OpenFGA Incubation Application

v1.5

Project Repo(s): https://github.com/openfga Project Site: https://openfga.dev/ Communication: https://cloud-native.slack.com/archives/C06G1NNH47N

Project points of contacts:

Andres Aguiar, [email protected]
Tyler Nix, [email protected]

Incubation Criteria Summary for OpenFGA

Adoption Assertion

The project has been adopted by the following organizations in a testing and integration or production capacity:

A list of OpenFGA adopters can be found at openfga/community/ADOPTERS.md, plus many more that haven’t been disclosed.

Application Process Principles

Suggested

N/A

Required

[x] Give a presentation and engage with the domain specific TAG(s) to increase awareness
- This was completed and occurred on 2022-06-01 (link to meeting recording).
[x] TAG provides insight/recommendation of the project in the context of the landscape
TAG Security Meeting and Review
[x] All project metadata and resources are vendor-neutral.
Communication - OpenFGA manages our own communications channels like websites, blogs, social media accounts, and Slack.
Hosting - OpenFGA holds community meetings, events, resources, and infrastructure on vender-neutral, 3rd-party resources.
Architectural decisions - Decisions on OpenFGA's roadmap and direction are facilitated by the opportunity for contributors and adopters to receive consensus on their features, PRs, etc. that promotes shared benefits for all contributing organizations.
Governance - OpenFGA is self-governing, which follows the CNFC Code of Conduct, a documented governance model, and clearly defined roles and responsibilities for project leadership.
[x] Review and acknowledgment of expectations for Sandbox projects and requirements for moving forward through the CNCF Maturity levels.
Met during OpenFGA's application on 2024-03-15.
[x] Due Diligence Review.

Completion of this due diligence document, resolution of concerns raised, and presented for public comment satisfies the Due Diligence Review criteria.

[x] Additional documentation as appropriate for project type, e.g.: installation documentation, end user documentation, reference implementation and/or code samples.
Running OpenFGA in production
OpenFGA CLI
Repo containing some OpenFGA sample stores

Governance and Maintainers

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

[x] Clear and discoverable project governance documentation.
GOVERNANCE.md
[ ] Governance has continuously been iterated upon by the project as a result of their experience applying it, with the governance history demonstrating evolution of maturity alongside the project's maturity evolution.
[ ] Governance is up to date with actual project activities, including any meetings, elections, leadership, or approval processes.
[ ] Governance clearly documents vendor-neutrality of project direction.
[ ] Document how the project makes decisions on leadership, contribution acceptance, requests to the CNCF, and changes to governance or project goals.
[ ] Document how role, function-based members, or sub-teams are assigned, onboarded, and removed for specific teams (example: Security Response Committee).
[ ] Document a complete maintainer lifecycle process (including roles, onboarding, offboarding, and emeritus status).
[ ] Demonstrate usage of the maintainer lifecycle with outcomes, either through the addition or replacement of maintainers as project events have required.

Required

[x] Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.
OpenFGA has 22 active maintainers.
[x] A number of active maintainers which is appropriate to the size and scope of the project.
[x] Code and Doc ownership in Github and elsewhere matches documented governance roles.
[x] Document agreement that project will adopt CNCF Code of Conduct.
[x] CNCF Code of Conduct is cross-linked from other governance documents.
https://github.com/openfga/.github/blob/main/CODE_OF_CONDUCT.md

Contributors and Community

Note: this section may be augmented by the completion of a Governance Review from TAG Contributor Strategy.

Suggested

[x] Contributor ladder with multiple roles for contributors.
https://github.com/openfga/.github/blob/main/GOVERNANCE.md#roles-and-responsibilities

Required

[x] Clearly defined and discoverable process to submit issues or changes.
https://github.com/openfga/openfga/blob/main/CONTRIBUTING.md
[x] Project must have, and document, at least one public communications channel for users and/or contributors.
https://openfga.dev/blog
[x] List and document all project communication channels, including subprojects (mail list/slack/etc.). List any non-public communications channels and what their special purpose is.
https://openfga.dev/docs/community
[x] Up-to-date public meeting schedulers and/or integration with CNCF calendar.
https://openfga.dev/docs/community#monthly-community-meetings
[x] Documentation of how to contribute, with increasing detail as the project matures.
https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
[x] Demonstrate contributor activity and recruitment.
OpenFGA had 109 committers in the last 12 months

Engineering Principles

Suggested

[x] Roadmap change process is documented.
OpenFGA follows an RFC (Request for Comments) process for substantial changes to the project or roadmap
[x] History of regular, quality releases.

