diff --git a/.github/workflows/openfga-app-test.yml b/.github/workflows/openfga-app-test.yml
new file mode 100644
index 000000000..dcab9eb2b
--- /dev/null
+++ b/.github/workflows/openfga-app-test.yml
@@ -0,0 +1,37 @@
+name: OpenFGA Tests
+
+on:
+ push:
+ branches: [ test ]
+ pull_request:
+ branches: [ test ]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pytest pytest-asyncio aiohttp docker
+
+ - name: Start services
+ run: |
+ ./app-tests/run-openfga-services.sh
+
+ - name: Run tests
+ run: |
+ pytest app-tests/openfga-test.py -v
+
+ - name: Cleanup
+ if: always() # Run cleanup even if tests fail
+ run: |
+ ./app-tests/clean-openfga-services.sh
diff --git a/Makefile b/Makefile
index 6755b4d5f..505396ca6 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ OPAL_SERVER_URL ?= http://host.docker.internal:7002
OPAL_AUTH_PRIVATE_KEY ?= /root/ssh/opal_rsa
OPAL_AUTH_PUBLIC_KEY ?= /root/ssh/opal_rsa.pub
OPAL_POLICY_STORE_URL ?= http://host.docker.internal:8181
+OPENFGA_STORE_ID ?= 01JAT34GM6T5WRVMXXDYWGSYKN #change id
# python packages (pypi)
clean:
@@ -64,6 +65,8 @@ docker-build-next:
@docker build -t permitio/opal-client-standalone:next --target client-standalone -f docker/Dockerfile .
@docker build -t permitio/opal-client:next --target client -f docker/Dockerfile .
@docker build -t permitio/opal-server:next --target server -f docker/Dockerfile .
+ @docker build -t permitio/opal-client-openfga:next --target client-openfga -f docker/Dockerfile .
+
docker-run-server:
@if [[ -z "$(OPAL_POLICY_REPO_SSH_KEY)" ]]; then \
@@ -87,3 +90,22 @@ docker-run-server-secure:
-e "OPAL_POLICY_REPO_URL=$(OPAL_POLICY_REPO_URL)" \
-p 7002:7002 \
permitio/opal-server
+
+
+# OpenFGA related
+docker-build-client-openfga:
+ @docker build -t permitio/opal-client-openfga --target client-openfga -f docker/Dockerfile .
+
+docker-run-client-openfga: create-openfga-volume
+ @docker run -it \
+ -e "OPAL_SERVER_URL=$(OPAL_SERVER_URL)" \
+ -e "OPAL_POLICY_STORE_TYPE=OPENFGA" \
+ -e "OPAL_POLICY_STORE_URL=http://0.0.0.0:8080" \
+ -e "OPAL_OPENFGA_STORE_ID=$(OPENFGA_STORE_ID)" \
+ -e "OPAL_INLINE_OPENFGA_ENABLED=true" \
+ -e "OPAL_LOG_FORMAT_INCLUDE_PID=true" \
+ -v openfga_backup:/opal/backup:rw \
+ -p 7766:7000 \
+ -p 8080:8080 \
+ -p 3000:3000 \
+ permitio/opal-client-openfga
diff --git a/README.md b/README.md
index f65032177..3ade9e952 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ Open Policy Administration Layer
## What is OPAL?
-OPAL is an administration layer for Policy Engines such as Open Policy Agent (OPA), and AWS' Cedar Agent detecting changes to both policy and policy data in realtime and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications.
+OPAL is an administration layer for Policy Engines such as Open Policy Agent (OPA), AWS' Cedar Agent and OpenFGA detecting changes to both policy and policy data in realtime and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications.
As your app's data state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need).
@@ -68,6 +68,11 @@ This is where [Cedar-Agent](https://github.com/permitio/cedar-agent) and OPAL co
This [video](https://youtu.be/tG8jrdcc7Zo) briefly explains OPAL and how it works with OPA, and a deeper dive into it at [this OWASP DevSlop talk](https://www.youtube.com/watch?v=1_Iz0tRQCH4).
+
+### OpenFGA + OPAL == 🔑
+
+OpenFGA provides a high-performance implementation of Google's Zanzibar authorization model, and OPAL makes it easy to keep your OpenFGA instances up-to-date in real-time. Whether you're managing complex relationship-based permissions or implementing fine-grained access control, OPAL ensures your OpenFGA agents stay synchronized with your application's state changes.
+
## Who's Using OPAL?
OPAL is being used as the core engine of Permit.io Authorization Service and serves in production:
* \> 10,000 policy engines deployment
diff --git a/app-tests/clean-openfga-services.sh b/app-tests/clean-openfga-services.sh
new file mode 100755
index 000000000..a901849ee
--- /dev/null
+++ b/app-tests/clean-openfga-services.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Stop and remove containers, networks, volumes
+echo "Cleaning up services..."
+docker compose -f docker-compose-app-tests-openfga.yml down -v
+
+echo "Cleanup complete"
diff --git a/app-tests/docker-compose-app-tests-openfga.yml b/app-tests/docker-compose-app-tests-openfga.yml
new file mode 100644
index 000000000..e57217c9c
--- /dev/null
+++ b/app-tests/docker-compose-app-tests-openfga.yml
@@ -0,0 +1,56 @@
+version: '3'
+services:
+ broadcast_channel:
+ image: postgres:alpine
+ environment:
+ - POSTGRES_DB=postgres
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
+ networks:
+ - opal-network
+
+ opal_server:
+ image: permitio/opal-server:latest
+ environment:
+ - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
+ - UVICORN_NUM_WORKERS=4
+ - OPAL_POLICY_REPO_URL=https://github.com/daveads/opal-example-policy-openfga
+ - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+ - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
+ - OPAL_LOG_FORMAT_INCLUDE_PID=true
+ ports:
+ - "7002:7002"
+ depends_on:
+ - broadcast_channel
+ networks:
+ - opal-network
+
+ opal_client_openfga:
+ image: permitio/opal-client-openfga:latest
+ environment:
+ - OPAL_SERVER_URL=http://opal_server:7002
+ - OPAL_LOG_FORMAT_INCLUDE_PID=true
+ - OPAL_POLICY_STORE_TYPE=OPENFGA
+ - OPAL_POLICY_STORE_URL=http://0.0.0.0:8080
+ - OPAL_OPENFGA_STORE_ID=01JAT34GM6T5WRVMXXDYWGSYKN
+ - OPAL_INLINE_OPENFGA_ENABLED=true
+ #- OPAL_LOG_LEVEL=DEBUG
+
+ ports:
+ - "7766:7000"
+ - "8080:8080"
+ - "3000:3000"
+ networks:
+ - opal-network
+ depends_on:
+ - opal_server
+ command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=40 -- ./start.sh"
+ volumes:
+ - openfga_backup:/opal/backup:rw
+
+networks:
+ opal-network:
+ driver: bridge
+
+volumes:
+ openfga_backup:
diff --git a/app-tests/openfga-test.py b/app-tests/openfga-test.py
new file mode 100644
index 000000000..1d380f664
--- /dev/null
+++ b/app-tests/openfga-test.py
@@ -0,0 +1,239 @@
+import json
+from typing import Any, Dict, List, Tuple
+
+import aiohttp
+import pytest
+
+# Constants
+FGA_URL = "http://localhost:8080"
+STORE_ID = "01JAT34GM6T5WRVMXXDYWGSYKN"
+
+# Test cases
+TEST_CASES = [
+ # Format: (user, relation, obj, expected_result, description)
+ # Positive cases
+ ("user:anne", "owner", "document:budget", True, "Anne owns budget document"),
+ ("user:beth", "viewer", "document:budget", True, "Beth can view budget document"),
+ ("user:charles", "owner", "project:alpha", True, "Charles owns project alpha"),
+ ("user:david", "editor", "project:alpha", True, "David can edit project alpha"),
+ (
+ "user:emily",
+ "viewer",
+ "document:requirements",
+ True,
+ "Emily can view requirements",
+ ),
+ (
+ "user:emily",
+ "owner",
+ "document:requirements",
+ True,
+ "Emily owns requirements document",
+ ),
+ ("user:frank", "owner", "task:write-report", True, "Frank owns write-report task"),
+ (
+ "user:george",
+ "assignee",
+ "task:write-report",
+ True,
+ "George is assigned to write-report",
+ ),
+ ("user:harry", "member", "team:devops", True, "Harry is member of devops team"),
+ # Negative cases
+ (
+ "user:beth",
+ "owner",
+ "document:budget",
+ False,
+ "Beth should not own budget document",
+ ),
+ (
+ "user:george",
+ "owner",
+ "task:write-report",
+ False,
+ "George should not own write-report task",
+ ),
+ (
+ "user:david",
+ "owner",
+ "project:alpha",
+ False,
+ "David should not own project alpha",
+ ),
+ (
+ "user:frank",
+ "member",
+ "team:devops",
+ False,
+ "Frank should not be member of devops team",
+ ),
+ (
+ "user:anne",
+ "editor",
+ "project:alpha",
+ False,
+ "Anne should not edit project alpha",
+ ),
+]
+
+# Expected relationships for verification
+EXPECTED_RELATIONS = [
+ ("user:anne", "owner", "document:budget"),
+ ("user:beth", "viewer", "document:budget"),
+ ("user:emily", "owner", "document:requirements"),
+ ("user:david", "editor", "project:alpha"),
+ ("user:harry", "member", "team:devops"),
+]
+
+# Expected types in authorization model
+EXPECTED_TYPES = {"user", "document", "project", "task", "team"}
+
+
+@pytest.fixture
+async def http_client() -> aiohttp.ClientSession:
+ """Provides an aiohttp client session."""
+ async with aiohttp.ClientSession() as client:
+ yield client
+
+
+class OpenFGAClient:
+ """Helper class for OpenFGA API interactions."""
+
+ def __init__(self, client: aiohttp.ClientSession):
+ self.client = client
+
+ async def check_permission(
+ self, user: str, relation: str, obj: str
+ ) -> Dict[str, Any]:
+ """Check a user's permission."""
+ url = f"{FGA_URL}/stores/{STORE_ID}/check"
+ payload = {"tuple_key": {"user": user, "relation": relation, "object": obj}}
+
+ async with self.client.post(
+ url, json=payload, headers={"Content-Type": "application/json"}
+ ) as response:
+ response.raise_for_status()
+ result = await response.json()
+ print(f"\nChecking permission for: {user} {relation} {obj}")
+ print(f"Response: {json.dumps(result, indent=2)}")
+ return result
+
+ async def get_relationships(self) -> Dict[str, Any]:
+ """Get all relationship tuples."""
+ url = f"{FGA_URL}/stores/{STORE_ID}/read"
+ async with self.client.post(
+ url, json={}, headers={"Content-Type": "application/json"}
+ ) as response:
+ response.raise_for_status()
+ return await response.json()
+
+ async def get_authorization_model(self) -> Dict[str, Any]:
+ """Get the current authorization model."""
+ url = f"{FGA_URL}/stores/{STORE_ID}/authorization-models"
+ async with self.client.get(
+ url, headers={"Content-Type": "application/json"}
+ ) as response:
+ response.raise_for_status()
+ return await response.json()
+
+
+@pytest.mark.asyncio
+class TestOpenFGAPermissions:
+ """Test suite for OpenFGA permissions."""
+
+ @pytest.fixture
+ async def fga_client(self, http_client: aiohttp.ClientSession) -> OpenFGAClient:
+ return OpenFGAClient(http_client)
+
+ @pytest.mark.parametrize(
+ "user, relation, obj, expected_result, description", TEST_CASES
+ )
+ async def test_permissions(
+ self,
+ fga_client: OpenFGAClient,
+ user: str,
+ relation: str,
+ obj: str,
+ expected_result: bool,
+ description: str,
+ ):
+ """Test permission checks."""
+ result = await fga_client.check_permission(user, relation, obj)
+ assert result.get("allowed") == expected_result, (
+ f"Test failed: {description}\n"
+ f"User: {user}, Relation: {relation}, Object: {obj}\n"
+ f"Expected: {expected_result}, Got: {result.get('allowed')}"
+ )
+
+ async def test_list_relationships(self, fga_client: OpenFGAClient):
+ """Test relationship retrieval and verification."""
+ result = await fga_client.get_relationships()
+ print("\nAll relationships:")
+ print(json.dumps(result, indent=2))
+
+ assert "tuples" in result, "No tuples field in response"
+ tuples = result["tuples"]
+ assert tuples, "No relationships found"
+
+ # Verify expected relationships
+ for user, relation, obj in EXPECTED_RELATIONS:
+ assert any(
+ t["key"]["user"] == user
+ and t["key"]["relation"] == relation
+ and t["key"]["object"] == obj
+ for t in tuples
+ ), f"Expected relationship not found: {user} {relation} {obj}"
+
+ async def test_relationship_inheritance(self, fga_client: OpenFGAClient):
+ """Test relationship inheritance rules."""
+ # Test owner privileges
+ owner_tests = [
+ ("user:anne", "document:budget"),
+ ("user:emily", "document:requirements"),
+ ("user:charles", "project:alpha"),
+ ]
+
+ for user, obj in owner_tests:
+ owner_result = await fga_client.check_permission(user, "owner", obj)
+ viewer_result = await fga_client.check_permission(user, "viewer", obj)
+ assert owner_result.get(
+ "allowed"
+ ), f"{user} should have owner access to {obj}"
+ assert viewer_result.get(
+ "allowed"
+ ), f"Owner {user} should have viewer access to {obj}"
+
+ # Test editor privileges
+ editor_result = await fga_client.check_permission(
+ "user:david", "editor", "project:alpha"
+ )
+ viewer_result = await fga_client.check_permission(
+ "user:david", "viewer", "project:alpha"
+ )
+ assert editor_result.get("allowed"), "Editor should have editor access"
+ assert viewer_result.get("allowed"), "Editor should have viewer access"
+
+ async def test_authorization_model(self, fga_client: OpenFGAClient):
+ """Test authorization model validation."""
+ result = await fga_client.get_authorization_model()
+ print("\nAuthorization model:")
+ print(json.dumps(result, indent=2))
+
+ assert "authorization_models" in result, "No authorization models found"
+ models = result["authorization_models"]
+ assert models, "No authorization model configured"
+
+ # Verify latest model types
+ latest_model = models[-1]
+ type_definitions = latest_model.get("type_definitions", [])
+ actual_types = {td["type"] for td in type_definitions}
+ assert EXPECTED_TYPES.issubset(actual_types), (
+ f"Authorization model missing expected types.\n"
+ f"Expected: {EXPECTED_TYPES}\n"
+ f"Found: {actual_types}"
+ )
+
+
+if __name__ == "__main__":
+ pytest.main([__file__, "-v", "--asyncio-mode=auto"])
diff --git a/app-tests/pytest.ini b/app-tests/pytest.ini
new file mode 100644
index 000000000..c8c9c7579
--- /dev/null
+++ b/app-tests/pytest.ini
@@ -0,0 +1,3 @@
+[pytest]
+asyncio_mode = auto
+asyncio_default_fixture_loop_scope = function
diff --git a/app-tests/run-openfga-services.sh b/app-tests/run-openfga-services.sh
new file mode 100755
index 000000000..f1e6bc9f2
--- /dev/null
+++ b/app-tests/run-openfga-services.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Start the services in detached mode
+echo "Starting OpenFGA and OPAL services..."
