Forem: Yash Raj The latest articles on Forem by Yash Raj (@yashraj10). https://forem.com/yashraj10 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F930609%2F13044eea-5208-4386-84bf-5981cfd52dc9.jpeg Forem: Yash Raj https://forem.com/yashraj10 en WTH is openFGA and implementing Role-Based Access Control in GO servers. Yash Raj Wed, 15 Oct 2025 02:16:41 +0000 https://forem.com/yashraj10/wth-is-openfga-and-implementing-role-based-access-control-in-go-servers-5ahj https://forem.com/yashraj10/wth-is-openfga-and-implementing-role-based-access-control-in-go-servers-5ahj <p>While I have given a task to implement the Role-Based Access Control in the product that I am working on in my internship, I dug a bit. I looked for some open source project that can help me do this. During that period, I came across a project called openFGA, which is an open-source Fine-Grained Authorisation solution inspired by Google's Zanzibar paper, which is currently under CNCF and built by the engineers at Auth0(Okta). I looked at the docs, which instantly got my interest as the implementation was easy and straightforward. OpenFGA divides the whole Role-Based Access thing into a few components and makes it really easy to implement it in any complex project.</p> <p>So <strong>what really openFGA is?</strong><br> OpenFGA is an open source Fine-Grained Authorisation solution inspired by Google's Zanzibar paper, and helps you to implement complex Role-Based Access Control Authorisation shamelessly. Example - what we have similar in Google Docs, where the owner of a file can give view/edit access to a file/folder with one click.</p> <p><strong>Components and how they work?</strong></p> <ul> <li>OpenFGA Server: A permission engine that implements the fine-grained authorisation logic</li> <li>Authorisation Models: Define the rules and structure for permissions in the system. Consists of definitions, which specify how different objects relate to each other. Used to define roles and relationships (e.g. viewer, owner, editor). </li> <li>Relationship Tuples: Relationship tuples are the instances of relationships defined in the authorisation model (e.g. user:anne, viewer, document:1)</li> <li>Stores: The data storage for tuples, which represent relationships between users and objects. Each store contains a specific authorisation model and its associated data. </li> <li>Client SDKs: Libraries available for various programming languages to interact with the OpenFGA server. </li> </ul> <p><strong>How does it work? and Architecture!</strong><br> we will take an example of a Go server which has simple auth and the user can create-file(/create-file), view-file (/files) and share-file(/share-file) on respective routes. </p> <ul> <li>First of all we need to run the openFGA locally, and for that, we will be using Docker Compose. its the easiest way and get work done and set up in one click. (make sure to have already installed)</li> <li>Make a docker-compose.yml at the root of your Go web server, paste this and run the cmd <code>docker compose up -d</code>. this will run the openFGA server at port 8080. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">openfga</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:17</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openfga</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">5432:5432"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=postgres</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=password</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">postgres"</span> <span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">migrate</span><span class="pi">:</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openfga/openfga:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">migrate</span> <span class="na">command</span><span class="pi">:</span> <span class="s">migrate</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">OPENFGA_DATASTORE_ENGINE=postgres</span> <span class="pi">-</span> <span class="s">OPENFGA_DATASTORE_URI=postgres://postgres:password@postgres:5432/postgres?sslmode=disable</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openfga</span> <span class="na">openfga</span><span class="pi">:</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">migrate</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openfga/openfga:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">openfga</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">OPENFGA_DATASTORE_ENGINE=postgres</span> <span class="pi">-</span> <span class="s">OPENFGA_DATASTORE_URI=postgres://postgres:password@postgres:5432/postgres?sslmode=disable</span> <span class="pi">-</span> <span class="s">OPENFGA_LOG_FORMAT=json</span> <span class="na">command</span><span class="pi">:</span> <span class="s">run</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">openfga</span> <span class="na">ports</span><span class="pi">:</span> <span class="c1"># Needed for the http server</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:8080"</span> <span class="c1"># Needed for the grpc server (if used)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8081:8081"</span> <span class="c1"># Needed for the playground (Do not enable in prod!)