Detailed statistics can be found in the following openfga.devstats.cncf.io links:

Contribution activity: 1450 average contributions per month
Issues open/closed: average 46.5 issues opened and 28 issues closed per month
PRs open/closed since sandbox: average 159 PRs opened and 144 PRs closed per month
Open PR Age: 5 hours 1 min median 7 day moving average

Required

[x] Document project goals and objectives that illustrate the project’s differentiation in the Cloud Native landscape as well as outlines how this project fulfills an outstanding need and/or solves a problem differently.

As the world continues to move to a more digital, collaborative ecosystem of applications with ever-increasing objects, developers are scrambling to keep up and evolve their authorization systems to be more relationship-focused. But authorization is difficult to get right. OWASP's Top 10 security risks include 3 on Authorization, with the top vulnerability being Broken Object Level Authorization.

Just like Open Policy Agent for cloud infrastructure, application developers want a cloud-native option to add fine grained access control to their application logic without recreating a new solution every time they need to protect a new object type. Centralizing authorization enables application developers to build against a single predictable pattern regardless of their authorization needs. This approach to authorization will continue to serve them regardless of scale or pivoting through a digital transformation journey.

A list of CNCF projects that target solving access control in different ways can be found at openfga/community/related-projects.md.

[x] Document what the project does, and why it does it - including viable cloud native use cases.

OpenFGA is a high-performance and flexible authorization solution that allows developers to build fine-grained access control using an easy-to-read modeling language and friendly APIs.

Inspired by Google Zanzibar, OpenFGA is a centralized authorization engine that evaluates decisions by determining whether a relationship exists between an object and a user. Each check request references the authorization model against the known object relationships and returns an authorization decision (i.e. true or false).

Model any authorization system - OpenFGA is inspired by the Google Zanzibar paper for Relationship-Based Access Control, and also solves problems for Role-based Access Control and some Attribute-Based Access Control use cases. The modeling language is powerful enough for engineers to create complex relationships but friendly enough for other stakeholders on the team to read and understand.
Blazing fast - OpenFGA is designed to answer authorization check calls in milliseconds across billions of relationships, which lets it scale with projects of any size. It works just as well for small startups building single applications as it does for enterprise companies building platforms on a global scale.
Works with existing code - SDKs for several of the most popular languages have already been written, making it easy to integrate and grow alongside your applications.
[x] Document and maintain a public roadmap or other forward looking planning document or tracking mechanism.
OpenFGA Roadmap
[x] Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.
Product Architecture
[x] Document the project's release process.
OpenFGA Release Process

Security

Note: this section may be augmented by a joint-assessment performed by TAG Security.

Suggested

N/A

Required

[x] Clearly defined and discoverable process to report security issues.
OpenFGA vulnerability management is described in the official project security policy.
[x] Enforcing Access Control Rules to secure the code base against attacks (Example: two factor authentication enforcement, and/or use of ACL tools.)
All the members of the OpenFGA organization must have two factor authentication enabled.
[x] Document assignment of security response roles and how reports are handled.
https://github.com/openfga/.github/blob/main/GOVERNANCE.md
https://github.com/openfga/community/security/policy
[x] Document Security Self-Assessment.
https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/joint-assessment.md
https://github.com/cncf/tag-security/blob/main/community/assessments/projects/openfga/self-assessment.md
[x] Achieve the Open Source Security Foundation (OpenSSF) Best Practices passing badge.
OpenSSF Best Practices Badge

Ecosystem

Suggested

N/A

Required

[x] Publicly documented list of adopters, which may indicate their adoption level (dev/trialing, prod, etc.)
A list of OpenFGA adopters can be found at openfga/community/ADOPTERS.md, plus many more that haven’t been disclosed.
[x] Used in appropriate capacity by at least 3 independent + indirect/direct adopters, (these are not required to be in the publicly documented list of adopters)

Three production examples to highlight:

Canonical They are embedding OpenFGA into several different layers of their Ubuntu Pro stack.

LXD - a container and virtual machine manager
MicroCloud - a deployment center for computing clusters with shared distributed data storage and a secure virtual network
JAAS - a managed Juju orchestration engine as a service

Stacklok Stacklok recently revamped their authorization model and engine in Minder, an open source software supply chain security platform. They switched from a database-backed authorization implementation using Open Policy Agent to a multi-tenant, relationship-based authorization model using OpenFGA.
Configu Configu is an open source software for streamlining, testing, and automating application configurations across environments. They specifically picked OpenFGA because it was a CNCF backed third-party authorization system that allows them to build upon battle-tested authorization standards saving them valuable implementation time not recreating the wheel for a problem that has already been solved for developers.
Docker Docker is using it for handling authorization for Docker Hub.

[x] TOC verification of adopters.

The project provided the TOC with a list of adopters for verification of use of the project at the level expected, i.e. production use for graduation, dev/test for incubation.

Refer to the Adoption portion of this document.

