Authorization infrastructure for Milo's business operating system backed by OpenFGA - enabling fine-grained, relationship-based access control across business entities like customers, products, agreements, and organizational resources.
This project provides the authorization backbone for the Milo business operating system, which uses Kubernetes APIServer patterns to manage business entities for product-led B2B companies. The auth provider bridges Milo's business APIs with OpenFGA's relationship-based authorization engine to answer complex business questions like:
- "Can this sales rep view pricing for customers in this project?"
- "Can this account manager modify agreements for this organization?"
- "Which product features can this customer access based on their entitlements?"
- Resource Authorization - Protects Milo's resources using relationship-based policies
- Organizational Hierarchies - Supports complex business structures with permission inheritance across organizations and projects
- Dynamic Permission Models - Automatically builds authorization models as new resource types are registered in Milo
- Real-time Access Control - Provides webhook-based authorization that integrates seamlessly with Milo's Kubernetes-based APIs
- Resource Registration:
ProtectedResourceCRDs define what resources should be protected and what permissions are available (view, edit, delete, manage) - Authorization Model Sync: The system automatically builds OpenFGA type definitions based on registered resources
- Role Management:
RoleCRDs define roles (Sales Rep, Account Manager) with collections of permissions - Access Binding:
PolicyBindingCRDs create relationships between subjects, roles, and target resources - Runtime Authorization: Webhook servers evaluate access requests by querying OpenFGA relationship graphs
- Inheritance Support: Resources inherit permissions through organizational hierarchies (Organization → Project → Customer)
Review the Architecture documentation for more information.
task dev:setup # Complete environment setup
task dev:deploy # Deploy/redeploy application
task dev:status # Check environment status
task dev:logs # View application logs
task test # Run tests- Architecture Guide - System design, components, and data flow
- OpenFGA Integration - OpenFGA authorization model and implementation details
├── config/ # Kubernetes manifests and Kustomize overlays
├── docs/ # Detailed documentation
├── internal/ # Application logic
│ ├── controller/ # Kubernetes controllers
│ ├── webhook/ # Authorization webhook server
│ └── openfga/ # OpenFGA integration layer
├── cmd/ # CLI entrypoints (manager, webhook)
└── test/ # E2E tests
task dev:setup- Set up environment- Make your changes
task test && task test:e2e- Verify changes- Submit PR
For detailed guidelines, see Contributing Guide.