Add OpenFGA as a Policy Store

[gemanor]

An OPAL policy-store is an interface that enables OPAL to manage policy-engines that can make authorization decisions via OPAL clients.

This issue is a feature request to add OpenFGA as a policy-store in OPAL alongside the existing supported policy stores (OPA and Cedar) so developers can better manage OpenFGA services.

Acceptance criteria:

• Ability to configure OpenFGA as a policy store in OPAL
• OpenFGA models/policies are auto-synced from git
• OpenFGA supports the data fetching pattern and syncing data from external data sources
• A working end-to-end demo with example ReBAC policies and mock data
• Docker-compose examples of running OPAL with single or multiple OpenFGA clients
• 100% UT coverage on the code and at least one integration test

[gemanor]

/bounty $1500

[algora-pbc]

💎 $1,500 bounty • Permit.io

Steps to solve:

1. Start working: Comment /attempt #661 with your implementation plan
2. Submit work: Create a pull request including /claim #661 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to permitio/opal!

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🟢 @benya7	Sep 18, 2024, 12:14:54 PM	WIP
🟢 @onyedikachi-david	Sep 20, 2024, 2:55:29 PM	WIP
🔴 @debaa98	Oct 15, 2024, 11:04:27 AM	WIP
🟢 @zhanxini	Dec 1, 2024, 7:58:29 AM	WIP
🟢 @daveads		#673

[enok1111]

Hi @gemanor! I'm very interested in working on this task.
Can I be assigned? Thank you.

/attempt #661

Algora profile	Completed bounties	Tech	Active attempts	Options
@benya7	2 bounties from 2 projects	TypeScript, JavaScript, Vue & more		Cancel attempt

[gemanor]

Hey @benya7, sure! Please share your working plan for this, so we can expect timelines, etc.

[onyedikachi-david]

/attempt #661

@gemanor do you accept multiple submissions for this?

Algora profile	Completed bounties	Tech	Active attempts	Options
@onyedikachi-david	7 bounties from 4 projects	JavaScript, Shell		Cancel attempt

[enok1111]

Hey @benya7, sure! Please share your working plan for this, so we can expect timelines, etc.

@gemanor Thanks for that!
Here is my implementation plan.

Research OpenFGA API and OPAL's Policy-Store Architecture (3 days):

• Study OpenFGA's API and data model.
• Review existing policy stores (OPA, Cedar) in OPAL to understand the integration points, especially for fetching, syncing, and authorization patterns.

Development (2 weeks):

• Integrate OpenFGA as a policy store within OPAL.
• Implement Git-based auto-sync for OpenFGA policies.
• Enable external data fetching and provide Docker Compose setup for single/multiple clients.

Testing, Documentation & Demo (1 week):

• Write unit tests with 100% coverage.
• Build integration tests with example ReBAC policies and mock data.
• Write documentation for configuring OpenFGA in OPAL and Docker Compose examples.

I hope this is acceptable to you. Please let me know if you would like any changes.

[gemanor]

Sounds good to me! Looking forward for updates.

[gemanor]

Hey @benya7 I'll be happy if you can share your progress points here so we can track it :)

[varshith257]

@gemanor It's been a week without any visible activity from @benya7. I'd like to take over this issue. I have strong experience with Docker and have worked with Kubernetes policies, particularly with Kyverno. Additionally, I have a solid Python background and I feel confident in integrating OpenFGA into OPAL as a new policy store.

I've already reviewed the existing OPA and Cedar policy store implementations and now have a clear understanding of how to proceed with adding OpenFGA.

[gemanor]

Since we haven't seen any progress from @benya7 for the last four days, we are reassigning it to @daveads, who initially asked to take this issue.

@daveads, please share your plan for this ticket, including timeframes.

@varshith257 @onyedikachi-david, we will open similar tickets soon. Keep watching.