Add OpenFGA as a Policy Store

Open gemanor opened this issue 1 year ago • 21 comments

An OPAL policy-store is an interface that enables OPAL to manage policy-engines that can make authorization decisions via OPAL clients.

This issue is a feature request to add OpenFGA as a policy-store in OPAL alongside the existing supported policy stores (OPA and Cedar) so developers can better manage OpenFGA services.

Acceptance criteria:

  • Ability to configure OpenFGA as a policy store in OPAL
  • OpenFGA models/policies are auto-synced from git
  • OpenFGA supports the data fetching pattern and syncing data from external data sources
  • A working end-to-end demo with example ReBAC policies and mock data
  • Docker-compose examples of running OPAL with single or multiple OpenFGA clients
  • 100% UT coverage on the code and at least one integration test

gemanor avatar Sep 18 '24 09:09 gemanor

/bounty $1500

gemanor avatar Sep 18 '24 10:09 gemanor

💎 $1,500 bounty • Permit.io

Steps to solve:

  1. Start working: Comment /attempt #661 with your implementation plan
  2. Submit work: Create a pull request including /claim #661 in the PR body to claim the bounty
  3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to permitio/opal!

Attempt | Started (GMT+0) | Solution
🟢 @benya7 | Sep 18, 2024, 12:14:54 PM | WIP
🟢 @onyedikachi-david | Sep 20, 2024, 2:55:29 PM | WIP
🔴 @debaa98 | Oct 15, 2024, 11:04:27 AM | WIP
🟢 @zhanxini | Dec 1, 2024, 7:58:29 AM | WIP
🟢 @daveads | | #673

algora-pbc[bot] avatar Sep 18 '24 10:09 algora-pbc[bot]

Hi @gemanor! I'm very interested in working on this task. Can I be assigned? Thank you.

/attempt #661

benya7 avatar Sep 18 '24 12:09 benya7

Hey @benya7, sure! Please share your working plan for this, so we can expect timelines, etc.

gemanor avatar Sep 20 '24 09:09 gemanor

/attempt #661

@gemanor do you accept multiple submissions for this?

onyedikachi-david avatar Sep 20 '24 14:09 onyedikachi-david

> Hey @benya7, sure! Please share your working plan for this, so we can expect timelines, etc.

@gemanor Thanks for that! Here is my implementation plan.

Research OpenFGA API and OPAL's Policy-Store Architecture (3 days):

  • Study OpenFGA's API and data model.
  • Review existing policy stores (OPA, Cedar) in OPAL to understand the integration points, especially for fetching, syncing, and authorization patterns.

Development (2 weeks):

  • Integrate OpenFGA as a policy store within OPAL.
  • Implement Git-based auto-sync for OpenFGA policies.
  • Enable external data fetching and provide Docker Compose setup for single/multiple clients.

Testing, Documentation & Demo (1 week):

  • Write unit tests with 100% coverage.
  • Build integration tests with example ReBAC policies and mock data.
  • Write documentation for configuring OpenFGA in OPAL and Docker Compose examples.

I hope this is acceptable to you. Please let me know if you would like any changes.

benya7 avatar Sep 20 '24 17:09 benya7

Sounds good to me! Looking forward to updates.

gemanor avatar Sep 21 '24 19:09 gemanor

Hey @benya7 I'll be happy if you can share your progress points here so we can track it :)

gemanor avatar Sep 25 '24 12:09 gemanor

@gemanor It's been a week without any visible activity from @benya7. I'd like to take over this issue. I have strong experience with Docker and have worked with Kubernetes policies, particularly with Kyverno. Additionally, I have a solid Python background and I feel confident in integrating OpenFGA into OPAL as a new policy store.

I've already reviewed the existing OPA and Cedar policy store implementations and now have a clear understanding of how to proceed with adding OpenFGA.

varshith257 avatar Sep 27 '24 15:09 varshith257

Since we haven't seen any progress from @benya7 for the last four days, we are reassigning it to @daveads, who initially asked to take this issue.

@daveads, please share your plan for this ticket, including timeframes.

@varshith257 @onyedikachi-david, we will open similar tickets soon. Keep watching.

gemanor avatar Sep 29 '24 08:09 gemanor

@gemanor Yea sure... already experimenting with OpenFGA...

will share my plan for this ticket here by Monday and constantly update you with my progress via Slack.

daveads avatar Sep 29 '24 09:09 daveads

Thanks @daveads, better to update here on the progress, to keep it open and collaborative.

gemanor avatar Sep 29 '24 09:09 gemanor

> Thanks @daveads, better to update here on the progress, to keep it open and collaborative.

okayy

daveads avatar Sep 29 '24 09:09 daveads

Hey @daveads I would like to collaborate with you in this collaboration

thekumbhaj avatar Oct 12 '24 11:10 thekumbhaj

#attempt #661

thekumbhaj avatar Oct 12 '24 11:10 thekumbhaj

> Hey @daveads I would like to collaborate with you in this collaboration

@thekumbhaj Am almost done.

daveads avatar Oct 12 '24 15:10 daveads

@daveads let me know when it's done....

thekumbhaj avatar Oct 12 '24 16:10 thekumbhaj

Hey @gemanor, can I work on this issue? /attempt #661

debaa98 avatar Oct 15 '24 11:10 debaa98

💡 @daveads submitted a pull request that claims the bounty. You can visit your bounty board to reward.

algora-pbc[bot] avatar Oct 24 '24 14:10 algora-pbc[bot]

Can I work on this issue? /attempt #661

zhanxini avatar Dec 01 '24 07:12 zhanxini

🎉🎈 @daveads has been awarded $1,500! 🎈🎊

algora-pbc[bot] avatar Dec 25 '24 13:12 algora-pbc[bot]