A high performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar
The v1.5.4-rc1 release is an experimental release candidate that introduces support for the ListUsers API. This endpoint answers the question "what users have relation X with object Y?". This can be used for use cases like share dialogues and notifying users on document changes.
This API can be enabled in the server by passing the `--experimentals enable-list-users` flag. Also note the `OPENFGA_LIST_USERS_MAX_RESULTS`, `OPENFGA_LIST_USERS_DEADLINE` and `OPENFGA_MAX_CONCURRENT_READS_FOR_LIST_USERS` configuration options.
Note: This is not ready for production use. Currently outstanding issues:
- `user:*`) with exclusion (e.g. `but not`)
- `but not`) operands may not return accurate set of results
Related resources:
- `grpc-health-probe` dependency in the published Docker image to the latest release which fixes some vulnerabilities (#1507)
- `dispatch_count` histogram (#1427)
- `request_duration_ms` histogram which has `datastore_query_count` and `dispatch_count` as dimensions (#1444)
- `OPENFGA_AUTHN_OIDC_ISSUER_ALIASES` to specify oidc issuer aliases (#1354) - Thanks @le-yams!
- `OPENFGA_EXPERIMENTALS=enable-modular-models` (#1443). This will enable writing models that are split across multiple files.
- `request_duration_by_query_count_ms` will be removed in release v1.5.4, in favour of `request_duration_ms` (#1450)
- `{allowed:false}` (#1371, #1372)
The `AuthorizationModelReadBackend` interface method `FindLatestAuthorizationModelID` has changed to `FindLatestAuthorizationModel` for performance improvements. #1387
If you implement your own data store, you will need to make the following change:
Before | After |
---|---|
|
|
- `server.Stop()` (#1318)
- `map.Clone()` calls in model validation (#1281)
- `ListObjects` API calls that hit the `--listObjects-deadline` setting can lead to an out of memory error. See the CVE report for more details
- Reduce goroutine overhead in ListObjects (#1173)
Added `openfga` prefix to custom exported Prometheus metrics
⚠️ This change may impact existing deployments of OpenFGA if you're integrating with the metrics reported by OpenFGA.
Custom metrics reported by the OpenFGA server are now prefixed with `openfga_`. For example, `request_duration_by_query_count_ms` is now exported as `openfga_request_duration_by_query_count_ms`.
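An added example (not code from the OpenFGA project) of auditing Prometheus rule text for references to the unprefixed metric name given above and rewriting them with the `openfga_` prefix. The `migrate` helper and the sample rules are constructed for illustration, and the metric set holds only the name this page mentions.

```python
import re

PREFIX = "openfga_"
# Unprefixed name given on this page. Assumption: the set is not exhaustive;
# add the other OpenFGA metric names your dashboards and alerts reference.
UNPREFIXED = {"request_duration_by_query_count_ms"}
HISTOGRAM_SUFFIXES = ("", "_bucket", "_sum", "_count")

# A token is a quoted string (left untouched), a full PromQL identifier, or one character.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_:][A-Za-z0-9_:]*|.', re.S)


def is_stale(ident, unprefixed=UNPREFIXED):
    """True when ident is exactly an unprefixed metric or one of its histogram series."""
    return any(ident == name + suffix
               for name in unprefixed for suffix in HISTOGRAM_SUFFIXES)


def migrate(text, unprefixed=UNPREFIXED):
    """Return (rewritten_text, findings); each finding is (line_no, old, new)."""
    out, findings, line_no = [], [], 1
    for match in TOKEN.finditer(text):
        tok = match.group(0)
        if is_stale(tok, unprefixed):
            findings.append((line_no, tok, PREFIX + tok))
            tok = PREFIX + tok
        line_no += tok.count("\n")
        out.append(tok)
    return "".join(out), findings


# Constructed alert-rule snippet (not from the OpenFGA repository).
SAMPLE_RULES = '''groups:
- name: fga
  rules:
  - alert: SlowCheck
    expr: histogram_quantile(0.99, sum by (le) (rate(request_duration_by_query_count_ms_bucket[5m]))) > 250
  - alert: AlreadyMigrated
    expr: rate(openfga_request_duration_by_query_count_ms_count[5m]) == 0
  - record: job:request_duration_by_query_count_ms:avg
    expr: rate(request_duration_by_query_count_ms_sum[5m]) / rate(request_duration_by_query_count_ms_count[5m])
'''

if __name__ == "__main__":
    rewritten, found = migrate(SAMPLE_RULES)
    for line_no, old, new in found:
        print(f"line {line_no}: {old} -> {new}")
    print(rewritten)
```

Because matching is done on whole identifiers, names that are already prefixed and user-defined recording-rule names that merely contain the metric name are left alone, which a plain substring replacement would not guarantee.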
Enable support for Conditional Relationship Tuples by default. (#1220)
⚠️ Prior to upgrading to this release please first upgrade to v1.3.10, and then you can proceed with upgrading to this release. Rolling back from this release to a release prior to v1.3.9 has negative side-effects because of the introduction of Conditions. If you roll back from this release to a release prior to v1.3.9 then conditional relationship tuples will be treated unconditionally, because relationship tuples prior to v1.3.9 had no concept of Conditions.
Added stricter gRPC server max message size constraints (#1222)
We changed the default gRPC max message size (4MB) to a stricter 512KB to protect the server from excessively large request `context` fields. This shouldn't impact existing clients since our calculated max message size should be much smaller than 512KB given our other input constraints.