Refactor FGA store ID lookup to use OpenFGA directly with caching #351

@nexus49

Summary

Refactor the FGA store ID lookup mechanism in the security-initializer to retrieve store IDs directly from OpenFGA instead of relying on the AccountInfo object.

Current Behavior

Today, the security-operator retrieves the FGA store ID through the AccountInfo object:

  1. WorkspaceInitializer creates a Store CRD resource (workspace_initializer.go:65-67)
  2. StoreSubroutine calls fga.ListStores() to find/create the store and populates Store.Status.StoreID (store.go:81-102)
  3. WorkspaceInitializer then copies the store ID to AccountInfo.Spec.FGA.Store.Id (workspace_initializer.go:109)
  4. Other components (tuples, authorization models) look up the AccountInfo or Store CRD to get the store ID

This creates a dependency on AccountInfo for store ID retrieval and requires multiple Kubernetes API calls.

Proposed Changes

  1. Derive organization name from KCP path convention

    • The KCP path annotation (kcp.io/path) already contains the organization info (e.g., root:orgs:workspace-name)
    • The security-initializer should extract the org name directly from this path instead of relying on AccountInfo
  2. Lookup stores in OpenFGA directly

    • Query OpenFGA's ListStores() API to find stores by name
    • Remove the indirection through AccountInfo for store ID retrieval
  3. Implement store ID caching

    • Add an in-memory cache for store IDs (org name → store ID mapping)
    • Reduce repeated ListStores() calls during reconciliation
    • Cache should have appropriate TTL and invalidation strategy
  4. Remove AccountInfo updates from security-operator

    • Stop creating/updating AccountInfo entirely in the workspace initializer
    • Remove the code that writes AccountInfo.Spec.FGA.Store.Id (workspace_initializer.go:105-114)
    • The security-operator should no longer manage AccountInfo objects
    • This removes the cross-operator dependency where security-operator modifies account-operator resources

Benefits

  • Reduced coupling: Remove dependency on AccountInfo for FGA store ID
  • Better separation of concerns: Security-operator no longer modifies AccountInfo (owned by account-operator)
  • Better performance: Cached lookups avoid repeated OpenFGA API calls
  • Simpler architecture: Direct lookup eliminates the need to persist store ID in multiple places
  • Faster reconciliation: Cached store IDs speed up tuple and authorization model operations

Files to Modify

  • internal/subroutine/workspace_initializer.go - Remove all AccountInfo creation/update logic
  • internal/subroutine/store.go - Add caching layer for store lookups
  • internal/subroutine/tuples.go - Use cached store ID lookup
  • internal/subroutine/authorization_model.go - Use cached store ID lookup
  • New file for store cache service/helper

Acceptance Criteria

  • Organization name is derived from KCP path convention
  • Store IDs are looked up directly from OpenFGA
  • Store ID cache is implemented with appropriate TTL
  • Security-operator no longer creates or updates AccountInfo objects
  • All existing functionality continues to work
  • Unit tests cover the new caching logic
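A sketch of the path-derived, cached lookup proposed above, added here as an example and not taken from the security-operator code base. `StoreCache`, `NewStoreCache`, `Get` and the `lookup` callback are hypothetical names; it assumes the org is the segment directly after `root:orgs:` in the `kcp.io/path` value, and the only invalidation shown is TTL expiry.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"time"
)

// StoreCache (hypothetical) caches org name -> store ID with a TTL. lookup
// stands in for a ListStores-based search by store name; now is the clock.
type StoreCache struct {
	mu     sync.Mutex
	ttl    time.Duration
	now    func() time.Time
	lookup func(org string) (string, error)
	ids    map[string]string
	exp    map[string]time.Time
}

func NewStoreCache(ttl time.Duration, lookup func(string) (string, error)) *StoreCache {
	return &StoreCache{ttl: ttl, now: time.Now, lookup: lookup,
		ids: map[string]string{}, exp: map[string]time.Time{}}
}

// Get derives the org from a kcp.io/path value (assumed "root:orgs:<org>[:...]")
// and returns its store ID. Failed or empty lookups are never cached.
func (c *StoreCache) Get(path string) (string, error) {
	p := strings.Split(path, ":")
	if len(p) < 3 || p[0] != "root" || p[1] != "orgs" || p[2] == "" {
		return "", fmt.Errorf("unexpected kcp path %q", path)
	}
	org := p[2]
	c.mu.Lock() // held across lookup: one call per miss, lookups serialized
	defer c.mu.Unlock()
	if id, ok := c.ids[org]; ok && c.now().Before(c.exp[org]) {
		return id, nil
	}
	id, err := c.lookup(org)
	if err != nil || id == "" {
		return "", fmt.Errorf("store lookup for org %q failed (err=%v)", org, err)
	}
	c.ids[org], c.exp[org] = id, c.now().Add(c.ttl)
	return id, nil
}

func main() {
	c := NewStoreCache(time.Minute, func(org string) (string, error) { return "store-" + org, nil })
	fmt.Println(c.Get("root:orgs:acme")) // constructed path and store ID
}
```

Because the cached ID selects which store tuples and authorization models are written to, a path that does not match the expected prefix is rejected before any lookup, and a miss is retried on the next call instead of being remembered.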

Metadata

Status: ForRefinement
