# talk-keto
l
Hey guys, is it possible to get relation-tuple for subject based on permits from namespaces.keto.ts? My use case: I have such initial tuples

```
NAMESPACE       OBJECT          RELATION NAME   SUBJECT
groups          meta            members         users:Bob
roles           developer       has             users:Bob
permissions     view-products   allowed         roles:developer#has
products        1               viewersGroup    groups:meta
products        1               viewers         permissions:view-products#allowed
products        1               editors         permissions:edit-products#allowed
```
and such namespaces.keto.ts

```ts
// Type definitions for the Ory Permission Language
import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class users implements Namespace {
}

class groups implements Namespace {
  related: {
    members: users[]
    parents: groups[]
  }

  permits = {
    has_member: (ctx: Context): boolean =>
        this.related.members.includes(ctx.subject) ||
        this.related.parents.traverse((parent) => parent.permits.has_member(ctx))
  }
}

class roles implements Namespace {
  related: {
    has: users[]
  }
}

class permissions implements Namespace {
  related: {
    allowed: (users | SubjectSet<roles, "has">)[]
  }
}

class products implements Namespace {
  related: {
    editorsGroups: groups[]
    viewersGroups: groups[]
    editors: SubjectSet<permissions, "allowed">[]
    viewers: SubjectSet<permissions, "allowed">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
        (this.related.editorsGroups.traverse((org) => org.permits.has_member(ctx)) ||
            this.related.viewersGroups.traverse((org) => org.permits.has_member(ctx))) &&
        (this.related.editors.includes(ctx.subject) || this.related.viewers.includes(ctx.subject)),
    edit: (ctx: Context): boolean =>
        this.related.editorsGroups.traverse((org) => org.permits.has_member(ctx)) &&
        this.related.editors.includes(ctx.subject),
  }
}
```
When I ask keto about users:Bob view permission for product 1 - I'm getting Allowed

```
keto check users:Bob view products 1
```
But if I wanna get all products for which users:Bob has view permissions, how can I make it? I tried something like

```
keto relation-tuple get --subject-set users:Bob --namespace products --relation view
```
But it doesn't work, of course. Is it possible to achieve using keto? I see only one stupid workaround:

• get all roles and groups of user

```
keto relation-tuple get --subject-set users:Bob
```

• get all permissions for user roles

```
keto relation-tuple get --subject-set roles:developer#has --namespace permissions
```

• get all products available by permission and match it with products available for group ...

It's a very inconvenient way. Can you recommend something?
b
If I'm grokking right, `ListRelationTuples` on read service does this. https://github.com/ory/keto/blob/v0.10.0-alpha.0/proto/ory/keto/relation_tuples/v1alpha2/read_service.proto#L25 (Uncertain about the cli command equivalent)
l
As I understand, it doesn't support recursive traverse of relations.
I just saw the source code.
And it just does something like `select * from relation-tuples where subject="abc" and object="bca"`...
g
I think this is somewhat similar to the expand issue where an expand operation doesn't include permits from the rewrites. See https://github.com/ory/keto/issues/1060