+docker compose -f docker-compose-app-tests-openfga.yml up -d
+
+# Wait for services to initialize (adjust time if needed)
+echo "Waiting for services to initialize..."
+sleep 15
+
+echo "Services started in detached mode"
diff --git a/docker/Dockerfile b/docker/Dockerfile
index a14953117..a89e70462 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -142,6 +142,49 @@ ENV OPAL_POLICY_STORE_URL=http://localhost:8180
EXPOSE 8180
USER opal
+
+# OPENFGA CLIENT IMAGE --------------------------------
+# Using standalone image as base --------------------
+# ---------------------------------------------------
+ FROM client-standalone AS client-openfga
+
+ # Temporarily move back to root for additional setup
+ USER root
+
+ # Install wget, supervisor and OpenFGA, then cleanup
+ RUN apt-get update && \
+ apt-get install -y wget supervisor && \
+ wget https://github.com/openfga/openfga/releases/download/v1.6.2/openfga_1.6.2_linux_amd64.tar.gz && \
+ tar xzf openfga_1.6.2_linux_amd64.tar.gz && \
+ mv openfga /usr/local/bin/ && \
+ chmod +x /usr/local/bin/openfga && \
+ rm openfga_1.6.2_linux_amd64.tar.gz && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+ # Add supervisord configuration
+ COPY ./scripts/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+ # Enable inline OpenFGA
+ ENV OPAL_POLICY_STORE_TYPE=OPENFGA
+ ENV OPAL_INLINE_OPENFGA_ENABLED=true
+ ENV OPAL_INLINE_OPENFGA_CONFIG='{"addr": "0.0.0.0:8080"}'
+ ENV OPAL_INLINE_OPENFGA_EXEC_PATH=/usr/local/bin/openfga
+ ENV OPAL_POLICY_STORE_URL=http://localhost:8080
+
+ # Create necessary directories with proper permissions
+ RUN mkdir -p /var/log/supervisor /var/run/supervisor && \
+ chown -R opal:opal /var/log/supervisor /var/run/supervisor /etc/supervisor/conf.d
+
+ # Expose OpenFGA ports
+ EXPOSE 8080 3000
+
+ USER opal
+
+ # Override CMD to use supervisord
+ CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+
+
# SERVER IMAGE --------------------------------------
# ---------------------------------------------------
FROM common AS server
diff --git a/docker/docker-compose-example-openfga.yml b/docker/docker-compose-example-openfga.yml
new file mode 100644
index 000000000..7e298f2fe
--- /dev/null
+++ b/docker/docker-compose-example-openfga.yml
@@ -0,0 +1,78 @@
+name: opal-openfga-example
+
+services:
+ # When scaling the opal-server to multiple nodes and/or multiple workers, we use
+ # a *broadcast* channel to sync between all the instances of opal-server.
+ # Under the hood, this channel is implemented by encode/broadcaster.
+ # At the moment, the broadcast channel can be either: postgresdb, redis or kafka.
+ broadcast_channel:
+ image: postgres:alpine
+ environment:
+ - POSTGRES_DB=postgres
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
+ networks:
+ - opal-network
+
+ # OPAL server configuration
+ # Handles policy updates and coordinates with the broadcast channel
+ opal_server:
+ image: permitio/opal-server:latest
+ environment:
+ # the broadcast backbone uri used by opal server workers
+ - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
+ # number of uvicorn workers to run inside the opal-server container
+ - UVICORN_NUM_WORKERS=4
+ # the git repo hosting our OpenFGA policy
+ - OPAL_POLICY_REPO_URL=https://github.com/daveads/opal-example-policy-openfga
+ # polling interval of 30 seconds to check for policy updates
+ - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+ # configures initial data sources for the opal client
+ - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
+ - OPAL_LOG_FORMAT_INCLUDE_PID=true
+ ports:
+ # exposes opal server on the host machine at: http://localhost:7002
+ - "7002:7002"
+ depends_on:
+ - broadcast_channel
+ networks:
+ - opal-network
+
+ # OPAL client configured specifically for OpenFGA integration
+ opal_client_openfga:
+ image: permitio/opal-client-openfga:latest
+ environment:
+ - OPAL_SERVER_URL=http://opal_server:7002
+ - OPAL_LOG_FORMAT_INCLUDE_PID=true
+ # Configure OpenFGA as the policy engine
+ - OPAL_POLICY_STORE_TYPE=OPENFGA
+ - OPAL_POLICY_STORE_URL=http://0.0.0.0:8080
+ - OPAL_OPENFGA_STORE_ID=01JAT34GM6T5WRVMXXDYWGSYKN
+ # Enable inline OpenFGA mode
+ - OPAL_INLINE_OPENFGA_ENABLED=true
+ #- OPAL_LOG_LEVEL=DEBUG
+
+ ports:
+ # exposes opal client API at: http://localhost:7766
+ - "7766:7000"
+ # exposes OpenFGA API at: http://localhost:8080
+ - "8080:8080"
+ # Additional port exposure
+ - "3000:3000"
+ networks:
+ - opal-network
+ depends_on:
+ - opal_server
+ # Ensures opal-server is ready before starting the client
+ command: sh -c "exec ./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
+ volumes:
+ - openfga_backup:/opal/backup:rw
+
+# Network configuration for service communication
+networks:
+ opal-network:
+ driver: bridge
+
+# Volume for persisting OpenFGA data
+volumes:
+ openfga_backup:
diff --git a/documentation/docs/getting-started/configuration.mdx b/documentation/docs/getting-started/configuration.mdx
index 8b47606e7..62e900871 100644
--- a/documentation/docs/getting-started/configuration.mdx
+++ b/documentation/docs/getting-started/configuration.mdx
@@ -142,6 +142,10 @@ Please use this table as a reference.
| INLINE_CEDAR_EXEC_PATH | The path to the Cedar agent executable. | |
| INLINE_CEDAR_CONFIG | If inline Cedar is indeed enabled, provide options for running the Cedar agent | |
| INLINE_CEDAR_LOG_FORMAT | | |
+| INLINE_OPENFGA_ENABLED | Whether or not OPAL should run OpenFGA by itself in the same container | true |
+| INLINE_OPENFGA_EXEC_PATH | The path to the OpenFGA executable | /usr/local/bin/openfga |
+| INLINE_OPENFGA_CONFIG | If inline OpenFGA is enabled, provide options for running the OpenFGA server | {} |
+| INLINE_OPENFGA_LOG_FORMAT | | | | |
| KEEP_ALIVE_INTERVAL | | |
| OFFLINE_MODE_ENABLED | If set, opal client will try to load policy store from backup file and operate even if server is unreachable. Ignored if INLINE_OPA_ENABLED=False | |
| STORE_BACKUP_PATH | Path to backup policy store's data to | |
diff --git a/documentation/docs/tutorials/openfga.mdx b/documentation/docs/tutorials/openfga.mdx
new file mode 100644
index 000000000..f25a65f0b
--- /dev/null
+++ b/documentation/docs/tutorials/openfga.mdx
@@ -0,0 +1,389 @@
+# OpenFGA and OPAL
+
+[OpenFGA](https://openfga.dev) is an open-source [Fine-Grained Authorization (FGA)](https://www.permit.io/blog/what-is-fine-grained-authorization-fga) engine implementing the [Zanzibar authorization model created by Google](https://www.permit.io/blog/what-is-google-zanzibar). OPAL provides realtime synchronization and management capabilities for OpenFGA, helping you keep your authorization data and relationships up-to-date across distributed OpenFGA instances.
+
+## Why Use OPAL with OpenFGA?
+
+While OpenFGA provides powerful authorization capabilities on its own, managing authorization at scale across distributed environments presents several challenges:
+
+- **Consistency**: Keeping authorization models and relationship data synchronized across multiple instances
+- **Data Sync**: Integrating authorization data from various sources and systems
+- **Deployment**: Managing updates and changes across distributed OpenFGA deployments
+- **Monitoring**: Tracking the health and status of your authorization infrastructure
+
+OPAL solves these challenges by providing a centralized management layer that handles synchronization, data integration, and monitoring.
+
+## Key Features
+
+By integrating OpenFGA with OPAL, you get:
+
+- **Real-time Authorization Model Updates**:
+ - Automatically synchronize authorization models across multiple OpenFGA instances
+ - Push model changes instantly through OPAL's pub/sub system
+ - Version control your authorization models through Git
+
+- **Distributed Deployment Support**:
+ - Scale authorization across multiple regions/clusters while maintaining consistency
+ - Each OPAL client can manage its own OpenFGA instance
+ - Central management through OPAL server reduces operational complexity
+ - Support for blue/green deployments and gradual rollouts
+
+- **Data Source Integration**:
+ - Pull relationship data from multiple sources:
+ - REST APIs
+ - Databases
+ - Message queues
+ - Custom data sources [via OPAL fetchers](https://opal.ac/fetch-providers)
+ - Keep relationship tuples synchronized in real-time
+ - Transform data automatically to OpenFGA format
+
+- **Git Integration**:
+ - Store authorization models in version control
+ - Track changes and rollback when needed
+ - Use Git workflows for authorization model updates
+ - Support for multiple branches and environments
+
+- **Health Monitoring**:
+ - Built-in health checks for OpenFGA instances
+ - Monitor synchronization status
+ - Track authorization model updates
+ - Alert on issues or inconsistencies
+
+- **Transaction Tracking**:
+ - Detailed logging of all model changes
+ - Audit trail for authorization updates
+ - Performance metrics and analytics
+
+## Quick Start
+
+1. Run OpenFGA with OPAL using docker-compose:
+
+```bash
+git clone https://github.com/permitio/opal.git
+cd opal
+docker-compose -f docker/docker-compose-example-openfga.yml up -d
+
+or
+
+curl -L https://raw.githubusercontent.com/permitio/opal/master/docker/docker-compose-example-openfga.yml -o docker-compose-example-openfga.yml
+docker-compose -f docker-compose-example-openfga.yml up -d
+```
+
+This will start:
+
+- OpenFGA server on port 8080
+- OPAL server on port 7002
+- OPAL client configured for OpenFGA
+
+2. Verify the setup:
+
+```bash
+# Check OPAL server health
+curl http://localhost:7002/healthcheck
+
+# Check OpenFGA API
+curl http://localhost:8080/stores
+
+# Check OPAL client health
+curl http://localhost:7000/healthcheck
+```
+
+Common setup issues:
+- If services don't start, check Docker logs: `docker-compose logs`
+- Ensure ports 7000, 7002, and 8080 are available
+- Verify network connectivity between containers
+
+## Writing OpenFGA Authorization Models
+
+OPAL can track your authorization models directly from Git. Here's how to set it up:
+
+1. Create an authorization model repository with this structure:
+```
+.
