Hi Ory Community, I am reaching you out to try to solve some doubts I have regarding Ory Keto. As far as I has been able to discover, there is currently a stable version 0.5.x which is not following the Zanzibar paper and 0.6.x, 0.7.x and now 0.8.x release which are based on Zanzibar. My question is in regards the stability of the 0.7.x to use it in production: • Is it supporting PostgreSQL? • Does someone has tested it with let say millions of rows? • Other than that I know some features not implemented yet, would be that channel the best place to discuss feature specific questions or it is better to use Github discussions? Features I am interested in following/testing/contributing are: • Database sharding / Graph DB / Spicedb • RBAC • Reverse indexing (Query the list of objects a user has access to) • Performance test scalability

Is it true the

ListIdentities

page

is 1-indexed instead of 0-indexed? page=0 seems to be the same as page=1 also, is there an efficient way to get the total number of all identities in the system, for pagination?

is it possible for

Check

and

List

to be out of sync/inconsistent? We assigned a role to a user and

Check

confirmed that the user had that role. But when we call

List

on that user, the role doesn’t show up we only started seeing this today - was working fine for months

Hi, I was quite interested in how can we use the idea of shards in keto, didnt spent much time in exploring. But has anyone did it to scale keto instances? Would be interested to know this.

Hey Guys, Is it possible for keto to check one of two or more permissions? would be really helpful Im running into this issue when using

oathkeeper

that authorizes the routes based on matching the url. But this forces me to make multiple rules for the same permission

Any effort on comparing authzed spicedb vs keto with new zanzibar model... Would be good for making decision for the community

Any update when the OPA friendly Keto might drop? If someone wanted to build an ABAC prototype today is there any path you might recommend?

Is there anyone I could talk to that would be able to walk me through how to implement an API endpoint permissions setup with Keto? I’ve RTFM twice now and each time I’m more confused about how Keto works.

Hello again 🙂 I'm working on the access control for some object storage. Since there could be millions, if not billions of object in the storage, I can't possibly represent them all in Keto. But I still want to be able to define rights at the object granularity. So the solution that I found was to only store in keto the rights to objects that do not have the default rights, and rely on more global permissions (eg. bucket). However the only way that I found to do that would be to check access multiple times, starting with the more global ACLs and working my way down to more specific permissions. So for example if I have to check the read right for a specific object, I would have the following checks to do :

// z is parent of y which is parent of x
storage:z#read@user // if allowed, stop here, else continue
bucket:y#read@user  // same
object:x#read@user  // if still not allowed here, then the user is not allowed on this object

I find that this is quite inefficient with the calls, as it creates quite a lot of calls for a single object. Is there a way to optimize it by doing a bulk check that would return as soon as there is 1 allowed ? Or maybe I'm missing something else ?

Making our own preflight request against the server with Curl (HTTP OPTIONS) will not give us any headers in the reponse - only the 200 OK.

Hello, I'm thinking of a way to handle a RBAC with Keto. I thought of reprensenting roles as a namespace using something like that :

storage:id1#read@roles:editor#member
storage:id1#write@roles:editor#member

However I read a bit about hotspot handling in the zanzibar paper and it seems this representation would cause a hotspot I think ? I guess the alternative to that would be to use inheritance of relations with subjectset rewrites once they're added, but in that case how would you handle listing the roles available for binding ? Do you have any best practice advice on this maybe ?

Hello, I am working on designing the access rights for my company and I thought that a visual representation of the graph created by the relation-tuples would be nice. I checked out the Auth0 Sandcastle and the AuthZed playgrounds, but these are not at all the kind of graph visualization I had in mind. So I did a quick and dirty POC by parsing the relation-tuples and converting them to graphviz syntax to get to what I wanted. Here it is : https://github.com/psauvage0/ketodot. I'd like to know if this kind of representation makes sense to other people, or if I'm just weird ? 😅 Or maybe I missed something that makes this kind of representation not useful ?

@User we released a fix on friday - use version 0.22 of out charrs

Hello, in Keto is there a way to list all the objects accessible by a user ? Something like

keto expand

but the other way around ?

Hi everyone, I am currently using v0.6, and I guess there are no wildcards in v0.6. I would like to utilize a wildcard for the following scenario: • The app consists of multiple domain-related objects (let's say text files). • You need

read

write

delete

or

update

policies for particular operations on the docs. For ex, in order to delete a doc called

temp_doc.txt

, you need

temp_doc.txt#delete@<user_id>

. • Also, the admin should do all of these operations like

*#*@(members:admin#member

which implies that the admin can do

any

action on

any

object. • So that, if the admin wants to read this

temp_doc.txt

,

temp_doc.txt#read@<admin_id>

should return true. However, I couldn't find a way to design this system. Does anyone have experience of Keto usage similar to this?  Thanks in advance!

