Hi everyone. We're going to start sharp because we don't have a lot of time. I'm Andres, I work on the product side of OpenFGA, which is a product we're building as a Cloud Native Computing Foundation Sandbox project, and I'm here with Maria, a software engineer also working on the OpenFGA project. OK, so let's start. I guess everyone here understands the difference between authentication and authorization, but just to be on the same page: in authentication we try to verify a user's identity; in authorization we try to know if a user can perform a specific action on a specific resource. As an industry we kind of solved authentication. If you're building a new application today, it's highly unlikely that you're going to start building authentication from scratch without using a library, a framework, a product, a standard that helps you implement authentication. However, on the authorization side the story is a little more complicated. I think the only product there that is widely adopted is Open Policy Agent, mainly for infrastructure scenarios, but on the application side there are no well-adopted standards, there are no widely adopted products. So we think there's a lot of work we can do there. We believe authorization now is where authentication was 10 or 15 years ago, and there are a lot of things we can do to help solve authorization. There are two main things that we want to solve, that are creating friction. One is when you want to implement fine-grained authorization policies, and that implies: I'm building a collaboration product, but I want to share the document with a specific set of users; or in clinical trials, certain people can actually operate on certain studies but not others; or there might be a lot of bank accounts, and several people can see a specific bank account, right?
There are a lot of scenarios where you need more fine-grained access control than what is easily implementable with current frameworks for building authorization. And the other one is you want to have a centralized place where you can have a single way to implement authorization across multiple apps, where you can have all the logs centralized, where you can have a centralized policy that is easy to audit and understand how authorization is behaving in your product, instead of looking at the code base of all the products you've built over time with hard-coded authorization. So we try to solve that problem, and we're doing it with this project that we call OpenFGA. It is based on a concept called relationship-based access control, which you can see as an evolution of role-based access control and attribute-based access control. And it's inspired by a white paper that Google published a few years ago, where they explain how they solved this problem internally. They are using that technology, which is called Google Zanzibar, to implement authorization across all of their products, like Google Drive, YouTube, internal applications, Google Cloud... you know Google has a chat product every five years, so all of those, right, and the next one. And they also explain how to build it in a way that can scale to Google scale. What we did is we took some of those ideas and we packaged them with DSLs to define authorization models, tools and SDKs that make it simple for you to implement in your applications. So I'm going to stop talking and try to demo the product. I'm using Maria's laptop, and Maria's laptop has scrolling that operates in a different way, so when I go up it goes down and things like that. I'll try to cope with that.
The way we handle authorization in OpenFGA is we need to define two things. First is what we call an authorization model; I'm going to start by writing one, which is what you have there on your right. And then a set of data that we're going to use to instantiate that model. So what I'm going to build now is an authorization model for a B2B SaaS application for document management; you can think of something like Notion or Google Docs, right? In the model I'm going to define the entities that are relevant for making authorization decisions. In this case I'm going to have a user, and I would call each of my customers an organization, so the tenants, right? I'm going to say that an organization has relations with members that are going to be users. OK, so pretty simple: an organization with users, and user as a separate entity. Then what I need to do is instantiate the model with what we call relationship tuples, which have this shape: user Anne is a member of the organization. So with the model and the data we're going to be able to start asking the system authorization questions. What I'm going to do now is start OpenFGA. Let me find it here. So it's running, and now I'm going to go to another CLI window and I'm going to use the CLI, if I manage to operate this. The first thing is I need to create a store, and a store is a container of a model and the data that instantiates that model. So I'm going to do that with a command.
It is fga store create, and I'm going to send this model with --model model.fga. When I do this, FGA creates a store and it gives you an ID, and I'm going to put this ID in an environment variable. Now, if I do fga model get, for example, I will get the model I just wrote. OK, now I need to start adding these tuples to the system, and the way I can do that is I can say fga tuple write, user Anne, member, organization. OK, so I wrote that tuple, and now if I do fga tuple read I see that tuple stored in my system. Now that I have the data and the model, I can query the system. If I want to know if a user can perform an action on a resource, the way you do that in relationship-based access control is: is this user related to an object in a certain way? So I can write something like fga query check and say user Anne is related as member to the organization, and it's going to say true, of course, because that's the data I just told FGA was true. So I'm going to get true. These are the core components: the model, the data and the server that I'm operating here through a CLI. To make this demo faster, what I'm going to do is, instead of using the CLI to add tuples and run checks, I'm going to use one of these YAML files where I can have the same thing: it points to the model, it has the tuples, it has the checks, and I can do something like fga model test --tests with that YAML file, and it's going to run all these tests I have here, which are the checks I was doing. So what I'm doing here is I'm creating a model and at the same time testing that the model is behaving the way it should. OK, these are the core concepts.
Now let's get more fun with the model here. I'm going to define another type here, the group. It's going to have relations; it's also going to have members, and the members of a group can be users. And we're going to define that all the members of an organization can also be members of a group. If I do this, I can add a tuple that has this shape: I can say user organization Acme member, so all the members of the Acme organization are actually members of the group Everyone. And now if I create a new check here, I can see if Anne is actually related to group Everyone as a member. So at this moment I didn't explicitly add Anne as a member of the group, right? But she's part of the Everyone group because all the members of the organization are members of the Everyone group. If I run the tests here, I'm going to get a failure because I did something wrong, and... thank you, thank you very much. This means that you're paying attention and the font size is big enough. OK, so now the tests are passing. Thank you very much. So we have now organizations and groups. If you think about what we defined here, it's not very different from role-based access control, right? And actually I can define a role here: there's an admin. These users... I'm kind of saying that the members can be users, or the admins can be users. And I can define an admin of the organization here: user Bob is an admin of the org. OK, so I have now role-based access control that is multi-tenant, with groups involved, right? But the interesting part with relationship-based access control is, in addition to modeling your roles and groups, you can start modeling your resources. You start adding definitions of your application-specific resources, which are going to be very different from application to application, in the model. So for a document management app, I can have a folder, and the folder can have a parent folder, which would be a folder.
It can have an owner, which would be a user; that's the one who created the folder. We're going to have an editor; it could be an owner or an admin from... sorry, I need to add something here: the folder is going to be owned by a specific organization, right? Because it's a multi-tenant app, all the documents that are created belong to a tenant. So I added this, and now I can say that the editor is the owner or the admin from the organization. Now this is more interesting, right? I'm starting to define relationships between my resources and my users and groups in a way that I can start traversing hierarchies. And in this case, as you see, even the folder is a hierarchical structure: a folder has a parent which is a folder, right? Actually I can say owner, or maybe owner from parent, right? So if you own the parent folder you own the folder, and you can edit the folder. Then we can say we have another relation, which is viewer, which is: if you are an editor, you can be a viewer. Now, each time you create an instance, an entity of folder, in your system, you will need to create a tuple in FGA saying there's a new folder now that is related to this organization, right? So I'm going to come here and I'm going to do: user organization Acme is related as organization to object folder General. OK, so I have a folder now. If you remember, I created Bob as an admin in the Acme org. So if I check now if Bob is related to the document General as a viewer... right, and right now I also made a mistake, sorry, save document instead of... I'm getting... so now this test passes, right? And how is this working? We are saying: look at all the steps that we need to take here in the graph, right?
We ask for viewer; to be a viewer you need to be an editor; and to be an editor you need to be the admin of the organization that owns the folder, right? And we assigned Bob as an admin. So we need to traverse the graph, and we tell you yes, Bob is an editor of this document. Let's make it a little more complex, right? So now we can define a document. A document has a parent, which is a folder, and the document here... Then, instead of saying admin from, we're going to say just admin, or editor from parent. OK, and when defining a viewer in a document, I'm also going to define that a document can be viewed by a specific user, right? So if I want to share a document with a user, or with all the members of a group, I can do that. And the last thing we're going to do, then, is instantiate these relationships. So we're going to say first that there's a document in the system, so I need to define that a document exists and its parent is that folder: folder General is related as parent to document Readme. OK, and now we're going to say that if you're a member of the group Everyone, you are actually a viewer of object document Readme. So members of the Everyone group are viewers of the Readme document. If you remember, earlier we asserted that Anne was a member of the Everyone group. So now we check if Anne can view document Readme: we check if she's a viewer, and we run the tests. I'm going to make another mistake, which is that the user field is malformed: user Anne and document Readme. Thank you. And another mistake: this should be group Everyone member, members of the... OK, and now it's passing, right? So if you think about it, in 10 minutes...
I created an authorization model that lets you define role-based access control that is multi-tenant, permissions on a document application that inherit from the folder and from the organization, and I can assign fine-grained permissions for every document, every folder, to a group or to a user. OK, and that's the idea of the product: you have a model, you have the tuples and you can query the system to make authorization decisions. I demoed this with the CLI, and I wish it could be a code integration, but actually, if you just... let me find the right contact here... when you run OpenFGA you can access a playground here that makes it simpler for you to learn how to use the product. So you can create the model here, add the tuples, add the assertions, without installing the CLI or adding it to your code, right? And you have this neat chart on the right that shows you the relationships. OK, so I'm going to kill OpenFGA now. Up to now we saw how you can create a model and how you can instantiate the tuples, but you want to use this in your application, right? So now Maria is going to help us understand how you can integrate this into your own application. Thank you.

Thank you, Andres. Hi everyone. So yes, as Andres said, I'm going to tell you how you can integrate your application with OpenFGA, and also I'm going to do a demo of how you can enable telemetry in an OpenFGA server. OK, so let's imagine that you have an application that has documents and you also have users, right?
So those users can create those documents, view them, delete them, update them. This is the code that could be the get-documents endpoint of that application, and it has an authentication middleware that authenticates the user, and if it succeeds then we go to the database and we give them the documents. Now we know that the user was authenticated, but they were not authorized. So this is where FGA comes in: we create an FGA client, we pass it the link to the OpenFGA server, and then we come back to the get-documents endpoint, and the first thing that we do is call check on FGA. If check returns success, then we go to the database and we give them the document. Now, that was how FGA checks for a permission, or in FGA terms how it checks that a user has a relation with an object. But FGA needs some data to arrive at a decision, right? So we need to write all the data. Whenever someone creates a document, what we need to do is write tuples. In this case I'm writing two tuples: I'm saying this user is the owner of this document, and I'm also saying this document is owned by this organization. So just as before we had the authentication middleware, we can also create our own authorization middleware, and the only thing it does is call check on FGA. So now we can again come back to the get-documents endpoint: we call the authentication middleware, we call the authorization middleware, and if they both succeed, we go to the database and we give them the documents. We can do the same thing if they're trying to update a document, or if they're trying to delete it. Now, what is the difference between these slides? What changes is the relation, right?
So this is the cool part about FGA: your application doesn't need to care how someone got access to something. Maybe, you know, someone shared the document with them, or they had a specific role, or, I don't know, they were a member of a group that had access. Your application doesn't need to care about that. The authorization check is completely decoupled from the logic; all the logic lives within FGA. So now I'm going to do another quick demo. The cool thing about OpenFGA is that it integrates with other cloud native projects like OpenTelemetry, Jaeger, Prometheus and Grafana. What all these projects do is they allow observability, so you will be able to troubleshoot problems and maybe even increase the performance of your model. Some of the metrics that OpenFGA emits are metrics about SQL, for example how many database connections are open; some process metrics like CPU and memory usage, you know, the standard ones; and also some FGA-specific metrics, such as the latency of a check call or how many database reads were involved in one check. OK, so let's jump into the demo. The first thing that I'm going to do is start the OpenFGA server with metrics and tracing enabled. Now I'm going to create a store, which is what holds all the data, so the model and the tuples. Now I'm going to write the model, which is the one that Andres shared earlier. OK, so now I'm going to write the tuples. Just a few tuples written, and now I'm going to simulate some load on the OpenFGA server: I'm going to issue some checks. For example, here I'm checking that user Anne has the member relation with organization Acme. OK, so that finished. Now I can open the Prometheus UI and I can query for metrics. For example, I'm going to query for connections in use.
OK, so we see the connections in use. Now I'm going to open Grafana, and I have a pre-made dashboard with some metrics, so you can see the requests per second, the latency of each check, you can see process metrics, goroutines, garbage collections. And because I enabled tracing in the OpenFGA server, you can come to the Jaeger UI, you can filter by operation check, and then find traces. Let's inspect this check. So this is a high-level view of where the time was spent in a check call. If you expand this section, you can see, for example, that this particular check involved two reads to the database. OK. Thank you very much. If you want to find us, you can look for us in the project pavilion, and please star the OpenFGA repo. Thank you.
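The model, tuples and checks built up during the demo, collected into one test file in the format the fga model test --tests command consumes. This is an added example, not the speakers' own files: the names anne, bob, acme, everyone, general and readme follow what was said, while the exact relation definitions (in particular the document type's viewer) are an assumption reconstructed from the talk.

```yaml
# Constructed test file for: fga model test --tests document-demo.yaml
# Names follow the talk; the relation definitions are reconstructed.
name: document-management-demo
model: |
  model
    schema 1.1
  type user
  type organization
    relations
      define member: [user]
      define admin: [user]
  type group
    relations
      define member: [user, organization#member]
  type folder
    relations
      define organization: [organization]
      define parent: [folder]
      define owner: [user] or owner from parent
      define editor: owner or admin from organization
      define viewer: editor
  type document
    relations
      define parent: [folder]
      define viewer: [user, group#member] or editor from parent
# "organization:acme#member" as the user makes every org member a group member
tuples:
  - {user: "user:anne", relation: member, object: "organization:acme"}
  - {user: "user:bob", relation: admin, object: "organization:acme"}
  - {user: "organization:acme#member", relation: member, object: "group:everyone"}
  - {user: "organization:acme", relation: organization, object: "folder:general"}
  - {user: "folder:general", relation: parent, object: "document:readme"}
  - {user: "group:everyone#member", relation: viewer, object: "document:readme"}
tests:
  - name: org-membership-flows-into-the-everyone-group
    check:
      - user: "user:anne"
        object: "group:everyone"
        assertions: {member: true}
  - name: org-admin-is-editor-and-viewer-of-the-folder
    check:
      - user: "user:bob"
        object: "folder:general"
        assertions: {editor: true, viewer: true}
  - name: group-share-grants-view-on-the-document-only
    check:
      - user: "user:anne"
        object: "document:readme"
        assertions: {viewer: true}
      - user: "user:anne"
        object: "folder:general"
        assertions: {viewer: false}
  - name: admin-views-the-document-through-its-parent-folder
    check:
      - user: "user:bob"
        object: "document:readme"
        assertions: {viewer: true}
```

The last two tests show the two paths the talk traces through the graph: Anne reaches the document only through the group share, while Bob reaches it through admin of the organization, editor of the folder, and editor from parent on the document.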