Hey guys need some help in understanding how do I connect th Ory Community #ory-selfhosting

Hey guys need some help in understanding how do I ...

acceptable-psychiatrist-42609

05/22/2025, 11:57 AM

Hey guys need some help in understanding how do I connect the namespace_permissions.ts file with the config file to make it work on the ory keto self hosted structure?

mysterious-mechanic-56172

07/30/2025, 1:22 PM

Hey @acceptable-psychiatrist-42609 were you able to find solution to this ? i am also stuck at same place, nned a way to mount namespace.ts in keto self hosted

adorable-dream-95774

07/31/2025, 11:49 PM

I'm stuck here too

adorable-dream-95774

08/01/2025, 2:12 AM

Figured this out. In

keto.yml

you need to add:

Copy code

namespaces:
  location: file:///<path-to-your-file>

In my case, I mounted my file in my docker-compose for local development to /etc/config/keto/permissions.ts. So I have:

Copy code

serve:
  read:
    host: 0.0.0.0
    port: 4466
  write:
    host: 0.0.0.0
    port: 4467
  metrics:
    host: 0.0.0.0
    port: 4468

namespaces:
  location: file:///etc/config/keto/permissions.ts

dsn: <postgres://keto:keto_secret@keto-db:5432/keto>

log:
  level: trace
  format: json

🙌 1

mysterious-mechanic-56172

08/01/2025, 7:00 AM

Hey @adorable-dream-95774, Thanks for the help, its working now

magnificent-energy-493

08/01/2025, 10:42 AM

Thanks for sharing the solution Robert. We can probably add something to the troubleshooting docs here 🤔

adorable-dream-95774

08/01/2025, 3:51 PM

It'd def be helpful to future folks to somehow improve the docs. I'd be happy to contribute, it'd be my first contribution. It seems like there is some confusion about this: https://archive.ory.sh/t/28573171/for-self-hosted-ory-keto-how-do-i-connect-my-typescript-perm The solution I found here: https://github.com/ory/keto/discussions/1125

adorable-dream-95774

08/01/2025, 5:17 PM

I still haven't gotten traversal to work as expected but it may be implementation issues on my end when creating tuples. But I'm able to pick up the file and create tuples in the appropriate namespace and make simple tuple checks

adorable-dream-95774

08/01/2025, 6:27 PM

I finally got this to work. The key insight for me was that parent relationships for checks that use traversal require

subject_set

in the tuples themselves in addition to the

traverse

definition in the OPL schema. So, for example, I have:

Copy code

import { Namespace, Context } from "@ory/permission-namespace-types"

class User implements Namespace {}

// FollowUpBoss CRM entities
class FollowUpBossPerson implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),
    edit: (ctx: Context): boolean =>
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject)
  }
}

class FollowUpBossDeal implements Namespace {
  related: {
    owners: User[]
    editors: User[]
    viewers: User[]
    parents: FollowUpBossPerson[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((parent) => parent.permits.view(ctx)),
    edit: (ctx: Context): boolean =>
      this.related.editors.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject) ||
      this.related.parents.traverse((parent) => parent.permits.edit(ctx))
  }
}

Then as example tuples I have:

Copy code

{
  "relation_tuples": [
    {
      "namespace": "FollowUpBossPerson",
      "object": "FollowUpBossPerson:636",
      "relation": "editors",
      "subject_id": "eefa251f-cff2-468f-9ffb-15ff9dc32b46"
    },
    {
      "namespace": "FollowUpBossDeal",
      "object": "FollowUpBossDeal:1793",
      "relation": "editors",
      "subject_id": "FollowUpBossPerson:636"
    },
    {
      "namespace": "FollowUpBossDeal",
      "object": "FollowUpBossDeal:1793",
      "relation": "parents",
      "subject_set": {
        "namespace": "FollowUpBossPerson",
        "object": "FollowUpBossPerson:636",
        "relation": ""
      }
    },
    ...
  ]
}

Then I can perform checks:

Copy code

❯ curl -X POST "<http://localhost:4466/relation-tuples/check>" \
                                                        -H "Content-Type: application/json" \
                                                        -d '{
                                                      "namespace": "FollowUpBossDeal",
                                                      "object": "FollowUpBossDeal:1793",
                                                      "relation": "view",
                                                      "subject_id": "FollowUpBossPerson:636"
                                                    }'
{"allowed":true}

❯ curl -X POST "<http://localhost:4466/relation-tuples/check>" \
                                                        -H "Content-Type: application/json" \
                                                        -d '{
                                                      "namespace": "FollowUpBossDeal",
                                                      "object": "FollowUpBossDeal:1793",
                                                      "relation": "view",
                                                      "subject_id": "eefa251f-cff2-468f-9ffb-15ff9dc32b46"
                                                    }'
{"allowed":true}

Hope this helps anyone else stuck on this!

Open in Slack

Previous Next