+├── authorization_model.json # Main authorization model
+├── relationships/ # Relationship data
+│ ├── defaults.json
+│ └── seed_data.json
+└── .manifest # OPAL manifest file
+```
+
+2. Define your authorization model in `authorization_model.json` or `authorization_model.yaml`:
+
+```json
+{
+ "schema_version": "1.1",
+ "type_definitions": [
+ {
+ "type": "user"
+ },
+ {
+ "type": "document",
+ "relations": {
+ "viewer": {
+ "union": {
+ "child": [
+ {"this": {}},
+ {
+ "computedUserset": {
+ "relation": "owner"
+ }
+ }
+ ]
+ }
+ },
+ "owner": {
+ "this": {}
+ }
+ },
+ "metadata": {
+ "relations": {
+ "viewer": {
+ "directly_related_user_types": [
+ { "type": "user" }
+ ]
+ },
+ "owner": {
+ "directly_related_user_types": [
+ { "type": "user" }
+ ]
+ }
+ }
+ }
+ }
+ ]
+}
+```
+
+Using yaml format
+```yaml
+schema_version: "1.1"
+type_definitions:
+ - type: user
+ - type: document
+ relations:
+ viewer:
+ union:
+ child:
+ - this: {}
+ - computedUserset:
+ relation: owner
+ owner:
+ this: {}
+ metadata:
+ relations:
+ viewer:
+ directly_related_user_types:
+ - type: user
+ owner:
+ directly_related_user_types:
+ - type: user
+```
+
+
+3. Configure OPAL to track your repository by setting these environment variables:
+
+```yaml
+environment:
+ - OPAL_POLICY_REPO_URL=https://github.com/daveads/opal-example-policy-openfga
+ - OPAL_POLICY_REPO_MAIN_BRANCH=main
+ - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+```
+
+Best practices:
+- Use separate branches for development and production
+- Include clear documentation in your model files
+- Follow a consistent naming convention for types and relations
+- Use OPAL's manifest file to control loading order
+
+## Using Data Fetchers
+
+OPAL can fetch relationship tuples from external sources and keep them synchronized with OpenFGA. Here's an example using the HTTP fetcher:
+
+1. Configure data sources in OPAL server's `OPAL_DATA_CONFIG_SOURCES`:
+
+```json
+{
+ "config": {
+ "entries": [
+ {
+ "url": "https://api.example.com/policy-data",
+ "topics": ["policy_data"],
+ "config": {
+ "fetcher": "HttpFetchProvider",
+ "headers": {
+ "Authorization": "Bearer ${API_TOKEN}"
+ },
+ "method": "GET"
+ },
+ "dst_path": "/static"
+ }
+ ]
+ }
+}
+```
+
+2. Ensure your API returns data in OpenFGA tuple format:
+
+```json
+{
+ "tuples": [
+ {
+ "user": "user:anne",
+ "relation": "viewer",
+ "object": "document:budget"
+ },
+ {
+ "user": "user:bob",
+ "relation": "owner",
+ "object": "document:roadmap"
+ }
+ ]
+}
+```
+
+3. Handle errors and data validation:
+
+```json
+{
+ "config": {
+ "entries": [
+ {
+ "url": "https://api.example.com/policy-data",
+ "topics": ["policy-data"],
+ "config": {
+ "fetcher": "HttpFetchProvider",
+ "headers": {
+ "Authorization": "Bearer ${API_TOKEN}"
+ },
+ "method": "GET",
+ "retry": {
+ "max_attempts": 3,
+ "backoff_seconds": 1
+ },
+ "validate_schema": true
+ },
+ "dst_path": "/static"
+ }
+ ]
+ }
+}
+```
+
+## Running OpenFGA with OPAL
+
+Once your configuration is ready, you can manage OpenFGA through OPAL:
+
+1. **Initialize the Store**:
+```bash
+# Create a new store
+curl -X POST http://localhost:8080/stores \
+ -H "Content-Type: application/json"
+```
+
+2. **Apply Authorization Model**:
+```bash
+# OPAL will automatically sync your model from Git
+# Verify it was applied:
+curl http://localhost:8080/stores/{store_id}/authorization-models
+```
+
+3. **Write Relationship Tuples**:
+```bash
+curl -X POST http://localhost:8080/stores/{store_id}/write \
+-H "Content-Type: application/json" \
+-d '{
+ "writes": {
+ "tuple_keys": [
+ {
+ "user": "user:anne",
+ "relation": "viewer",
+ "object": "document:budget"
+ }
+ ]
+ }
+}'
+```
+
+4. **Check Permissions**:
+```bash
+curl -X POST http://localhost:8080/stores/{store_id}/check \
+-H "Content-Type: application/json" \
+-d '{
+ "tuple_key": {
+ "user": "user:anne",
+ "relation": "viewer",
+ "object": "document:budget"
+ }
+}'
+```
+
+Benefits over standalone OpenFGA:
+- Centralized management of multiple instances
+- Automatic synchronization of models and data
+- Built-in monitoring and health checks
+- Simplified deployment and updates
+
+## Monitoring
+
+OPAL provides comprehensive monitoring for your OpenFGA deployment:
+
+### Health Checks
+
+```bash
+# OPAL Server health
+curl http://localhost:7002/healthcheck
+
+# OPAL Client health
+curl http://localhost:7000/healthcheck
+
+# OpenFGA store status
+curl http://localhost:8080/stores/{store_id}/health
+```
+
+### Metrics
+
+Enable metrics collection by setting:
+```yaml
+environment:
+ - OPAL_STATISTICS_ENABLED=true
+```
+
+Access metrics at:
+```bash
+curl http://localhost:7002/metrics
+```
+
+### Logging
+
+View detailed logs:
+
+```bash
+# OPAL Server logs
+docker-compose logs opal_server
+
+# OPAL Client logs
+docker-compose logs opal_client
+
+# OpenFGA logs
+docker-compose logs openfga
+```
+
+Configure log levels:
+```yaml
+environment:
+ - OPAL_LOG_LEVEL=DEBUG
+```
+
+### Transaction Tracking
+
+View recent transactions:
+```bash
+curl http://localhost:7002/statistics
+```
+
+## Additional Resources
+
+- [OpenFGA Documentation](https://openfga.dev)
+- [OPAL Documentation](https://docs.opal.ac)
+- [Google Zanzibar Paper](https://research.google/pubs/pub48190/)
+- [OPAL GitHub Repository](https://github.com/permitio/opal)
diff --git a/packages/opal-client/opal_client/client.py b/packages/opal-client/opal_client/client.py
index 03c7f9e25..19fe7fe97 100644
--- a/packages/opal-client/opal_client/client.py
+++ b/packages/opal-client/opal_client/client.py
@@ -22,8 +22,12 @@
from opal_client.data.api import init_data_router
from opal_client.data.fetcher import DataFetcher
from opal_client.data.updater import DataUpdater
-from opal_client.engine.options import CedarServerOptions, OpaServerOptions
-from opal_client.engine.runner import CedarRunner, OpaRunner
+from opal_client.engine.options import (
+ CedarServerOptions,
+ OpaServerOptions,
+ OpenFGAServerOptions,
+)
+from opal_client.engine.runner import CedarRunner, OpaRunner, OpenFGARunner
from opal_client.limiter import StartupLoadLimiter
from opal_client.policy.api import init_policy_router
from opal_client.policy.updater import PolicyUpdater
@@ -84,6 +88,8 @@ def __init__(
policy_updater: PolicyUpdater = None,
inline_opa_enabled: bool = None,
inline_opa_options: OpaServerOptions = None,
+ inline_openfga_enabled: bool = None,
+ inline_openfga_options: OpenFGAServerOptions = None,
inline_cedar_enabled: bool = None,
inline_cedar_options: CedarServerOptions = None,
verifier: Optional[JWTVerifier] = None,
@@ -113,6 +119,11 @@ def __init__(
inline_opa_enabled: bool = (
inline_opa_enabled or opal_client_config.INLINE_OPA_ENABLED
)
+
+ inline_openfga_enabled: bool = (
+ inline_openfga_enabled or opal_client_config.INLINE_OPENFGA_ENABLED
+ )
+
inline_cedar_enabled: bool = (
inline_cedar_enabled or opal_client_config.INLINE_CEDAR_ENABLED
)
@@ -194,8 +205,10 @@ def __init__(
self.engine_runner = self._init_engine_runner(
inline_opa_enabled,
inline_cedar_enabled,
+ inline_openfga_enabled,
inline_opa_options,
inline_cedar_options,
+ inline_openfga_options,
)
custom_ssl_context = get_custom_ssl_context()
@@ -235,37 +248,44 @@ def _init_engine_runner(
self,
inline_opa_enabled: bool,
inline_cedar_enabled: bool,
+ inline_openfga_enabled: bool,
inline_opa_options: Optional[OpaServerOptions] = None,
inline_cedar_options: Optional[CedarServerOptions] = None,
- ) -> Union[OpaRunner, CedarRunner, Literal[False]]:
- if inline_opa_enabled and self.policy_store_type == PolicyStoreTypes.OPA:
- inline_opa_options = (
- inline_opa_options or opal_client_config.INLINE_OPA_CONFIG
+ inline_openfga_options: Optional[OpenFGAServerOptions] = None,
+ ) -> Union[OpaRunner, CedarRunner, OpenFGARunner, Literal[False]]:
+ """Initialize appropriate engine runner based on policy store type."""
+
+ # Setup rehydration callbacks for all policy store types
+ rehydration_callbacks = []
+ if self.policy_updater:
+ rehydration_callbacks.append(
+ # refetches policy code and static data from server
+ functools.partial(
+ self.policy_updater.trigger_update_policy,
+ force_full_update=True,
+ ),
)
- rehydration_callbacks = []
- if self.policy_updater:
- rehydration_callbacks.append(
- # refetches policy code (e.g: rego) and static data from server
- functools.partial(
- self.policy_updater.trigger_update_policy,
- force_full_update=True,
- ),
- )
- if self.data_updater:
- rehydration_callbacks.append(
- functools.partial(
- self.data_updater.get_base_policy_data,
- data_fetch_reason="policy store rehydration",
- )
+ if self.data_updater:
+ rehydration_callbacks.append(
+ functools.partial(
+ self.data_updater.get_base_policy_data,
+ data_fetch_reason="policy store rehydration",
)
+ )
+ # OPA Runner
+ if inline_opa_enabled and self.policy_store_type == PolicyStoreTypes.OPA:
+ inline_opa_options = (
+ inline_opa_options or opal_client_config.INLINE_OPA_CONFIG
+ )
return OpaRunner.setup_opa_runner(
options=inline_opa_options,
piped_logs_format=opal_client_config.INLINE_OPA_LOG_FORMAT,
rehydration_callbacks=rehydration_callbacks,
)
+ # Cedar Runner
elif inline_cedar_enabled and self.policy_store_type == PolicyStoreTypes.CEDAR:
inline_cedar_options = (
inline_cedar_options or opal_client_config.INLINE_CEDAR_CONFIG
@@ -275,6 +295,20 @@ def _init_engine_runner(
piped_logs_format=opal_client_config.INLINE_CEDAR_LOG_FORMAT,
)
+ # OpenFGA Runner
+ elif (
+ inline_openfga_enabled
+ and self.policy_store_type == PolicyStoreTypes.OPENFGA
+ ):
+ inline_openfga_options = (
+ inline_openfga_options or opal_client_config.INLINE_OPENFGA_CONFIG
+ )
+ return OpenFGARunner.setup_openfga_runner(
+ options=inline_openfga_options,
+ piped_logs_format=opal_client_config.INLINE_OPENFGA_LOG_FORMAT,
+ rehydration_callbacks=rehydration_callbacks,
+ )
+
return False
def _init_fast_api_app(self):
diff --git a/packages/opal-client/opal_client/config.py b/packages/opal-client/opal_client/config.py
index b5d94fb3a..45c0212b7 100644
--- a/packages/opal-client/opal_client/config.py
+++ b/packages/opal-client/opal_client/config.py
@@ -1,6 +1,10 @@
from enum import Enum
-from opal_client.engine.options import CedarServerOptions, OpaServerOptions
+from opal_client.engine.options import (
+ CedarServerOptions,
+ OpaServerOptions,
+ OpenFGAServerOptions,
+)
from opal_client.policy.options import ConnRetryOptions
from opal_client.policy_store.schemas import PolicyStoreAuth, PolicyStoreTypes
from opal_common.confi import Confi, confi
@@ -31,12 +35,24 @@ class OpalClientConfig(Confi):
description="The URL of the policy store (e.g., OPA agent).",
)
+ # openfga
+ OPENFGA_URL = confi.str(
+ "OPENFGA_URL",
+ "http://localhost:8080",
+ description="The URL of the policy store",
+ )
+
+ OPENFGA_STORE_ID = confi.str(
+ "OPENFGA_STORE_ID", None, description="The OpenFGA store ID to use"
+ )
+
POLICY_STORE_AUTH_TYPE = confi.enum(
"POLICY_STORE_AUTH_TYPE",
PolicyStoreAuth,
PolicyStoreAuth.NONE,
description="The authentication type to use for the policy store (e.g., NONE, TOKEN, etc.)",
)
+
POLICY_STORE_AUTH_TOKEN = confi.str(
"POLICY_STORE_AUTH_TOKEN",
None,
@@ -201,6 +217,33 @@ def load_policy_store():
description="The log format to use for inline Cedar logs",
)
+ # OpenFGA runner configuration
+ INLINE_OPENFGA_ENABLED = confi.bool(
+ "INLINE_OPENFGA_ENABLED",
+ True,
+ description="Whether or not OPAL should run OPENFGA by itself in the same container",
+ )
+
+ INLINE_OPENFGA_EXEC_PATH = confi.str(
+ "INLINE_OPENFGA_EXEC_PATH",
+ None,
+ description="Path to the OpenFGA executable. Defaults to searching for 'openfga' binary in PATH if not specified.",
+ )
+
+ INLINE_OPENFGA_CONFIG = confi.model(
+ "INLINE_OPENFGA_CONFIG",
+ OpenFGAServerOptions,
+ {}, # defaults are being set according to OpenFGAServerOptions pydantic definitions (see class)
+ description="cli options used when running OpenFGA inline",
+ )
+
+ INLINE_OPENFGA_LOG_FORMAT: EngineLogFormat = confi.enum(
+ "INLINE_OPENFGA_LOG_FORMAT",
+ EngineLogFormat,
+ EngineLogFormat.NONE,
+ description="The log format to use for inline OpenFGA logs", # Added description
+ )
+
# configuration for fastapi routes
ALLOWED_ORIGINS = ["*"]
@@ -346,6 +389,20 @@ def load_policy_store():
description="Path to OPA document that stores the OPA write transactions",
)
+ # OpenFGA health check configurations
+ OPENFGA_HEALTH_CHECK_POLICY_ENABLED = confi.bool(
+ "OPENFGA_HEALTH_CHECK_POLICY_ENABLED",
+ False,
+ description="Should we load a special healthcheck policy into OpenFGA that checks "
+ + "that OpenFGA was synced correctly and is ready to answer to authorization queries",
+ )
+
+ OPENFGA_HEALTH_CHECK_TRANSACTION_LOG_PATH = confi.str(
+ "OPENFGA_HEALTH_CHECK_TRANSACTION_LOG_PATH",
+ "system/opal/transactions",
+ description="Path to OpenFGA document that stores the OpenFGA write transactions",
+ )
+
OPAL_CLIENT_STAT_ID = confi.str(
"OPAL_CLIENT_STAT_ID",
None,
@@ -354,6 +411,8 @@ def load_policy_store():
OPA_HEALTH_CHECK_POLICY_PATH = "engine/healthcheck/opal.rego"
+ OPENFGA_HEALTH_CHECK_POLICY_PATH = "engine/healthcheck/openfga.json"
+
SCOPE_ID = confi.str("SCOPE_ID", "default", description="OPAL Scope ID")
STORE_BACKUP_PATH = confi.str(
@@ -384,6 +443,19 @@ def on_load(self):
opal_common_config.LOG_MODULE_EXCLUDE_LIST
)
+ # Add OpenFGA logger handling
+ if self.INLINE_OPENFGA_LOG_FORMAT == EngineLogFormat.NONE:
+ opal_common_config.LOG_MODULE_EXCLUDE_LIST.append(
+ "opal_client.openfga.logger"
+ )
+ opal_common_config.LOG_MODULE_EXCLUDE_LIST = (
+ opal_common_config.LOG_MODULE_EXCLUDE_LIST
+ )
+
+ # Set the appropriate URL based on the policy store type
+ if self.POLICY_STORE_TYPE == PolicyStoreTypes.OPENFGA:
+ self.POLICY_STORE_URL = self.OPENFGA_URL
+
if self.DATA_STORE_CONN_RETRY is not None:
# You should use `DATA_UPDATER_CONN_RETRY`, but that's for backwards compatibility
self.DATA_UPDATER_CONN_RETRY = self.DATA_STORE_CONN_RETRY
diff --git a/packages/opal-client/opal_client/engine/options.py b/packages/opal-client/opal_client/engine/options.py
index f552cb6c1..ac0018ce9 100644
--- a/packages/opal-client/opal_client/engine/options.py
+++ b/packages/opal-client/opal_client/engine/options.py
@@ -87,6 +87,86 @@ def get_cli_options_dict(self):
return self.dict(exclude_none=True, by_alias=True, exclude={"files"})
+class OpenFGAServerOptions(BaseModel):
+ """Options to configure the OpenFGA server (apply when choosing to run
+ OpenFGA inline)."""
+
+ addr: str = Field(
+ ":8080",
+ description="listening address of the OpenFGA server (e.g., [ip]: for TCP)",
+ )
+ authentication: AuthenticationScheme = Field(
+ AuthenticationScheme.off,
+ description="OpenFGA authentication scheme (default off)",
+ )
+ authentication_token: Optional[str] = Field(
+ None,
+ description="If authentication is 'token', this specifies the token to use.",
+ )
+ store_id: Optional[str] = Field(
+ None,
+ description="The OpenFGA store ID to use.",
+ )
+
+ class Config:
+ use_enum_values = True
+ allow_population_by_field_name = True
+
+ @classmethod
+ def alias_generator(cls, string: str) -> str:
+ return "--{}".format(string.replace("_", "-"))
+
+ @validator("authentication")
+ def validate_authentication(cls, v: AuthenticationScheme):
+ if v not in [AuthenticationScheme.off, AuthenticationScheme.token]:
+ raise ValueError("Invalid AuthenticationScheme for OpenFGA.")
