1.根据项目去启动 配置一个 openfga 服务器
先创建一个 config.yaml文件
cd /opt/openFGA/conftouch ./config.yaml怎么配置?
根据官网来看
https://github.com/openfga/openfga/blob/main/.config-schema.json
这里讲述详细的每一个配置每一个类型
这些配置有三种形式配置方式
命令行
需要用 - 隔开每个 属性下的属性 和 properties 的 . 类似
环境变量
OpenFGA 服务器支持用于配置的环境变量,它们将优先于您的配置文件。每个变量都必须以 OPENFGA_ 为前缀,后跟大写的选项(例如,--grpc-tls-key 变为 OPENFGA_GRPC_TLS_KEY)。
官方也讲了怎么配置
config.yaml文件
需要映射数据卷
这里我们选择使用yaml配置
我们其他的用命令行配置,然后 把会变的用 yaml配置
1.配置限制单个 BatchCheck 请求中允许的检查数量。
maxChecksPerBatchCheck: 3000
2.限制可同时解决的 Check 数量
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 1003.ListObjects 将返回在分配时间内找到的结果
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s4.ListObjects 最多为配置的最大结果数
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s
listObjectsMaxResults: 3000
5.Listuser将返回在分配时间内找到的结果
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s
listObjectsMaxResults: 3000
listUsersDeadline: 10s6.ListObjects 最多为配置的最大结果数
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s
listObjectsMaxResults: 3000
listUsersDeadline: 10s
listUsersMaxResults: 30007.最大元组一次写入
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s
listObjectsMaxResults: 3000
listUsersDeadline: 10s
listUsersMaxResults: 3000
maxTuplesPerWrite: 1000
8.最大每个授权模型定义的类型
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s
listObjectsMaxResults: 3000
listUsersDeadline: 10s
listUsersMaxResults: 3000
maxTuplesPerWrite: 1000
maxTypesPerAuthorizationModel: 30009.持久化授权模型所允许的最大字节数(默认值为256KB)。
maxChecksPerBatchCheck: 3000
maxConcurrentChecksPerBatchCheck: 100
listObjectsDeadline: 10s
listObjectsMaxResults: 3000
listUsersDeadline: 10s
listUsersMaxResults: 3000
maxTuplesPerWrite: 1000
maxTypesPerAuthorizationModel: 3000
maxAuthorizationModelSizeInBytes: 262144
requestTimeout: 10s
常用的配置就这么多
安装
docker-compose.yaml
version: '3.8'
networks:
openfga:
services:
mysql:
image: mysql:8
container_name: mysql
restart: always
networks:
- openfga
ports:
- "3306:3306"
environment:
- MYSQL_ROOT_PASSWORD=secret
- MYSQL_DATABASE=openfga
healthcheck:
test: ["CMD", 'mysqladmin', 'ping', '-h', 'localhost', '-u', 'root', '-p$$MYSQL_ROOT_PASSWORD' ]
timeout: 20s
retries: 5
migrate:
depends_on:
mysql:
condition: service_healthy
image: openfga/openfga:latest
container_name: migrate
command: migrate
environment:
- OPENFGA_DATASTORE_ENGINE=mysql
- OPENFGA_DATASTORE_URI=root:secret@tcp(mysql:3306)/openfga?parseTime=true
networks:
- openfga
openfga:
depends_on:
migrate:
condition: service_completed_successfully
image: openfga/openfga:latest
restart: always
container_name: openfga
environment:
- OPENFGA_DATASTORE_ENGINE=mysql
- OPENFGA_DATASTORE_URI=root:secret@tcp(mysql:3306)/openfga?parseTime=true
- OPENFGA_LOG_FORMAT=json
volumes:
- /opt/openFGA/conf:/etc/openfga
command: run
networks:
- openfga
ports:
# Needed for the http server
- "8080:8080"
# Needed for the grpc server (if used)
- "8081:8081"
