Documentation
¶
Overview ¶
Package openfga implements the engine.AuthorizationEngine SPI by embedding the OpenFGA server in-process (openfga v1.17.1). It supports an in-memory datastore (dev/tests) and persistent SQL datastores (SQLite single-node, Postgres/MySQL for HA) per the migration plan's deployment modes (§2.1).
The principal-pinning, admin-gating, audit, and caching policy described in the plan live in the callers of this engine — this package is the thin, fail-closed adapter over OpenFGA.
Index ¶
Constants ¶
const ( // StoreMemory selects the in-memory datastore (dev/tests only; non-durable). StoreMemory = "memory" // StoreSQLite selects the embedded SQLite datastore (single-node/dev). StoreSQLite = "sqlite" // StorePostgres selects an external Postgres datastore (HA). StorePostgres = "postgres" // StoreMySQL selects an external MySQL datastore (HA). StoreMySQL = "mysql" )
Store kinds for the embedded datastore.
Variables ¶
This section is empty.
Functions ¶
func New ¶
func New(cfg *Config, deps *Dependencies) (engine.AuthorizationEngine, error)
New constructs the embedded OpenFGA engine.
Migrations are deliberately NOT run unconditionally: they run only when cfg.RunMigrations is true (single-node/dev). HA and serverless deployments must run migrate.RunMigrations as a separate init job and leave RunMigrations=false so engine boot assumes the schema already exists (§2.1).
If cfg.StoreID is empty the engine binds to the existing store matching cfg.StoreName (restart continuity) or creates one when none exists. If cfg.ModelID is empty the latest written model in the store is adopted; when the store has no model yet, callers must WriteModel before checks.
Types ¶
type Config ¶
type Config struct {
// Store selects the datastore kind: memory|sqlite|postgres|mysql.
Store string
// StoreURL is the datastore connection URI (file: URI for sqlite, DSN for
// postgres/mysql). Ignored for the memory store.
StoreURL string
// StoreName is the OpenFGA store name used when bootstrapping a new store.
StoreName string
// StoreID, when set, targets an existing OpenFGA store (skips CreateStore).
StoreID string
// ModelID, when set, targets an existing authorization model (skips the
// need to write one before checks).
ModelID string
// RunMigrations, when true, runs the datastore migrations during Init for
// SQL stores. For HA/serverless this MUST be false — migrations run as a
// separate init job (§2.1) to avoid races and cold-start latency.
RunMigrations bool
}
Config holds the parameters needed to construct the embedded OpenFGA engine.
StoreID and ModelID are the OpenFGA-assigned ULIDs. They normally stay empty: on boot the engine recovers the existing store by name (StoreName) and adopts the latest written authorization model, so persistent datastores survive restarts without the caller persisting any IDs. Set them only to pin a specific store/model explicitly. Note: the store is found by exact name, so changing StoreName (organization name) starts a fresh store.
type Dependencies ¶
Dependencies carries shared resources for constructing the engine.
Source Files