feat: add RFCs for unique store and model names

[aaguiarz]

Description

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

If you haven't done so yet, we would appreciate it if you could star the OpenFGA repository. :)

[kalleep]

Having the option to run openFGA with unique store names would be great.

For us the first motivation would apply and without it we would need to implement mapping from our internal tenant id to store id. We never want to get to a scenario where multiple stores shares the same name

[kalleep]

Suggested change

	- OpenFGA [GetStores endpoint](https://openfga.dev/api/service#/Stores/GetStore) endpoint should support filtering by name. Given it's possible that there could be more than one store with the same name, it needs to return an array. If the store name is unique, it will return an array with a single element.
	- OpenFGA [ListStores endpoint](https://openfga.dev/api/service#/Stores/ListStores) endpoint should support filtering by name. Given it's possible that there could be more than one store with the same name, it needs to return an array. If the store name is unique, it will return an array with a single element.

[3schwartz]

Suggested change

	- Add a `name` parameter to the (https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel).
	- Add a `version` parameter to the (https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel).

A suggestion for improvement: consider using “version” instead of “name” for identifying authorization models. While stores benefit from having unique names tied to their domain, authorization models are better suited to identification through meaningful versions, such as 1.0.1 → 1.0.2 or Git commit hashes. The store already provides the domain context.

[OsmanMElsayed]

Hi @aaguiarz,

I'm thinking - instead of constraining the API with one extra name property - it could be more flexible to make it possible for the consumers to add any number of tags (inspired by k8s labels).

This can open the possibility for multiple use-cases. E.g:

• Use the tag to uniquely filter the authZ models by a unique tag known to the consumer. In this case the consumer can tag the model with the commit hash: commit-hash:1374e4b
• Use the tag for rolling out an authZ model to a specific environment. In this case the tag can be release_approved. For this to work though, I'd imagine extra changes are needed to select the latest model that has a specific tag, instead of selecting the latest available model - in case the user does not specify the model ID when calling the check/list users/list resources APIs.

This will also address the comment above by letting the consumer decide how to structure/call the tags (version vs name etc..).

Wdyt?

[couling]

I think this current proposal gets us 90% of what we need. We can implement something akin to multiple tags simply by copying a model under multiple names. However for the last 10% we would (also?) need a tags model. Some requirements for a tags model are not met by this name model:

• We need a way to roll out a model without restarting all services that reference it:

  • Tags should be (optionally) mutable, meaning a single tag may be moved to point to a different model at a later date. This allows multiple "latest" tags for blue-green deployments or feature flagging. Eg: models could be tagged with latest, stable, beta. And those tags would be expected to move.
  • check / read / write endpoints should support specifying a tag instead of an authorization model id. So when the tag moves, the corresponding requests would begin to use the new model.
  • consistency rules should ensure results to batch requests must only return results for a single authorization model.
  • consistency rules may allow delayed use of new models in check requests.

• We need to be able to trace the origin(s) of an authorization model. We need to know which git commit, which PR, and which build generated a specific model. And currently json in ≠ json out, meaning we can't even to a text comparison.

  • Tags sharing the same authorization model should be discoverable. Eg: I might separately tag a model with the name of a git tag and a release number. I need to be able to find one tag using the other.
  • There should be a mechanism to retrospectivly tag a model. This enables flow from release-candidate to release without changing the model itself.

[couling]

To be clear: I think this proposal would be great step forwards. I think a tags feature would also be useful. So I don't think the need for a tags feature would get in the way of proceeding with this unique name feature.

It's worth mentioning that openfga/roadmap#80 is titled "tagging" and references this RFC.

[danielloader]

I'll echo above, I appreciate the concept of tags that can track a model in a way that means services don't need to be rolling reloaded to get model updates - this would make my kubernetes stack a tonne happier.

In fact anything that allows me to junk off the fragile and complicated CI system I have to use:

• Model changes trigger pipeline
• Pipeline pushes model to OpenFGA with a kubectl port-forward.
• Takes the resulting new random model ID and writes it into a secret in the openfga namespace.
• github.com/mittwald/kubernetes-replicator then replicates this annotated secret into multiple namespaces for applications to pickup (we have a monolithic model used by multiple microservices).
• github.com/stakater/Reloader then detects the secret change and triggers a deployment rolling restart
• Applications across the cluster restart and we hope all of the above worked so they point to the correct model id.

This is really unpleasant to deal with.

It's not much better in a docker compose local development stack either:

• Start Postgres
• Run OpenFGA migrations
• Start OpenFGA
• Run a custom init container with fga cli and jq in and a bash script with the model embedded
• Create a store, then add the model to OpenFGA
• Work out how to then take those FGA_MODEL_ID and FGA_STORE_ID values and use them in 4 other containers that get this configured via environment variables.

Anything that makes this somewhat less painful would be great - I was nearly going to implement a startup init script for each application to deduce these things via FGA CLI calls but stopped myself because that felt even worse.