+ return v
+
+ @validator("authentication_token")
+ def validate_authentication_token(cls, v: Optional[str], values: dict[str, Any]):
+ if values["authentication"] == AuthenticationScheme.token and v is None:
+ raise ValueError(
+ "A token must be specified for AuthenticationScheme.token."
+ )
+ return v
+
+ def get_cmdline(self) -> str:
+ result = [
+ "openfga-server", # Assuming there's an openfga-server command
+ ]
+ if (
+ self.authentication == AuthenticationScheme.token
+ and self.authentication_token is not None
+ ):
+ result += [
+ "--token",
+ self.authentication_token,
+ ]
+ addr = self.addr.split(":", 1)
+ port = None
+ if len(addr) == 1:
+ listen_address = addr[0]
+ elif len(addr) == 2:
+ listen_address, port = addr
+ if len(listen_address) == 0:
+ listen_address = "0.0.0.0"
+ result += [
+ "--addr",
+ listen_address,
+ ]
+ if port is not None:
+ result += [
+ "--port",
+ port,
+ ]
+ if self.store_id is not None:
+ result += [
+ "--store-id",
+ self.store_id,
+ ]
+ return " ".join(result)
+
+
class CedarServerOptions(BaseModel):
"""Options to configure the Cedar agent (apply when choosing to run Cedar
inline)."""
diff --git a/packages/opal-client/opal_client/engine/runner.py b/packages/opal-client/opal_client/engine/runner.py
index 8ef3cfcc5..5c2f19395 100644
--- a/packages/opal-client/opal_client/engine/runner.py
+++ b/packages/opal-client/opal_client/engine/runner.py
@@ -9,7 +9,11 @@
import psutil
from opal_client.config import EngineLogFormat, opal_client_config
from opal_client.engine.logger import log_engine_output_opa, log_engine_output_simple
-from opal_client.engine.options import CedarServerOptions, OpaServerOptions
+from opal_client.engine.options import (
+ CedarServerOptions,
+ OpaServerOptions,
+ OpenFGAServerOptions,
+)
from opal_client.logger import logger
from tenacity import retry, wait_random_exponential
@@ -306,6 +310,77 @@ def setup_opa_runner(
return opa_runner
+class OpenFGARunner(PolicyEngineRunner):
+ """OpenFGA runner implementation that manages OpenFGA server process."""
+
+ def __init__(
+ self,
+ options: Optional[OpenFGAServerOptions] = None,
+ piped_logs_format: EngineLogFormat = EngineLogFormat.NONE,
+ ):
+ super().__init__(piped_logs_format)
+ self._options = options or OpenFGAServerOptions()
+
+ async def handle_log_line(self, line: bytes) -> bool:
+ """Handle OpenFGA log output.
+
+ Currently no panic detection implemented.
+ """
+ await log_engine_output_simple(line)
+ return False
+
+ def get_executable_path(self) -> str:
+ """Gets the path to OpenFGA executable, preferring configured path."""
+ if opal_client_config.INLINE_OPENFGA_EXEC_PATH:
+ return opal_client_config.INLINE_OPENFGA_EXEC_PATH
+ else:
+ logger.warning(
+ "OpenFGA executable path not set, looking for 'openfga' binary in PATH. "
+ "It is recommended to set the INLINE_OPENFGA_EXEC_PATH configuration."
+ )
+ path = shutil.which("openfga")
+ if path is None:
+ raise FileNotFoundError("OpenFGA executable not found in PATH")
+ return path
+
+ def get_arguments(self) -> list[str]:
+ """Build command line arguments for OpenFGA server."""
+ return ["run", "--http-addr=0.0.0.0:8080", "--playground-enabled=false"]
+
+ @staticmethod
+ def setup_openfga_runner(
+ options: Optional[OpenFGAServerOptions] = None,
+ piped_logs_format: EngineLogFormat = EngineLogFormat.NONE,
+ initial_start_callbacks: Optional[List[AsyncCallback]] = None,
+ rehydration_callbacks: Optional[List[AsyncCallback]] = None,
+ ):
+ """Factory for OpenFGARunner, accept optional callbacks to run in
+ certain lifecycle events.
+
+ Initial Start Callbacks:
+ The first time we start the engine, we might want to do certain actions (like launch tasks)
+ that are dependent on the policy store being up (such as PolicyUpdater, DataUpdater).
+
+ Rehydration Callbacks:
+ when the engine restarts, its cache is clean and it does not have the state necessary
+ to handle authorization queries. therefore it is necessary that we rehydrate the
+ cache with fresh state fetched from the server.
+ """
+ openfga_runner = OpenFGARunner(
+ options=options, piped_logs_format=piped_logs_format
+ )
+
+ if initial_start_callbacks:
+ openfga_runner.register_process_initial_start_callbacks(
+ initial_start_callbacks
+ )
+
+ if rehydration_callbacks:
+ openfga_runner.register_process_restart_callbacks(rehydration_callbacks)
+
+ return openfga_runner
+
+
class CedarRunner(PolicyEngineRunner):
def __init__(
self,
diff --git a/packages/opal-client/opal_client/policy/updater.py b/packages/opal-client/opal_client/policy/updater.py
index 998b9b608..21092a1da 100644
--- a/packages/opal-client/opal_client/policy/updater.py
+++ b/packages/opal-client/opal_client/policy/updater.py
@@ -1,7 +1,9 @@
import asyncio
+import json
from typing import List, Optional
import pydantic
+import yaml
from fastapi_websocket_pubsub import PubSubClient
from fastapi_websocket_pubsub.pub_sub_client import PubSubOnConnectCallback
from fastapi_websocket_rpc.rpc_channel import OnDisconnectCallback, RpcChannel
@@ -13,6 +15,7 @@
from opal_client.policy.fetcher import PolicyFetcher
from opal_client.policy.topics import default_subscribed_policy_directories
from opal_client.policy_store.base_policy_store_client import BasePolicyStoreClient
+from opal_client.policy_store.openfga_client import OpenFGAClient
from opal_client.policy_store.policy_store_client_factory import (
DEFAULT_POLICY_STORE_GETTER,
)
@@ -151,6 +154,39 @@ async def _update_policy_callback(
)
await self.trigger_update_policy(directories)
+ async def _handle_openfga_policy_modules(self, store_transaction, policy_modules):
+ """Handle policy modules specifically for OpenFGA policy store.
+
+ Args:
+ store_transaction: The current store transaction
+ policy_modules: List of policy modules to process
+ """
+ for policy_module in policy_modules:
+ if policy_module.path.endswith(".json"):
+ try:
+ policy_data = json.loads(policy_module.rego)
+ await store_transaction.set_policy(
+ policy_module.path, json.dumps(policy_data)
+ )
+ except json.JSONDecodeError:
+ logger.error(
+ f"Invalid JSON in OpenFGA policy file: {policy_module.path}"
+ )
+ elif policy_module.path.endswith(".yaml"):
+ try:
+ policy_data = yaml.safe_load(policy_module.rego)
+ await store_transaction.set_policy(
+ policy_module.path, json.dumps(policy_data)
+ )
+ except yaml.YAMLError as e:
+ logger.error(
+ f"Invalid YAML in OpenFGA policy file: {policy_module.path} - Error: {str(e)}"
+ )
+ else:
+ logger.warning(
+ f"Skipping non-JSON file for OpenFGA: {policy_module.path}"
+ )
+
async def trigger_update_policy(
self, directories: List[str] = None, force_full_update: bool = False
):
@@ -338,7 +374,14 @@ async def update_policy(
error=bundle_error,
)
if bundle:
- await store_transaction.set_policies(bundle)
+ if isinstance(self._policy_store, OpenFGAClient):
+ await self._handle_openfga_policy_modules(
+ store_transaction, bundle.policy_modules
+ )
+
+ else:
+ await store_transaction.set_policies(bundle)
+
# if we got here, we did not throw during the transaction
if self._should_send_reports:
# spin off reporting (no need to wait on it)
diff --git a/packages/opal-client/opal_client/policy_store/openfga_client.py b/packages/opal-client/opal_client/policy_store/openfga_client.py
new file mode 100644
index 000000000..cbeeebfb8
--- /dev/null
+++ b/packages/opal-client/opal_client/policy_store/openfga_client.py
@@ -0,0 +1,908 @@
+import asyncio
+import json
+import uuid
+from datetime import datetime
+from typing import Any, Dict, List, Optional, Set, Union
+
+import aiohttp
+from aiofiles.threadpool.text import AsyncTextIOWrapper
+from fastapi import Response, status
+from opal_client.config import opal_client_config
+from opal_client.logger import logger
+from opal_client.policy_store.base_policy_store_client import (
+ BasePolicyStoreClient,
+ JsonableValue,
+)
+from opal_client.policy_store.opa_client import (
+ RETRY_CONFIG,
+ affects_transaction,
+ fail_silently,
+ proxy_response_unless_invalid,
+ should_ignore_path,
+)
+from opal_client.policy_store.schemas import PolicyStoreAuth
+from opal_common.schemas.policy import PolicyBundle
+from opal_common.schemas.store import StoreTransaction, TransactionType
+from tenacity import retry
+
+
+class OpenFGATransactionLogState:
+ """State tracker for OpenFGA transactions and health checks."""
+
+ def __init__(
+ self,
+ data_updater_enabled: bool = True,
+ policy_updater_enabled: bool = True,
+ ):
+ self._data_updater_disabled = not data_updater_enabled
+ self._policy_updater_disabled = not policy_updater_enabled
+
+ # Transaction tracking
+ self._num_successful_policy_transactions = 0
+ self._num_failed_policy_transactions = 0
+ self._num_successful_data_transactions = 0
+ self._num_failed_data_transactions = 0
+ self._last_policy_transaction: Optional[StoreTransaction] = None
+ self._last_failed_policy_transaction: Optional[StoreTransaction] = None
+ self._last_data_transaction: Optional[StoreTransaction] = None
+ self._last_failed_data_transaction: Optional[StoreTransaction] = None
+
+ @property
+ def ready(self) -> bool:
+ """System is ready if it has had successful transactions or updaters
+ are disabled."""
+ is_ready = (
+ self._policy_updater_disabled
+ or self._num_successful_policy_transactions > 0
+ ) and (
+ self._data_updater_disabled or self._num_successful_data_transactions > 0
+ )
+ return is_ready
+
+ @property
+ def healthy(self) -> bool:
+ """System is healthy if latest transactions were successful."""
+ if not self.ready:
+ return False
+
+ policy_healthy = self._policy_updater_disabled or (
+ self._last_policy_transaction is not None
+ and self._last_policy_transaction.success
+ )
+
+ data_healthy = self._data_updater_disabled or (
+ self._last_data_transaction is not None
+ and self._last_data_transaction.success
+ )
+
+ is_healthy = policy_healthy and data_healthy
+
+ if is_healthy:
+ logger.debug(
+ f"OpenFGA client health: healthy=True (policy={policy_healthy}, data={data_healthy})"
+ )
+ else:
+ logger.warning(
+ f"OpenFGA client health: healthy=False (policy={policy_healthy}, data={data_healthy})"
+ )
+
+ return is_healthy
+
+ def process_transaction(self, transaction: StoreTransaction):
+ """Process and track transaction state."""
+ logger.debug(
+ "processing store transaction: {transaction}",
+ transaction=transaction.dict(),
+ )
+
+ if transaction.transaction_type == TransactionType.policy:
+ self._last_policy_transaction = transaction
+ if transaction.success:
+ self._num_successful_policy_transactions += 1
+ else:
+ self._last_failed_policy_transaction = transaction
+ self._num_failed_policy_transactions += 1
+
+ elif transaction.transaction_type == TransactionType.data:
+ self._last_data_transaction = transaction
+ if transaction.success:
+ self._num_successful_data_transactions += 1
+ else:
+ self._last_failed_data_transaction = transaction
+ self._num_failed_data_transactions += 1
+
+
+# Defines the authorization model for healthcheck data
+HEALTHCHECK_AUTHORIZATION_MODEL = {
+ "schema_version": "1.1",
+ "type_definitions": [
+ {
+ "type": "healthcheck",
+ "relations": {"reader": {"this": {}}, "writer": {"this": {}}},
+ },
+ {
+ "type": "transaction_state",
+ "relations": {"reader": {"this": {}}, "writer": {"this": {}}},
+ },
+ ],
+}
+
+
+class OpenFGATransactionLogPolicyWriter:
+ """Manages transaction logs for OpenFGA policy store."""
+
+ def __init__(
+ self,
+ policy_store: BasePolicyStoreClient,
+ store_id: str,
+ ):
+ self._store = policy_store
+ self._store_id = store_id
+
+ async def initialize(self):
+ """Initialize the authorization model for healthcheck."""
+ try:
+ await self._store.set_policy(
+ "healthcheck_model", json.dumps(HEALTHCHECK_AUTHORIZATION_MODEL)
+ )
+ except Exception as e:
+ logger.error(f"Failed to initialize healthcheck model: {str(e)}")
+ raise
+
+ async def persist(self, state: OpenFGATransactionLogState):
+ """Persist the transaction state using OpenFGA's authorization model
+ format."""
+ logger.info(
+ "persisting health check state: ready={ready}, healthy={healthy}",
+ ready=state.ready,
+ healthy=state.healthy,
+ )
+ logger.info(
+ "Policy and data statistics: policy: (successful {success_policy}, failed {failed_policy});\t"
+ "data: (successful {success_data}, failed {failed_data})",
+ success_policy=state._num_successful_policy_transactions,
+ failed_policy=state._num_failed_policy_transactions,
+ success_data=state._num_successful_data_transactions,
+ failed_data=state._num_failed_data_transactions,
+ )
+
+ # Structure transaction state data
+ state_data = {
+ "ready": state.ready,
+ "healthy": state.healthy,
+ "last_policy_transaction": self._get_transaction_data(
+ state._last_policy_transaction
+ ),
+ "last_failed_policy_transaction": self._get_transaction_data(
+ state._last_failed_policy_transaction
+ ),
+ "last_data_transaction": self._get_transaction_data(
+ state._last_data_transaction
+ ),
+ "last_failed_data_transaction": self._get_transaction_data(
+ state._last_failed_data_transaction
+ ),
+ "transaction_statistics": {
+ "policy": {
+ "successful": state._num_successful_policy_transactions,
+ "failed": state._num_failed_policy_transactions,
+ },
+ "data": {
+ "successful": state._num_successful_data_transactions,
+ "failed": state._num_failed_data_transactions,
+ },
+ },
+ }
+
+ # Create OpenFGA tuples
+ tuples = [
+ {
+ "user": self._store_id,
+ "relation": "writer",
+ "object": "transaction_state:current",
+ "condition": {"context": state_data},
+ },
+ {
+ "user": self._store_id,
+ "relation": "reader",
+ "object": "transaction_state:current",
+ },
+ ]
+
+ try:
+ await self._store.set_policy_data({"tuples": tuples})
+ logger.debug("Successfully persisted transaction state")
+ return True
+ except Exception as e:
+ logger.error(f"Failed to persist transaction state: {str(e)}")
+ return False
+
+ def _get_transaction_data(self, transaction: Optional[StoreTransaction]) -> Dict:
+ """Helper to extract data from a transaction object."""
