{"id":21971340,"url":"https://github.com/DeluxeOwl/kala-go","last_synced_at":"2025-07-22T17:32:54.729Z","repository":{"id":53933634,"uuid":"485675836","full_name":"DeluxeOwl/kala-go","owner":"DeluxeOwl","description":"An authorization framework written in Go based on Google's Zanzibar.","archived":false,"fork":false,"pushed_at":"2023-04-25T20:05:24.000Z","size":1616,"stargazers_count":29,"open_issues_count":3,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-04-17T20:12:48.128Z","etag":null,"topics":["authorization","go","graph","react","zanzibar"],"latest_commit_sha":null,"homepage":"https://kala.andreisurugiu.com/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DeluxeOwl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-04-26T07:18:59.000Z","updated_at":"2024-03-17T19:05:12.000Z","dependencies_parsed_at":"2023-02-08T18:01:13.523Z","dependency_job_id":null,"html_url":"https://github.com/DeluxeOwl/kala-go","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeluxeOwl%2Fkala-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeluxeOwl%2Fkala-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeluxeOwl%2Fkala-go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeluxeOwl%2Fkala-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DeluxeOwl","download_url":"https://codeload.github.com/DeluxeOwl/kala-go/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227149539,"owners_count":17738249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","go","graph","react","zanzibar"],"created_at":"2024-11-29T14:50:16.977Z","updated_at":"2024-11-29T14:50:21.907Z","avatar_url":"https://github.com/DeluxeOwl.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"# https://kala.andreisurugiu.com/\n\nNot a final version.\n\n\u003cimg src=\"./img/logo.png\" width=\"100\"/\u003e\n\nAn authorization framework written in go based on [Zanzibar: Google’s Consistent, Global Authorization System](https://storage.googleapis.com/pub-tools-public-publication-data/pdf/10683a8987dbf0c6d4edcafb9b4f05cc9de5974a.pdf).\n\nIt offers an IDE with a graph for visualizing the relations and permissions between entities.\n\n**!!! This is not meant for production usage, there are still a lot of things missing and the quality and organization of code is questionable since this is my first Go project and was done in a serious hurry!!!**  \nSee below for \"planned\" things.\n\n![graph](./img/graph.png)\n\n## Editor\n\nIn the editor, you can define the relation between entities using `yaml`, for example, the default configuration is this:\n\n```yaml\ntype: user\n---\ntype: group\nrelations:\n  member: user\n\n---\ntype: folder\nrelations:\n  reader: user | group#member\n\n---\ntype: document\nrelations:\n  parent_folder: folder\n  writer: user\n  reader: user\npermissions:\n  read: reader | writer | parent_folder.reader\n  read_and_write: reader \u0026 writer\n  read_only: reader \u0026 !writer\n```\n\nThis is just an example, Kala is able to model and combine every type of authorization (**RBAC, ABAC, ACL, Custom Roles etc.**), you can find some examples in the dropdown.\n\nIn the above example, there are 4 types defined:\n\n- **user**\n- **group** that has a **relation** that indicates a `member` can be an **user**\n- **folder** with a `reader` relation that can _either_ be an **user** or **the members of a group**\n- **document** with some relations and some permissions:\n  - `read` permission indicates that someone can **read** the document if they're a `reader` **OR** `writer` **OR** they have `reader` on the `parent_folder`\n  - `read_and_write` indicates that they need to be both a `reader` **AND** a `writer`\n  - `read_only` indicates that they need to be `reader` **BUT NOT** a `writer`\n\nPermissions are only computed from relations.\n\nAfter each change in the editor **you need to press `Ctrl+K` to load the config**.\n\n## Tuples\n\nYou can define some tuples for the authorization system, as seen in the tuples tab which indicate the **relations** between some entities, the id of the entities is up to you to define, they don't have any more meaning than what you give them.\n\nAn interesting tuple is the following:\n![parent](./img/1_parent.png)\n\nThe `folder:secret_folder` is a `parent_folder` for `document:report.csv`.\n\n![parent2](./img/2_dev_reader.png)\n\nThe `member`s of `group:dev` are a `reader` on `folder:secret_folder`.\n\n![parent3](./img/3_steve_member.png)\n\n`user:steve` is a `member` of `group:dev`.\n\n## PermissionCheck\n\nYou can verify permissions between entities, based on the previous example, does `user:steve` have `read` permission on `document:report.csv`?\n\n![parent4](./img/4_perm_check.png)\n\nBased on the defined relations, the answer is `true`.\n\n## How does it work?\n\nKala uses `ent` as an ORM for the Go backend, which offers functions to query your database using a graph-like structure.\n\nInternally, permissions are evaluated **concurrently** and short-circuited, for the example above, we're checking at the same time if steve has any of the following relations on the document: `reader | writer | parent_folder.reader`.\n\nIf any of them returns true, return `true` and cancel all other goroutines (since we have an **OR** expression).\n\nThis can be seen by clickiing the question mark button to get a little overview on the relation check process:\n\n![parent5](./img/5_relationcheck.png)\n\n# Dev\n\nIn `./website`, create an `.env.local` with:\n\n```\nNEXT_PUBLIC_BACKEND_URL=\"http://127.0.0.1:1323/v0\"\n```\n\nYou can either build the docker image for the backend or run the backend using [task](https://taskfile.dev/).\n\n```sh\ntask gen\ntask run-once\ncd website\nyarn dev\n```\n\n# How to use\n\nThe whole website is keyboard driven, press `Ctrl+Shift+K` for help\n\n1. After you finish modifying your config, you need to reload the changes by pressing `Ctrl+K`\n2. Add tuples to the database using the \"Tuples\" tab\n3. Verify permissions using the \"PermissionCheck\" tab\n\n# Future things?\n\n- obviously implement a proper CRUD interface, don't @ me\n- organize the code !!!\n- caching for permission checks, implement something similar to Zookies used in Google's Zanzibar paper\n- some proper logging\n- healtcheck, metrics endpoints\n- support relation checking\n- watch permission changes endpoint\n- answering the question: \"Who has access to this resource?\"\n- Adding a way to add \"public access\" easily\n- Proper expression support in permissions (doesn't support paranthesis)\n- make it distributed\n- some CLI functionality\n- some simple policy engine similar to OPA on top\n- SDKs and client libraries\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDeluxeOwl%2Fkala-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDeluxeOwl%2Fkala-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDeluxeOwl%2Fkala-go/lists"}