Skip to content

Authorization Model Metadata #228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Authorization Model Metadata #228

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
aa9afa0
feat: add authorization_model_metadata field to support Kubernetes-st…
tylernix Jul 25, 2025
a589385
feat: add metadata field to authorization models
tylernix Jul 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
175 changes: 168 additions & 7 deletions docs/openapiv2/apidocs.swagger.json
View file
Open in desktop

Large diffs are not rendered by default.

18 changes: 18 additions & 0 deletions openfga/v1/authzmodel.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,24 @@ message AuthorizationModel {
ignore_empty: false
}
];

// Labels and metadata for the authorization model (similar to Kubernetes labels)
map<string, string> metadata = 5 [
json_name = "metadata",
(validate.rules).map.max_pairs = 20,
(validate.rules).map.keys.string = {
pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
max_bytes: 63
ignore_empty: true
},
Comment on lines +47 to +51
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

ignore_empty: true makes empty metadata keys valid – violates the RFC

ignore_empty: true bypasses the regex when the key is the empty string, yet the spec explicitly says “keys cannot be empty”.
Flip the flag to false (or omit it – default is false) to enforce the requirement.

-    (validate.rules).map.keys.string = {
-      pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
-      max_bytes: 63
-      ignore_empty: true
-    },
+    (validate.rules).map.keys.string = {
+      pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
+      max_bytes: 63
+      ignore_empty: false
+    },
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
(validate.rules).map.keys.string = {
pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
max_bytes: 63
ignore_empty: true
},
(validate.rules).map.keys.string = {
pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
max_bytes: 63
ignore_empty: false
},
🤖 Prompt for AI Agents 
In openfga/v1/authzmodel.proto around lines 47 to 51, the validation rule for
map keys includes 'ignore_empty: true', which allows empty keys and violates the
specification that keys cannot be empty. Remove the 'ignore_empty: true' line or
set it to false to ensure empty keys are rejected and the regex pattern is
enforced for all keys.

(validate.rules).map.values.string = {
max_bytes: 256
ignore_empty: true
},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "{\"environment\": \"production\", \"team\": \"platform\", \"version\": \"v1.2.3\"}"
}
];
}

message TypeDefinition {
Expand Down
19 changes: 18 additions & 1 deletion openfga/v1/openfga_service.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1537,8 +1537,25 @@ message WriteAuthorizationModelRequest {
(validate.rules).map.max_pairs = 25,
(validate.rules).map.keys.string = {pattern: "^[^:#@\\s]{1,50}$"}
];
}

// Labels and metadata for the authorization model (similar to Kubernetes labels)
map<string, string> metadata = 5 [
json_name = "metadata",
(validate.rules).map.max_pairs = 20,
(validate.rules).map.keys.string = {
pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
max_bytes: 63
ignore_empty: true
},
Comment on lines +1545 to +1549
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Empty metadata keys slip through here as well

Same issue as in authzmodel.proto: ignore_empty: true permits "" as a key.
Set it to false to honour the “non-empty key” rule.

-    (validate.rules).map.keys.string = {
-      pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
-      max_bytes: 63
-      ignore_empty: true
-    },
+    (validate.rules).map.keys.string = {
+      pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
+      max_bytes: 63
+      ignore_empty: false
+    },
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
(validate.rules).map.keys.string = {
pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
max_bytes: 63
ignore_empty: true
},
(validate.rules).map.keys.string = {
pattern: "^[a-z0-9]([a-z0-9\\-\\.]*[a-z0-9])?$"
max_bytes: 63
ignore_empty: false
},
🤖 Prompt for AI Agents 
In openfga/v1/openfga_service.proto around lines 1545 to 1549, the validation
rule for map keys currently sets ignore_empty to true, which allows empty string
keys to pass validation. Change ignore_empty to false to enforce the rule that
keys must be non-empty strings.

(validate.rules).map.values.string = {
max_bytes: 256
ignore_empty: true
},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "{\"environment\": \"production\", \"team\": \"platform\", \"version\": \"v1.2.3\"}"
}
];
}
message WriteAuthorizationModelResponse {
string authorization_model_id = 1 [
json_name = "authorization_model_id",
Expand Down
574 changes: 301 additions & 273 deletions proto/openfga/v1/authzmodel.pb.go
View file
Open in desktop

Large diffs are not rendered by default.

69 changes: 69 additions & 0 deletions proto/openfga/v1/authzmodel.pb.validate.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading