This directory contains comprehensive demo applications showcasing the OpenFGA operator's capabilities for implementing fine-grained authorization in real-world scenarios.
Location: banking-app/
A comprehensive banking application demonstrating:
- RBAC Implementation: Customer, teller, manager, loan officer, and admin roles
- Multi-ownership Support: Joint accounts with multiple owners and co-owners
- Transaction Controls: Fine-grained permissions for deposits, withdrawals, and transfers
- Loan Processing: Approval workflows with proper authorization chains
- Branch-based Security: Employee access limited to their branch
Key Features:
- Bank-branch-account hierarchy
- Multi-ownership for joint accounts
- Role-based transaction permissions
- Loan officer workflows
- Manager override capabilities
Location: genai-rag/
A Generative AI RAG (Retrieval-Augmented Generation) application demonstrating:
- Knowledge Base Management: Curator, contributor, and reader roles
- Document-Level Security: Individual document permissions with inheritance
- Content Filtering: RAG responses filtered based on document access rights
- AI Model Access Control: Separate permissions for using and configuring models
- Session-Based RAG: Controlled RAG sessions with participant management
Key Features:
- Three-tier role system for knowledge management
- Document-level permissions with inheritance
- Content filtering for RAG responses
- AI model usage and configuration controls
- Session-based access with intersection permissions
Both demos implement the following architectural patterns:
- OpenFGA DSL Format: Complete authorization models in JSON format
- Relationship-Based: Tuples defining relationships between users and resources
- Hierarchical Permissions: Role inheritance and computed relationships
- Intersection Logic: Complex permission combinations using OpenFGA's operators
demos/
├── banking-app/
│ ├── authorization-model.json # OpenFGA model definition
│ ├── banking_demo.rs # Demo implementation
│ └── README.md # Documentation
├── genai-rag/
│ ├── authorization-model.json # OpenFGA model definition
│ ├── genai_rag_demo.rs # Demo implementation
│ └── README.md # Documentation
└── README.md # This file
- Data Models: Structs representing entities (users, accounts, documents, etc.)
- Authorization Logic: Implementation of OpenFGA authorization checks
- Test Scenarios: Comprehensive test coverage for all authorization scenarios
- Helper Methods: Utility functions for common authorization patterns
# Ensure you have Rust installed
rustc --version
# Navigate to the project root
cd /path/to/authcore-openfga-operator# Build the project with demos
cargo build
# Run all tests including demo tests
cargo test
# Run only banking demo tests
cargo test banking_demo
# Run only GenAI RAG demo tests
cargo test genai_rag_demo
# Run with verbose output
cargo test -- --nocaptureThe authorization models can be imported into a running OpenFGA server:
# Start OpenFGA server (example using Docker)
docker run -p 8080:8080 openfga/openfga run
# Import banking model
curl -X POST http://localhost:8080/stores \
-H "Content-Type: application/json" \
-d @demos/banking-app/authorization-model.json
# Import GenAI model
curl -X POST http://localhost:8080/stores \
-H "Content-Type: application/json" \
-d @demos/genai-rag/authorization-model.jsonBoth demos implement hierarchical RBAC where higher-level roles inherit permissions from lower-level roles.
The banking demo shows how to handle joint accounts and shared resources with multiple owners.
Permissions that depend on the context (e.g., branch employees can only access accounts in their branch).
The GenAI demo shows how to filter content in responses based on user permissions.
Complex authorization logic where users need multiple permissions simultaneously.
Permissions that cascade down organizational hierarchies.
Each demo includes comprehensive tests covering:
- Users with proper permissions can perform authorized actions
- Role inheritance works correctly
- Multi-ownership scenarios function properly
- Users without permissions are denied access
- Unauthorized operations are blocked
- Cross-organizational access is prevented
- Boundary conditions for role hierarchies
- Complex permission intersections
- Cascading permission changes
These demos serve as templates for production applications:
- Model Deployment: Import the authorization models into your OpenFGA server
- Tuple Management: Implement tuple creation/deletion for your entities
- Authorization Checks: Integrate the authorization logic into your application
- Performance Optimization: Add caching and bulk operations as needed
Each demo includes detailed documentation covering:
- Authorization model explanation
- Entity relationships
- Permission matrices
- Usage examples
- Test scenarios
See the individual README files in each demo directory for detailed information.
When adding new demo applications:
- Follow the established directory structure
- Include comprehensive OpenFGA authorization model
- Implement realistic test scenarios
- Add thorough documentation
- Ensure all tests pass
- OpenFGA Documentation
- OpenFGA Authorization Models
- Relationship-Based Access Control ======= This directory contains demonstration applications showcasing the capabilities of the OpenFGA Operator for different use cases.
A microservice-based banking application that demonstrates fine-grained authorization for financial operations using OpenFGA.
Features:
- Account management with role-based permissions
- Transaction authorization with resource-level controls
- Multi-tenant banking operations
- RESTful API with OpenFGA integration
A Retrieval Augmented Generation (RAG) agent that uses OpenFGA for authorizing AI operations and data access.
Features:
- Document access control for RAG operations
- User-based AI model permissions
- Context-aware authorization for AI responses
- Integration with popular AI frameworks
Before running these demos, ensure you have:
- Kubernetes cluster with the OpenFGA Operator installed
- kubectl configured to access your cluster
- Docker for building container images (optional)
- Node.js 18+ for the banking application
- Python 3.9+ for the GenAI RAG agent
-
Deploy OpenFGA instance:
kubectl apply -f ../examples/basic-openfga.yaml
-
Choose and run a demo:
# Banking Application cd banking-app && npm install && npm run setup # GenAI RAG Agent cd genai-rag-agent && pip install -r requirements.txt && python setup.py
Both demos follow a similar pattern:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Demo App │───▶│ OpenFGA API │───▶│ OpenFGA │
│ (Banking/AI) │ │ (Authorization)│ │ Instance │
└─────────────────┘ └─────────────────┘ └─────────────────┘
Each demo includes:
- Application code with OpenFGA SDK integration
- Authorization models specific to the use case
- Kubernetes deployment manifests
- Setup and usage documentation
After completing these demos, you will understand:
- How to design authorization models for different domains
- Integration patterns for OpenFGA in microservices
- Kubernetes deployment strategies for authorized applications
- Best practices for fine-grained authorization
For questions or issues with these demos:
- Check the individual demo README files
- Review the main OpenFGA Operator documentation
- Open an issue in the repository