</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> </code></pre> </div> <ul> <li><p>Now when server is running we need to create the Authorisation Models that Define the rules and structure for permissions in the system. (e.g. viewer, owner, editor) for this Go to <a href="http://localhost:3000/playground" rel="noopener noreferrer">http://localhost:3000/playground</a> and create a store and make the models<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgu3a7l2zhr65mpvjxn7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqgu3a7l2zhr65mpvjxn7.png" alt=" " width="796" height="472"></a><br> Here, there are two types, user and file and defined respective relations.</p></li> <li><p>Now, during the api calls, we will be creating tuples and saving them through the openFGA server while we save the file data into the database. example.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuw6lwfyzu5snmyr1hqhv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuw6lwfyzu5snmyr1hqhv.png" alt=" " width="392" height="174"></a></p></li> <li><p>The architecture of our app will look something like this.</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fevkkmfspu0z3el13ie2q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fevkkmfspu0z3el13ie2q.png" alt=" " width="800" height="349"></a></p> <p><strong>Code implementation</strong></p> <ul> <li>Install the Go client Sdk with <code>go get -u github.com/openfga/go-sdk</code> and import it in the file.</li> <li>initialise the openFGA client and mongoDB </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="c">// initialize MongoDB</span> <span class="n">mongoURL</span> <span class="o">:=</span> <span class="s">"mongodb+srv://........"</span> <span class="n">client</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">mongo</span><span class="o">.</span><span class="n">Connect</span><span class="p">(</span><span class="n">options</span><span class="o">.</span><span class="n">Client</span><span class="p">()</span><span class="o">.</span><span class="n">ApplyURI</span><span class="p">(</span><span class="n">mongoURL</span><span class="p">))</span> <span class="n">filesCollection</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">Database</span><span class="p">(</span><span class="s">"api"</span><span class="p">)</span><span class="o">.</span><span class="n">Collection</span><span class="p">(</span><span class="s">"Files"</span><span class="p">)</span> <span class="c">// initialize OpenFGA client</span> <span class="k">var</span> <span class="n">err</span> <span class="kt">error</span> <span class="n">fgaClient</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">fgaclient</span><span class="o">.</span><span class="n">NewSdkClient</span><span class="p">(</span><span class="o">&amp;</span><span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientConfiguration</span><span class="p">{</span> <span class="n">ApiUrl</span><span class="o">:</span> <span class="s">"http://localhost:8080"</span><span class="p">,</span> <span class="n">StoreId</span><span class="o">:</span> <span class="s">"01K7J7Y4NTKW4W2RJNG6HRTQC1"</span><span class="p">,</span> <span class="n">AuthorizationModelId</span><span class="o">:</span> <span class="s">"01K7J8F5X3EKXPPZ931M2ZKNW8"</span><span class="p">,</span> <span class="p">})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fgaClient</span> <span class="o">=</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li>The code is using a simple JWT token to sign up and an Auth middleware to protect other routes. and basic struct for file and user struct. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">User</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Username</span> <span class="kt">string</span> <span class="s">`json:"username"`</span> <span class="n">Email</span> <span class="kt">string</span> <span class="s">`json:"email"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">FileRecord</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="s">`json:"id" bson:"_id"`</span> <span class="n">Filename</span> <span class="kt">string</span> <span class="s">`json:"filename" bson:"filename"`</span> <span class="p">}</span> <span class="k">func</span> <span class="n">authMiddleware</span><span class="p">()</span> <span class="n">gin</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">authHeader</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">GetHeader</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">)</span> <span class="k">if</span> <span class="n">authHeader</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="n">parts</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">Split</span><span class="p">(</span><span class="n">authHeader</span><span class="p">,</span> <span class="s">"Bearer "</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">!=</span> <span class="m">2</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">jwt</span><span class="o">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">TrimSpace</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="m">1</span><span class="p">]),</span> <span class="k">func</span><span class="p">(</span><span class="n">token</span> <span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">jwtSecret</span><span class="p">,</span> <span class="no">nil</span> <span class="p">})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="n">token</span><span class="o">.