Hi playing around a bit with the examples, here is my setup:

# User1 owns usergroup:
echo "usergroups:395ba5f9-f596-4095-aaf1-25d138dfab9c#owner@(users:72f65406-45b1-4b2a-a6f2-af909c10c832#)" | \
  keto relation-tuple parse - --format json | jq . > ./relation-tuples/user_usergroup.json

# Usergroup owns location:
echo "locations:0a4fa775-1bed-455b-b1b1-b91d40df667b#owner@(usergroups:395ba5f9-f596-4095-aaf1-25d138dfab9c#)" | \
  keto relation-tuple parse - --format json | jq . > ./relation-tuples/usergroup_location.json

I would then think that I can validate the first authz relation like:

keto check users:72f65406-45b1-4b2a-a6f2-af909c10c832 owner usergroups 395ba5f9-f596-4095-aaf1-25d138dfab9c

It fails, since the user is not a subject, removing the

#

makes it work. would it be possible to evaluate locations the same way? Yupp:

keto check users:72f65406-45b1-4b2a-a6f2-af909c10c832 owner locations 0a4fa775-1bed-455b-b1b1-b91d40df667b

I noticed the namespaces in the configuration file and whether they always need to be configured in the

keto.yml

? Just wondering if for every new namespace do I then need to modify this file? Or are these namespaces configurable in another way?

Is this the correct way to define a “owner” (a user) of a group?

groups:395ba5f9-f596-4095-aaf1-25d138dfab9c#owner@(users:72f65406-45b1-4b2a-a6f2-af909c10c832)

In our application, we have multiple organizations. The organizations have departments. Users can act on organization-level, where they have access to all the departments products - or on department-level, where they only have access to products in their own department. I'm wondering what the best way is to represent this? Currently I'm considering this approach:

products:org=1#list@(groups:organization1#members)

products:org=1,dep=1#list@(groups:department1#members)
products:org=1,dep=2#list@(groups:department2#members)
products:org=1,dep=1#list@(products:org=1#list)
products:org=1,dep=2#list@(products:org=1#list)

groups:department1#members@john
groups:organization1#members@jane

This way, John can only list products from his own department whereas Jane can list products from both department 1 and 2. Is this best-practice, or would you recommend another approach?

Whats the appropriate way to - via the gRPC client - validate if a transaction of relation tuples succeeded or failed?

wres, err := write.TransactRelationTuples(context.Background(),&ketoV1.TransactRelationTuplesRequest{
		RelationTupleDeltas: deltas,
	})

If I specify a non-existent namespace in the deltas,

err

is nill and I can't really get anything useful out of

wres

I've been working a bit with the Ory stack and I love it. I've started implementing Keto, but I'm stumped in importing the gRPC proto bindings for Go:

Hello, I'm doing some benchmarking on keto, and for that I need to create larger and larger databases. I was using `keto relation-tuple create`to ingest the benchmarking data, but I'm starting to hit a size limit when ingesting data (at around 4MB I believe). I was going to write a script to fragment my data, but maybe I missed a simpler solution ?

Hello, as a follow up for the documentation fix I provided. Gould we have a new relaese for the

keto-client-java

? It is basically "broken" and prevents us to being able to migrate to version 0.7

sorry for the repeated question, but as no one reacted and some news maybe obscured my question earlier, but do you guys have anywhere what is the correct structure for the setup for configuring the namespaces and relations in the config file for keto? The example is just a file (.keto_namespace) but I can't find it or examples to it anywhere

While updating to latest keto, I also updated to the latest keto-java-client. But it seems that for a

GET /relation-tuples

the object and relation parameter are now required. But the documentation says that "List API: Display all Objects a User has Access to" is still possible. I could create a ticket or Pull Request for that, but I am unsure where to do that, due to being some kind of automatic process 🙂

Thanks a lot to the Ory team for this new release! I wanted to try it out immediately, but I think the helm charts have not been updated yet. I get an error that the flag

--all-namespaces

is unknown in https://github.com/ory/k8s/blob/master/helm/charts/keto/templates/job-migration.yaml#L37 Can this be fixed easily and if so, are there any other issue to expect, or would everything work fine when this particular issue is solved?

Hello Keto, We have a usecase that implies relations among resources and we try to solve it with Keto. - We have users (which have user-uuid), groups (which have group-uuid) and projects (which have project-uuid). - Users can have access to projects. - Users can be part of groups (or not). - Users in group have access to projects of all users in that group. We do not want to get all project-uuid from Keto because we have to request them in database, and after benchmarking, this is a bad case to do a "where in project-uuid in (project-uuids...)". Because we do not want to do that kind of request, we think of another approach: request in db through ownerships. To do that, we have to trick with Keto to use it not to check permission of accessing projects, but get all owners of projects with the expand request. In our database we add to projects table an owner column which is the owner (which is an user-uuid). Keto store only the user-group relation as follow: - group-uuid#access@user-uuid - user-uuid#join@group-uuid - user-uuid#join@(group-uuid#access) -- all users in a group can access to its related subjects (users) - user-uuid#access@user-uuid -- in case the user is not part of a group the way to find all groups of a user is to expand: user-uuid#access the way to find all users in the group is to expand: group-uuid#join In that case, with one user-uuid and this two requests, we can get in our db all projects that the user has access to by filter by "where owner in (user-uuids...)". I think that I have revert the mecanism of Keto and I don't think that what it's intended for. Is that a good way to use keto to do that kind of usecase or it exist a best way to get all related projects of an user using Keto?

You might have noticed (@User did already), we are very close to a new release of Keto 🎉 just writing a migration guide and releasenotes, so you can start hacking right away 😉

Hi folks, any thoughts on authzed open sourced internal permissions db just release? Seems like a lot similar to keto https://github.com/authzed/spicedb