Hi all I have a question about my Ory Keto setup if anyone w Ory Community #ory-selfhosting

Hi all. I have a question about my Ory Keto setup...

average-table-45768

07/10/2024, 4:51 PM

Hi all. I have a question about my Ory Keto setup if anyone would be willing to help me. I am thinking to raise this as a bug, but thought I would check here first to see if I have misunderstood anything. Given the below configuration, I am expecting the check

keto check User:<mailto:john.tester@test.com|john.tester@test.com> create Client ABC

to return

Allow

, but for some reason it returns

Denied

. Am I correct in assuming the

Allow

result should be expected here?

Copy code

//permission model

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
}

class UserGroup implements Namespace {
  related: {
    members: User[]
  }
}

class Client implements Namespace {
  related: {
    testers: (User | SubjectSet<UserGroup, "members">)[]
  }

  permits = {
    create: (ctx: Context): boolean =>
      this.related.testers.includes(ctx.subject)
  }
}




//relation tuples

[
  {
    "action": "insert",
    "relation_tuple": {
      "namespace": "UserGroup",
      "object": "testers_group",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "john.tester@test.com"
      }
    }
  },
  {
    "action": "insert",
    "relation_tuple": {
      "namespace": "Client",
      "object": "ABC",
      "relation": "testers",
      "subject_set": {
        "namespace": "UserGroup",
        "object": "testers_group",
        "relation": "members"
      }
    }
  }
]

average-table-45768

07/11/2024, 10:39 AM

Turns out it is because of the default configuration reference I pulled from the offical docs here https://www.ory.sh/docs/keto/reference/configuration The

max_read_depth

value restricts the traversal to 1 level.

8 Views

Open in Slack

Previous Next