[x] Clearly documented integrations and/or compatibility with other CNCF projects as well as non-CNCF projects.
OpenTelemetry
Kubernetes / Helm
Grafana
Prometheus
ArtifactHUB

Additional Information

Apr 02 '24 22:04 tylernix

OpenFGA Presented to TAG Security on August 14th, and a recommendation consensus was formed at that time:

No security concerns were raised by the STAG during the presentation. The project's security hygiene appears to meet or exceed the requirements of an Incubating project.

https://github.com/cncf/tag-security/issues/1339

Aug 23 '24 17:08 eddie-knight

In preparation for OpenFGA to be picked up by a TOC member, please:

complete the application checklist, cleanup TODOs and make sure all the required items answered.
review the definition of an adopter
verify 5-7 project adopters that can and are willing to be interviewed by the TOC reviewer(s) and submit information for each adopter to the Adopter Interview Questionnaire form

Dec 25 '24 07:12 kevin-wangzefeng

@tylernix please ensure the project has included affiliation in the MAINTAINERS file:

Document complete list of current maintainers, including names, contact information, domain of responsibility, and affiliation.

OpenFGA has 23 active maintainers.

Also, this required item has still not been completed:

Document overview of project architecture and software design that demonstrates viable cloud native use cases, as part of the project's documentation.

TODO

Feb 07 '25 22:02 angellk

@angellk

Is this format correct https://github.com/open-policy-agent/opa/blob/main/MAINTAINERS.md?

We are close to merge the architecture diagram https://github.com/openfga/openfga/pull/2266

Feb 07 '25 22:02 aaguiarz

thanks @aaguiarz - yes to the first and fantastic to the second. Once it is merged, please adjust on the issue.

Feb 07 '25 23:02 angellk

@angellk

We updated the maintainer list https://github.com/openfga/community/blob/main/MAINTAINERS.md and merged the architecture diagram.

@tylernix will update the ticket soon

Feb 12 '25 22:02 aaguiarz

@angellk it's updated! Are we ready??? :)

@kevin-wangzefeng we submitted 7 adopters, please let me know if that's OK.

Feb 12 '25 23:02 aaguiarz

Confirmed adopters have been added - moving OpenFGA project to 'Ready for assignment'. As a TOC member is available, they will self-assign and reach out for next steps @aaguiarz @tylernix

Feb 19 '25 00:02 angellk

HI @aaguiarz and @tylernix -- I will be taking on the Due Diligence for OpenFGA. I will set up a slack channel for us as we go through the Due Diligence process as well as reach out early this week to set up a Kick-Off meeting.

Jun 01 '25 22:06 angellk

Update: Meeting with the project maintainers Friday, June 6 for a Due Diligence Kick-off call.

Jun 05 '25 07:06 angellk

Update: Kickoff meeting was moved to July 18 to allow for maintainers from multiple Orgs to join.

Jun 26 '25 12:06 angellk

Update:

Meeting with the project team August 8
Using the OpenFGA project as an example in the Project Reviews Subproject for a tech review.
- Thank you to the project for being so flexible and easy to work with!
- A tech review is non-blocking for Incubation, however, it helps inform the technical due diligence and surface any additional recommendations

Aug 07 '25 16:08 angellk

Update: Reaching out to potential adopters for interviews

Sep 03 '25 11:09 kfaseela

Status 9/8/2025: Two adopter interviews scheduled for this week!

Sep 08 '25 09:09 kfaseela

Status 9/15/2025: Two interviews are completed, and the reports are sent for final approval from the adopters. Two more adopter interviews scheduled for this week.

Sep 15 '25 13:09 kfaseela

Status 9/22/2025 : All adopter interviews are completed. The final reports are sent for approval from the adopters, some of them are already approved and good to go. Waiting for the two pending ones.

Sep 22 '25 07:09 kfaseela

Status 10/6/2025 : All adopter interviews are approved, and the DD is being worked on to include all the details and some final inputs from the project maintainers and initial reviewers.

Oct 06 '25 13:10 kfaseela

/dd in-comment-period

Oct 09 '25 13:10 angellk

Status update 10/10/2025: The DD report has been sent to TOC members for TOC internal review, period open until end-of-day Oct. 16th.

Oct 10 '25 10:10 kfaseela

We'll go ahead and move this to public comment today 👍

Oct 14 '25 15:10 mrbobbytables

Status: Public Comment for OpenFGA's Incubation application is open until 27 October 2025. Refer https://lists.cncf.io/g/cncf-toc/message/8796 for more details

Oct 14 '25 22:10 kfaseela

lets go! +1

Oct 14 '25 22:10 rajibmitra

Awesome to see this happening, kudos to the OpenFGA community!

