Hi, is there a way to create OPL and upload this t...
# _newcomer
g
Hi, is there a way to create OPL and upload this to an instance of Ory Keto? There does not seem to be a corresponding RESTful API operation that does this: https://www.ory.sh/docs/reference/api#tag/relationship/operation/getRelationships
m
Hello @glamorous-mouse-45555, you do it through updating the configuration, either through the API on Ory Network or directly when self-hosting.
g
Thank you for the reply. I noticed that under the permissions schema it is blank. Is there documentation anywhere that can help me find out what the acceptable fields are in that API route that you shared? This is what I see:
```
"services": {
  "identity": {},
  "oauth2": {},
  "permission": {
    "config": { }
  }
},
```
Looking for documentation for the `config: {}` object.
c
This is a very rough spot in the documentation. The instructions for Ory Network are clear, but for Keto self-hosted you need to reverse engineer the code. I am facing the same issue, will figure it out but definitely giving me second thoughts. Duplicate questions:
https://ory-community.slack.com/archives/C02PSRUGUAV/p1722087609983569
https://ory-community.slack.com/archives/C0522079BS5/p1722029147891349
https://ory-community.slack.com/archives/C0522079BS5/p1728079087757669
https://ory-community.slack.com/archives/C010F7Z4XM1/p1725371785977109?thread_ts=1725283062.171299&cid=C010F7Z4XM1
For the next reader, here is what worked for me.
`$ORY_NAMESPACE` is your k8s Ory namespace. Generate a ConfigMap from your directory of OPL files. This command assumes you have one or more in a folder called "./policies". It does not apply anything to your cluster, it just loads the files into a ConfigMap and dumps it to YAML:
```
kubectl create configmap typescript-files-configmap --from-file=./policies/ -n $ORY_NAMESPACE --dry-run=client -o yaml > typescript-files-configmap.yaml
```
(If you are not doing GitOps with your manifests, you can go ahead and apply this ConfigMap before continuing.)
Assuming you are using the Helm chart, you need to add an extra volume and volume mount to your values overrides and make sure your namespace location is referencing the files mounted. Like so:
```
keto:
  config:
    namespaces:
      location: file:///etc/config/opl_dir/
deployment:
  extraVolumes:
    - name: opl-dir-volume
      configMap:
        name: typescript-files-configmap
  extraVolumeMounts:
    - name: opl-dir-volume
      mountPath: /etc/config/opl_dir/
      readOnly: true
```
Now when you render your chart, it'll generate deployments with this volume and volume mount defined, allowing the location of your policies to be resolved/loaded by Keto. This approach does seem to mean a restart of the pods (at least) is necessary when the policies change, meaning it may not be a good approach if some of your policies are dynamically derived (say from customer-configured rules).