# talk-keto
l
Hey, I have a question about checking permissions. I've implemented simple RBAC in keto.namespaces.ts:
import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class Organization implements Namespace {
  related: {
    members: User[]
  }
}

class Role implements Namespace {
  related: {
    has: User[]
  }
}

class Permission implements Namespace {
  related: {
    allowed: (User | SubjectSet<Role, "has">)[]
  }
}

class Product implements Namespace {
  related: {
    owners: Organization[]
    viewers: SubjectSet<Permission, "allowed">[]
    editors: SubjectSet<Permission, "allowed">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
        this.related.owners.traverse((org) => org.related.members.includes(ctx.subject)) &&
        (this.related.viewers.includes(ctx.subject) || this.related.editors.includes(ctx.subject)),
    edit: (ctx: Context): boolean =>
        this.related.owners.traverse((org) => org.related.members.includes(ctx.subject)) &&
        this.related.editors.includes(ctx.subject),
  }
}
User is a member of some organization. User has some role. Role has some permissions. And permissions allow to view/edit Product. My initial tuples.json:
Organization    hazemag         members         User:Bob
Organization    hazemag         members         User:Alice
Organization    bmw             members         User:John
Role            developer       has             User:John
Role            developer       has             User:Bob
Role            viewer          has             User:Alice
Permission      view-products   allowed         Role:viewer
Permission      edit-products   allowed         Role:developer
Product         product/1       owners          Organization:hazemag
Product         product/1       viewers         Permission:view-products
Product         product/1       editors         Permission:edit-products
Product         product/2       owners          Organization:bmw
Product         product/2       viewers         Permission:view-products
Product         product/2       editors         Permission:edit-products
But those checks return denied:
keto check User:Alice view Product product/1
keto check User:Bob view Product product/1
Do you have any ideas why it's happening?
As I understand it, it should work, because when we check the permission we go this way: product/1 -> view -> viewers -> Permission:view-products -> allowed -> Role:viewer -> has -> User:Alice
Sorry, my mistake.
a
Has it been the "&&"? We are looking into keto as well and are building up something similar 😊
l
No, I just forgot to specify the "allowed" relation for those policies:
Product         product/1       viewers         Permission:view-products
It should be:
Product         product/1       viewers         Permission:view-products#allowed
a
Ah okay, thank you 👍