I am migrating some legacy authorization code to Ory Keto and encountered a permission check issue. A part of the process is a generic RBAC where a role restricts access to some entity types (without checking ownership) and access types. Since the entity type and role should be dynamic, I created the following rules:
import type {
 Namespace,
 Context,
 SubjectSet,
} from '@ory/permission-namespace-types';

// Leaf namespace: a User has no relations of its own and only ever appears
// as the subject of another namespace's tuple (e.g. Group#members).
class User implements Namespace {
}

// A Group is a membership container. Its only relation, `members`, is what
// other namespaces point at via SubjectSet<Group, 'members'>.
class Group implements Namespace {
  related: {
    // Direct members; tuple form: Group:<id>#members@User:<id>
    members: User[];
  };
}

// Generic, ownership-free RBAC over an entity type. Every grant relation is a
// subject set over Group#members, so a tuple must name the set explicitly
// (Entity:<type>#managers@Group:<role>#members) for the group's members to
// inherit the permission; a bare Group:<role> subject will not expand.
class Entity implements Namespace {
  related: {
    // Managers get every access type below.
    managers: SubjectSet<Group, 'members'>[];
    creators: SubjectSet<Group, 'members'>[];
    viewers: SubjectSet<Group, 'members'>[];
    editors: SubjectSet<Group, 'members'>[];
  };

  permits = {
    // For each access type: managers always pass, otherwise the matching role.
    create: (ctx: Context) =>
      this.related.managers.includes(ctx.subject) ||
      this.related.creators.includes(ctx.subject),
    read: (ctx: Context) =>
      this.related.managers.includes(ctx.subject) ||
      this.related.viewers.includes(ctx.subject),
    update: (ctx: Context) =>
      this.related.managers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject),
    // Deliberately the same audience as update: there is no separate
    // "deleters" relation, so anyone who may edit may also delete.
    delete: (ctx: Context) => this.permits.update(ctx),
  };
}
Create some relationships: 1. Group:testRole#members@User:userId 2. Entity:Annotation#managers@Group:testRole 3. Entity:Calendar#editors@Group:testRole 4. Entity:Dashboard#managers@Group:testRole. Then fetch the relationships for the given user: http://keto:4466/relation-tuples?subject-id=userId
{
  "relation_tuples": [
    {
      "namespace": "Group",
      "object": "admin",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "userId",
        "relation": ""
      }
    },
    {
      "namespace": "Entity",
      "object": "Calendar",
      "relation": "editors",
      "subject_set": {
        "namespace": "Group",
        "object": "testRole",
        "relation": ""
      }
    },
    {
      "namespace": "Entity",
      "object": "Dashboard",
      "relation": "managers",
      "subject_set": {
        "namespace": "Group",
        "object": "testRole",
        "relation": ""
      }
    },
    {
      "namespace": "Entity",
      "object": "Annotation",
      "relation": "managers",
      "subject_set": {
        "namespace": "Group",
        "object": "testRole",
        "relation": ""
      }
    },
    {
      "namespace": "Group",
      "object": "testRole",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "userId",
        "relation": ""
      }
    }
  ],
  "next_page_token": ""
}
Check permissions 1. With the subject Group:testRole (the bare group object, i.e. an empty subject_set.relation): http://keto:4466/relation-tuples/check?namespace=Entity&object=Annotation&relation=read&subject_set.object=testRole&subject_set.namespace=Group&subject_set.relation
{
  "allowed": true
}
2. With the subject User:userId, who is a member of Group:testRole: http://keto:4466/relation-tuples/check?namespace=Entity&object=Annotation&relation=read&subject_set.object=userId&subject_set.namespace=User&subject_set.relation Here comes the problem…
{
  "allowed": false
}
Following the documentation here and from my past experience, I believe this permission check should be valid. Why isn’t it?
The mistake was on me!🙈 Instead of the following relationships: 1. Entity:Annotation#managers@Group:testRole 2. Entity:Calendar#editors@Group:testRole 3. Entity:Dashboard#managers@Group:testRole It should have been: 1. Entity:Annotation#managers@Group:testRole#members 2. Entity:Calendar#editors@Group:testRole#members 3. Entity:Dashboard#managers@Group:testRole#members. The relation is declared as SubjectSet<Group, 'members'>, so the subject of the tuple has to be the subject set Group:testRole#members, not the group object Group:testRole. Note that Keto still stored the bare-object tuples and answered "allowed": true for the check with Group:testRole as subject, because that subject matched the tuple directly — which is why the first check looked fine while every actual member was denied. A passing check with the group itself as subject therefore does not prove that its members inherit the permission; verify with a member's User subject (and a non-member as a negative case) after writing the tuples.