy-to-read modeling language and friendly APIs. It is modelled after the Google Zanzibar authorization model.

Combining these two technologies provides a strongly consistent authorization system that separates authentication (AuthN) from authorization (AuthZ).

Quickstart

docker compose up

Access OpenFGA Playground

Open localhost:3000/playground

```yaml
services:
  crdb:
    image: cockroachdb/cockroach:latest-v24.1
    ports:
      - "26257:26257"
      - "8082:8080"
    networks:
      - openfga
    command: start-single-node --insecure
    volumes:
      - "${PWD}/cockroach-data/crdb:/cockroach/cockroach-data"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
      interval: 3s
      timeout: 3s
      retries: 5
  migrate:
    depends_on:
      crdb:
        condition: service_healthy
    image: openfga/openfga:latest
    container_name: migrate
    command: migrate
    environment:
      - OPENFGA_DATASTORE_ENGINE=postgres
      - OPENFGA_DATASTORE_URI=postgres://root@crdb:26257/defaultdb?sslmode=disable
    networks:
      - openfga
  openfga:
    depends_on:
      migrate:
        condition: service_completed_successfully
    image: openfga/openfga:latest
    container_name: openfga
    environment:
      - OPENFGA_DATASTORE_ENGINE=postgres
      - OPENFGA_DATASTORE_URI=postgres://root@crdb:26257/defaultdb?sslmode=disable
      - OPENFGA_LOG_FORMAT=json
    command: run
    networks:
      - openfga
    ports:
      # Needed for the http server
      - "8080:8080"
      # Needed for the grpc server (if used)
      - "8081:8081"
      # Needed for the playground (Do not enable in prod!)
      - "3000:3000"
networks:
  openfga:
```
```
model
  schema 1.1
type user
type team
  relations
    define admin: [user]
    define can_add_admin: can_add_owner
    define can_add_editor: can_add_admin or admin
    define can_add_owner: owner
    define can_add_viewer: can_add_editor or editor
    define can_create_environment: editor
    define can_create_lens: editor
    define can_create_profile: editor
    define can_create_workload: editor
    define can_delete: owner
    define can_delete_owner: can_add_owner
    define editor: [user] or admin
    define owner: [user]
    define viewer: [user] or editor or admin
type resource
  relations
    define admin: admin from team
    define can_delete: editor or admin
    define can_read: viewer
    define can_share: admin
    define can_write: editor or admin
    define editor: editor from team or admin
    define team: [team]
    define viewer: viewer from team or editor
```
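As an added example (not part of the gist or of OpenFGA), the following Python encodes the model above and resolves checks offline, so you can predict what a Check call against the running server would return: a team admin gains write on the team's resources through `admin from team`, while a team viewer gets read but not delete. The identifiers `user:anne`, `user:bob`, `team:platform` and `resource:doc1` are constructed sample data.

```python
# Added example, not part of the gist: an offline evaluator for the model
# above. It resolves only the three constructs the model uses (direct
# assignment "[user]", union "a or b", tuple-to-userset "rel from other");
# it is not the OpenFGA engine and supports nothing beyond those.
def _defs(**rels):  # split "a or b or c" into its alternatives
    return {r: d.split(" or ") for r, d in rels.items()}

MODEL = {  # transcribed from the page's model: type -> relation -> alternatives
    "team": _defs(
        admin="[user]", owner="[user]",
        editor="[user] or admin", viewer="[user] or editor or admin",
        can_add_owner="owner", can_add_admin="can_add_owner",
        can_add_editor="can_add_admin or admin",
        can_add_viewer="can_add_editor or editor",
        can_delete="owner", can_delete_owner="can_add_owner",
        can_create_environment="editor", can_create_lens="editor",
        can_create_profile="editor", can_create_workload="editor",
    ),
    "resource": _defs(
        team="[team]", admin="admin from team",
        editor="editor from team or admin", viewer="viewer from team or editor",
        can_delete="editor or admin", can_read="viewer",
        can_share="admin", can_write="editor or admin",
    ),
}

def check(tuples, obj, rel, user, depth=0):
    """True if `user` holds `rel` on `obj` given the relationship tuples."""
    if depth > 32:  # guard against a mis-authored cyclic model
        raise RecursionError(f"cycle while resolving {obj}#{rel}")
    for alt in MODEL.get(obj.split(":", 1)[0], {}).get(rel, []):
        if alt.startswith("["):          # direct assignment: look for the tuple
            if (obj, rel, user) in tuples:
                return True
        elif " from " in alt:            # e.g. "admin from team": follow the team
            sub_rel, via = alt.split(" from ")  # tuple, then evaluate admin there
            for o, r, u in tuples:
                if o == obj and r == via and check(tuples, u, sub_rel, user, depth + 1):
                    return True
        elif check(tuples, obj, alt, user, depth + 1):  # computed relation
            return True
    return False

# Constructed sample tuples: anne administers team:platform, bob only views it,
# and resource:doc1 belongs to that team.
TUPLES = {
    ("team:platform", "admin", "user:anne"),
    ("team:platform", "viewer", "user:bob"),
    ("resource:doc1", "team", "team:platform"),
}
```

Note that with these tuples `check(TUPLES, "team:platform", "can_delete", "user:anne")` is False: the model reserves team deletion for `owner`, which `admin` does not imply.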