Add OpenFGA hosting integration #1052
Co-authored-by: aaronpowell <[email protected]>
Co-authored-by: aaronpowell <[email protected]>
@maxs-rose here's a PR started based off your issue - do you want to have a look at it and give it a try to see if it's fitting with how you'd expect it to work?
Minimum allowed line rate is
Thanks for doing this! Should get a chance to look over it later today.
maxs-rose
left a comment
@aaronpowell I think this is a fine start but feel like we are going to hit some of the same issues that I did in my original version.
So for both MySQL and Postgres we also need to manually run migrations after the container has started. I do this through some callbacks to allow the user to configure the migration container (https://github.com/maxs-rose/Aspire-OpenFGA/blob/main/Aspire.Hosting.OpenFga.MySql/OpenFgaBuilderMySql.cs#L26-L34) but I don't feel like that is the best solution.
To make this useful we probably also need to have an API to set up stores and populate them with the models. The store creation is fine as that can be done through the .NET client. However, OpenFGA has their own model definition schema that the .NET client cannot parse used to populate the data in the stores. I get around this by running another container (https://github.com/maxs-rose/Aspire-OpenFGA/blob/main/Aspire.Hosting.OpenFga/OpenFgaStoreBuilderExtensions.cs#L27) after the store is created. But it would be nice I think if we could somehow get around this as I really don't like having to run this one-shot container.
Any suggestions, happy to make the changes.
| return builder | ||
| .WithEnvironment("OPENFGA_DATASTORE_ENGINE", "mysql") | ||
| .WithEnvironment(context => | ||
| { | ||
| context.EnvironmentVariables["OPENFGA_DATASTORE_URI"] = database.Resource.ConnectionStringExpression; | ||
| }) | ||
| .WaitFor(database); |
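Review bot: `OPENFGA_DATASTORE_URI` gets the wrong format in the `WithEnvironment` callback. `database.Resource.ConnectionStringExpression` is the .NET key/value connection string, while the engine set two lines above is `mysql`, and OpenFGA's MySQL datastore expects a DSN of the form `user:password@tcp(host:port)/dbname?parseTime=true`. Compose the value from the server's endpoint, credentials and database name instead, and keep the password as a parameter reference so it is resolved at run time rather than written out as a literal. Also note that `.WaitFor(database)` only waits for the database resource; nothing in this hunk runs the OpenFGA `migrate` step before the server starts.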
This one won't quite work as the MySQL connection string has an odd format (https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga#mysql).
This is why in my original version I split out each storage backend into their own packages, since for MySQL we would need to do something like this:
builder.OpenFgaDatastoreResource.CreateDatastore(builder)
.WaitFor(database)
.WithArgs("migrate")
.WithEnvironment("OPENFGA_DATASTORE_ENGINE", "mysql")
.WithEnvironment("OPENFGA_DATASTORE_URI",
$"mysql:{database.Resource.Parent.PasswordParameter}@tcp({database.Resource.Parent.PrimaryEndpoint.Property(EndpointProperty.HostAndPort)})/{database.Resource.DatabaseName}?parseTime=true");
and as far as I am aware there isn't a common interface on the database packages in Aspire, so we would need an IResourceBuilder<MySqlDatabaseResource> as the database here.
| .WithEnvironment("OPENFGA_DATASTORE_ENGINE", "postgres") | ||
| .WithEnvironment(context => | ||
| { | ||
| context.EnvironmentVariables["OPENFGA_DATASTORE_URI"] = database.Resource.ConnectionStringExpression; |
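Review bot: `OPENFGA_DATASTORE_URI` gets the wrong format in this callback as well. With the engine set to `postgres`, OpenFGA expects a `postgres://user:password@host:port/dbname` URI, but `database.Resource.ConnectionStringExpression` is the key/value connection string used by .NET clients. Use a URI-form expression from the resource if one is available, or compose the URI from host, port, credentials and database name, and percent-encode the user and password, since a generated password can contain characters that are reserved in a URI.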
We need to either use the UriExpression expression here or build the string manually since, like the MySQL store, it does not use a .NET-like connection string (https://openfga.dev/docs/getting-started/setup-openfga/configure-openfga#postgres).
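The format mismatch raised in the two review comments above, as an added example that is not part of the PR or of either participant's code. It converts a .NET key/value connection string into the MySQL DSN and the Postgres URI that OpenFGA reads from `OPENFGA_DATASTORE_URI`. The class and method names, the key names in the sample strings and the sample values are assumptions constructed for illustration.

```csharp
using System;
using System.Data.Common;

public static class OpenFgaDatastoreUri
{
    // Read one key from a .NET key/value connection string (keys are case-insensitive).
    private static string Get(DbConnectionStringBuilder b, string key) =>
        b.TryGetValue(key, out var v) && v is not null
            ? v.ToString()!
            : throw new ArgumentException($"connection string has no '{key}'");

    // MySQL engine: DSN of the form user:password@tcp(host:port)/dbname?parseTime=true.
    // No percent-encoding is applied here (assumption: the DSN takes credentials literally).
    public static string ToMySqlDsn(string adoNet)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = adoNet };
        var user = Get(b, "User ID");
        var pass = Get(b, "Password");
        var host = Get(b, "Server");
        var port = Get(b, "Port");
        var db = Get(b, "Database");
        return $"{user}:{pass}@tcp({host}:{port})/{db}?parseTime=true";
    }

    // Postgres engine: postgres://user:password@host:port/dbname.
    // User and password are percent-encoded so reserved characters such as
    // '@', ':' or '/' in a generated password cannot change how the URI parses.
    public static string ToPostgresUri(string adoNet)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = adoNet };
        var user = Uri.EscapeDataString(Get(b, "Username"));
        var pass = Uri.EscapeDataString(Get(b, "Password"));
        var host = Get(b, "Host");
        var port = Get(b, "Port");
        var db = Get(b, "Database");
        return $"postgres://{user}:{pass}@{host}:{port}/{db}";
    }

    public static void Main()
    {
        // Constructed sample inputs; the password deliberately contains '@' and ':'.
        var mysql = "Server=mysql;Port=3306;User ID=root;Password=p@ss:w0rd;Database=openfga";
        var pg = "Host=pg;Port=5432;Username=postgres;Password=p@ss:w0rd;Database=openfga";
        Console.WriteLine(ToMySqlDsn(mysql));
        Console.WriteLine(ToPostgresUri(pg));
    }
}
```

Either output string carries the database password, so wherever it ends up (environment variable, manifest, logs) has to be treated as a secret.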
I think the solution you have there is pretty much on the money, maybe the configuration callback could be optional, but that's pretty minimal in the design. Reading the docs (and your integration), conceptually I map it through to the design of installers for things like Node and Python - a sidecar that you run to the primary resource.
Is it a case that there are no .NET types that represent the models from OpenFGA? I'm sure it could be generated from the schema using Copilot 🤣 (but obviously that has some issues that would make it sub-optimal from a long-term maintenance). The short-lived sidecars are not uncommon in Aspire, again the analogy to installer resources is very apt here (IMO).
Yes there is but the more idiomatic way to do things is with their DSL (https://openfga.dev/docs/configuration-language).
lol true. Am I good to just send up a PR targeting the copilot branch or do you think I would be better to just make a whole new one and take what Copilot has done as a base?
Implements a hosting integration for OpenFGA, a fine-grained authorization server that supports multiple storage backends and provides both HTTP and gRPC APIs.
Implementation
OpenFgaResource exposes HTTP (8080) and gRPC (8081) endpoints with connection string support
openfga/openfga:v1.8.5 with /healthz health check
Usage
Testing