# Needed for the playground (Do not enable in prod!)
- "3000:3000"启动
cd /opt/openFGAdocker compose up -d检测配置文件是否生效
docker compose logs -f看日志 是生效了
2.下载fga cli
https://github.com/openfga/cli/releases
vim /etc/profile修改环境变量文件
# 在环境变量文件中末尾,添加如下内容
export OPEN_FGA_HOME=/opt/openFGA/fgacli
export PATH=$OPEN_FGA_HOME:$PATH
# 重新加载环境变量文件
source /etc/profile编辑配置文件
vim /root/.fga.yaml.fga.yaml 内容如下
api-url: http://localhost:8080 根据官网来
试着执行一下命令
fga store create --name "FGA Demo Store"
表示执行成功,也成功在数据库创建了一个Store
3.下载Visual Studio Code
下载插件
下载windows版本的 cli
配置环境变量
然后 将fga目录文件也放入环境变量中,
就可以在任何位置使用 fga命令了
vscode 使用 ctrl shift p 选中 插件中的 transform to json 可以把 .fga 转化为 .json文件
然后创建模型开始 接下来就可以开始测试了
跟着官方文档 一步一步走
GitHub - openfga/cli: A cross-platform CLI to interact with an OpenFGA server
4.测试
这里我们作为测试
为了以后逻辑更加清晰,我们以模块化开发chuangj
创建 fga.mod 模块化开发核心组装文件
schema: '1.2'
contents:
- core.fga创建 核心 core.fga 其中一个模块
module core
type user
type role
relations
define member: [user]
type application
relations
define viewer: [user,role#member]
define can_view: viewer
type menu
relations
define parent: [application]
define add: can_view from parent
整合创建模型
fga model write --file=fga.mod 测试开始
Microsoft Windows [版本 10.0.19045.5371]
(c) Microsoft Corporation。保留所有权利。
C:\Users\RJ\Documents\fgatestmodel>fga model get
model
schema 1.2
type application # module: core, file: core.fga
relations
define can_view: viewer
define viewer: [user, role#member]
type role # module: core, file: core.fga
relations
define member: [user]
type user # module: core, file: core.fga
C:\Users\RJ\Documents\fgatestmodel>fga model validate -file core.fga
Error: unknown shorthand flag: 'f' in -file
C:\Users\RJ\Documents\fgatestmodel>fga model validate --file core.fga
{
"is_valid":false,
"error":"invalid schema version"
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:jmj member role:admin
{
"successful": [
{
"object":"role:admin",
"relation":"member",
"user":"user:jmj"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:jmj member role:admin
Error: failed to write tuple: Write validation error for POST Write with body {"code":"write_failed_due_to_invalid_input","message":"cannot write a tuple which already exists: user: 'user:jmj', relation: 'member', object: 'role:admin': tuple to be written already existed or the tuple to be deleted did not exist"}
with error code write_failed_due_to_invalid_input error message: cannot write a tuple which already exists: user: 'user:jmj', relation: 'member', object: 'role:admin': tuple to be written already existed or the tuple to be deleted did not exist
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:jmj member role:gaojimanager
{
"successful": [
{
"object":"role:gaojimanager",
"relation":"member",
"user":"user:jmj"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:jmj member role:putongguanliyuan1
{
"successful": [
{
"object":"role:putongguanliyuan1",
"relation":"member",
"user":"user:jmj"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple read --user user:jmj --relation member --object role:admin
{
"continuation_token":"",
"tuples": [
{
"key": {
"object":"role:admin",
"relation":"member",
"user":"user:jmj"
},
"timestamp":"2025-01-25T03:06:32Z"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type admin
{
"changes": [],
"continuation_token":""
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type role
{
"changes": [
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:06:32Z",
"tuple_key": {
"object":"role:admin",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:37Z",
"tuple_key": {
"object":"role:gaojimanager",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:45Z",
"tuple_key": {
"object":"role:putongguanliyuan1",
"relation":"member",
"user":"user:jmj"
}
}
],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9"
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type role
{
"changes": [
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:06:32Z",
"tuple_key": {
"object":"role:admin",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:37Z",
"tuple_key": {
"object":"role:gaojimanager",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:45Z",
"tuple_key": {
"object":"role:putongguanliyuan1",
"relation":"member",
"user":"user:jmj"
}
}
],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9"
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type role
{
"changes": [
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:06:32Z",
"tuple_key": {
"object":"role:admin",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:37Z",
"tuple_key": {
"object":"role:gaojimanager",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:45Z",
"tuple_key": {
"object":"role:putongguanliyuan1",
"relation":"member",
"user":"user:jmj"
}
}
],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9"