</span><span class="n">Valid</span> <span class="p">{</span> <span class="k">if</span> <span class="n">claims</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">);</span> <span class="n">ok</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"user"</span><span class="p">,</span> <span class="n">User</span><span class="p">{</span> <span class="n">Username</span><span class="o">:</span> <span class="n">claims</span><span class="p">[</span><span class="s">"username"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="n">Email</span><span class="o">:</span> <span class="n">claims</span><span class="p">[</span><span class="s">"email"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li>/create-file will store the file in the DB(mongodb), and using the openFGA client, it will create a tuple in the OpenFGA PostgreSQL DB through the openFGA server, with an owner relation to the user with the file. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">createFile</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">userVal</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"user"</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">exists</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">401</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Please login"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="n">user</span> <span class="o">:=</span> <span class="n">userVal</span><span class="o">.</span><span class="p">(</span><span class="n">User</span><span class="p">)</span> <span class="k">var</span> <span class="n">req</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="s">`json:"id"`</span> <span class="c">// file id</span> <span class="n">Filename</span> <span class="kt">string</span> <span class="s">`json:"filename"`</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">ShouldBindJSON</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="p">)</span> <span class="n">existingFile</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">getFileRecordById</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">ID</span><span class="p">)</span> <span class="k">if</span> <span class="n">existingFile</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">400</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"file with id "</span> <span class="o">+</span> <span class="n">req</span><span class="o">.</span><span class="n">ID</span> <span class="o">+</span> <span class="s">" already exists!"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="n">createFileRecord</span><span class="p">(</span><span class="n">FileRecord</span><span class="p">{</span><span class="n">ID</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="n">Filename</span><span class="o">:</span> <span class="n">req</span><span class="o">.</span><span class="n">Filename</span><span class="p">})</span> <span class="c">// Use OpenFGA SDK </span> <span class="k">if</span> <span class="n">fgaClient</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">body</span> <span class="o">:=</span> <span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientWriteRequest</span><span class="p">{</span> <span class="n">Writes</span><span class="o">:</span> <span class="p">[]</span><span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientTupleKey</span><span class="p">{{</span> <span class="n">User</span><span class="o">:</span> <span class="s">"user:"</span> <span class="o">+</span> <span class="n">user</span><span class="o">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">Relation</span><span class="o">:</span> <span class="s">"owner"</span><span class="p">,</span> <span class="n">Object</span><span class="o">:</span> <span class="s">"file:"</span> <span class="o">+</span> <span class="n">req</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="p">}},</span> <span class="p">}</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">fgaClient</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span><span class="o">.</span><span class="n">Body</span><span class="p">(</span><span class="n">body</span><span class="p">)</span><span class="o">.</span><span class="n">Execute</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Failed to set file ownership"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">201</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"message"</span><span class="o">:</span> <span class="s">"File created success!"</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <ul> <li>/files will filter out the IDs of files associated with the user with view access (owner or can_view) and return the files associated with these IDs. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">getFiles</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">userVal</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"user"</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">exists</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">401</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Please login"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="n">user</span> <span class="o">:=</span> <span class="n">userVal</span><span class="o">.