Tutorial
Managing who can see or do what with your data is a fundamental challenge, especially as applications and data grow in complexity. Traditional role-based systems often lack the granularity needed for modern data platforms. Fine-Grained Authorization (FGA) addresses this by controlling access at the individual resource level. In this 90-minute hands-on tutorial, we will explore implementing FGA using OpenFGA, an open-source authorization engine inspired by Google's Zanzibar. Attendees will learn the core concepts of Relationship-Based Access Control (ReBAC) and get practical experience defining authorization models, writing relationship tuples, and performing authorization checks using the OpenFGA Python SDK. Bring your laptop, ready to code, to learn how to build secure and flexible permission systems for your data applications.
- working IDE with Python setup
- FGA server setup: https://openfga.dev/docs/getting-started/setup-openfga/docker
This tutorial provides a practical, hands-on introduction to implementing Fine-Grained Authorization (FGA) for data-intensive applications using the open-source tool OpenFGA. As data platforms evolve and regulatory requirements become stricter, controlling access at a granular level – perhaps even row-level in a database context – becomes essential. Role-Based Access Control (RBAC), while common, often struggles to meet these complex needs, leading to insufficient flexibility or administrative overhead.
We will introduce the concept of Relationship-Based Access Control (ReBAC), the authorization paradigm powering systems like Google's Zanzibar and OpenFGA. You'll learn how ReBAC defines permissions based on the relationships between users and objects (e.g., "Alice is a viewer of Document 'report_Q3'"), enabling highly flexible and scalable access control logic.
The core of the tutorial will be dedicated to practical implementation. We will guide attendees through:
1. Setting up a local OpenFGA instance (e.g., using Docker).
2. Defining an authorization model using OpenFGA's Domain Specific Language (DSL) to represent resources, users, and the relationships between them. We will use a simplified data access scenario as our example, potentially inspired by challenges faced in research or data collaboration platforms.
3. Writing and managing relationship tuples in OpenFGA.
4. Using the OpenFGA Python SDK to connect your application logic to the authorization engine.
5. Exploring strategies for integrating this with application backend code and potentially addressing concepts like enforcing row-level permissions.
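To make the three building blocks of steps 2 to 5 concrete before the tutorial, here is an added example (not the tutorial's own material, and not OpenFGA or its Python SDK) that re-implements, in plain Python and offline, the semantics of a small OpenFGA-style authorization model: a model with direct assignment, a computed relation (`or editor`), and a tuple-to-userset relation (`viewer from parent`); a handful of relationship tuples; a recursive `check`; and a brute-force `list_objects` to show what row-level filtering looks like. The model, the type and relation names, and the tuples (users `alice`, `bob`, `carol`, team `analytics`, folder `finance`, the two documents) are all constructed for this illustration.

```python
"""Minimal ReBAC (Zanzibar-style) check evaluator.

Added example for this tutorial page: NOT OpenFGA's code and NOT the OpenFGA
Python SDK. It mimics the semantics of a small OpenFGA authorization model so
that model, tuples and checks can be exercised offline.
"""

# The model as it would read in OpenFGA's DSL (constructed for this example).
MODEL_DSL = """
model
  schema 1.1
type user
type team
  relations
    define member: [user]
type folder
  relations
    define viewer: [user, team#member]
type document
  relations
    define parent: [folder]
    define editor: [user]
    define viewer: [user, team#member] or editor or viewer from parent
"""

# The same model as data: type -> relation -> list of userset rewrite rules.
#   ("this",)            direct assignment through tuples
#   ("computed", r)      inherit from relation r on the same object ("or editor")
#   ("ttu", ts, r)       "r from ts": follow tupleset ts to another object, check r there
MODEL = {
    "user": {},
    "team": {"member": [("this",)]},
    "folder": {"viewer": [("this",)]},
    "document": {
        "parent": [("this",)],
        "editor": [("this",)],
        "viewer": [("this",), ("computed", "editor"), ("ttu", "parent", "viewer")],
    },
}

# Relationship tuples (user, relation, object); constructed sample data.
TUPLES = [
    ("user:alice", "editor", "document:report_q3"),
    ("user:bob", "member", "team:analytics"),
    ("team:analytics#member", "viewer", "folder:finance"),   # a userset as the user
    ("folder:finance", "parent", "document:report_q3"),
    ("folder:finance", "parent", "document:budget_2025"),
    ("user:carol", "viewer", "document:budget_2025"),
]


def _obj_type(obj):
    """'document:report_q3' -> 'document'."""
    return obj.split(":", 1)[0]


def check(user, relation, obj, tuples=TUPLES, model=MODEL, _seen=None):
    """Return True if `user` has `relation` on `obj` under `model` and `tuples`."""
    _seen = set() if _seen is None else _seen
    key = (user, relation, obj)
    if key in _seen:          # cycle guard: a relation may not grant itself via a loop
        return False
    _seen.add(key)
    for rule in model.get(_obj_type(obj), {}).get(relation, []):
        if rule[0] == "this":
            for (u, r, o) in tuples:
                if r != relation or o != obj:
                    continue
                if u == user:                     # direct tuple, e.g. user:alice
                    return True
                if "#" in u:                      # userset, e.g. team:analytics#member
                    set_obj, set_rel = u.split("#", 1)
                    if check(user, set_rel, set_obj, tuples, model, _seen):
                        return True
        elif rule[0] == "computed":               # e.g. every editor is a viewer
            if check(user, rule[1], obj, tuples, model, _seen):
                return True
        elif rule[0] == "ttu":                    # e.g. viewer from parent
            _, tupleset, target_rel = rule
            for (u, r, o) in tuples:
                if r == tupleset and o == obj:
                    if check(user, target_rel, u, tuples, model, _seen):
                        return True
    return False


def list_objects(user, relation, obj_type, tuples=TUPLES, model=MODEL):
    """Row-level filtering: every object of `obj_type` the user has `relation` on."""
    candidates = {o for (_, _, o) in tuples if _obj_type(o) == obj_type}
    return sorted(o for o in candidates if check(user, relation, o, tuples, model))


if __name__ == "__main__":
    for u, r, o in [("user:alice", "viewer", "document:report_q3"),
                    ("user:bob", "viewer", "document:report_q3"),
                    ("user:carol", "viewer", "document:report_q3")]:
        print(f"check({u}, {r}, {o}) -> {check(u, r, o)}")
    print("bob can view:", list_objects("user:bob", "viewer", "document"))
```

Alice is allowed because `editor` is folded into `viewer`; Bob is allowed only through the chain document -> parent folder -> team userset -> team membership, which is the kind of indirect grant that RBAC roles cannot express without duplication; Carol is denied because her tuple is on a different document. With a running OpenFGA server the same questions are asked through the SDK (a `ClientCheckRequest` with `user`, `relation` and `object` passed to `OpenFgaClient.check`) and the server evaluates the model; the brute-force `list_objects` here is only to show the idea behind filtering rows down to what a user may see, a job the server's own list-objects endpoint performs far more efficiently.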
Attendees will follow along with live coding examples and complete exercises designed to solidify their understanding and build confidence in applying FGA principles with OpenFGA. By the end of the 90 minutes, you will have a foundational understanding of FGA/ReBAC and the practical skills to start integrating OpenFGA into your own projects. The tutorial materials, including code examples and setup instructions, will be provided via a GitHub repository.