
Feature Flagging vs Authorization

I just stumbled across the concept of feature flagging, and a popular open source Java lib for this called Togglz, which quotes a Martin Fowler blog post:

The basic idea is to have a configuration file that defines a bunch of toggles for various features you have pending. The running application then uses these toggles in order to decide whether or not to show the new feature.

But to me, this really sounds like authorization: Is the user authorized to view this content?

For example, should the user be able to see the FizzBuzz menu, or not?

In Togglz I might implement this check like so:

if(MyFeatures.ShowFizzBuzz.isActive()) {
    // Show the FizzBuzz menu.
}

In, say, Apache Shiro, I could do the exact same thing:

ShowFizzBuzzPermission showFizzBuzz = new ShowFizzBuzzPermission();
if(currentUser.isPermitted(showFizzBuzz)) {
    // Show the FizzBuzz menu.
}

Again, feature flagging just feels like it's the same exact problem as role- or permission-checking.

I'm sure I'm wrong, but I don't see how. So I ask: How is feature flagging different than authorization and role/permission checking, and what types of concrete use cases exemplify this difference? In other words: When should I use authorization/role/permission checking, and when should I use feature flags?

smeeb asked Nov 21 '14 15:11



2 Answers

I'm going to use Mr. Fowler's terminology for the two types of Feature Toggles:

  • Business Toggle: would be features that are long-lived configuration where all states are supported.
  • Release Toggle: Meant to help transition from an old or nonexistent implementation to a 'new' one. The intent with this one is to retire the old way of working when the work is done. This enables you to preserve the current way of working while the 'new' way is unfinished. Most people agree these should be avoided when possible.

How is feature flagging different than authorization and role/permission checking, and what types of concrete use cases exemplify this difference?

I think authorization and role/permission checking are configuration underneath the implementation of a Business Toggle. Authentication is your Business Toggle feature, Shiro would be a tool that helps you configure and enforce your authentication feature. Togglz is a framework for the implementation of Business Toggles or Version Toggles. It could be used for an authentication feature.

If you used Togglz to turn on/off authentication, and then Shiro to enforce a user's configuration, your code would look like this:

if(MyFeatures.ShowFizzBuzz.isActive()) {
  ShowFizzBuzzPermission showFizzBuzz = new ShowFizzBuzzPermission();
  if(currentUser.isPermitted(showFizzBuzz)) {
    // Show the FizzBuzz menu.
  }
}

You may choose to forget the Feature Toggle, because you always want authentication ON. The toggle is just introducing an additional check and technical debt.

When should I use authorization/role/permission checking, and when should I use feature flags?

I think this decision is up to you. I would say that authorization is a feature, and you could use Shiro to implement it. Your application could have many other features that would go beyond the scope of Shiro, and make you want to use Togglz to turn them on and off. I argue that any complex feature will still require configuration to drive your business logic.

ajk answered Sep 29 '22 04:09


I won't answer for the logic behind Togglz. In the FF4J documentation (feature flipping for Java), you can find a crystal clear schema which explains the difference.

Feature Toggle vs Authorization

A feature is a treatment, a function which could be enabled and disabled at runtime through a dedicated web console. This should be the main driver to toggle your code: Do I need to activate/deactivate through configuration?

Once you identify that a Feature Toggle mechanism would have great value (you can pick up some use cases at the bottom of the ff4J.org page), you can check permissions.

Checking permissions in a Feature Toggle context is meant to perform a "Canary Release": open a new feature for a limited subset of users before opening it for everyone.

Cédrick Lunven answered Sep 29 '22 05:09
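
The two checks discussed in the answers above, combined in an added example (not code from the original posts, and not the Togglz, FF4J or Shiro APIs): plain-Java stand-ins where the flag carries a canary user list and the permission is looked up per user. The class, flag, user and permission names are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: plain Java stand-ins, not the Togglz, FF4J or Shiro APIs.
public class FlagVsPermission {

    // Release decision: is the feature switched on, and for whom (canary)?
    // An empty canary set means "on for everyone".
    record Flag(boolean enabled, Set<String> canaryUsers) {
        boolean isActiveFor(String user) {
            return enabled && (canaryUsers.isEmpty() || canaryUsers.contains(user));
        }
    }

    // Constructed sample configuration (hypothetical names).
    static final Map<String, Flag> FLAGS = Map.of(
        "ShowFizzBuzz", new Flag(true, Set.of("alice", "mallory")));
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "alice", Set.of("fizzbuzz:view"),
        "bob", Set.of("fizzbuzz:view"),
        "mallory", Set.<String>of());

    // Unknown flags are treated as off.
    static boolean flagActive(String flag, String user) {
        Flag f = FLAGS.get(flag);
        return f != null && f.isActiveFor(user);
    }

    // Access decision: made per user; unknown users hold no permissions.
    static boolean permitted(String user, String permission) {
        return PERMISSIONS.getOrDefault(user, Set.of()).contains(permission);
    }

    // The flag narrows who sees the feature; it never grants access by itself.
    static boolean canSeeFizzBuzz(String user) {
        return flagActive("ShowFizzBuzz", user) && permitted(user, "fizzbuzz:view");
    }

    public static void main(String[] args) {
        for (String user : new String[] {"alice", "bob", "mallory", "eve"}) {
            System.out.printf("%-8s flag=%-5b permitted=%-5b menu=%b%n", user,
                flagActive("ShowFizzBuzz", user),
                permitted(user, "fizzbuzz:view"), canSeeFizzBuzz(user));
        }
    }
}
```

In the sample data bob holds the permission but is outside the canary, and mallory is in the canary without the permission; neither is shown the menu.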