Hello everyone, I utilized Helm-chart to deploy Ory Keto, but I'm encountering issues accessing the read and write URLs. I attempted to configure ingress to redirect them to https://keto.mydomain.com/read and https://keto.mydomain.com/write, respectively. However, when I try to visit https://keto.mydomain.com/read, I receive a "not found" error. Below are the configurations for my ingress and Keto. @steep-lamp-91158

keto:

ingress:

read:

enabled: true

annotations:

<http://nginx.ingress.kubernetes.io/rewrite-target|nginx.ingress.kubernetes.io/rewrite-target>: /$2

hosts:

- host: keto.{{ .Values.baseDomain }}

paths:

- path: /read

pathType: Prefix

backend:

serviceName: ory-keto-read

servicePort: 4466

write:

enabled: true

annotations:

<http://nginx.ingress.kubernetes.io/rewrite-target|nginx.ingress.kubernetes.io/rewrite-target>: /$2

hosts:

- host: keto.{{ .Values.baseDomain }}

paths:

- path: /write

pathType: Prefix

backend:

serviceName: ory-keto-write

servicePort: 4467

keto:

autoMigrate: {{ .Values.ketoAutoMigrate }}

config:

dsn: <postgres://postgres>:{{ requiredEnv "POSTGRES_PASSWORD" }}@{{ .Values.dbhost }}:5432/identity?sslmode=disable

serve:

namespaces:

- id: 1

name: ukama

Rephrasing the same question that @chilly-scientist-84712 has put. Can we have a the name spaces, relationships and their permissions defined dynamically? One way could be, to rewrite the keto yml file with the new namespace so that Keto would reload the file. But this approach would involve additional layer of generating the namespace definition code programmatically. Is there a better way of achieving this?

Hey guys, I tried using the Sdk following this implementation but I always get 404 seems like the version v0.5.2 does not work.

package main

import (

"context"

"fmt"

"os"

ory "<http://github.com/ory/keto-client-go|github.com/ory/keto-client-go>"

)

// Use this context to access Ory APIs which require an Ory API Key.

var namespace = "Blog"

var object = "secret_post"

var relation = "view"

var subjectId = "Bob"

func main() {

payload := ory.CreateRelationshipBody{

Namespace: &namespace,

Object:    &object,

Relation:  &relation,

SubjectId: &subjectId,

}

configuration := ory.NewConfiguration()

configuration.Servers = []ory.ServerConfiguration{

{

URL: "<http://127.0.0.1:4467>", // Write API

},

}

writeClient := ory.NewAPIClient(configuration)

_, r, err := writeClient.RelationshipApi.CreateRelationship(context.Background()).CreateRelationshipBody(payload).Execute()

if err != nil {

fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)

panic("Encountered error: " + err.Error())

}

fmt.Println("Successfully created tuple")

configuration.Servers = []client.ServerConfiguration{

{

URL: "<http://127.0.0.1:4466>", // Read API

},

}

readClient := client.NewAPIClient(configuration)

check, r, err := readClient.PermissionApi.CheckPermission(context.Background()).

Namespace(*&namespace).

Object(*&object).

Relation(*&relation).

SubjectId(*&subjectId).Execute()

if err != nil {

fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)

panic("Encountered error: " + err.Error())

}

if check.Allowed {

fmt.Println(*&subjectId + " can " + *&relation + " the " + *&object)

}

}

Hello! I’m trying to make a proof of concept using Keto for my company, using one of the example OPL schemas:

import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class Document implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Folder[]
  }

  permits = {
    view: (ctx: Context): boolean =>
        this.related.viewers.includes(ctx.subject) ||
        this.permits.edit(ctx),
    edit: (ctx: Context): boolean =>
        this.related.editors.includes(ctx.subject) ||
        this.permits.share(ctx),
    delete: (ctx: Context): boolean =>
        this.permits.share(ctx),
    share: (ctx: Context): boolean =>
        this.related.owners.includes(ctx.subject) || this.related.parents.traverse((parent) => parent.permits.share(ctx)),
  }
}

class Folder implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Folder[]
  }

  permits = {
    delete: (ctx: Context): boolean =>
        this.permits.share(ctx),
    share: (ctx: Context): boolean =>
        this.related.owners.includes(ctx.subject) || this.related.parents.traverse((parent) => parent.permits.share(ctx)),
  }
}

