Hasty Briefs

We rewrote OpenFGA in pure Postgres

18 hours ago
  • #OpenFGA
  • #Postgres
  • #authorization
  • OpenFGA was rewritten in pure Postgres to simplify synchronization between the authorization system and the main database.
  • Authentication ('authn') is a solved problem with standard solutions like OAuth, while authorization ('authz') is more complex and application-specific.
  • Common authorization systems include RBAC (Role-Based Access Control), PBAC (Policy-Based Access Control), ABAC (Attribute-Based Access Control), and ReBAC (Relationship-Based Access Control).
  • Rover, an incident prevention platform, initially considered RBAC but opted for ReBAC because it is a multi-tenant SaaS product, adopting OpenFGA, which is based on Google's Zanzibar.
  • OpenFGA uses 'relationship tuples' and an authorization model to define permissions and relationships, but keeping those tuples in sync with the main database was challenging.
  • The solution was to replicate OpenFGA's functionality in Postgres using tables, views, and recursive functions, eliminating the need for a separate service.
  • The new system, dubbed 'pgFGA', includes an 'authz_model' table, an 'authz_relationship' view, and a 'check_permission' function to handle authorization checks.
  • This approach simplifies maintenance, leverages existing database features like cascading deletes, and avoids operational complexity.
  • The code is open-sourced on GitHub under the MIT license, with plans to share more internal tools in the future.
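A minimal sketch of the pgFGA approach summarized above, added here as an illustration rather than the project's own code: relationship tuples come from a view over ordinary application tables, an authz_model table records which relation implies another, and check_permission walks both with a recursive CTE. All table and column names are assumed; PostgreSQL is required for WITH RECURSIVE and LATERAL.

```sql
-- Ordinary application tables (constructed sample, not Rover's real schema)
CREATE TABLE org_member (org_id text, user_id text);
CREATE TABLE document (id text, org_id text, owner_id text);
-- Model: which relation implies another ("owner implies editor implies viewer")
CREATE TABLE authz_model (object_type text, relation text, implied_by text);
INSERT INTO authz_model VALUES ('document', 'viewer', 'editor'),
                               ('document', 'editor', 'owner');
-- Relationship tuples derived straight from the app tables, so a row deleted
-- (or cascaded) in org_member or document vanishes from authz at once.
-- subject_relation IS NULL = direct user; otherwise a userset such as org:acme#member.
CREATE VIEW authz_relationship
  (object_type, object_id, relation, subject_type, subject_id, subject_relation) AS
  SELECT 'document', id, 'owner',  'user', owner_id, NULL::text FROM document
  UNION ALL
  SELECT 'document', id, 'viewer', 'org',  org_id,   'member'   FROM document
  UNION ALL
  SELECT 'org', org_id, 'member', 'user', user_id, NULL::text FROM org_member;
-- Walk the graph: expand the requested relation through model implications and
-- usersets, then look for a direct tuple naming the user on any visited node.
CREATE FUNCTION check_permission(p_type text, p_id text, p_rel text, p_user text)
RETURNS boolean LANGUAGE sql STABLE AS $$
  WITH RECURSIVE nodes(object_type, object_id, relation) AS (
    SELECT p_type, p_id, p_rel
    UNION  -- UNION (not UNION ALL) drops repeats, so cyclic usersets still terminate
    SELECT e.object_type, e.object_id, e.relation
    FROM nodes n
    CROSS JOIN LATERAL (
      SELECT n.object_type, n.object_id, m.implied_by
      FROM authz_model m
      WHERE m.object_type = n.object_type AND m.relation = n.relation
      UNION ALL
      SELECT r.subject_type, r.subject_id, r.subject_relation
      FROM authz_relationship r
      WHERE r.object_type = n.object_type AND r.object_id = n.object_id
        AND r.relation = n.relation AND r.subject_relation IS NOT NULL
    ) AS e(object_type, object_id, relation)
  )
  SELECT EXISTS (
    SELECT 1
    FROM nodes n
    JOIN authz_relationship r
      ON r.object_type = n.object_type AND r.object_id = n.object_id
     AND r.relation = n.relation
    WHERE r.subject_type = 'user' AND r.subject_id = p_user
      AND r.subject_relation IS NULL);
$$;
INSERT INTO org_member VALUES ('acme', 'alice');
INSERT INTO document   VALUES ('d1', 'acme', 'bob');
SELECT check_permission('document', 'd1', 'viewer', 'alice');  -- path: org:acme#member
SELECT check_permission('document', 'd1', 'viewer', 'bob');    -- path: owner -> editor -> viewer
DELETE FROM org_member WHERE user_id = 'alice';  -- revocation touches one table only
```

Because the view reads the application tables directly, deleting the org_member row revokes alice's access with no second store to update, which is the synchronization problem the article set out to remove.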