openfga / openfga

A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
https://openfga.dev
Apache License 2.0

Configuration to share tuples across stores #1799

Open geoffroybraun opened 1 month ago

geoffroybraun commented 1 month ago

Describe the problem you'd like to have solved

Hi there,

recently, we've been asked to test new features which would have impacted our actual Production authorization model. Therefore, we created a new "sandbox" store with the updated authorization model to allow our PMs to play with it and improve relations if required. Unfortunately, it didn't work, as tuples are not shared across stores.

Describe the ideal solution

It could be very helpful for this kind of situation to allow tuple sharing across stores based on configuration, which could be not allowed by default for security purposes.

Alternatives and current workarounds

We developed a workaround in our code to explicitly specify which authorization model ID to use based on configuration, but a native OpenFGA feature would be much more powerful and user-friendly IMHO, and also much more secure.

Additional context

This only occurs during development phases; sharing tuples should not be allowed in Production environments. This really means something at this moment when our PMs are working on the model and need their actual data in a Development environment to ensure authorizations work the way they should.

aaguiarz commented 1 month ago

Hi @geoffroybraun

The way we designed OpenFGA is to have one store support multiple models precisely for this scenario.

We recommend that your applications always point to a specific Model ID, so whenever you update the model you can test it without impacting the application.

Let me know if this makes sense.
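Added example, not part of the thread and not OpenFGA project code: a sketch of the pinning described in the reply above, where production and sandbox callers share one store (and so the same tuples) but each Check request names its own model ID. The API URL, the placeholder IDs, the `ENVIRONMENTS` table and the helper names are assumptions made for illustration; the request shape is OpenFGA's `POST /stores/{store_id}/check`.

```python
import json

# Constructed placeholders; substitute the IDs returned by your own OpenFGA server.
API_URL = "http://localhost:8080"            # assumed local server address
STORE_ID = "STORE_ID_PLACEHOLDER"
ENVIRONMENTS = {                             # hypothetical per-environment config
    "production": {"store_id": STORE_ID, "model_id": "PROD_MODEL_ID_PLACEHOLDER"},
    "sandbox": {"store_id": STORE_ID, "model_id": "SANDBOX_MODEL_ID_PLACEHOLDER"},
}


class ModelNotPinned(ValueError):
    """Raised instead of sending a Check request without a model ID."""


def build_check_request(api_url, store_id, model_id, user, relation, obj):
    """Return (url, json_body) for a Check call pinned to one authorization model.

    A Check sent without authorization_model_id is evaluated against the
    store's latest model, so writing a sandbox model to the store would change
    the answers an unpinned production caller receives. Fail closed instead.
    """
    if not model_id:
        raise ModelNotPinned("authorization_model_id must be set explicitly")
    url = f"{api_url.rstrip('/')}/stores/{store_id}/check"
    body = {
        "authorization_model_id": model_id,
        "tuple_key": {"user": user, "relation": relation, "object": obj},
    }
    return url, json.dumps(body, sort_keys=True)


def check_request_for(env, user, relation, obj):
    """Build the pinned Check request for a named environment."""
    cfg = ENVIRONMENTS[env]
    return build_check_request(API_URL, cfg["store_id"], cfg["model_id"],
                               user, relation, obj)


if __name__ == "__main__":
    # Same store and same tuple key, evaluated under two different models.
    for env in ("production", "sandbox"):
        url, body = check_request_for(env, "user:anne", "viewer", "document:roadmap")
        print(env, "POST", url, body)
```

Both requests target the same store URL and tuple key and differ only in `authorization_model_id`, so the sandbox model can be exercised against existing tuples while production decisions stay on the model it was pinned to.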