white-twilight-17165
10/13/2023, 12:40 PM
Clients, Groups and Users. If a User is a member of a Group which is an accessor of a Client, then the User has permission to access the client.
My OPL file:

    import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types";

    class User implements Namespace {}

    class Group implements Namespace {
      related: {
        member: User[];
      };
    }

    class Client implements Namespace {
      related: {
        accessor: SubjectSet<Group, "member">[];
      };
      permits = {
        access: (ctx: Context) => this.related.accessor.includes(ctx.subject),
      };
    }
My relations in RTS (I have no idea what this syntax is officially called):

    Group:admin#member@User:woodywoodsta
    Client:uptime-kuma#accessor@Group:admin
My relations in JSON, as queried from what I currently have loaded into keto:

    {
      "relation_tuples": [
        {
          "namespace": "Client",
          "object": "uptime-kuma",
          "relation": "accessor",
          "subject_set": {
            "namespace": "Group",
            "object": "admin",
            "relation": ""
          }
        },
        {
          "namespace": "Group",
          "object": "admin",
          "relation": "member",
          "subject_set": {
            "namespace": "User",
            "object": "woodywoodsta",
            "relation": ""
          }
        }
      ],
      "next_page_token": ""
    }
If I check using a POST check with a body of:

    {
      "namespace": "Client",
      "object": "uptime-kuma",
      "relation": "access",
      "subject_set": {
        "namespace": "User",
        "object": "woodywoodsta"
      }
    }

I get false, however it is my understanding that the this.related.accessor.includes(ctx.subject) portion of my OPL effectively defines the subject set rewrite. What am I misunderstanding here?

white-twilight-17165
10/13/2023, 2:56 PM

    class User implements Namespace {}

    class Group implements Namespace {
      related: {
        member: User[];
      };
      permits = {
        member: (ctx: Context) => this.related.member.includes(ctx.subject),
      };
    }

    class Client implements Namespace {
      related: {
        accessor: Group[];
      };
      permits = {
        access: (ctx: Context) =>
          this.related.accessor.traverse((group) => group.permits.member(ctx)),
      };
    }
And this appears to indirectly give all members of accessors access to the client.
My question is now why using SubjectSet<> and a direct includes in the Client namespace permissions did not work the first time, forcing me to explicitly write a check for the members relationship in the permissions of the Group namespace?
I’m very confused!

white-twilight-17165
10/13/2023, 2:58 PM
SubjectSet types?