I then use the go SDK to set a document as having a parent folder, and then make a user an owner of the folder. However when I go to check if the user has view permission on the document, the permissions api returns that they do not. Perhaps I’m misunderstanding something? For reference here’s the go code I have:

package main

import (
	"context"
	"fmt"
	"os"

	ory "<http://github.com/ory/keto-client-go|github.com/ory/keto-client-go>"
)

func Ptr[T any](v T) *T {
	return &v
}

func main() {
	configuration := ory.NewConfiguration()
	configuration.Servers = []ory.ServerConfiguration{
		{
			URL: "<http://127.0.0.1:4467>", // Write API
		},
	}
	writeClient := ory.NewAPIClient(configuration)
	ctx := context.Background()

	_, r, err := writeClient.RelationshipApi.CreateRelationship(ctx).CreateRelationshipBody(ory.CreateRelationshipBody{
		Namespace: Ptr("Document"),
		Object:    Ptr("doc_1"),
		Relation:  Ptr("parents"),
		SubjectId: Ptr("folder_1"),
	}).Execute()

	if err != nil {
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		panic("Encountered error: " + err.Error())
	}

	_, r, err = writeClient.RelationshipApi.CreateRelationship(ctx).CreateRelationshipBody(ory.CreateRelationshipBody{
		Namespace: Ptr("Folder"),
		Object:    Ptr("folder_1"),
		Relation:  Ptr("owners"),
		SubjectId: Ptr("user_1"),
	}).Execute()

	if err != nil {
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		panic("Encountered error: " + err.Error())
	}

	configuration.Servers = []ory.ServerConfiguration{
		{
			URL: "<http://127.0.0.1:4466>", // Read API
		},
	}
	readClient := ory.NewAPIClient(configuration)
	checkRelation(ctx, readClient, "Folder", "folder_1", "share", "user_1")
	checkRelation(ctx, readClient, "Document", "doc_1", "view", "user_1")
}

func checkRelation(ctx context.Context, readClient *ory.APIClient, namespace, object, relation, subjectId string) {
	check, r, err := readClient.PermissionApi.CheckPermission(ctx).
		Namespace(namespace).
		Object(object).
		Relation(relation).
		SubjectId(subjectId).Execute()
	if err != nil {
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		panic("Encountered error: " + err.Error())
	}
	if check.Allowed {
		fmt.Println(subjectId + " CAN " + relation + " the " + object)
	} else {
		fmt.Println(subjectId + " CANNOT " + relation + " the " + object)
	}
}

and here’s the output:

user_1 CAN share the folder_1
user_1 CANNOT view the doc_1

Any help would be greatly appreciated!

hello! Is it possible to "stub" out a permission in a permission model typescript such that it can be used in the application but provides no actionable check value? I was using

view: (ctx: Context): boolean => true

but keto didn't like that on startup (expected

this

where

true

is). It isn't strictly necessary -- seems like the workaround / implication is to just not have a permit that relies on that for now (which means the application code wouldn't perform any check). That's fine. Means that I have to redeploy my application when I do want to change the model to legitimately implement

view

though.

second question: I noticed that I can insert (using

keto relation-tuple create

) something I have in a

permit

. Is that expected? Or put another way -- are permits supposed to be directly assignable as well as act as functions against relations (

related

) / are permits relations themselves? e.g.:

class Connection implements Namespace {
  related: {
    owners: User[];
  };

  permits = {
    view: (ctx: Context): boolean => this.permits.edit(ctx),
    edit: (ctx: Context): boolean => this.related.owners.includes(ctx.subject),
...

then:

echo "Connection:1#edit@bob" | keto relation-tuple parse --format json - | keto relation-tuple create -

keto check bob edit Connection 1

Allowed

Hey everyone! I am trying to authorize my requests to oathkeeper via Keto, so I have added "keto_engine_acp_ory" to authorizer to my oathkeeper config. The request to check permissions indeed goes to the keto server, but it hits

/engines/acp/ory/regex/allowed

endpoint and receives a 404 error. Seems like this particular endpoint just doesn't exist. Has anyone faced this issue before? Will appreciate any help. Oathkeeper configuration and versions of ory products are in the thread below.

