Closed kdubb closed 1 year ago
FYI, I have a preliminary extension currently targeting OpenFGA. While it's in its infancy, it manages to be fairly complete, providing advanced features like dev-services.
@gastaldi @gsmet We're ready for some repositories to be created in Quarkiverse. We've got a working set of extensions and converted some of our projects to use them with quite a good result.
Currently we have two distinct projects that each require their own repository:
quarkus-openfga-client for the OpenFGA reactive client.
quarkus-zanzibar for the Zanzibar filter(s) and the connector extensions as submodules.
You can see this setup here, even though these are a bit out-of-date right now.
/cc @aloubyansky, @gsmet, @maxandersen
Done, the following repositories were created:
Thank you!
Description
Many cloud applications require authorization models that don't fit nicely into those provided by current Quarkus extensions.
Google's Zanzibar paper offers an elegant solution to complex fine-grained authorization models and has spawned a few open-source implementations.
The extension should provide an authorization filter that can check against a Zanzibar style API along with custom authorization annotations targeted at extracting the required data from incoming requests. Additionally, an API client must be provided to allow managing the authorization tuples in the Zanzibar style server.
A proper extension will allow integration with Zanzibar style authorization at a level of ease similar to what's available today for RBAC authorization in Quarkus.
Interested in this extension? Please +1 via the emoji/reaction feature of GitHub (top right).
Configuration suggestion
Aside from server configuration, most of the configuration would be annotation-based, similar to today's RBAC authorization.
FGA requires three basic pieces of information for a "check" to be performed: the target "object" that access is being authorized for, a "relation", and a "user". The user is readily available through standard Quarkus security machinery, which means we require the target object and relation to be configured.
Example annotations to provide missing information required for a check:
Additional context
Google's Zanzibar has inspired a few open source implementations, including OpenFGA, SpiceDB, and Keto.
While the initial version of the extension will most likely focus on a single implementation, an extension is envisioned that would allow adapting any compatible implementation as the source of "checks".
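The "check" described under Configuration suggestion (object, relation, user) and the tuple management mentioned in the Description can be sketched as follows. This is an added example, not part of the original issue and not code from the extension, OpenFGA, SpiceDB or Keto; the tuple layout, the `IMPLIED_BY` model and all object and user names are constructed assumptions.

```python
"""Minimal in-memory Zanzibar-style check (illustrative, not any server's API)."""
from typing import NamedTuple


class RelTuple(NamedTuple):
    obj: str       # e.g. "document:roadmap"
    relation: str  # e.g. "viewer"
    subject: str   # "user:anne", or a userset such as "group:eng#member"


# Constructed sample tuples; every name here is hypothetical.
TUPLES = {
    RelTuple("group:eng", "member", "user:anne"),
    RelTuple("group:eng", "member", "group:eng#member"),  # self-reference
    RelTuple("document:roadmap", "viewer", "group:eng#member"),
    RelTuple("document:roadmap", "owner", "user:bob"),
}

# Constructed model: on a "document", "viewer" is also granted by "owner".
IMPLIED_BY = {("document", "viewer"): ["owner"]}


def check(user, relation, obj, tuples=TUPLES, _seen=None):
    """Return True only if some tuple path grants `relation` on `obj` to `user`."""
    seen = _seen if _seen is not None else set()
    if (obj, relation) in seen:  # cycle guard: usersets may reference each other
        return False
    seen.add((obj, relation))
    for t in tuples:
        if t.obj != obj or t.relation != relation:
            continue
        if t.subject == user:  # direct grant
            return True
        if "#" in t.subject:   # userset: anyone holding sub_rel on sub_obj
            sub_obj, sub_rel = t.subject.split("#", 1)
            if check(user, sub_rel, sub_obj, tuples, seen):
                return True
    obj_type = obj.split(":", 1)[0]
    for stronger in IMPLIED_BY.get((obj_type, relation), []):
        if check(user, stronger, obj, tuples, seen):
            return True
    return False  # deny by default: no tuple path means no access
```

In the proposed extension the user would come from the Quarkus security identity, while the object and relation would be supplied per endpoint, which is why only those two need configuring.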