Oct 15 '25 13:10 caniszczyk

/vote

Oct 28 '25 11:10 angellk

Vote created

@angellk has called for a vote on [Incubation] OpenFGA Incubation Application (#1287).

The members of the following teams have binding votes:

Team
@cncf/cncf-toc-voters

Non-binding votes are also appreciated as a sign of support!

How to vote

You can cast your vote by reacting to this comment. The following reactions are supported:

In favor	Against	Abstain
👍	👎	👀

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 5months 29days 19h 12m. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.

Oct 28 '25 11:10 git-vote[bot]

/check-vote

Oct 28 '25 20:10 angellk

Vote status

So far 72.73% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).

Summary

In favor	Against	Abstain	Not voted
8	0	0	3

Binding votes (8)

User	Vote	Timestamp
TheFoxAtWork	In favor	2025-10-28 15:22:40.0 +00:00:00
angellk	In favor	2025-10-28 11:45:31.0 +00:00:00
chira001	In favor	2025-10-28 13:04:14.0 +00:00:00
jeremyrickard	In favor	2025-10-28 14:46:30.0 +00:00:00
kevin-wangzefeng	In favor	2025-10-28 14:46:45.0 +00:00:00
kfaseela	In favor	2025-10-28 12:49:51.0 +00:00:00
kgamanji	In favor	2025-10-28 15:07:56.0 +00:00:00
linsun	In favor	2025-10-28 15:05:06.0 +00:00:00
@dims	Pending
@rochaporto	Pending
@chadbeaudin	Pending

Non-binding votes (10)

User	Vote	Timestamp
jpadilla	In favor	2025-10-28 17:27:43.0 +00:00:00
poovamraj	In favor	2025-10-28 17:28:12.0 +00:00:00
yissellokta	In favor	2025-10-28 17:28:26.0 +00:00:00
rhamzeh	In favor	2025-10-28 17:29:49.0 +00:00:00
tdigby	In favor	2025-10-28 17:38:09.0 +00:00:00
SoulPancake	In favor	2025-10-28 17:40:00.0 +00:00:00
Harrisonbro	In favor	2025-10-28 17:41:25.0 +00:00:00
aaguiarz	In favor	2025-10-28 17:47:47.0 +00:00:00
Sambego	In favor	2025-10-28 18:22:22.0 +00:00:00
tylernix	In favor	2025-10-28 18:25:41.0 +00:00:00

Oct 28 '25 20:10 git-vote[bot]

Congratulations to @tylernix, the OpenFGA maintainers and OpenFGA community! Moving to press coordination. cc: @krook @kfaseela @raravena80

Oct 28 '25 20:10 angellk

Vote closed

The vote passed! 🎉

81.82% of the users with binding vote were in favor and 0.00% were against (passing threshold: 66%).

Summary

In favor	Against	Abstain	Not voted
9	0	0	2

Binding votes (9)

User	Vote	Timestamp
@TheFoxAtWork	In favor	2025-10-28 15:22:40.0 +00:00:00
@angellk	In favor	2025-10-28 11:45:31.0 +00:00:00
@chira001	In favor	2025-10-28 13:04:14.0 +00:00:00
@dims	In favor	2025-10-28 20:54:07.0 +00:00:00
@jeremyrickard	In favor	2025-10-28 14:46:30.0 +00:00:00
@kevin-wangzefeng	In favor	2025-10-28 14:46:45.0 +00:00:00
@kfaseela	In favor	2025-10-28 12:49:51.0 +00:00:00
@kgamanji	In favor	2025-10-28 15:07:56.0 +00:00:00
@linsun	In favor	2025-10-28 15:05:06.0 +00:00:00

Non-binding votes (11)

User	Vote	Timestamp
@jpadilla	In favor	2025-10-28 17:27:43.0 +00:00:00
@poovamraj	In favor	2025-10-28 17:28:12.0 +00:00:00
@yissellokta	In favor	2025-10-28 17:28:26.0 +00:00:00
@rhamzeh	In favor	2025-10-28 17:29:49.0 +00:00:00
@tdigby	In favor	2025-10-28 17:38:09.0 +00:00:00
@SoulPancake	In favor	2025-10-28 17:40:00.0 +00:00:00
@Harrisonbro	In favor	2025-10-28 17:41:25.0 +00:00:00
@aaguiarz	In favor	2025-10-28 17:47:47.0 +00:00:00
@Sambego	In favor	2025-10-28 18:22:22.0 +00:00:00
@tylernix	In favor	2025-10-28 18:25:41.0 +00:00:00
@dyeam0	In favor	2025-10-28 21:12:59.0 +00:00:00

Oct 29 '25 06:10 git-vote[bot]

On-boarding completed

Nov 04 '25 21:11 riaankleinhans