+ if transaction is None:
+ return {}
+
+ return {
+ "id": transaction.id,
+ "transaction_type": transaction.transaction_type.value
+ if transaction.transaction_type
+ else None,
+ "actions": transaction.actions,
+ "success": transaction.success,
+ "error": transaction.error,
+ "creation_time": transaction.creation_time,
+ "end_time": transaction.end_time,
+ }
+
+ async def get_transaction_state(self) -> Dict:
+ """Retrieve the current transaction state."""
+ try:
+ state = await self._store.get_data("transaction_state:current")
+ if state and "tuples" in state:
+ for tuple in state["tuples"]:
+ if tuple.get("relation") == "writer":
+ return tuple.get("condition", {}).get("context", {})
+ return {}
+ except Exception as e:
+ logger.error(f"Failed to retrieve transaction state: {str(e)}")
+ return {}
+
+
+class OpenFGAStaticDataCache:
+ """Cache for OpenFGA relationship tuples."""
+
+ def __init__(self):
+ self._tuples = []
+
+ def set(self, tuples: List[Dict[str, str]]):
+ """Set relationship tuples in cache."""
+ self._tuples = [tuple.copy() for tuple in tuples]
+
+ def patch(self, tuples: List[Dict[str, str]]):
+ """Add or update tuples in cache."""
+ existing_keys = set(
+ (t["user"], t["relation"], t["object"]) for t in self._tuples
+ )
+
+ for new_tuple in tuples:
+ key = (new_tuple["user"], new_tuple["relation"], new_tuple["object"])
+ if key not in existing_keys:
+ self._tuples.append(new_tuple.copy())
+ else:
+ # Replace existing tuple
+ self._tuples = [
+ t
+ for t in self._tuples
+ if not (
+ t["user"] == key[0]
+ and t["relation"] == key[1]
+ and t["object"] == key[2]
+ )
+ ]
+ self._tuples.append(new_tuple.copy())
+
+ def delete(self, tuples: List[Dict[str, str]]):
+ """Remove tuples from cache."""
+ delete_keys = set((t["user"], t["relation"], t["object"]) for t in tuples)
+ self._tuples = [
+ t
+ for t in self._tuples
+ if not ((t["user"], t["relation"], t["object"]) in delete_keys)
+ ]
+
+ def get_data(self) -> Dict[str, List[Dict[str, str]]]:
+ """Get all cached tuples."""
+ return {"tuples": self._tuples.copy()}
+
+
+class OpenFGAClient(BasePolicyStoreClient):
+ """OpenFGA client implementation."""
+
+ def __init__(
+ self,
+ openfga_server_url=None,
+ openfga_auth_token: Optional[str] = None,
+ auth_type: PolicyStoreAuth = PolicyStoreAuth.NONE,
+ store_id: Optional[str] = None,
+ data_updater_enabled: bool = True,
+ policy_updater_enabled: bool = True,
+ cache_policy_data: bool = False,
+ ):
+ # Base initialization
+ base_url = openfga_server_url or opal_client_config.POLICY_STORE_URL
+ self._openfga_url = base_url.rstrip("/")
+ self._store_id = store_id or opal_client_config.OPENFGA_STORE_ID
+ self._base_url = f"{self._openfga_url}/stores/{self._store_id}"
+ self._policy_version: Optional[str] = None
+ self._token = openfga_auth_token
+ self._auth_type: PolicyStoreAuth = auth_type
+ self._session: Optional[aiohttp.ClientSession] = None
+ self._lock = asyncio.Lock()
+
+ # Initialize transaction logging
+ self._transaction_state = OpenFGATransactionLogState(
+ data_updater_enabled=data_updater_enabled,
+ policy_updater_enabled=policy_updater_enabled,
+ )
+
+ self._transaction_state_writer = None
+
+ # Initialize data cache if enabled
+ self._policy_data_cache: Optional[OpenFGAStaticDataCache] = None
+ if cache_policy_data:
+ self._policy_data_cache = OpenFGAStaticDataCache()
+
+ # Validate auth configuration
+ if auth_type == PolicyStoreAuth.OAUTH:
+ raise ValueError("OpenFGA doesn't support OAuth authentication")
+ if auth_type == PolicyStoreAuth.TOKEN and not openfga_auth_token:
+ raise ValueError("Authentication token required when using TOKEN auth type")
+
+ logger.info(f"Authentication mode for policy store: {auth_type}")
+
+ async def setup(self):
+ """Async setup that must be called after initialization."""
+ self._transaction_state_writer = OpenFGATransactionLogPolicyWriter(
+ policy_store=self, store_id=self._store_id
+ )
+ await self._transaction_state_writer.initialize()
+
+ await self._transaction_state_writer.persist(self._transaction_state)
+
+ async def init_healthcheck_policy(self, store_id: str):
+ """Initialize the healthcheck policy tracking."""
+ self._transaction_state_writer = OpenFGATransactionLogPolicyWriter(
+ policy_store=self, store_id=store_id
+ )
+ await self._transaction_state_writer.initialize()
+ return await self._transaction_state_writer.persist(self._transaction_state)
+
+ # Add method to initialize if not already initialized
+ async def _ensure_initialized(self):
+ """Ensure client is properly initialized."""
+ if self._transaction_state_writer is None:
+ await self.setup()
+
+ async def _get_session(self) -> aiohttp.ClientSession:
+ """Get or create an authenticated session."""
+ if self._session is None or self._session.closed:
+ headers = {"Content-Type": "application/json"}
+ if self._auth_type == PolicyStoreAuth.TOKEN and self._token:
+ headers["Authorization"] = f"Bearer {self._token}"
+ self._session = aiohttp.ClientSession(headers=headers)
+ return self._session
+
+ @affects_transaction
+ @retry(**RETRY_CONFIG)
+ async def set_policy(
+ self,
+ policy_id: str,
+ policy_code: str,
+ transaction_id: Optional[str] = None,
+ ):
+ """Write authorization model to OpenFGA."""
+ start_time = datetime.utcnow().isoformat()
+ try:
+ policy = json.loads(policy_code)
+ session = await self._get_session()
+
+ async with session.post(
+ f"{self._base_url}/authorization-models", json=policy
+ ) as response:
+ if response.status == 201:
+ data = await response.json()
+ self._policy_version = data["authorization_model_id"]
+
+ # Create successful transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["set_policy"],
+ transaction_type=TransactionType.policy,
+ success=True,
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+
+ await self.log_transaction(transaction)
+ logger.info(
+ f"Successfully set policy with model ID: {self._policy_version}"
+ )
+ return data
+ else:
+ error_body = await response.text()
+ raise Exception(
+ f"Failed to set policy: HTTP {response.status} - {error_body}"
+ )
+
+ except Exception as e:
+ logger.error(f"Error setting policy: {str(e)}")
+
+ # Create failed transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["set_policy"],
+ transaction_type=TransactionType.policy,
+ success=False,
+ error=str(e),
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+ raise
+
+ async def _write_tuple(self, tuple_data: Dict[str, str]) -> bool:
+ """Write a single tuple to OpenFGA.
+
+ Args:
+ tuple_data: Dict containing user, relation, and object
+
+ Returns:
+ bool: True if write was successful
+
+ Raises:
+ aiohttp.ClientError: For network/connection errors
+ Exception: For other failures
+ """
+ try:
+ session = await self._get_session()
+ writes = {
+ "writes": {
+ "tuple_keys": [
+ {
+ "user": tuple_data["user"],
+ "relation": tuple_data["relation"],
+ "object": tuple_data["object"],
+ }
+ ]
+ }
+ }
+
+ async with session.post(f"{self._base_url}/write", json=writes) as response:
+ if response.status == 200:
+ return True
+
+ # Handle duplicate tuple error gracefully
+ if response.status == 400:
+ error_data = await response.json()
+ if error_data.get(
+ "code"
+ ) == "write_failed_due_to_invalid_input" and "already exists" in error_data.get(
+ "message", ""
+ ):
+ return True
+
+ response.raise_for_status()
+ return False
+
+ except Exception as e:
+ # Let client errors propagate
+ if isinstance(e, aiohttp.ClientError):
+ raise
+ # Re-raise other errors
+ raise Exception(f"Failed to write tuple: {str(e)}")
+
+ @affects_transaction
+ @retry(**RETRY_CONFIG)
+ async def set_policy_data(
+ self,
+ policy_data: JsonableValue,
+ path: str = "",
+ transaction_id: Optional[str] = None,
+ ):
+ """Set relationship tuples in OpenFGA."""
+ start_time = datetime.utcnow().isoformat()
+ try:
+ # Transform data into tuples format
+ if isinstance(policy_data, dict) and "tuples" in policy_data:
+ tuples = policy_data["tuples"]
+ elif isinstance(policy_data, list):
+ tuples = policy_data
+ else:
+ raise ValueError(f"Invalid policy data format: {policy_data}")
+
+ # Process tuples
+ for tuple in tuples:
+ await self._write_tuple(tuple) # Let ClientError propagate
+
+ # Create successful transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["set_policy_data"],
+ transaction_type=TransactionType.data,
+ success=True,
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+
+ except aiohttp.ClientError:
+ # Create failed transaction before re-raising
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["set_policy_data"],
+ transaction_type=TransactionType.data,
+ success=False,
+ error="Network error occurred",
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+ raise # Re-raise original ClientError
+
+ except Exception as e:
+ logger.error(f"Error in set_policy_data: {str(e)}")
+ raise
+
+ @fail_silently()
+ @retry(**RETRY_CONFIG)
+ async def get_policy(self, policy_id: str) -> Optional[str]:
+ """Get an authorization model by ID.
+
+ Args:
+ policy_id (str): The authorization model ID to retrieve
+
+ Returns:
+ Optional[str]: The authorization model as a JSON string, or None if not found/error
+ """
+ try:
+ if not policy_id:
+ logger.warning("Invalid empty policy_id provided")
+ return None
+
+ session = await self._get_session()
+ async with session.get(
+ f"{self._base_url}/authorization-models/{policy_id}",
+ **self._get_request_args(),
+ ) as response:
+ if response.status == 200:
+ data = await response.json()
+ if "authorization_model" not in data:
+ logger.error(
+ f"Invalid response format from OpenFGA - missing authorization_model key: {data}"
+ )
+ return None
+
+ # Update policy version if this is the latest model
+ if self._is_latest_model(data["authorization_model"]):
+ self._policy_version = policy_id
+
+ return json.dumps(data["authorization_model"])
+ elif response.status == 404:
+ logger.info(f"Authorization model with ID {policy_id} not found")
+ return None
+ else:
+ error_body = await response.text()
+ logger.error(
+ f"Failed to get authorization model {policy_id}: HTTP {response.status} - {error_body}"
+ )
+ return None
+
+ except aiohttp.ClientError as e:
+ logger.error(
+ f"Network error getting authorization model {policy_id}: {str(e)}"
+ )
+ raise
+ except json.JSONDecodeError as e:
+ logger.error(
+ f"Invalid JSON response for authorization model {policy_id}: {str(e)}"
+ )
+ return None
+ except Exception as e:
+ logger.error(
+ f"Unexpected error getting authorization model {policy_id}: {str(e)}"
+ )
+ return None
+
+ @fail_silently()
+ @retry(**RETRY_CONFIG)
+ async def get_policies(self) -> Optional[Dict[str, str]]:
+ """Get all authorization models."""
+ try:
+ session = await self._get_session()
+ async with session.get(
+ f"{self._base_url}/authorization-models"
+ ) as response:
+ if response.status == 200:
+ data = await response.json()
+ return {
+ model["id"]: json.dumps(model)
+ for model in data.get("authorization_models", [])
+ }
+ return None
+ except Exception as e:
+ logger.error(f"Error in get_policies: {str(e)}")
+ return None
+
+ async def get_policy_module_ids(self) -> List[str]:
+ """Get all authorization model IDs."""
+ policies = await self.get_policies()
+ return list(policies.keys()) if policies else []
+
+ @affects_transaction
+ async def set_policies(
+ self, bundle: PolicyBundle, transaction_id: Optional[str] = None
+ ):
+ """Set policies from a bundle."""
+ async with self._lock:
+ start_time = datetime.utcnow().isoformat()
+ try:
+ # Set new/updated policies
+ for policy in bundle.policy_modules:
+ await self.set_policy(policy.path, policy.rego)
+
+ # Handle deleted modules
+ deleted_modules: Union[List[str], Set[str]] = []
+ if bundle.old_hash is None:
+ # For complete bundle, remove policies that aren't in bundle
+ existing_modules = set(await self.get_policy_module_ids())
+ bundle_modules = set(
+ policy.path for policy in bundle.policy_modules
+ )
+ deleted_modules = existing_modules - bundle_modules
+ elif bundle.deleted_files is not None:
+ # For delta bundle, only remove explicitly deleted modules
+ deleted_modules = [
+ str(module) for module in bundle.deleted_files.policy_modules
+ ]
+
+ # Log deletion attempts even though OpenFGA doesn't support deletion
+ for module_id in deleted_modules:
+ logger.warning(
+ f"Attempted to delete policy {module_id} - OpenFGA doesn't support policy deletion"
+ )
+
+ self._policy_version = bundle.hash
+
+ # Create successful transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["set_policies"],
+ transaction_type=TransactionType.policy,
+ success=True,
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+
+ except Exception as e:
+ logger.error(f"Error setting policies from bundle: {str(e)}")
+ # Create failed transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["set_policies"],
+ transaction_type=TransactionType.policy,
+ success=False,
+ error=str(e),
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+ raise
+
+ async def delete_policy(self, policy_id: str, transaction_id: Optional[str] = None):
+ """OpenFGA doesn't support deletion of authorization models."""
+ logger.warning(
+ f"Attempted to delete policy {policy_id} - OpenFGA doesn't support policy deletion"
+ )
+ return None
+
+ @fail_silently()
+ @retry(**RETRY_CONFIG)
+ async def get_data(self, path: str = "") -> Dict:
+ """Get relationship tuples, optionally filtered by path/object."""
+ try:
+ session = await self._get_session()
+ async with session.post(
+ f"{self._base_url}/read",
+ json={"tuple_key": {"object": path} if path else {}},
+ ) as response:
+ if response.status == 200:
+ data = await response.json()
+ return {
+ "tuples": [
+ {
+ "user": tuple["key"]["user"],
+ "relation": tuple["key"]["relation"],
+ "object": tuple["key"]["object"],
+ }
+ for tuple in data.get("tuples", [])
+ ]
+ }
+ return {}
+ except Exception as e:
+ logger.error(f"Error in get_data: {str(e)}")
+ return {}
+
+ @retry(**RETRY_CONFIG)
+ async def get_data_with_input(self, path: str, input_model: Any) -> Dict:
+ """Check authorization with context."""