</span><span class="p">(</span><span class="n">User</span><span class="p">)</span> <span class="c">// Use OpenFGA SDK </span> <span class="k">if</span> <span class="n">fgaClient</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">body</span> <span class="o">:=</span> <span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientListObjectsRequest</span><span class="p">{</span> <span class="n">User</span><span class="o">:</span> <span class="s">"user:"</span> <span class="o">+</span> <span class="n">user</span><span class="o">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">Relation</span><span class="o">:</span> <span class="s">"can_view"</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="s">"file"</span><span class="p">,</span> <span class="p">}</span> <span class="n">allowedFiles</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">fgaClient</span><span class="o">.</span><span class="n">ListObjects</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span><span class="o">.</span><span class="n">Body</span><span class="p">(</span><span class="n">body</span><span class="p">)</span><span class="o">.</span><span class="n">Execute</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Failed to get allowed files"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Extract file IDs from objects</span> <span class="k">var</span> <span class="n">allowedFileIds</span> <span class="p">[]</span><span class="kt">string</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">obj</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">allowedFiles</span><span class="o">.</span><span class="n">Objects</span> <span class="p">{</span> <span class="n">parts</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">Split</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="s">":"</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">parts</span><span class="p">)</span> <span class="o">==</span> <span class="m">2</span> <span class="p">{</span> <span class="n">allowedFileIds</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">allowedFileIds</span><span class="p">,</span> <span class="n">parts</span><span class="p">[</span><span class="m">1</span><span class="p">])</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Only fetch allowed files from database (much more efficient!)</span> <span class="k">var</span> <span class="n">allowed</span> <span class="p">[]</span><span class="n">FileRecord</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">allowedFileIds</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="c">// Use MongoDB $in operator to fetch only allowed files</span> <span class="n">filter</span> <span class="o">:=</span> <span class="n">bson</span><span class="o">.</span><span class="n">M</span><span class="p">{</span><span class="s">"_id"</span><span class="o">:</span> <span class="n">bson</span><span class="o">.</span><span class="n">M</span><span class="p">{</span><span class="s">"$in"</span><span class="o">:</span> <span class="n">allowedFileIds</span><span class="p">}}</span> <span class="n">cursor</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">filesCollection</span><span class="o">.</span><span class="n">Find</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="n">filter</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">defer</span> <span class="n">cursor</span><span class="o">.</span><span class="n">Close</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span> <span class="n">cursor</span><span class="o">.</span><span class="n">All</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="o">&amp;</span><span class="n">allowed</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">200</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"files"</span><span class="o">:</span> <span class="n">allowed</span><span class="p">})</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// Fallback when OpenFGA not configured</span> <span class="n">files</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">getAllFileRecords</span><span class="p">()</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">200</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"files"</span><span class="o">:</span> <span class="n">files</span><span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li>/share-file will check if the current user has the "can-edit" file permission. If yes, then a tuple with and viewer relation will be created with the file ID and the user for whom the access is going. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">shareFile</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">userVal</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">c</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"user"</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">exists</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">401</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Please login"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="n">user</span> <span class="o">:=</span> <span class="n">userVal</span><span class="o">.