From 1374e4bd31459139ae8c3b33fb1ff2fe5de4fbf8 Mon Sep 17 00:00:00 2001 From: Andres Aguiar Date: Mon, 28 Oct 2024 09:41:18 -0300 Subject: [PATCH 1/2] feat: add RFCs for unique store and model names --- 20241028-unique-model-names.md | 35 +++++++++++++++++++++++++++++++ 20241028-unique-store-names.md | 38 ++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 20241028-unique-model-names.md create mode 100644 20241028-unique-store-names.md diff --git a/20241028-unique-model-names.md b/20241028-unique-model-names.md new file mode 100644 index 0000000..018cf06 --- /dev/null +++ b/20241028-unique-model-names.md 
@@ -0,0 +1,35 @@ +# Unique Model Names + +## Meta + +- **Name**: Unique Model Names +- **Start Date**: 2024-10-25 +- **Last Updated Date**: 2024-10-25 +- **Author(s)**: [aaguiarz](https://github.com/aaguiarz) +- **Status**: Draft +- **PR Link**: +- **Relevant Issues**: +- **Supersedes**: N/A + +## Summary + +When [creating a model](https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel), OpenFGA does not allow to provide a name,and it will return a unique id. + +This RFC proposes a way to specify a unique name when writing a model. + +## Motivation + +In some cases, developers would benefit from having an external identifier for the model. + +For example, when deploying applications in development/staging environments a new model needs to be created in each deployment, and it desirable to have a predictable identifier for the model. Given OpenFGA creates a different Model ID each time, it's not possible. It needs to be stored in a secret storage vault, and retrieved at runtime, which adds friction. Some OpenFGA developers, for example, keep a database table that has a Github commit hash and the equivalent Model ID. + +## Requirements + + - It should be possible to upgrade to OpenFGA version that implements this feature without downtime. + - The OpenFGA [ReadAuthorizationModels endpoint](https://openfga.dev/api/service#/Authorization%20Models/ReadAuthorizationModels) endpoint should support filtering by name. + +## Proposed Solution + + - Add a `name` parameter to the (https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel). + - Validate that the name is unique. If a database constraint is used, a migration should be created that sets the Model Name = Model ID. + - Add a `name` parameter to the [ReadAuthorizationModels endpoint](https://openfga.dev/api/service#/Authorization%20Models/ReadAuthorizationModels). \ No newline at end of file 
diff --git a/20241028-unique-store-names.md b/20241028-unique-store-names.md new file mode 100644 index 0000000..4d3669e --- /dev/null +++ b/20241028-unique-store-names.md 
@@ -0,0 +1,38 @@ +# Unique Store Names + +## Meta + +- **Name**: Unique Store Names +- **Start Date**: 2024-10-25 +- **Last Updated Date**: 2024-10-25 +- **Author(s)**: [aaguiarz](https://github.com/aaguiarz) +- **Status**: Draft +- **PR Link**: +- **Relevant Issues**: +- **Supersedes**: N/A + +## Summary + +When [creating a store](https://openfga.dev/api/service#/Stores/CreateStore), OpenFGA allows providing a store name, and it will return a unique id. + +This RFC proposes a way to configure OpenFGA in a way that the store name can be unique. + +## Motivation + +In some cases, developers would benefit from having an external identifier for the store. Some examples are: + + - The application is architected to use one store per tenant, and they need to map the internal tenant ID to the store ID. + + - When deploying applications in development/staging environments a new store needs to be created in each deploy, and it desirable to have a predictable identifier for the store. Given OpenFGA creates a different Store ID each time, it's not possible. It needs to be stored in a secret storage vault, and retrieved at runtime, which adds friction + +## Requirements + + - Existing OpenFGA deployments that have duplicated names should still work. + - OpenFGA [GetStores endpoint](https://openfga.dev/api/service#/Stores/GetStore) endpoint should support filtering by name. Given it's possible that there could be more than one store with the same name, it needs to return an array. If the store name is unique, it will return an array with a single element. + +## Proposed Solution + + - Add a configuration option to OpenFGA to enable unique store names. + - Add a `name` parameter to the [GetStores endpoint](https://openfga.dev/api/service#/Stores/GetStore) that returns an array of stores. + - Modify the storage adapters to validate that store names are unique when creating them. Given it is required to also support duplicated store names, we can't rely on database constraints. + 
From 70619b3f0910384ed5da8a1aa40aee68d9e83afb Mon Sep 17 00:00:00 2001 From: Andres Aguiar Date: Tue, 29 Oct 2024 09:54:55 -0300 Subject: [PATCH 2/2] chore: added clarification --- 20241028-unique-model-names.md | 1 + 1 file changed, 1 insertion(+) diff --git a/20241028-unique-model-names.md b/20241028-unique-model-names.md index 018cf06..13d7615 100644 --- a/20241028-unique-model-names.md +++ b/20241028-unique-model-names.md @@ -27,6 +27,7 @@ For example, when deploying applications in development/staging environments a n - It should be possible to upgrade to OpenFGA version that implements this feature without downtime. - The OpenFGA [ReadAuthorizationModels endpoint](https://openfga.dev/api/service#/Authorization%20Models/ReadAuthorizationModels) endpoint should support filtering by name. + - The model name should be unique per store, not unique per OpenFGA instance. ## Proposed Solution
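Review bot: In 20241028-unique-model-names.md, the Proposed Solution bullet "Validate that the name is unique" does not say what WriteAuthorizationModel should do when the name is already in use, and the Motivation depends on that answer. The stated use case writes a new model on every deployment and wants a predictable identifier. If a repeated name is rejected, a redeploy cannot reuse the name. If it is accepted and the name is re-pointed, callers that resolve a model by name can be evaluated against a different model than the one they tested with. Suggest stating the behaviour explicitly, and whether the Model ID remains usable for pinning. Smaller points in the same hunk: the first Proposed Solution bullet has a bare link, "(https://openfga.dev/api/service#/Authorization%20Models/WriteAuthorizationModel)", with no link text, and the Requirements bullet repeats "endpoint" after the ReadAuthorizationModels link.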
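Review bot: In 20241028-unique-store-names.md, the last Proposed Solution bullet has the storage adapters "validate that store names are unique when creating them" while stating "we can't rely on database constraints", which leaves a check-then-insert race unaddressed: two concurrent CreateStore calls with the same name can both pass the check. For the one-store-per-tenant case in the Motivation, a duplicate name makes the tenant ID to store ID lookup ambiguous, so the RFC should say how the check is made atomic in each adapter. It should also say what happens when the option is enabled on a deployment that already holds duplicated names, since the Requirements say those deployments must keep working and the lookup by name returns an array. Minor: both "GetStores endpoint" links point at the "#/Stores/GetStore" anchor, and the Requirements bullet repeats "endpoint" after the link.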
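Review bot: In PATCH 2/2, the new Requirements line "The model name should be unique per store, not unique per OpenFGA instance" is not carried into the Proposed Solution of the same file, which still reads "Validate that the name is unique" and proposes a constraint with a migration that "sets the Model Name = Model ID". Suggest updating that bullet to name the uniqueness key as the store plus the model name, so a constraint or adapter check is not implemented instance-wide, where a name taken in one store would block or collide with the same name in another. The ReadAuthorizationModels `name` filter bullet would also benefit from saying the lookup is scoped to the store.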