+ try:
+ input_data = input_model.dict()
+ session = await self._get_session()
+ async with session.post(
+ f"{self._base_url}/check",
+ json={
+ "tuple_key": {
+ "user": input_data.get("user"),
+ "relation": input_data.get("relation"),
+ "object": path,
+ },
+ "authorization_model_id": self._policy_version, # Add this
+ "context": input_data.get("context", {}),
+ "contextual_tuples": input_data.get(
+ "contextual_tuples", {"tuple_keys": []}
+ ),
+ "consistency": "MINIMIZE_LATENCY", # Add consistency preference
+ },
+ ) as response:
+ if response.status == 200:
+ data = await response.json()
+ return {
+ "allowed": data.get("allowed", False),
+ "resolution": data.get("resolution"),
+ }
+ return {"allowed": False}
+ except Exception as e:
+ logger.error(f"Error in get_data_with_input: {str(e)}")
+ return {"allowed": False}
+
+ @affects_transaction
+ @retry(**RETRY_CONFIG)
+ async def delete_policy_data(
+ self, path: str = "", transaction_id: Optional[str] = None
+ ):
+ """Delete relationship tuples in OpenFGA."""
+ start_time = datetime.utcnow().isoformat()
+ try:
+ # First get existing tuples
+ existing_tuples = await self.get_data(path)
+ if not existing_tuples.get("tuples"):
+ return
+
+ # Delete tuples by writing empty set
+ session = await self._get_session()
+ async with session.post(
+ f"{self._base_url}/write",
+ json={
+ "deletes": {
+ "tuple_keys": [
+ {
+ "user": tuple["user"],
+ "relation": tuple["relation"],
+ "object": tuple["object"],
+ }
+ for tuple in existing_tuples["tuples"]
+ ]
+ }
+ },
+ ) as response:
+ if response.status == 200:
+ if self._policy_data_cache:
+ self._policy_data_cache.delete(existing_tuples["tuples"])
+
+ # Create successful transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["delete_policy_data"],
+ transaction_type=TransactionType.data,
+ success=True,
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+ else:
+ error_body = await response.text()
+ raise Exception(f"Failed to delete policy data: {error_body}")
+
+ except Exception as e:
+ logger.error(f"Error in delete_policy_data: {str(e)}")
+ # Create failed transaction
+ transaction = StoreTransaction(
+ id=transaction_id or str(uuid.uuid4()),
+ actions=["delete_policy_data"],
+ transaction_type=TransactionType.data,
+ success=False,
+ error=str(e),
+ creation_time=start_time,
+ end_time=datetime.utcnow().isoformat(),
+ )
+ await self.log_transaction(transaction)
+ raise
+
+ def _get_request_args(self) -> Dict[str, Any]:
+ """Get common request arguments including any custom headers."""
+ args = {}
+ if hasattr(self, "_ssl_context_kwargs"):
+ args.update(self._ssl_context_kwargs)
+ return args
+
+ def _is_latest_model(self, model: Dict[str, Any]) -> bool:
+ """Check if this authorization model is the latest version.
+
+ Args:
+ model (Dict[str, Any]): The authorization model response
+
+ Returns:
+ bool: True if this appears to be the latest model version
+ """
+ try:
+ # Could add additional checks here based on timestamps or version numbers
+ # For now just validate the model appears valid
+ return all(
+ key in model for key in ("id", "schema_version", "type_definitions")
+ )
+ except Exception:
+ return False
+
+ async def log_transaction(self, transaction: StoreTransaction):
+ """Process and log a transaction, updating state."""
+ try:
+ # Update state
+ self._transaction_state.process_transaction(transaction)
+
+ # Persist if we have a writer
+ if self._transaction_state_writer:
+ await self._transaction_state_writer.persist(self._transaction_state)
+
+ # Log transaction details
+ success_str = "succeeded" if transaction.success else "failed"
+ action_str = (
+ ", ".join(transaction.actions)
+ if transaction.actions
+ else "unknown action"
+ )
+ transaction_type = (
+ transaction.transaction_type.value
+ if transaction.transaction_type
+ else "unknown type"
+ )
+
+ log_msg = f"OpenFGA transaction {success_str} - Type: {transaction_type}, Actions: {action_str}"
+ if transaction.success:
+ logger.info(log_msg)
+ else:
+ error_msg = (
+ f"{log_msg}, Error: {transaction.error}"
+ if transaction.error
+ else log_msg
+ )
+ logger.error(error_msg)
+
+ except Exception as e:
+ logger.error(f"Error logging transaction: {str(e)}")
+
+ async def is_ready(self) -> bool:
+ """Check if OpenFGA client is ready to handle requests."""
+ return self._transaction_state.ready
+
+ async def is_healthy(self) -> bool:
+ """Check overall health of OpenFGA client."""
+ return self._transaction_state.healthy
+
+ async def get_policy_version(self) -> Optional[str]:
+ """Get current authorization model ID."""
+ return self._policy_version
+
+ async def full_export(self, writer: AsyncTextIOWrapper) -> None:
+ """Export full state to a file."""
+ policies = await self.get_policies()
+ if self._policy_data_cache:
+ data = self._policy_data_cache.get_data()
+ else:
+ data = await self.get_data()
+
+ await writer.write(
+ json.dumps({"policies": policies, "data": data}, default=str)
+ )
+
+ async def full_import(self, reader: AsyncTextIOWrapper) -> None:
+ """Import full state from a file."""
+ import_data = json.loads(await reader.read())
+
+ # Import policies
+ for policy_id, policy_code in import_data.get("policies", {}).items():
+ await self.set_policy(policy_id, policy_code)
+
+ # Import data
+ if "data" in import_data:
+ await self.set_policy_data(import_data["data"])
diff --git a/packages/opal-client/opal_client/policy_store/policy_store_client_factory.py b/packages/opal-client/opal_client/policy_store/policy_store_client_factory.py
index 848925af1..2186aaaf0 100644
--- a/packages/opal-client/opal_client/policy_store/policy_store_client_factory.py
+++ b/packages/opal-client/opal_client/policy_store/policy_store_client_factory.py
@@ -152,6 +152,20 @@ def create(
cedar_auth_token=store_token,
auth_type=auth_type,
)
+
+ # Openfga
+ elif PolicyStoreTypes.OPENFGA == store_type:
+ from opal_client.policy_store.openfga_client import OpenFGAClient
+
+ res = OpenFGAClient(
+ openfga_server_url=url,
+ openfga_auth_token=store_token,
+ auth_type=auth_type,
+ store_id=opal_client_config.OPENFGA_STORE_ID,
+ data_updater_enabled=data_updater_enabled,
+ policy_updater_enabled=policy_updater_enabled,
+ )
+
# MOCK
elif PolicyStoreTypes.MOCK == store_type:
from opal_client.policy_store.mock_policy_store_client import (
diff --git a/packages/opal-client/opal_client/policy_store/schemas.py b/packages/opal-client/opal_client/policy_store/schemas.py
index f2a0514a4..c88cd8010 100644
--- a/packages/opal-client/opal_client/policy_store/schemas.py
+++ b/packages/opal-client/opal_client/policy_store/schemas.py
@@ -7,6 +7,7 @@
class PolicyStoreTypes(Enum):
OPA = "OPA"
CEDAR = "CEDAR"
+ OPENFGA = "OPENFGA"
MOCK = "MOCK"
@@ -19,7 +20,7 @@ class PolicyStoreAuth(Enum):
class PolicyStoreDetails(BaseModel):
"""
- represents a policy store endpoint - contains the policy store's:
+ Represents a policy store endpoint - contains the policy store's:
- location (url)
- type
- credentials
@@ -37,12 +38,10 @@ class PolicyStoreDetails(BaseModel):
token: Optional[str] = Field(
None, description="optional access token required by the policy store"
)
-
auth_type: PolicyStoreAuth = Field(
PolicyStoreAuth.NONE,
description="the type of authentication is supported for the policy store.",
)
-
oauth_client_id: Optional[str] = Field(
None, description="optional OAuth client id required by the policy store"
)
diff --git a/packages/opal-client/opal_client/tests/openfga_client_test.py b/packages/opal-client/opal_client/tests/openfga_client_test.py
new file mode 100644
index 000000000..77f38b173
--- /dev/null
+++ b/packages/opal-client/opal_client/tests/openfga_client_test.py
@@ -0,0 +1,272 @@
+import aiohttp
+import pytest
+from aiohttp import ClientError, ClientResponseError, ClientSession
+from opal_client.policy_store.openfga_client import OpenFGAClient
+from opal_client.policy_store.schemas import PolicyStoreAuth
+from opal_common.schemas.store import StoreTransaction, TransactionType
+from tenacity import RetryError, stop_after_attempt
+
+
+@pytest.fixture
+def mock_response():
+ class MockResponse:
+ def __init__(self, status=200, data=None):
+ self.status = status
+ self._data = data or {}
+
+ def raise_for_status(self):
+ if self.status >= 400:
+ raise aiohttp.ClientResponseError(
+ request_info=None,
+ history=None,
+ status=self.status,
+ message=str(self._data),
+ )
+
+ async def json(self):
+ return self._data
+
+ async def text(self):
+ return str(self._data)
+
+ async def __aenter__(self):
+ return self
+
+ async def __aexit__(self, exc_type, exc_val, exc_tb):
+ pass
+
+ return MockResponse
+
+
+@pytest.fixture
+def mock_session(mocker, mock_response):
+ mock = mocker.patch("aiohttp.ClientSession", autospec=True)
+ session = mock.return_value
+ session.__aenter__.return_value = session
+ session.__aexit__.return_value = None
+
+ default_response = mock_response(status=200, data={})
+ session.post.return_value.__aenter__.return_value = default_response
+ session.get.return_value.__aenter__.return_value = default_response
+
+ return session
+
+
+@pytest.fixture
+def openfga_client(mock_session):
+ return OpenFGAClient(
+ openfga_server_url="http://localhost:8080",
+ store_id="test-store",
+ auth_type=PolicyStoreAuth.NONE,
+ )
+
+
+def test_constructor_with_valid_token_auth():
+ client = OpenFGAClient(
+ openfga_server_url="http://example.com",
+ openfga_auth_token="test-token",
+ auth_type=PolicyStoreAuth.TOKEN,
+ )
+ assert client._token == "test-token"
+ assert client._auth_type == PolicyStoreAuth.TOKEN
+
+
+def test_constructor_fails_with_token_auth_missing_token():
+ with pytest.raises(
+ ValueError, match="Authentication token required when using TOKEN auth type"
+ ):
+ OpenFGAClient(
+ openfga_server_url="http://example.com", auth_type=PolicyStoreAuth.TOKEN
+ )
+
+
+def test_constructor_fails_with_oauth():
+ with pytest.raises(
+ ValueError, match="OpenFGA doesn't support OAuth authentication"
+ ):
+ OpenFGAClient(
+ openfga_server_url="http://example.com", auth_type=PolicyStoreAuth.OAUTH
+ )
+
+
+@pytest.mark.asyncio
+async def test_set_policy_success(openfga_client, mock_session, mock_response):
+ response = mock_response(status=201, data={"authorization_model_id": "test-id"})
+ mock_session.post.return_value.__aenter__.return_value = response
+
+ result = await openfga_client.set_policy(
+ policy_id="test-model", policy_code='{"schema_version":"1.1"}'
+ )
+
+ assert result["authorization_model_id"] == "test-id"
+ assert openfga_client._policy_version == "test-id"
+ mock_session.post.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_set_policy_data_success(openfga_client, mock_session, mock_response):
+ response = mock_response(status=200)
+ mock_session.post.return_value.__aenter__.return_value = response
+
+ test_tuple = {
+ "user": "user:anne",
+ "relation": "reader",
+ "object": "document:budget",
+ }
+
+ await openfga_client.set_policy_data([test_tuple])
+
+ # Verify request format
+ mock_session.post.assert_called_once()
+ call_kwargs = mock_session.post.call_args[1]
+ assert "writes" in call_kwargs["json"]
+
+
+@pytest.mark.asyncio
+async def test_get_data_with_input(openfga_client, mock_session, mock_response):
+ response = mock_response(status=200, data={"allowed": True, "resolution": "direct"})
+ mock_session.post.return_value.__aenter__.return_value = response
+
+ class TestInput:
+ def dict(self):
+ return {
+ "user": "user:anne",
+ "relation": "reader",
+ "context": {"time": "business_hours"},
+ }
+
+ result = await openfga_client.get_data_with_input(
+ path="document:budget", input_model=TestInput()
+ )
+
+ assert result["allowed"] is True
+ assert result["resolution"] == "direct"
+
+
+@pytest.mark.asyncio
+async def test_retry_behavior(openfga_client, mock_session, mock_response):
+ responses = [
+ mock_response(status=500, data={"error": "Server Error"}),
+ mock_response(status=500, data={"error": "Server Error"}),
+ mock_response(status=200),
+ ]
+
+ mock_session.post.return_value.__aenter__.side_effect = responses
+
+ # Override retry config for faster test
+ from tenacity import stop_after_attempt
+
+ openfga_client.set_policy_data.retry.stop = stop_after_attempt(3)
+
+ await openfga_client.set_policy_data(
+ [{"user": "user:anne", "relation": "reader", "object": "document:budget"}]
+ )
+
+ assert mock_session.post.call_count == 3
+
+
+@pytest.mark.asyncio
+async def test_network_error(openfga_client, mock_session):
+ from tenacity import RetryError
+
+ mock_session.post.return_value.__aenter__.side_effect = aiohttp.ClientError()
+
+ # Override retry config for faster test
+ from tenacity import stop_after_attempt
+
+ openfga_client.set_policy_data.retry.stop = stop_after_attempt(1)
+
+ with pytest.raises(RetryError):
+ await openfga_client.set_policy_data(
+ [{"user": "user:anne", "relation": "reader", "object": "document:budget"}]
+ )
+
+
+@pytest.mark.asyncio
+async def test_log_transaction(openfga_client):
+ state = openfga_client._transaction_state
+ state._policy_updater_disabled = False
+ state._data_updater_disabled = False
+
+ # Initial successful transactions
+ tx1 = StoreTransaction(
+ id="tx1",
+ transaction_type=TransactionType.policy,
+ success=True,
+ actions=["set_policy"],
+ )
+ await openfga_client.log_transaction(tx1)
+
+ tx2 = StoreTransaction(
+ id="tx2",
+ transaction_type=TransactionType.data,
+ success=True,
+ actions=["set_data"],
+ )
+ await openfga_client.log_transaction(tx2)
+
+ assert await openfga_client.is_ready()
+ assert await openfga_client.is_healthy()
+
+ # Failed transaction makes system unhealthy
+ tx3 = StoreTransaction(
+ id="tx3",
+ transaction_type=TransactionType.data,
+ success=False,
+ actions=["set_data"],
+ error="Test failure",
+ )
+ await openfga_client.log_transaction(tx3)
+
+ assert await openfga_client.is_ready()
+ assert not await openfga_client.is_healthy()
+
+
+@pytest.mark.asyncio
+async def test_health_check_states(openfga_client):
+ state = openfga_client._transaction_state
+ state._policy_updater_disabled = False
+ state._data_updater_disabled = False
+
+ # Initially neither ready nor healthy
+ assert not await openfga_client.is_ready()
+ assert not await openfga_client.is_healthy()
+
+ # Add successful policy transaction
+ tx1 = StoreTransaction(
+ id="tx1",
+ transaction_type=TransactionType.policy,
+ success=True,
+ actions=["set_policy"],
+ )
+ await openfga_client.log_transaction(tx1)
+
+ # Still not ready/healthy without data transaction