</span><span class="p">(</span><span class="n">User</span><span class="p">)</span> <span class="k">var</span> <span class="n">req</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="s">`json:"id"`</span> <span class="c">// file id</span> <span class="n">Username</span> <span class="kt">string</span> <span class="s">`json:"username"`</span> <span class="c">// username to which we need to associate that file</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">ShouldBindJSON</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="p">)</span> <span class="c">// SECURITY CHECK: Verify the current user can edit access of this file</span> <span class="k">if</span> <span class="n">fgaClient</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// Check if user has permission to edit access (can_edit file acces permission)</span> <span class="n">checkBody</span> <span class="o">:=</span> <span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientCheckRequest</span><span class="p">{</span> <span class="n">User</span><span class="o">:</span> <span class="s">"user:"</span> <span class="o">+</span> <span class="n">user</span><span class="o">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">Relation</span><span class="o">:</span> <span class="s">"can_edit"</span><span class="p">,</span> <span class="n">Object</span><span class="o">:</span> <span class="s">"file:"</span> <span class="o">+</span> <span class="n">req</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="p">}</span> <span class="n">checkResp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">fgaClient</span><span class="o">.</span><span class="n">Check</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span><span class="o">.</span><span class="n">Body</span><span class="p">(</span><span class="n">checkBody</span><span class="p">)</span><span class="o">.</span><span class="n">Execute</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Failed to verify permissions"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="k">if</span> <span class="n">checkResp</span><span class="o">.</span><span class="n">Allowed</span> <span class="o">==</span> <span class="no">nil</span> <span class="o">||</span> <span class="o">!*</span><span class="n">checkResp</span><span class="o">.</span><span class="n">Allowed</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">403</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"You don't have permission to edit access for this file"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// If authorized, create the viewer relationship</span> <span class="n">body</span> <span class="o">:=</span> <span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientWriteRequest</span><span class="p">{</span> <span class="n">Writes</span><span class="o">:</span> <span class="p">[]</span><span class="n">fgaclient</span><span class="o">.</span><span class="n">ClientTupleKey</span><span class="p">{{</span> <span class="n">User</span><span class="o">:</span> <span class="s">"user:"</span> <span class="o">+</span> <span class="n">req</span><span class="o">.</span><span class="n">Username</span><span class="p">,</span> <span class="n">Relation</span><span class="o">:</span> <span class="s">"viewer"</span><span class="p">,</span> <span class="n">Object</span><span class="o">:</span> <span class="s">"file:"</span> <span class="o">+</span> <span class="n">req</span><span class="o">.</span><span class="n">ID</span><span class="p">,</span> <span class="p">}},</span> <span class="p">}</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">fgaClient</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">())</span><span class="o">.</span><span class="n">Body</span><span class="p">(</span><span class="n">body</span><span class="p">)</span><span class="o">.</span><span class="n">Execute</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">500</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"error"</span><span class="o">:</span> <span class="s">"Failed to share file"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="m">200</span><span class="p">,</span> <span class="n">gin</span><span class="o">.</span><span class="n">H</span><span class="p">{</span><span class="s">"message"</span><span class="o">:</span> <span class="s">"Access Added"</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Conclusion</strong><br> Successfully implementing the Role-Based Access Control (RBAC) and doing this manually can quickly get messy as an application grows in complexity. That’s where OpenFGA truly shines. it brings structure, scalability, and flexibility to authorisation without forcing you to reinvent the wheel. With just a few API calls, you can define and enforce permissions across users, roles, and resources in a clean way.</p> <p><code>You can access the full code here</code> (<a href="https://github.com/yash-raj10/Go-openFGA-implementation" rel="noopener noreferrer">https://github.com/yash-raj10/Go-openFGA-implementation</a>)</p> go openfga opensource security Services in Linux & How to configure your own App as a service? Yash Raj Thu, 16 Nov 2023 13:38:05 +0000 https://forem.com/yashraj10/services-in-linux-how-to-configure-your-own-app-as-a-service-2gi3 https://forem.com/yashraj10/services-in-linux-how-to-configure-your-own-app-as-a-service-2gi3 <p>in oneline "<strong>Services are Linux programs that run in the background</strong>" but let's dive into it a little more and find out why it's important, what it does, how can you configure it and what are the commands around it.</p> <p>In General terms, Services in Linux help you to configure software to run in the background &amp; make sure that they Run all the time automatically when servers are rebooted and as well as follow the right order of startup. when any software that runs as a service in the background is installed they are automatically configured as a <strong>service</strong> on the system.