I think others may have asked this but it has gone unanswered -- if I have a 'view'

permits

, how do I check which object IDs allow that given a subject? Using the List API doesn't seem to return results -- it seems like permits are only considered relations when interacted with via the Check service, but nothing else? The use case is I want to determine which objects a subject has effective permissions to so I can filter them before returning them from an API service.

To rephrase my question above, do indirect relationships have to be explicitly added? Using the example OPL is not working as expected for me, at least with the golang sdk.

Running keto in docker getting this error

unable to initialize config provider: open /home/ory/keto.yml: no such file or directory

docker compose file

version: "3"
services:
  keto:
    image: oryd/keto:v0.11.1
    volumes:
      - ./keto:/home/ory
    ports:
      - "4466:4466"
      - "4467:4467"
    command: serve -c /home/ory/keto.yml
    restart: on-failure

volumes:
  keto:

directory structure

keto/
   keto.yml
   namespaces.keto.ts
docker-compose.yaml

keto.yaml

version: v0.11.1

dsn: memory

namespaces:
  location: file://./namespaces.keto.ts

log:
  level: debug

serve:
  read:
    host: 0.0.0.0
    port: 4466
  write:
    host: 0.0.0.0
    port: 4467

I am trying to run the rewrite example in ory keto, this is my permission file

// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}

basically, i want that any user having the viewers access of parent should have viewer access for any of the childs. I created user group developer that has viewers access for folder keto/ and folder keto/ is parent folder keto/src/. I have two users in developer group. when i run check for viewers access for the user in developer to keto/ it gives me allowed true, but when i run check for viewers access for keto/src/ it gives me false, even though the parent has the viewers access. As far as i could understand from the permission file the user should have viewers access for the children as well #keto

I just recrete my k8s cluster and deploy all our service including Keto, but now when I try to insert/update values in Keto, I have this kind of error:

Keto Delete team: team=0070c83f-4214-4a95-a88a-5aa99e7dcfdc tenant=0c64fa2d-2c4b-4a8d-adaa-7dc15af64bfd status=error message=2 UNKNOWN: failed to close prepared statement: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02): ERROR: insert or update on table "keto_relation_tuples" violates foreign key constraint "keto_relation_tuples_nid_fk" (SQLSTATE 23503)
ⅹ tenant deletion failed (2 UNKNOWN: failed to close prepared statement: ERROR: current transaction is aborted, commands ignored until end of transaction block (SQLSTATE 25P02): ERROR: insert or update on table "keto_relation_tuples" violates foreign key constraint "keto_relation_tuples_nid_fk" (SQLSTATE 23503))

Not sure how the networks entry are generated in keto, when I try to list the tuples Keto return nothing, but my

keto_relation_tuples

contains more then 14'000 entries

What's wrong?

class LegalEntity implements Namespace {
  related: {
    readers: User[]
    writers: User[]
  }

  permits = {
    read: (ctx: Context): boolean =>
      this.related.readers.includes(ctx.subject) ||
      this.related.writers.includes(ctx.subject),
    write: (ctx: Context): boolean => this.related.writers.includes(ctx.subject),
  }
}

relationships.js:

[
  {
    "namespace": "LegalEntity",
    "object": "entity1",
    "relation": "readers",
    "subject": "User:user1"
  },
  {
    "namespace": "LegalEntity",
    "object": "entity1",
    "relation": "writers",
    "subject": "User:user2"
  }
]

And getting invalid memory address.

I am trying to run the rewrite example in ory keto, this is my permission file

// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}

basically, i want that any user having the viewers access of parent should have viewer access for any of the childs. I created user group developer that has viewers access for folder keto/ and folder keto/ is parent folder keto/src/. I have two users in developer group. when i run check for viewers access for the user in developer to keto/ it gives me allowed true, but when i run check for viewers access for keto/src/ it gives me false, even though the parent has the viewers access. As far as i could understand from the permission file the user should have viewers access for the children as well this is my relationship tuple