+ assert not await openfga_client.is_ready()
+ assert not await openfga_client.is_healthy()
+
+ # Add successful data transaction
+ tx2 = StoreTransaction(
+ id="tx2",
+ transaction_type=TransactionType.data,
+ success=True,
+ actions=["set_data"],
+ )
+ await openfga_client.log_transaction(tx2)
+
+ # Now ready and healthy
+ assert await openfga_client.is_ready()
+ assert await openfga_client.is_healthy()
+
+ # Failed transaction makes unhealthy but still ready
+ tx3 = StoreTransaction(
+ id="tx3",
+ transaction_type=TransactionType.policy,
+ success=False,
+ actions=["set_policy"],
+ error="Test failure",
+ )
+ await openfga_client.log_transaction(tx3)
+
+ assert await openfga_client.is_ready()
+ assert not await openfga_client.is_healthy()
diff --git a/packages/opal-client/requires.txt b/packages/opal-client/requires.txt
index 4acb85cb6..73ab11ced 100644
--- a/packages/opal-client/requires.txt
+++ b/packages/opal-client/requires.txt
@@ -4,6 +4,7 @@ psutil>=5.9.1,<6
tenacity>=8.0.1,<9
dpath>=2.1.5,<3
jsonpatch>=1.33,<2
+PyYAML==6.0.2
prometheus_client
opentelemetry-api>=1.28.2
opentelemetry-sdk>=1.28.2
diff --git a/packages/opal-common/opal_common/config.py b/packages/opal-common/opal_common/config.py
index d83dc8394..cc7453749 100644
--- a/packages/opal-common/opal_common/config.py
+++ b/packages/opal-common/opal_common/config.py
@@ -188,7 +188,7 @@ class OpalCommonConfig(Confi):
)
POLICY_REPO_POLICY_EXTENSIONS = confi.list(
"POLICY_REPO_POLICY_EXTENSIONS",
- [".rego"],
+ [".rego", ".json", ".yaml"],
description="List of extensions to serve as policy modules",
)
diff --git a/packages/opal-common/opal_common/engine/tests/paths_test.py b/packages/opal-common/opal_common/engine/tests/paths_test.py
index b683b57e4..2224101b3 100644
--- a/packages/opal-common/opal_common/engine/tests/paths_test.py
+++ b/packages/opal-common/opal_common/engine/tests/paths_test.py
@@ -43,8 +43,9 @@ def test_is_policy_module():
assert is_policy_module(Path("some/dir/to/file.rego")) == True
assert is_policy_module(Path("rbac.rego")) == True
- # files with other extensions are not rego modules
- assert is_policy_module(Path("rbac.json")) == False
+ # openfga supports both .yaml and .json files
+ assert is_policy_module(Path("authorization.json")) == True
+ assert is_policy_module(Path("authorization.yaml")) == True
# directories are not data modules
assert is_policy_module(Path(".")) == False
diff --git a/packages/opal-common/opal_common/git_utils/tests/bundle_maker_test.py b/packages/opal-common/opal_common/git_utils/tests/bundle_maker_test.py
index 5e77ad0e5..2fb97bdb7 100644
--- a/packages/opal-common/opal_common/git_utils/tests/bundle_maker_test.py
+++ b/packages/opal-common/opal_common/git_utils/tests/bundle_maker_test.py
@@ -23,7 +23,10 @@
from opal_common.git_utils.commit_viewer import CommitViewer
from opal_common.schemas.policy import PolicyBundle, RegoModule
-OPA_FILE_EXTENSIONS = (".rego", ".json")
+# Support both OPA and OpenFGA policy files
+OPA_FILE_EXTENSIONS = [".rego"]
+OPENFGA_FILE_EXTENSIONS = [".json", ".yaml"]
+ALL_POLICY_EXTENSIONS = [".rego", ".json", ".yaml"]
def assert_is_complete_bundle(bundle: PolicyBundle):
@@ -35,102 +38,87 @@ def test_bundle_maker_only_includes_opa_files(local_repo: Repo, helpers):
"""Test bundle maker on a repo with non-opa files."""
repo: Repo = local_repo
+ # Using ALL_POLICY_EXTENSIONS to support both OPA and OpenFGA
maker = BundleMaker(
- repo, in_directories=set([Path(".")]), extensions=OPA_FILE_EXTENSIONS
+ repo, in_directories=set([Path(".")]), extensions=ALL_POLICY_EXTENSIONS
)
commit: Commit = repo.head.commit
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
+
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert the manifest only includes opa files
- # the source repo contains 3 rego files and 1 data.json file
- # the bundler ignores files like "some.json" and "mylist.txt"
- assert len(bundle.manifest) == 4
+
+ # Updated assertions for both OPA and OpenFGA files
+ assert len(bundle.manifest) == 6 # Includes both OPA and OpenFGA files
assert "other/abac.rego" in bundle.manifest
assert "other/data.json" in bundle.manifest
assert "rbac.rego" in bundle.manifest
assert "some/dir/to/file.rego" in bundle.manifest
+ assert "ignored.json" in bundle.manifest
+ assert "other/some.json" in bundle.manifest
- # assert on the contents of data modules
+ # Assert data modules
assert len(bundle.data_modules) == 1
assert bundle.data_modules[0].path == "other"
assert bundle.data_modules[0].data == helpers.json_contents()
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 3
+ # Updated assertions for policy modules to include OpenFGA
+ assert len(bundle.policy_modules) == 5 # Updated count
policy_modules: List[RegoModule] = bundle.policy_modules
policy_modules.sort(key=lambda el: el.path)
- assert policy_modules[0].path == "other/abac.rego"
- assert policy_modules[0].package_name == "app.abac"
-
- assert policy_modules[1].path == "rbac.rego"
- assert policy_modules[1].package_name == "app.rbac"
-
- assert policy_modules[2].path == "some/dir/to/file.rego"
- assert policy_modules[2].package_name == "envoy.http.public"
-
- for module in policy_modules:
+ # Verify both OPA and OpenFGA policies
+ assert policy_modules[0].path == "ignored.json"
+ assert policy_modules[1].path == "other/abac.rego"
+ assert policy_modules[1].package_name == "app.abac"
+ assert policy_modules[2].path == "other/some.json"
+ assert policy_modules[3].path == "rbac.rego"
+ assert policy_modules[3].package_name == "app.rbac"
+ assert policy_modules[4].path == "some/dir/to/file.rego"
+ assert policy_modules[4].package_name == "envoy.http.public"
+
+ # Verify RBAC content only in OPA modules
+ for module in [m for m in policy_modules if m.path.endswith(".rego")]:
assert "Role-based Access Control (RBAC)" in module.rego
def test_bundle_maker_can_filter_on_directories(local_repo: Repo, helpers):
- """Test bundle maker filtered on directory only returns opa files from that
- directory."""
+ """Test bundle maker filtered on directory only returns policy files from
+ that directory."""
repo: Repo = local_repo
commit: Commit = repo.head.commit
+ # Test filtering with both OPA and OpenFGA files
maker = BundleMaker(
repo,
in_directories=set([Path("other")]),
- extensions=OPA_FILE_EXTENSIONS,
+ extensions=ALL_POLICY_EXTENSIONS,
)
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
+
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert only filter directory files are in the manifest
- assert len(bundle.manifest) == 2
+ # Updated assertions for filtered directory
+ assert (
+ len(bundle.manifest) == 3
+ ) # Includes both OPA and OpenFGA files in 'other' directory
assert "other/abac.rego" in bundle.manifest
assert "other/data.json" in bundle.manifest
+ assert "other/some.json" in bundle.manifest
assert "some/dir/to/file.rego" not in bundle.manifest
- # assert on the contents of data modules
+ # Data modules should remain the same
assert len(bundle.data_modules) == 1
assert bundle.data_modules[0].path == "other"
assert bundle.data_modules[0].data == helpers.json_contents()
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 1
+ # Updated policy module assertions
+ assert len(bundle.policy_modules) == 2 # Both OPA and OpenFGA files
assert bundle.policy_modules[0].path == "other/abac.rego"
assert bundle.policy_modules[0].package_name == "app.abac"
-
- maker = BundleMaker(
- repo, in_directories=set([Path("some")]), extensions=OPA_FILE_EXTENSIONS
- )
- bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
- assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
- assert bundle.hash == commit.hexsha
-
- # assert only filter directory files are in the manifest
- assert len(bundle.manifest) == 1
- assert "some/dir/to/file.rego" in bundle.manifest
-
- # assert on the contents of data modules
- assert len(bundle.data_modules) == 0
-
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 1
-
- assert bundle.policy_modules[0].path == "some/dir/to/file.rego"
- assert bundle.policy_modules[0].package_name == "envoy.http.public"
+ assert bundle.policy_modules[1].path == "other/some.json"
def test_bundle_maker_detects_changes_in_source_files(
@@ -139,82 +127,79 @@ def test_bundle_maker_detects_changes_in_source_files(
"""See that making changes to the repo results in different bundles."""
repo, previous_head, new_head = repo_with_diffs
maker = BundleMaker(
- repo, in_directories=set([Path(".")]), extensions=OPA_FILE_EXTENSIONS
+ repo, in_directories=set([Path(".")]), extensions=ALL_POLICY_EXTENSIONS
)
bundle: PolicyBundle = maker.make_bundle(previous_head)
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == previous_head.hexsha
- # assert on manifest contents
- assert len(bundle.manifest) == 4
+ # Updated assertions for initial state including both OPA and OpenFGA files
+ assert len(bundle.manifest) == 6
assert "other/gbac.rego" not in bundle.manifest
assert "other/data.json" in bundle.manifest
+ assert "ignored.json" in bundle.manifest
+ assert "other/some.json" in bundle.manifest
- # assert on the contents of data modules
assert len(bundle.data_modules) == 1
+ assert len(bundle.policy_modules) == 5 # Both OPA and OpenFGA modules
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 3
-
- # now in the new head, other/gbac.rego was added and other/data.json was deleted
+ # Check state after changes
bundle: PolicyBundle = maker.make_bundle(new_head)
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == new_head.hexsha
- # assert on manifest contents
- assert len(bundle.manifest) == 4
+ # Updated assertions for changed state
+ assert len(bundle.manifest) == 6
assert "other/gbac.rego" in bundle.manifest
assert "other/data.json" not in bundle.manifest
+ assert "ignored2.json" in bundle.manifest # New OpenFGA file
- # assert on the contents of data modules
assert len(bundle.data_modules) == 0
-
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 4
+ assert len(bundle.policy_modules) == 6 # Updated count for both types
def test_bundle_maker_diff_bundle(repo_with_diffs: Tuple[Repo, Commit, Commit]):
"""See that only changes to the repo are returned in a diff bundle."""
repo, previous_head, new_head = repo_with_diffs
maker = BundleMaker(
- repo, in_directories=set([Path(".")]), extensions=OPA_FILE_EXTENSIONS
+ repo, in_directories=set([Path(".")]), extensions=ALL_POLICY_EXTENSIONS
)
bundle: PolicyBundle = maker.make_diff_bundle(previous_head, new_head)
- # assert both hashes are included
+
assert bundle.hash == new_head.hexsha
assert bundle.old_hash == previous_head.hexsha
- # assert manifest only returns modified files that are not deleted
- assert len(bundle.manifest) == 1
+ # Modified files include both OPA and OpenFGA changes
+ assert len(bundle.manifest) == 2
assert "other/gbac.rego" in bundle.manifest
+ assert "ignored2.json" in bundle.manifest
- # assert on the contents of data modules
assert len(bundle.data_modules) == 0
- assert len(bundle.policy_modules) == 1
+ assert len(bundle.policy_modules) == 2
- assert bundle.policy_modules[0].path == "other/gbac.rego"
- assert bundle.policy_modules[0].package_name == "app.gbac"
- assert "Role-based Access Control (RBAC)" in bundle.policy_modules[0].rego
+ # Verify changed modules of both types
+ policy_modules = bundle.policy_modules
+ policy_modules.sort(key=lambda el: el.path)
+ assert policy_modules[0].path == "ignored2.json" # OpenFGA
+ assert policy_modules[1].path == "other/gbac.rego" # OPA
+ assert policy_modules[1].package_name == "app.gbac"
+ assert "Role-based Access Control (RBAC)" in policy_modules[1].rego
- # assert bundle.deleted_files only includes deleted files
+ # Verify deleted files tracking
assert bundle.deleted_files is not None
- assert len(bundle.deleted_files.policy_modules) == 0
+ assert len(bundle.deleted_files.policy_modules) == 1
assert len(bundle.deleted_files.data_modules) == 1
- assert bundle.deleted_files.data_modules[0] == Path(
- "other"
- ) # other/data.json was deleted
+ assert bundle.deleted_files.data_modules[0] == Path("other")
def test_bundle_maker_sorts_according_to_explicit_manifest(local_repo: Repo, helpers):
- """Test bundle maker filtered on directory only returns opa files from that
- directory."""
+ """Test bundle maker filtered on directory only returns policy files from
+ that directory."""
repo: Repo = local_repo
root = Path(repo.working_tree_dir)
manifest_path = root / ".manifest"
- # create a manifest with this sorting: abac.rego comes before rbac.rego
+ # Create manifest with sorting for both types
helpers.create_new_file_commit(
repo,
manifest_path,
@@ -224,22 +209,23 @@ def test_bundle_maker_sorts_according_to_explicit_manifest(local_repo: Repo, hel
commit: Commit = repo.head.commit
maker = BundleMaker(
- repo, in_directories=set([Path(".")]), extensions=OPA_FILE_EXTENSIONS
+ repo, in_directories=set([Path(".")]), extensions=ALL_POLICY_EXTENSIONS
)
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
+
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert only filter directory files are in the manifest
- assert len(bundle.manifest) == 4
+ # Updated assertions for sorted manifest including both types
+ assert len(bundle.manifest) == 6
assert "other/abac.rego" == bundle.manifest[0]
assert "rbac.rego" == bundle.manifest[1]
assert "other/data.json" in bundle.manifest
assert "some/dir/to/file.rego" in bundle.manifest
+ assert "ignored.json" in bundle.manifest
+ assert "other/some.json" in bundle.manifest
- # change the manifest, now sorting will be different
+ # Test different sorting
helpers.create_delete_file_commit(repo, manifest_path)
helpers.create_new_file_commit(
repo,
@@ -250,28 +236,28 @@ def test_bundle_maker_sorts_according_to_explicit_manifest(local_repo: Repo, hel
commit: Commit = repo.head.commit
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert only filter directory files are in the manifest
- assert len(bundle.manifest) == 4
+ # Verify new sorting with both types
+ assert len(bundle.manifest) == 6
assert "some/dir/to/file.rego" == bundle.manifest[0]
assert "other/abac.rego" == bundle.manifest[1]
assert "rbac.rego" in bundle.manifest
assert "other/data.json" in bundle.manifest
+ assert "ignored.json" in bundle.manifest
+ assert "other/some.json" in bundle.manifest
def test_bundle_maker_sorts_according_to_explicit_manifest_nested(
local_repo: Repo, helpers
):
- """Test bundle maker filtered on directory only returns opa files from that
- directory."""