</p> <h2> Why do we need services? </h2> <p>Services are necessary for various reasons like Continuous operations, Automation, resource management, etc. For example, Services run in the background and operate independently of user interactions. This allows them to provide continuous functionality without any user intervention. Eg:- a web server Software like Apache HTTP can continue to serve web pages to users without needing direct input from users.</p> <h2> Some Basic Commands related to Services </h2> <ul> <li>To Start a Service:- <code>service &lt;Service name&gt; start</code> or <code>systemctl start &lt;Service name&gt;</code> </li> <li>To Stop a Service:- <code>service &lt;Service name&gt; start</code> or <code>systemctl stop &lt;Service name&gt;</code> </li> <li>Configure a service to start at startup:- <code>systemctl enable &lt;Service name&gt;</code> </li> <li>Configure a service to not start at startup:- <code>systemctl disable &lt;Service name&gt;</code> </li> <li>Check the Status of Service:- <code>systemctl status &lt;Service name&gt;</code> ( for ex.)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu6mojlhjvwbpolsmd7ez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu6mojlhjvwbpolsmd7ez.png" alt="A man controlling the Universe with Linux" width="800" height="241"></a></p> <h2> Configuring your Application as a Service </h2> <p>let's suppose you have an app.py application and you want to configure this as a service &amp; also a service that will automatically start itself when we reboot the system. For this, we have to add a unit file under <code>/etc/systemd/system</code> that will have the same name as the application with an extension service, here it will look like <code>app.service</code> &amp; in this unit file, we have to define some sections under [] bracket like [Service] and provide directives (ex:- Excstart) to them<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Service] ExcStart = &lt;command used to run the application&gt; #(enough to make app.py a service) [Install] WantedBy=multi-user.target #To automatically run when system boots up </code></pre> </div> <p>and that's it you can use app.py as a service Now. some extra directive which is used generally in a .service unit file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Unit] Description= python application # Meta data about the application [Service] ExexStart=&lt;command used to run the application&gt; ExexStartPre=&lt;path of application&gt; #dependency which is used before running the app.py ExexStartPost=&lt;path of application&gt; #dependency which is used after running the app.py Restart=always #restart the application when it crashes [Install] WantedBy=multi-user.target </code></pre> </div> services webservices linux Understanding Why We Don't Use Pointers to change the value of the element in Slice Data Type in Go Lang! Yash Raj Fri, 03 Nov 2023 19:14:40 +0000 https://forem.com/yashraj10/understanding-why-we-dont-use-pointers-to-change-the-value-of-the-element-in-slice-data-type-in-go-lang-32fi https://forem.com/yashraj10/understanding-why-we-dont-use-pointers-to-change-the-value-of-the-element-in-slice-data-type-in-go-lang-32fi <p>Ever wondered why we don't use a pointer to change the value of the element in a Slice (GO Lang) like we do with other data types like Int, String, or Struct ?</p> <p>Let's have a look at the inner functioning of Slices and understand how they are working in the Background.</p> <p>So when you create a slice in Go then the GO internally creates two Separate data structures for us, one is An Array (representing the actual list of items) and another is a new Slice having [ptr to head, Capacity, Length].</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbta6xlj0juxgxritge0l.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbta6xlj0juxgxritge0l.jpeg" alt="Image description" width="800" height="285"></a><br> let's suppose in the RAM the new slice is stored at the address 2000 and the other data stru i.e. array (containing the actual items) is seperately stored at address 3000 and then the prt to head thing in the new slice (from 2000) is pointing to the array at 3000 and also the country var here is not pointing at the array(at 3000), it points at the new Slice at 2000 </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo41jedfdf4d5ebbcpopq.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo41jedfdf4d5ebbcpopq.jpeg" alt="Image description" width="800" height="298"></a><br> so whenever we refer to country var it's actually returning the new slice data stru, not the array &amp; when we call a func updateCountry (used to update the list) and pass country var into it, Go still behaves as a pass by value language, and as country var points at new slice at 2000 it also makes the copy of that new Slice (at 4000) but the main thing here is that the new copy of that slice (which is at 4000) is still pointing(with the help of ptr to head) at the array of items which is at 3000 and hence in the func updateCountry when we attempt to modify the slice, we are actually modifying the same array that both copies of the slice are now pointing to(at 3000)!</p> <p>And that's why we don't use a pointer to change the value of the element in a Slice</p> <p>Data Stru Which acts similarly to Slices(Reference type)<br> ~Maps<br> ~Channels.</p> go datatypes