We rewrote OpenFGA in pure Postgres
18 hours ago
- #OpenFGA
- #Postgres
- #authorization
- Rover replaced OpenFGA with an equivalent built in pure Postgres, so that the authorization data and the main application database no longer have to be kept in sync.
- Authentication ('authn') is largely a solved problem with standard protocols such as OAuth 2.0 and OpenID Connect, while authorization ('authz'), deciding what an authenticated principal may do, is more complex and application-specific.
- Common authorization systems include RBAC (Role-Based Access Control), PBAC (Policy-Based Access Control), ABAC (Attribute-Based Access Control), and ReBAC (Relationship-Based Access Control).
- Rover, an incident prevention platform, initially considered RBAC but opted for ReBAC because it is a multi-tenant SaaS product, choosing OpenFGA, an open-source implementation of Google's Zanzibar model.
- OpenFGA expresses permissions as 'relationship tuples' (object, relation, subject) interpreted under an authorization model, but keeping those tuples consistent with the application's own tables (a second store that must be written on every relevant change) proved challenging.
- The solution was to replicate OpenFGA's functionality in Postgres using tables, views, and recursive functions, eliminating the need for a separate service.
- The new system, dubbed 'pgFGA', includes an 'authz_model' table, an 'authz_relationship' view, and a 'check_permission' function to handle authorization checks.
- This approach simplifies maintenance, leverages existing database features such as cascading deletes (relationships disappear with the rows they are derived from), and avoids the operational complexity of running a separate authorization service.
- The code is open-sourced on GitHub under the MIT license, with plans to share more internal tools in the future.
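The layout described in the bullets above (an `authz_model` table, an `authz_relationship` view derived from the application's own tables, and a recursive `check_permission` function), as an added example in PostgreSQL. This is not Rover's pgFGA code and not OpenFGA's schema: only the three names come from the post; every column, the parameter order of `check_permission`, the `folders`/`documents`/`folder_members` tables and the sample rows are assumptions made for illustration.

```sql
-- Added example of a pgFGA-style layout (not Rover's code): the table/view/function
-- names come from the post, but every column, parameter and app table here is assumed.

-- Application tables: the relationships live here, so there is nothing to sync.
CREATE TABLE folders   (id int PRIMARY KEY, owner_id int NOT NULL);
CREATE TABLE documents (id int PRIMARY KEY, owner_id int NOT NULL,
                        folder_id int NOT NULL REFERENCES folders(id) ON DELETE CASCADE);
CREATE TABLE folder_members (folder_id int REFERENCES folders(id) ON DELETE CASCADE,
                             user_id int NOT NULL,
                             role text NOT NULL CHECK (role IN ('editor', 'viewer')),
                             PRIMARY KEY (folder_id, user_id));

-- authz_model: one row per rule. Either "relation is implied by implied_by on the same
-- object" (owner -> editor -> viewer), or "relation is inherited from parent_relation on
-- the object reached through via_relation" (a document's viewers include the viewers of
-- its parent folder). The CHECK forces each row to be exactly one of the two kinds.
CREATE TABLE authz_model (
    object_type     text NOT NULL,
    relation        text NOT NULL,
    implied_by      text,
    via_relation    text,
    parent_relation text,
    CHECK ((implied_by IS NOT NULL AND via_relation IS NULL AND parent_relation IS NULL)
        OR (implied_by IS NULL AND via_relation IS NOT NULL AND parent_relation IS NOT NULL))
);
INSERT INTO authz_model VALUES
  ('folder',   'editor', 'owner',  NULL,     NULL),
  ('folder',   'viewer', 'editor', NULL,     NULL),
  ('document', 'editor', 'owner',  NULL,     NULL),
  ('document', 'viewer', 'editor', NULL,     NULL),
  ('document', 'editor', NULL,     'parent', 'editor'),
  ('document', 'viewer', NULL,     'parent', 'viewer');

-- authz_relationship: Zanzibar-style tuples (object, relation, subject) computed from the
-- app tables. Deleting a folder cascades to its documents and members, so their tuples
-- vanish with them; no second store has to be updated.
CREATE VIEW authz_relationship AS
  SELECT 'folder'::text AS object_type, f.id::text AS object_id, 'owner'::text AS relation,
         'user'::text AS subject_type, f.owner_id::text AS subject_id
  FROM folders f
  UNION ALL
  SELECT 'folder', m.folder_id::text, m.role, 'user', m.user_id::text FROM folder_members m
  UNION ALL
  SELECT 'document', d.id::text, 'owner', 'user', d.owner_id::text FROM documents d
  UNION ALL
  SELECT 'document', d.id::text, 'parent', 'folder', d.folder_id::text FROM documents d;

-- check_permission: does subject hold relation on object? The recursive CTE expands the
-- requested (object, relation) goal through the model, into the relations that imply it
-- on the same object and into the same relation on parent objects, then looks for any
-- expanded goal that the subject satisfies directly. UNION (not UNION ALL) de-duplicates
-- rows, so a cyclic model terminates instead of recursing forever.
CREATE FUNCTION check_permission(p_subject_type text, p_subject_id text, p_relation text,
                                 p_object_type text, p_object_id text)
RETURNS boolean LANGUAGE sql STABLE AS $$
WITH RECURSIVE goals(object_type, object_id, relation) AS (
    SELECT p_object_type, p_object_id, p_relation
  UNION
    SELECT CASE WHEN m.implied_by IS NOT NULL THEN g.object_type ELSE r.subject_type END,
           CASE WHEN m.implied_by IS NOT NULL THEN g.object_id   ELSE r.subject_id   END,
           COALESCE(m.implied_by, m.parent_relation)
    FROM goals g
    JOIN authz_model m ON m.object_type = g.object_type AND m.relation = g.relation
    LEFT JOIN authz_relationship r
           ON m.via_relation IS NOT NULL
          AND r.object_type = g.object_type AND r.object_id = g.object_id
          AND r.relation = m.via_relation
    WHERE m.implied_by IS NOT NULL OR r.object_id IS NOT NULL
)
SELECT EXISTS (
    SELECT 1 FROM goals g
    JOIN authz_relationship r ON r.object_type = g.object_type
                             AND r.object_id = g.object_id AND r.relation = g.relation
    WHERE r.subject_type = p_subject_type AND r.subject_id = p_subject_id
);
$$;

-- Constructed sample data: user 1 owns folder 100, user 2 is a viewer member of it,
-- user 3 owns document 10 inside that folder, user 4 has no relationship at all.
INSERT INTO folders VALUES (100, 1);
INSERT INTO folder_members VALUES (100, 2, 'viewer');
INSERT INTO documents VALUES (10, 3, 100);

SELECT check_permission('user', '1', 'viewer', 'document', '10') AS owner_of_parent_views,
       check_permission('user', '2', 'viewer', 'document', '10') AS member_of_parent_views,
       check_permission('user', '2', 'editor', 'document', '10') AS member_of_parent_edits,
       check_permission('user', '3', 'editor', 'document', '10') AS document_owner_edits,
       check_permission('user', '4', 'viewer', 'document', '10') AS stranger_views;
```

Tracing the final query by hand: user 1 reaches `document:10#viewer` through `document:10#parent` to `folder:100#viewer`, which `folder:100#editor` and then `folder:100#owner` imply, and user 1 holds that owner tuple; user 2 reaches the same folder viewer goal directly but has no path to `editor`; user 3 holds `document:10#owner` directly; user 4 matches no goal. The `authz_model` rows are deliberately data rather than hard-coded SQL so that the set of relations can change without redeploying the function, and the view can be indexed by materializing it or by adding indexes on the underlying `folder_members` and `documents` columns the joins use.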