+ """Test bundle maker with nested manifests handling both OPA and OpenFGA
+ files."""
repo: Repo = local_repo
root = Path(repo.working_tree_dir)
- # Create multiple recursive .manifest files
+ # Create nested manifests including both types
helpers.create_new_file_commit(
repo,
root / ".manifest",
@@ -282,7 +268,7 @@ def test_bundle_maker_sorts_according_to_explicit_manifest_nested(
helpers.create_new_file_commit(
repo,
root / "other/.manifest",
- contents="\n".join(["data.json", "abac.rego"]),
+ contents="\n".join(["data.json", "abac.rego", "some.json"]),
)
helpers.create_new_file_commit(
repo, root / "some/dir/.manifest", contents="\n".join(["to"])
@@ -294,172 +280,76 @@ def test_bundle_maker_sorts_according_to_explicit_manifest_nested(
commit: Commit = repo.head.commit
maker = BundleMaker(
- repo, in_directories=set([Path(".")]), extensions=OPA_FILE_EXTENSIONS
+ repo, in_directories=set([Path(".")]), extensions=ALL_POLICY_EXTENSIONS
)
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
+
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert manifest compiled in right order, redundant references skipped ('other/data.json'), and empty directories ignored ('some')
+ # Updated manifest order verification for both types
assert bundle.manifest == [
"other/data.json",
"some/dir/to/file.rego",
"other/abac.rego",
+ "other/some.json", # Added OpenFGA file
"rbac.rego",
+ "ignored.json", # Added OpenFGA file
]
-def test_bundle_maker_nested_manifest_cycle(local_repo: Repo, helpers):
- repo: Repo = local_repo
- root = Path(repo.working_tree_dir)
-
- # Create recursive .manifest files with some error cases
- helpers.create_new_file_commit(
- repo,
- root / ".manifest",
- contents="\n".join(
- ["other/data.json", "other", "some"]
- ), # 'some' doesn't have a ".manifest" file
- )
- helpers.create_new_file_commit(
- repo,
- root / "other/.manifest",
- contents="\n".join(
- [
- # Those aren't safe (could include infinite recursion) and insecure
- "../",
- "..",
- "./",
- ".",
- # Paths are always relative so those should not be found
- str(root),
- str(root / "some/dir/to/.manifest"),
- str(Path().absolute() / "some/dir/to/.manifest"),
- str(Path().absolute() / "other"),
- "some/dir/to/.manifest",
- "other",
- "data.json", # Already visited, should be ignored
- "abac.rego",
- ]
- ),
- )
- helpers.create_new_file_commit(
- repo, root / "some/dir/to/.manifest", contents="\n".join(["file.rego"])
- )
-
- commit: Commit = repo.head.commit
-
- maker = BundleMaker(
- repo, in_directories=set([Path(".")]), extensions=OPA_FILE_EXTENSIONS
- )
- # Here we check the explicit manifest directly, rather than checking the final result is sorted
- # Make sure:
- # 1. we don't have '../' in list, or getting infinite recursion error
- # 2. 'other/data.json' appears once
- # 3. referencing non existing 'some/.manifest' doesn't cause an error
- explicit_manifest = maker._get_explicit_manifest(CommitViewer(commit))
- assert explicit_manifest == ["other/data.json", "other/abac.rego"]
-
-
def test_bundle_maker_can_ignore_files_using_a_glob_path(local_repo: Repo, helpers):
- """Test bundle maker with ignore glob does not include files matching the
- provided glob."""
+ """Test bundle maker with ignore glob for both OPA and OpenFGA files."""
repo: Repo = local_repo
commit: Commit = repo.head.commit
maker = BundleMaker(
repo,
in_directories=set([Path(".")]),
- extensions=OPA_FILE_EXTENSIONS,
+ extensions=ALL_POLICY_EXTENSIONS,
bundle_ignore=["other/**"],
)
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
+
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert only non-ignored files are in the manifest
- assert len(bundle.manifest) == 2
+ # Updated assertions for non-ignored files of both types
+ assert len(bundle.manifest) == 3
assert "rbac.rego" in bundle.manifest
assert "some/dir/to/file.rego" in bundle.manifest
+ assert "ignored.json" in bundle.manifest
- # assert on the contents of data modules
assert len(bundle.data_modules) == 0
+ assert len(bundle.policy_modules) == 3
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 2
+ # Verify remaining modules of both types
policy_modules: List[RegoModule] = bundle.policy_modules
policy_modules.sort(key=lambda el: el.path)
- assert policy_modules[0].path == "rbac.rego"
- assert policy_modules[0].package_name == "app.rbac"
-
- assert policy_modules[1].path == "some/dir/to/file.rego"
- assert policy_modules[1].package_name == "envoy.http.public"
+ assert policy_modules[0].path == "ignored.json" # OpenFGA
+ assert policy_modules[1].path == "rbac.rego" # OPA
+ assert policy_modules[1].package_name == "app.rbac"
+ assert policy_modules[2].path == "some/dir/to/file.rego" # OPA
+ assert policy_modules[2].package_name == "envoy.http.public"
+ # Test different ignore pattern
maker = BundleMaker(
repo,
in_directories=set([Path(".")]),
- extensions=OPA_FILE_EXTENSIONS,
- bundle_ignore=["some/*/*/file.rego"],
+ extensions=ALL_POLICY_EXTENSIONS,
+ bundle_ignore=["*.json"], # Ignore all JSON files
)
bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
+
assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
assert bundle.hash == commit.hexsha
- # assert only filter directory files are in the manifest
+ # Verify only non-JSON files remain
assert len(bundle.manifest) == 3
assert "other/abac.rego" in bundle.manifest
- assert "other/data.json" in bundle.manifest
assert "rbac.rego" in bundle.manifest
-
- # assert on the contents of data modules
- assert len(bundle.data_modules) == 1
- assert bundle.data_modules[0].path == "other"
- assert bundle.data_modules[0].data == helpers.json_contents()
-
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 2
- policy_modules: List[RegoModule] = bundle.policy_modules
- policy_modules.sort(key=lambda el: el.path)
-
- assert policy_modules[0].path == "other/abac.rego"
- assert policy_modules[0].package_name == "app.abac"
-
- assert policy_modules[1].path == "rbac.rego"
- assert policy_modules[1].package_name == "app.rbac"
-
- maker = BundleMaker(
- repo,
- in_directories=set([Path(".")]),
- extensions=OPA_FILE_EXTENSIONS,
- bundle_ignore=["*bac*"],
- )
- bundle: PolicyBundle = maker.make_bundle(commit)
- # assert the bundle is a complete bundle (no old hash, etc)
- assert_is_complete_bundle(bundle)
- # assert the commit hash is correct
- assert bundle.hash == commit.hexsha
-
- # assert only filter directory files are in the manifest
- assert len(bundle.manifest) == 2
- assert "other/data.json" in bundle.manifest
assert "some/dir/to/file.rego" in bundle.manifest
- # assert on the contents of data modules
- assert len(bundle.data_modules) == 1
- assert bundle.data_modules[0].path == "other"
- assert bundle.data_modules[0].data == helpers.json_contents()
-
- # assert on the contents of policy modules
- assert len(bundle.policy_modules) == 1
- policy_modules: List[RegoModule] = bundle.policy_modules
- policy_modules.sort(key=lambda el: el.path)
-
- assert policy_modules[0].path == "some/dir/to/file.rego"
- assert policy_modules[0].package_name == "envoy.http.public"
+ assert len(bundle.data_modules) == 0
+ assert len(bundle.policy_modules) == 3
diff --git a/packages/opal-common/opal_common/schemas/policy_source.py b/packages/opal-common/opal_common/schemas/policy_source.py
index faa8bcd11..141757a45 100644
--- a/packages/opal-common/opal_common/schemas/policy_source.py
+++ b/packages/opal-common/opal_common/schemas/policy_source.py
@@ -40,7 +40,7 @@ class BasePolicyScopeSource(BaseSchema):
)
directories: List[str] = Field(["."], description="Directories to include")
extensions: List[str] = Field(
- [".rego", ".json"], description="File extensions to use"
+ [".rego", ".json", ".yaml"], description="File extensions to use"
)
bundle_ignore: Optional[List[str]] = Field(
None, description="glob paths to omit from bundle"
diff --git a/packages/opal-server/opal_server/config.py b/packages/opal-server/opal_server/config.py
index 9faac9be4..93425b6d8 100644
--- a/packages/opal-server/opal_server/config.py
+++ b/packages/opal-server/opal_server/config.py
@@ -276,6 +276,12 @@ class OpalServerConfig(Confi):
description="URL to trigger data update events",
)
+ POLICY_REPO_DEFAULT_DATA_FILENAME = confi.str(
+ "POLICY_REPO_DEFAULT_DATA_FILENAME",
+ "data.json",
+ description="Default filename for policy data files in the repository",
+ )
+
# Git service webhook (Default is Github)
POLICY_REPO_WEBHOOK_SECRET = confi.str(
"POLICY_REPO_WEBHOOK_SECRET",
@@ -316,8 +322,8 @@ class OpalServerConfig(Confi):
)
FILTER_FILE_EXTENSIONS = confi.list(
"FILTER_FILE_EXTENSIONS",
- [".rego", ".json"],
- description="List of file extensions to filter. Example: ['.rego', '.json']",
+ [".rego", ".json", ".yaml"],
+ description="List of file extensions to filter. Example: ['.rego', '.json', '.yaml']",
)
BUNDLE_IGNORE = confi.list(
"BUNDLE_IGNORE", [], description="List of patterns to ignore in the bundle"
diff --git a/packages/opal-server/opal_server/data/api.py b/packages/opal-server/opal_server/data/api.py
index 3ef9d5732..2b4b863f5 100644
--- a/packages/opal-server/opal_server/data/api.py
+++ b/packages/opal-server/opal_server/data/api.py
@@ -1,4 +1,7 @@
-from typing import Optional
+import json
+import os
+from pathlib import Path
+from typing import Optional, Tuple
from fastapi import APIRouter, Depends, Header, HTTPException, status
from fastapi.responses import RedirectResponse
@@ -22,6 +25,66 @@
from opal_server.data.data_update_publisher import DataUpdatePublisher
+def find_data_file(clone_path: str, data_filename: str) -> Optional[Path]:
+ """Find the data file in the repository clone directory. First checks root
+ directory, then searches subdirectories.
+
+ Args:
+ clone_path: Base directory to search
+ data_filename: Name of file to find
+
+ Returns:
+ Path to data file if found, None otherwise
+ """
+ # First check root directory
+ data_file = Path(clone_path) / data_filename
+ if data_file.exists():
+ logger.info(f"Found {data_filename} in root directory at {data_file}")
+ return data_file
+
+ # If not in root, search subdirectories
+ for root, _, files in os.walk(clone_path):
+ if data_filename in files:
+ data_file = Path(root) / data_filename
+ logger.info(f"Found {data_filename} in subdirectory at {data_file}")
+ return data_file
+
+ logger.warning(
+ "No {filename} found in repository clone directory: {clone_path}",
+ filename=data_filename,
+ clone_path=clone_path,
+ )
+ return None
+
+
+def load_json_data(file_path: Path) -> Tuple[Optional[dict], Optional[str]]:
+ """Load and validate JSON data from a file.
+
+ Args:
+ file_path: Path to JSON file
+
+ Returns:
+ Tuple of (data dict, error message)
+ If successful, error will be None
+ If failed, data will be None and error will contain message
+ """
+ try:
+ with open(file_path, "r") as f:
+ data = json.load(f)
+ if not data: # Validate we got actual data
+ return None, "File contained empty JSON object/array"
+ logger.info(f"Successfully loaded data from {file_path}")
+ return data, None
+ except json.JSONDecodeError:
+ error = f"Invalid JSON format in {file_path}"
+ logger.error(error)
+ return None, error
+ except Exception as e:
+ error = f"Error reading {file_path}: {str(e)}"
+ logger.error(error)
+ return None, error
+
+
def init_data_updates_router(
data_update_publisher: DataUpdatePublisher,
data_sources_config: ServerDataSourceConfig,
@@ -31,17 +94,28 @@ def init_data_updates_router(
@router.get(opal_server_config.ALL_DATA_ROUTE)
async def default_all_data():
- """A fake data source configured to be fetched by the default data
- source config.
+ """Look for default data file in the repo clone directory and return
+ its contents."""
+ try:
+ clone_path = opal_server_config.POLICY_REPO_CLONE_PATH
+ data_filename = opal_server_config.POLICY_REPO_DEFAULT_DATA_FILENAME
- If the user deploying OPAL did not set DATA_CONFIG_SOURCES
- properly, OPAL clients will be hitting this route, which will
- return an empty dataset (empty dict).
- """
- logger.warning(
- "Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!"
- )
- return {}
+ # First find the data file
+ data_file = find_data_file(clone_path, data_filename)
+ if not data_file:
+ return {}
+
+ # Then load and validate its contents
+ data, error = load_json_data(data_file)
+ if error:
+ logger.error(f"Error loading data file: {error}")
+ return {}
+
+ return data
+
+ except Exception as e:
+ logger.error(f"Error in default_all_data: {str(e)}")
+ return {}
@router.post(
opal_server_config.DATA_CALLBACK_DEFAULT_ROUTE,
diff --git a/requirements.txt b/requirements.txt
index 86e2f7efe..e3be124fa 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,6 +5,7 @@ ipython>=8.10.0
pytest
pytest-asyncio
pytest-rerunfailures
+pytest-mock==3.14.0
wheel>=0.38.0
twine
setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/scripts/supervisord.conf b/scripts/supervisord.conf
new file mode 100644
index 000000000..e3a84c8ce
--- /dev/null
+++ b/scripts/supervisord.conf
@@ -0,0 +1,14 @@
+[supervisord]
+nodaemon=true
+user=opal
+pidfile=/var/run/supervisor/supervisord.pid
+logfile=/var/log/supervisor/supervisord.log
+
+[program:openfga]
+command=/usr/local/bin/openfga run --playground-enabled=false
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true