This experiment adds support for querying relations from OpenFGA via gRPC to check resource-level permissions, exposed as custom builtin functions for Open Policy Agent.

Currently only one builtin is supported:

```
openfga.check_permission("SUBJECT","PERMISSION","RESOURCE_ID") -> bool
```
## Build

Note: this example uses Go 1.19.

```sh
go get
go build
```
## Start the OpenFGA demo environment

```sh
docker compose -f demo/docker-compose.yml up -d --remove-orphans
```

## Run the custom Open Policy Agent with the openfga plugin enabled

```sh
./custom-opa-openfga run \
  --set plugins.openfga.apiScheme=http \
  --set plugins.openfga.apiHost=localhost:8080 \
  --set plugins.openfga.apiToken=foobar \
  --set plugins.openfga.storeId=ABCD12345678901234567890XX
```
## Create the store and import the example data

```sh
FGA_API_URL="http://localhost:8080"
FGA_STORE_ID=ABCD12345678901234567890XX
FGA_BEARER_TOKEN=foobar

curl -X POST $FGA_API_URL/stores/$FGA_STORE_ID/authorization-models \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \
  -H "content-type: application/json" \
  -d @./demo/schema.json

curl -X POST $FGA_API_URL/stores/$FGA_STORE_ID/write \
  -H "Authorization: Bearer $FGA_BEARER_TOKEN" \
  -H "content-type: application/json" \
  -d '{"writes": { "tuple_keys" : [{"user":"tom","relation":"writer","object":"document:firstdoc"},{"user":"fred","relation":"reader","object":"document:firstdoc"}] }}'
```
## Query relations against OpenFGA

See the example schema (`demo/schema.json`) for reference. In the OPA REPL started above:

```
> openfga.check_permission("tom", "view", "document:firstdoc")
true
> openfga.check_permission("tom", "edit", "document:firstdoc")
true
> openfga.check_permission("fred", "edit", "document:firstdoc")
false
> exit
```
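The check the builtin performs, written out as an added example that is not part of this project's code: it takes the same apiScheme/apiHost, apiToken and storeId settings, sends OpenFGA a user/relation/object tuple (the same shape as the tuples written with curl above) and returns the `allowed` flag. It talks to OpenFGA's HTTP `/stores/{id}/check` endpoint instead of the plugin's gRPC client, and it fails closed: a transport error, a rejected token or an unparseable reply never turns into `true`.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// FGAClient carries the settings the plugin takes via --set. Give HTTP a timeout
// so a hung OpenFGA cannot stall policy evaluation indefinitely.
type FGAClient struct {
	APIURL, StoreID, Token string
	HTTP                   *http.Client
}

// CheckPermission asks OpenFGA whether user holds relation on object via POST /stores/{id}/check.
// It fails closed: transport, auth or decoding problems come back as an error, never as "allowed".
func (c *FGAClient) CheckPermission(ctx context.Context, user, relation, object string) (bool, error) {
	body, _ := json.Marshal(map[string]interface{}{"tuple_key": map[string]string{"user": user, "relation": relation, "object": object}})
	url := fmt.Sprintf("%s/stores/%s/check", c.APIURL, c.StoreID)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("openfga check: unexpected HTTP %d", resp.StatusCode)
	}
	var out struct{ Allowed bool `json:"allowed"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Allowed, nil
}

func main() {
	// README demo values; needs the demo environment from this README running.
	c := &FGAClient{APIURL: "http://localhost:8080", StoreID: "ABCD12345678901234567890XX",
		Token: "foobar", HTTP: &http.Client{Timeout: 2 * time.Second}}
	fmt.Println(c.CheckPermission(context.Background(), "tom", "edit", "document:firstdoc"))
}
```

A policy that wraps this call should map an error to deny; returning the error alongside the bool leaves that decision explicit rather than buried in the client.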
## Stop the demo environment

```sh
docker compose -f demo/docker-compose.yml down
```