# OpenFGA Best Practices
Comprehensive guide for authoring OpenFGA authorization models and using OpenFGA SDKs, maintained for AI agents and developers. Contains rules across 7 categories covering core concepts, relationship patterns, testing, custom roles, model optimization, and language-specific SDK usage.
## When to Apply
Reference these guidelines when:
- Creating new OpenFGA authorization models
- Defining types and relations in `.fga` files
- Writing relationship tuples
- Testing models with `.fga.yaml` files
- Implementing custom roles
- Reviewing or refactoring existing models
- Integrating OpenFGA with JavaScript/TypeScript, Go, Python, Java, or .NET applications
## Rule Categories by Priority
| Priority | Category | Impact | Prefix |
|---|---|---|---|
| 1 | Core Concepts | CRITICAL | `core-` |
| 2 | Relationship Definitions | CRITICAL | `relation-` |
| 3 | Testing & Validation | HIGH | `test-` |
| 4 | Model Design | HIGH | `design-` |
| 5 | Custom Roles | MEDIUM | `roles-` |
| 6 | Optimization | MEDIUM | `optimize-` |
| 7 | SDK Integration | HIGH | `sdk-` |
| 8 | Workflow | CRITICAL | `workflow-` |
## Quick Reference
### 1. Core Concepts (CRITICAL)
- `core-types` - Define types for all entity classes
- `core-schema-version` - Always use schema 1.1
- `core-relations` - Define relations on object types, not user types
- `core-tuples` - Write relationship tuples to establish facts
- `core-separation` - Separate schema (model) from data (tuples)
### 2. Relationship Definitions (CRITICAL)
- `relation-direct` - Use `[type]` for direct assignments
- `relation-concentric` - Use `or` for permission inheritance
- `relation-indirect` - Use `X from Y` for hierarchical access
- `relation-usersets` - Use `type#relation` for group-based access
- `relation-conditions` - Use CEL conditions for contextual authorization
- `relation-wildcards` - Use `type:*` for public access carefully
- `relation-wildcards-as-booleans` - Use `type:*` to model boolean attributes
### 3. Model Design (HIGH)
- `design-permissions` - Define `can_*` relations for permissions
- `design-hierarchy` - Model parent-child relationships correctly
- `design-organization` - Structure organization-level access
- `design-naming` - Use clear, consistent naming conventions
- `design-modules` - Split a model into modules for collaboration among multiple teams
### 4. Testing & Validation (HIGH)
- `test-fga-yaml` - Structure tests in `.fga.yaml` files
- `test-check-assertions` - Write check assertions for permission verification
- `test-list-objects` - Test list_objects queries
- `test-list-users` - Test list_users queries
- `test-conditions` - Test conditional relationships with context
- `test-cli` - Use OpenFGA CLI for model testing
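An added example, not taken from the rule files or the OpenFGA project, that exercises the patterns from sections 2 to 4 in a single `.fga.yaml` test file of the kind run by `fga model test --tests`; the type names, users and tuples are constructed for illustration:

```yaml
name: document-sharing                      # constructed example file
model: |
  model
    schema 1.1
  type user
  type organization
    relations
      define admin: [user]
      define member: [user]
  type document
    relations
      define org: [organization]
      define owner: [user]
      # [type] direct, type#relation userset, "or" concentric; user:* wildcard, "from" indirect
      define editor: [user, organization#member] or owner
      define viewer: [user, user:*] or editor or admin from org
      define can_view: viewer
      define can_edit: editor
tuples:
  - user: user:anne                         # anne administers the organization
    relation: admin
    object: organization:acme
  - user: user:bob                          # bob is a plain member
    relation: member
    object: organization:acme
  - user: organization:acme                 # the document belongs to acme
    relation: org
    object: document:roadmap
  - user: organization:acme#member          # userset: every acme member may edit
    relation: editor
    object: document:roadmap
  - user: user:*                            # wildcard: the handbook is public
    relation: viewer
    object: document:handbook
tests:
  - name: relation patterns resolve to the expected permissions
    check:
      - user: user:bob                      # editor via the organization#member userset
        object: document:roadmap
        assertions:
          can_edit: true
      - user: user:anne                     # viewer via "admin from org", but not an editor
        object: document:roadmap
        assertions:
          can_view: true
          can_edit: false
      - user: user:carol                    # holds no tuples; public read only via user:*
        object: document:handbook
        assertions:
          can_view: true
```

The `user:carol` case is the check worth keeping whenever `user:*` appears in a model: it proves the wildcard grants only the intended relation and nothing beyond it.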
### 5. Custom Roles (MEDIUM)
- `roles-simple` - Implement simple user-defined roles
- `roles-assignments` - Use role assignments for resource-specific roles
- `roles-static-combo` - Combine static and custom roles
- `roles-when-to-use` - Choose the right role pattern
### 6. Optimization (MEDIUM)
- `optimize-simplify` - Remove unused types and relations
- `optimize-tuples` - Use indirect relationships to reduce tuple count
- `optimize-type-restrictions` - Apply appropriate type restrictions
### 7. SDK Integration (HIGH)
- `sdk-javascript` - JavaScript/TypeScript SDK usage
- `sdk-go` - Go SDK usage
- `sdk-python` - Python SDK usage (async and sync)
- `sdk-java` - Java SDK usage
- `sdk-dotnet` - .NET SDK usage
### 8. Workflow (CRITICAL)
- `workflow-validate` - Always validate models before delivery
## How to Use
Read individual rule files for detailed explanations and code examples, for instance `rules/core-types.md`, `rules/relation-concentric.md` and `rules/test-fga-yaml.md`. Each rule file contains:
- Brief explanation of why it matters
- Incorrect code example with explanation
- Correct code example with explanation
- Additional context and references
## Full Compiled Document
For the complete guide with all rules expanded, see `AGENTS.md`.