{
  "relation_tuples": [
    {
      "namespace": "Folder",
      "object": "keto/",
      "relation": "viewers",
      "subject_set": {
        "namespace": "Group",
        "object": "developer",
        "relation": "members"
      }
    },
    {
      "namespace": "Folder",
      "object": "keto/src/",
      "relation": "parents",
      "subject_set": {
        "namespace": "Folder",
        "object": "keto/",
        "relation": ""
      }
    },
    {
      "namespace": "Group",
      "object": "developer",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "Tom",
        "relation": ""
      }
    },
    {
      "namespace": "Group",
      "object": "developer",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "John",
        "relation": ""
      }
    },
    {
      "namespace": "File",
      "object": "keto/README.md",
      "relation": "parents",
      "subject_set": {
        "namespace": "Folder",
        "object": "keto/",
        "relation": ""
      }
    }
  ],
  "next_page_token": ""
}

#keto

Hello, my question might seem strange but I am trying to use the TS keto SDK. From what I figured out, I have to use the

PermissionApi

to generate a client. Then I have to use the

checkPermission

function to test the permission. What I don’t understand is why the

checkPermission

function asks for a relation ? The payload seems to be the same than for creating a relationship. I checked the HTTP API and it asks for the same thing. But in my case I want to test if “userId” can do the action “edit”. I don’t want to check if “userId” is a member of “editors”. I want to check actions not relations. It should be the OPL that is in charge of translating permissions to relation membership based on my OPL rules. What did I miss ?

Hello everyone, how are you?! 👋 I'm trying to find an open-source tool to handle the permissions of my application. So, I have an admin dashboard, and the three basic features that I need are: 1. List the resources and roles that a user has access (user page details) : 2. List the users and roles that have access to a specific resource (resource details page): 3. Check if a user can perform an action. This one I'm sure I can do with keto. Can I do the numbers 1 and 2 with keto, remembering that I will have relations (implicit roles), so I can't only list the relations (explicit) on the database. Basically, this is my model:

import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class Workspace implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
  }
}

class Organization implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: Workspace[]
  }
}

An Organization can be in one or more workspaces, and if the user is the owner of the Workspace (explicit) he will be the owner of the Organization (implicit). Example:

User:user1 is in owners of Organization:org1
Workspace:ws1 is in parents of Organization:org1
User:user2 is in owners of Workspace:ws1

User 1 and 2 are owners of org1. I believe an image will be better to understand ... 1. Detalle de usuário: user details page 2. Detalle de la organizacion: organization details page 3. Detalle ell ambient: workspace details page

Has anyone successfully integrated Ory Keto with a Django Admin site? I'm currently working on integrating it using a custom middleware and a backend that calls Keto's check API from

has_perm

. However, I've encountered a problem with this approach: the page load time is significantly slowed down due to multiple ModelAdmins making calls to the check API when generating the admin view. One potential solution is to leverage Django's permission system, which is based on user groups. This system loads the entire permissions model in memory for a given user and quickly evaluates the user's permissions for each ModelAdmin. However, it's unclear if Ory Keto supports this method.

what would be the recommended approach to model permissions where the relation can be one of multiple namespaces, a user or a group of users and for access to the group would need to traverse? its currently not possible because a warning that the view permit is not on the user is thrown example

class File implements Namespace {

related: { owners: (User | Group)[]; }; permits = { view: (ctx: Context): boolean => this.related.owners.includes(ctx.subject) || this.related.owners.traverse((p) => p.permits.view(ctx)) // error throws here because user doesn't have a permit

};

}

OPL syntax check endpoint is giving 404 page not found. keto config:

version: v0.11.1

dsn: memory

namespaces:
  location: file:///home/ory/namespaces.keto.ts

log:
  level: debug
  format: json
  leak_sensitive_values: true


serve:
  read:
    host: 0.0.0.0
    port: 4466
  write:
    host: 0.0.0.0
    port: 4467

I am making a post request to this endpoint : localhost:4466/opl/syntax/check #keto

Sending the same request body in creating relationship tuples creates multiple entry causing redundancy, is there a way to skip adding the permission if it already exists? example if i have a request body:

{
  "namespace": "Folder",
  "object": "keto/src/",
  "relation": "parents",
  "subject_set": {
    "namespace": "Folder",
    "object": "keto/",
    "relation": ""
  }
}

and i make multiple put request to the create API instead of keeping a single copy it adds multiple entries of the same relationship tuple. #keto

Hello, what is the standard way to check if a user can do an action ? I see from the API that we can test for relationships but not actions. What I would like is to check if

user

can

edit

(action) the file

myfile

from the

File

namespace. I do not want to check if

user

is

editors

(relation) of the file

myFile

.

