Auth Module Design: Role-Based Authorization with Dynamic users in ACL via External AuthZ

[sandeepkunusoth]

Hi all,

I am seeking feedback on an Auth module we have implemented.

We are implementing group/role-based authorization for users and mapping them to Valkey ACL permissions based on resolved roles.

Authorization decisions are made from an external policy engine such as OpenFGA (or other sources like Azure AD groups). Once the user’s role is resolved, we dynamically create/update the corresponding Valkey ACL user during authentication within this custom Auth module.

Current Role-to-ACL permissions

The module defines role permission templates configurable via module configuration:

admin_acl_permissions  (default):  +@admin
writer_acl_permissions (default):  +@read +@write -@admin -ACL
reader_acl_permissions (default):  +@read -@write -@dangerous -ACL

Flow:

Explanation:

At authentication time:

• User role is resolved from external authorization layer.
• Role permissions are read from module config (valkey.conf).
• We check whether the existing ACL user already matches the resolved role.
• If role changed or permissions drift is detected → ACL SETUSER is executed.
• If ACL already matches → skip ACL update.
• Connection is authenticated using that ACL user.

Why We Chose This Approach

• Keeps ACL state in Valkey aligned with external authorization outcome.
• Avoids manual ACL provisioning per user.
• Uses Valkey ACL for command-level permissions.
• Prevents permission drift by checking role at every login.

Questions for the Valkey Community

• Is calling ACL SETUSER during auth/login flow (create/update on role change) considered a recommended pattern?
• Is there a better pattern for integrating external authorization services with Valkey ACL?

Thank you for your feedback.