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type role --continuation-token=eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9
{
"changes": [],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9"
}
C:\Users\RJ\Documents\fgatestmodel>
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type role --continuation-token=eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9
{
"changes": [],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9"
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type role
{
"changes": [
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:06:32Z",
"tuple_key": {
"object":"role:admin",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:37Z",
"tuple_key": {
"object":"role:gaojimanager",
"relation":"member",
"user":"user:jmj"
}
},
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:07:45Z",
"tuple_key": {
"object":"role:putongguanliyuan1",
"relation":"member",
"user":"user:jmj"
}
}
],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRQVzBDRDJNVzVXNTFHQ1ZRMDQ5QzYiLCJPYmplY3RUeXBlIjoicm9sZSJ9"
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj member role:admin
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj member role:admin
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-objects user:jmj member role
{
"objects": [
"role:admin",
"role:putongguanliyuan1",
"role:gaojimanager"
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:a can_view docu
Error: failed to write tuple: Write validation error for POST Write with body {"code":"validation_error","message":"Invalid tuple 'docu#can_view@user:a'. Reason: invalid 'object' field format"}
with error code validation_error error message: Invalid tuple 'docu#can_view@user:a'. Reason: invalid 'object' field format
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:a can_view docu:aa
Error: failed to write tuple: Write validation error for POST Write with body {"code":"validation_error","message":"Invalid tuple 'docu:aa#can_view@user:a'. Reason: type 'docu' not found"}
with error code validation_error error message: Invalid tuple 'docu:aa#can_view@user:a'. Reason: type 'docu' not found
C:\Users\RJ\Documents\fgatestmodel>fga tuple write user:bzm member role:admin
{
"successful": [
{
"object":"role:admin",
"relation":"member",
"user":"user:bzm"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations user:jmj role:admin --relation member
{
"relations": [
"member"
]
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations user:jmj role --relation member
{
"relations": []
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations user:jmj --relation member
Error: accepts 2 arg(s), received 1
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations role:admin --relation member
Error: accepts 2 arg(s), received 1
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations role:admin user --relation member
{
"relations": []
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations role:admin user:jmj --relation member
{
"relations": []
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-relations user:jmj role:admin --relation member
{
"relations": [
"member"
]
}
C:\Users\RJ\Documents\fgatestmodel>fga query expand member role:admin
{
"tree": {
"root": {
"leaf": {
"users": {
"users": [
"user:bzm",
"user:jmj"
]
}
},
"name":"role:admin#member"
}
}
}
C:\Users\RJ\Documents\fgatestmodel>fga query list-uers --object role:admin --relation member --user0filter user
Error: unknown flag: --object
C:\Users\RJ\Documents\fgatestmodel>fga query list-uers --object role:admin --relation member --userfilter user
Error: unknown flag: --object
C:\Users\RJ\Documents\fgatestmodel>fga query list-uers --object role:admin --relation member --user-filter user
Error: unknown flag: --object
C:\Users\RJ\Documents\fgatestmodel>fga query list-uers --object role:admin --relation member --user-filter user
Error: unknown flag: --object
C:\Users\RJ\Documents\fgatestmodel>fga query list-users --object role:admin --relation member --user-filter user
{
"users": [
{
"object": {
"id":"jmj",
"type":"user"
}
},
{
"object": {
"id":"bzm",
"type":"user"
}
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write role:admin#member viewer application:tigeriotapp
{
"successful": [
{
"object":"application:tigeriotapp",
"relation":"viewer",
"user":"role:admin#member"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple changes --type application
{
"changes": [
{
"operation":"TUPLE_OPERATION_WRITE",
"timestamp":"2025-01-25T03:22:43Z",
"tuple_key": {
"object":"application:tigeriotapp",
"relation":"viewer",
"user":"role:admin#member"
}
}
],
"continuation_token":"eyJ1bGlkIjoiMDFKSkRRUUQyQkozQ1M2RDE2NzY4MTBDSloiLCJPYmplY3RUeXBlIjoiYXBwbGljYXRpb24ifQ=="
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write role:admin#1member viewer application:tigeriotapp
