# talk-keto
b
is there a proper keto integration tutorial somewhere? the documentation doesn’t really work (i.e. all the guides seem to skip how to provide the opl file for the docker compose setup). I just wanna follow something to get keto up and running for a POC to see if it works for us (w/o using the different managed API). I’m using the following in the keto.yml:
```yaml
namespaces:
  location: file:///home/ory/workspaces.ts
```
also the cat video example is horribly outdated with 0.6.x while current is 0.11.x and I get the impression that keto is nowhere near production ready with bugs like https://github.com/ory/keto/issues/1330 and https://github.com/ory/keto/issues/1339 w/o any updates/answers at all or for a while. can someone comment on the status of the project? I don’t see a lot of progress on github as well. looks to me like focus is elsewhere? PS: let me also add this ticket https://github.com/ory/keto/issues/1060
and I didn’t find a documented way on how to provide OPL input for running keto instances. how do you update that while it’s running? the schema will evolve eventually 🤔
b
This is also a question that I am trying to find out 🙂
b
we could keep each other posted if we learn something @billions-leather-15882 ;) what I found is that you can maybe manipulate something to namespaces as mentioned here: https://www.ory.sh/docs/keto/cli/keto-namespace. but then again keto cli doesn’t work with dockerized keto instances right now (see above) and additionally, the documentation is pretty much non-existent. not sure what that thing does
if that’s really the source, then it seems to be able to read OPL judging from config_template/namespaces.ts.tmpl
b
yes, using the ory cli tool you can "patch" the opl file... but I am running ory as docker containers
b
can you elaborate? my understanding is that keto cli should be able to talk to docker containers in theory, it’s just a bug that it doesn’t work right now. I just want to understand how this would work once in production.
b
I don't either. That is just the only thing I have found how to use OPL with keto. I did some grepping of the source code and at least there does not seem to be any api endpoint except the syntax check that is for the opl
b
that was my finding as well, looking at the API documentation
b
I also tried the same as you - put the namespaces.ts file to the config but no luck with that
Seems that I was able to make it work
I had an error in the namespaces: configuration
How is your docker compose file for keto setup? I have:
```yaml
volumes:
  - ./keto/config:/home/ory
```
And in keto/config file I have permissions.ts
And in keto.yml I have
```yaml
namespaces:
  location: file:///home/ory/permissions.ts
```
but how do I confirm that it works though... Lots of questions I do have 🙂
if I want to save subject_id "1" (just to simplify the uuid) and it represents user, should I save it as User:1 or is it up to me how to separate the subject_id from the namespace?
or is this the case for subject_sets?
it seems it works because my "NotDefined" namespace causes an error 🙂
Did you get it working as well?
b
you could check it by creating a permission via curl:
```
~/d/k/keto >>>  curl http://0.0.0.0:4467/admin/relation-tuples -d ' {
                    "$schema": "../.schema/relation_tuple.schema.json",
                    "namespace": "workspace",
                    "object": "1",
                    "relation": "owner",
                    "subject_set": {
                        "namespace": "user",
                        "object": "alice"
                    }
                }' -X PUT
```
= that gives me
{"error":{"code":404,"status":"Not Found","reason":"Unknown namespace with name \"workspace\".","message":"The requested resource could not be found"}}
b
at least you are not using the naming correctly.. it should be Workspace and User .. and relation should be owners... Does your keto complain something when you bring it up?
how about your opl file?
b
nope, no relevant logs
b
Can you show me your opl file?
b
Yep.. you have namespace: "Workspace".. so "workspace" does not work
also relation is "owners" not "owner"
b
okay let me try that, thank you!
b
Try with those small changes
b
niiice! thank you so much haha
```
~/d/k/keto >>>  curl http://0.0.0.0:4467/admin/relation-tuples -d ' {
                    "$schema": "../.schema/relation_tuple.schema.json",
                    "namespace": "Workspace",
                    "object": "1",
                    "relation": "owners",
                    "subject_set": {
                        "namespace": "User",
                        "object": "alice"
                    }
                }' -X PUT
{"namespace":"Workspace","object":"1","relation":"owners","subject_set":{"namespace":"User","object":"alice","relation":""}}
```
b
no prob! Even though our problems were a little bit different, you were able to help me still 🙂
And I was able to help you!
b
haha, that’s great to hear! 🤝
maybe I’ll publish my poc in go, that would help a lot of people. keto really needs just a simple repo with a compose and a simple integration, that would be so helpful
b
Maybe even an example with opl and few curl commands would do the trick
b
yup, I would include that
```
~/d/k/keto >>>  curl "http://0.0.0.0:4466/relation-tuples/check?namespace=Workspace&object=1&relation=owners&subject_id=alice"
{"allowed":false}
~/d/k/keto >>>  curl "http://0.0.0.0:4466/relation-tuples/check?namespace=Workspace&object=1&relation=users&subject_id=alice"
{"allowed":false}
~/d/k/keto >>>  curl "http://0.0.0.0:4466/relation-tuples/check?namespace=Workspace&object=1&relation=users&subject_id=bob"
{"allowed":false}
```
that’s not working as expected 😄 @billions-leather-15882 did you get a check to work yet?
```
~/d/k/keto >>>  curl "http://0.0.0.0:4466/relation-tuples/expand?namespace=Workspace&object=1&relation=owners"
{"type":"union","children":[{"type":"leaf","tuple":{"namespace":"","object":"","relation":"","subject_set":{"namespace":"User","object":"alice","relation":""}}}],"tuple":{"namespace":"","object":"","relation":"","subject_set":{"namespace":"Workspace","object":"1","relation":"owners"}}}
~/d/k/keto >>>  curl "http://0.0.0.0:4466/relation-tuples/expand?namespace=Workspace&object=1&relation=users"
{"type":"union","children":[{"type":"leaf","tuple":{"namespace":"","object":"","relation":"","subject_set":{"namespace":"User","object":"bob","relation":""}}}],"tuple":{"namespace":"","object":"","relation":"","subject_set":{"namespace":"Workspace","object":"1","relation":"users"}}}
```
okay, got it!
instead of querying via the GET, query by post and use subject_set instead of subject_id:
```
~/d/k/keto >>>  curl "http://0.0.0.0:4466/relation-tuples/check" -d '{
                "namespace": "Workspace",
                "object":"1",
                "relation":"owners",
                "subject_set":{"namespace":"User","object":"alice"}
                }' -X POST
{"allowed":true}
```
b
I am using the client library on the communications so it is a little bit easier to get those right
b
yeah I also use that, but wanted to validate with curl first 🙂 worked out in the end!