How to debug OPL, something like using console.log or any logging capabilities.

I’m working on a simple test case in OPL and am having some problems getting things working (using Ory Network). My current model is:

import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types"

class Account implements Namespace { }

class Organization implements Namespace {
  related: {
    members: Account[]
  }

  permits = {
    view: (ctx: Context): boolean => this.related.members.includes(ctx.subject)
  }
}

However, I get a denied when checking if an account has permission to view an Organization that it’s a member of:

$ ory list relationships
NAMESPACE	OBJECT					RELATION NAME	SUBJECT
Organization	b8cec46a-2544-487a-9a22-a1ce10aaa552	member		Account:6ec2f549-0006-469e-af3b-1bd4207e7035

NEXT PAGE TOKEN
IS LAST PAGE	true

$ ory is allowed Account:6ec2f549-0006-469e-af3b-1bd4207e7035 view Organization b8cec46a-2544-487a-9a22-a1ce10aaa552
Denied

Am I missing something simple here?

And scratch that question, simple typo (“member” vs “members”)

Keto friends! I know this may be sorta unconventional, but I am trying to use the keto grpc client for typescript (the pre-generated one), and it fails building with the error "Exports and export assignments are not permitted in module augmentations." - which kinda makes sense, but I don't think there is anything I can do to fix it, is there? This is the package imported from npm @ory/keto-grpc-client

Hello, I have an issue using the

traverse

function in my Keto OPL files. Here are the permissions:

export class User implements Namespace {}

export class UserList implements Namespace {
	related: {
		members: User[]
		community: Community[]
	}

	permits = {
		view: (ctx: Context): boolean => this.related.community.traverse((c) => c.permits.view(ctx)),
		add_member: (ctx: Context): boolean =>
			this.related.community.traverse((c) => c.related.user_list_managers.includes(ctx.subject)),
		remove_member: (ctx: Context): boolean =>
			this.related.community.traverse((c) => c.related.user_list_managers.includes(ctx.subject)),
	}
}

export class Community implements Namespace {
	related: {
		members: (User | SubjectSet<UserList, "members">)[]
		user_list_managers: (User | SubjectSet<UserList, "members">)[]
	}

	permits = {
		view: (ctx: Context): boolean => this.related.members.includes(ctx.subject),
		create_user_list: (ctx: Context): boolean => this.related.user_list_managers.includes(ctx.subject),
	}
}

My issue is that when using the Ory Network I can make it work and get allowed when intended (checking

add_member

for example) But when I use the self hosted version of Keto and I create exactly the same relations using the API I get “denied” instead of allowed. What am I doing wrong ? Is there an issue with how I use traverse ? Or maybe with how I create relations ? I put my Ory Network relations and my database relations in thread for comparison.

After enquiring on the payload returned from Ory Network, I found that I should have created my community relationships this way:

{
  "namespace": "UserList",
  "object": "copains",
  "relation": "community",
  "subject_set": {
    "namespace": "Community",
    "object": "com",
    "relation": ""
  }
}

instead of this way:

{
  "namespace": "UserList",
  "object": "copains",
  "relation": "community",
  "subject_id": "com"
}

After using the proper way my issue is fixed! Maybe this way of doing should be more documented as using an empty relation was not intuitive to me.

Hello, Is it possible to remove all relationships related to an entity with a single request ? There is a DELETE endpoint but for example I have `Group`s that have both relationships as the object (users are

members

of groups) and also as subject set (

members

of

myGroup

are

admins

of a

Community

). If I only had relationships where the group is the object then I believe the endpoint would be enough but how about when it is a subject set ? Do I have to do two requests, one with the group as the object and one as the subject set ? What should be the payload of each request then ? Thanks for any help!

Hello,I have a question when i follow the guides below：https://www.ory.sh/docs/keto/install#docker，I executed the following two commands：docker pull oryd/keto:v0.11.1-alpha.0 docker run --rm -it oryd/keto:v0.11.1-alpha.0 help，but there has no server start, what should i do？thanks

We're running Keto as our authorizer in Oathkeeper within our k8s cluster for checking the permissions of an identity before granting access. From initial testing however, it doesn't appear that the Keto service is distributing load properly. Is this a known issue?