Error: failed to write tuple: Write validation error for POST Write with body {"code":"validation_error","message":"Invalid tuple 'application:tigeriotapp#viewer@role:admin#1member'. Reason: relation 'role#1member' not found"} with error code validation_error error message: Invalid tuple 'application:tigeriotapp#viewer@role:admin#1member'. Reason: relation 'role#1member' not found
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj can_view application:tigeriotapp
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:bzm can_view application:tigeriotapp
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:cc can_view application:tigeriotapp
{
"allowed":false,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:cc can_view application:tigeriotapp --contextual-tuple "user:cc member role:admin"
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga model list
{
"authorization_models": [
{
"id":"01JJDP39W07DXX87KS937GKK9S",
"created_at":"2025-01-25T02:54:15.936Z"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write application:tigeriotapp parent menu:erwangpingheng
Error: failed to write tuple: Write validation error for POST Write with body {"code":"validation_error","message":"Invalid tuple 'menu:erwangpingheng#parent@application:tigeriotapp'. Reason: type 'menu' not found"}
with error code validation_error error message: Invalid tuple 'menu:erwangpingheng#parent@application:tigeriotapp'. Reason: type 'menu' not found
C:\Users\RJ\Documents\fgatestmodel>fga model write --file =fga.mod
Error: failed to read file =fga.mod due to open =fga.mod: The system cannot find the file specified.
C:\Users\RJ\Documents\fgatestmodel>fga model write --file=fga.mod
{
"authorization_model_id":"01JJDRB8QK912Y0EW06BMT7VG4"
}
C:\Users\RJ\Documents\fgatestmodel>fga tuple write application:tigeriotapp parent menu:erwangpingheng
{
"successful": [
{
"object":"menu:erwangpingheng",
"relation":"parent",
"user":"application:tigeriotapp"
}
]
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj member role:admin
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check role:admin#rember viewer application:tigeriotapp
Error: check failed: Check validation error for POST Check with body {"code":"validation_error","message":"relation 'role#rember' not found"}
with error code validation_error error message: relation 'role#rember' not found
C:\Users\RJ\Documents\fgatestmodel>fga query check role:admin#member viewer application:tigeriotapp
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check role:admin#member can_view application:tigeriotapp
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check role:admin add menu:erwangpingheng
{
"allowed":false,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check application:tigeriotapp add menu:erwangpingheng
{
"allowed":false,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check application:tigeriotapp parent menu:erwangpingheng
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query expand add menu:erwangpingheng
{
"tree": {
"root": {
"leaf": {
"tupleToUserset": {
"computed": [
{
"userset":"application:tigeriotapp#can_view"
}
],
"tupleset":"menu:erwangpingheng#parent"
}
},
"name":"menu:erwangpingheng#add"
}
}
}
C:\Users\RJ\Documents\fgatestmodel>fga query user:jmj add menu:erwangpingheng
Run queries (Check, Expand, ListObjects, ListRelations, ListUsers) that are evaluated according to a particular model.
Usage:
fga query [command]
Available Commands:
check Check
expand Expand
list-objects List Objects
list-relations List Relations
list-users List users
Flags:
--consistency string Consistency preference for the request. Valid options are HIGHER_CONSISTENCY and MINIMIZE_LATENCY.
--context string Query context (as a JSON string)
--contextual-tuple stringArray Contextual Tuple, output: "user relation object"
-h, --help help for query
--model-id string Model ID
--store-id string Store ID
Global Flags:
--api-audience string API Audience. Used when performing the Client Credentials flow
--api-scopes stringArray API Scopes (repeat option for multiple values). Used in the Client Credentials flow
--api-token string API Token. Will be sent in as a Bearer in the Authorization header
--api-token-issuer string API Token Issuer. API responsible for issuing the API Token. Used in the Client Credentials flow
--api-url string OpenFGA API URI e.g. https://api.fga.example:8080 (default "http://localhost:8080")
--client-id string Client ID. Sent to the Token Issuer during the Client Credentials flow
--client-secret string Client Secret. Sent to the Token Issuer during the Client Credentials flow
--config string config file (default is $HOME/.fga.yaml)
Use "fga query [command] --help" for more information about a command.
