# talk-keto
f
I think others may have asked this but it has gone unanswered -- if I have a 'view' permits, how do I check which object IDs allow that given a subject? Using the List API doesn't seem to return results -- it seems like permits are only considered relations when interacted with via the Check service, but nothing else? The use case is I want to determine which objects a subject has effective permissions to so I can filter them before returning them from an API service.
actually, I think it's this bug: https://github.com/ory/keto/issues/1060
any idea of when that bug would be fixed? Any pointers on how to fix it? Wouldn't mind dumping a PR but I'm not familiar yet with the keto codebase unless someone could give me pointers.
s
Unfortunately it is not a quick bug fix but we need a new API for that. It's the most requested feature, so we do want to prioritize it. For now you have to use the list API and query relations.
f
I've tried that, but I can't seem to get it to work (against the rewrites example):
```
keto relation-tuple get --insecure-disable-transport-security --relation edit --subject-id User:Henning --namespace File
neither flag --read-remote nor env var KETO_READ_REMOTE are set, falling back to 127.0.0.1:4466
NAMESPACE	OBJECT	RELATION NAME	SUBJECT	

NEXT PAGE TOKEN		
IS LAST PAGE	true
```
doesn't seem like the list api respects rewrites either iow, unless I'm doing it wrong (which is entirely possible!)
thank you for the response btw!
subject-set works and shows owners:
```
keto relation-tuple get --insecure-disable-transport-security --namespace File --subject-set 'User:Henning'
neither flag --read-remote nor env var KETO_READ_REMOTE are set, falling back to 127.0.0.1:4466
NAMESPACE	OBJECT	RELATION NAME	SUBJECT		
File		private	owners		User:Henning	

NEXT PAGE TOKEN		
IS LAST PAGE	true
```
but adding the edit relation in gives nothing back:
```
keto relation-tuple get --insecure-disable-transport-security --namespace File --relation edit --subject-set 'User:Henning'
neither flag --read-remote nor env var KETO_READ_REMOTE are set, falling back to 127.0.0.1:4466
NAMESPACE	OBJECT	RELATION NAME	SUBJECT	

NEXT PAGE TOKEN		
IS LAST PAGE	true
```
s
Yes that does not work unfortunately, you will have to determine the relations to query