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj add menu:erwangpingheng
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj add menu:erwangpingheng
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:cc add menu:erwangpingheng
{
"allowed":false,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj add menu:erwangpingheng
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check role:admin add menu:erwangpingheng
{
"allowed":false,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check role:admin#member add menu:erwangpingheng
{
"allowed":true,
"resolution":""
}
C:\Users\RJ\Documents\fgatestmodel>fga query check user:jmj add menu:erwangpingheng
{
"allowed":true,
"resolution":""
}
把我的测试记录保存下来了
测试没问题,下一章节我们将 实战入我们自己的项目
5.整合Java SDK
<dependency>
<groupId>dev.openfga</groupId>
<artifactId>openfga-sdk</artifactId>
<version>0.3.1</version>
</dependency>6.创建一个新的项目
7.导入依赖
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.4.2</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.jmj</groupId>
<artifactId>openFGA-snap</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>openFGA-snap</name>
<description>openFGA-snap</description>
<url/>
<licenses>
<license/>
</licenses>
<developers>
<developer/>
</developers>
<scm>
<connection/>
<developerConnection/>
<tag/>
<url/>
</scm>
<properties>
<java.version>21</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>dev.openfga</groupId>
<artifactId>openfga-sdk</artifactId>
<version>0.3.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<annotationProcessorPaths>
<path>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</path>
</annotationProcessorPaths>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
8.从头开始 创建Store
模型 store -> authmodel -> tuple
一个store 里的 授权模型 是以版本号迭代的 ,也就是一个 store 就一个 授权模型,你可以使用不同版本
我们以模块化开发授权模型
1.fga.mod 归纳模块
schema: '1.2'
contents:
- core.fga
2.core.fga 核心模块
module core
#核心模块
#用户类型
type user
#角色类型
#关系
# 成员 :member :用户类型
type role
relations
define member: [user]
#应用类型
#关系
# can_access:能否访问: 角色成员用户集
type application
relations
define can_access: [role#member]
#页面模块分组
#关系
#parent_model父模型
#可见身份: 用户成员组绑定
#访问身份: 用户成员组绑定 且 必须父模型要有访问权限
#能否查看 查看者 与 访问者 都可以访问
#能否访问 只有访问者可以访问
type page_module_group
relations
define parent_model: [application]
define viewer: [role#member]
define accesser: [role#member] and can_access from parent_model
define can_viewer: viewer or accesser
define can_access: accesser
#页面模块
#关系
#parent_model父模型
#可见身份: 用户成员组绑定
#访问身份: 用户成员组绑定 且 必须父模型要有访问权限
#能否查看 查看者 与 访问者 都可以访问
#能否访问 只有访问者可以访问
type page_module
relations
define parent_model: [page_module_group]
define viewer: [role#member]
define accesser: [role#member] and can_access from parent_model
define can_viewer: viewer or accesser
define can_access: accesser
#页面菜单
#关系
#parent_model父模型
#可见身份: 用户成员组绑定
#访问身份: 用户成员组绑定 且 必须父模型要有访问权限
#能否查看 查看者 与 访问者 都可以访问
#能否访问 只有访问者可以访问
type page_menu
relations
define parent_model: [page_module]
define viewer: [role#member]
define accesser: [role#member] and can_access from parent_model
define can_viewer: viewer or accesser
define can_access: accesser
#页面界面
#关系
#parent_model父模型
#可见身份: 用户成员组绑定
#访问身份: 用户成员组绑定 且 必须父模型要有访问权限
#能否查看 查看者 与 访问者 都可以访问
#能否访问 只有访问者可以访问
type page_view
relations
define parent_model: [page_menu]
define viewer: [role#member]
define accesser: [role#member] and can_access from parent_model
define can_viewer: viewer or accesser
define can_access: accesser
配好环境变量
fga model write --file=fga.mod 一个store 就专注于一个 授权模型,由版本进行迭代维护升级,而不是 多个授权模型
