<@U04UQ68083H> wake up
# ory-copilot
m
@chilly-king-10285 wake up
b
A message from kapa.ai
I'm here and ready to help! If you have any questions about Ory or its products, please let me know.
m
@chilly-king-10285 why does the ory-keto endpoint have two ports dedicated to read and write operations? Can it be configured to use only one?
b
A message from kapa.ai
Ory Keto uses two separate ports for read and write operations to enhance security and flexibility in deployment. The read API (typically on port 4466) is used for querying permissions, while the write API (typically on port 4467) is used for modifying relationships and permissions. This separation allows you to expose only the read API to certain services or networks, while keeping the write API more restricted, reducing the attack surface and risk of unauthorized modifications.

Regarding configuration: The knowledge sources do not explicitly state whether Ory Keto can be configured to use a single port for both read and write operations. The provided examples and documentation consistently show separate ports for these APIs, and this is a recommended practice for production deployments to improve security and control access granularity [Prepare for production](https://www.ory.sh/docs/keto/guides/production). If you need to change the ports or explore advanced configurations, you can refer to the configuration documentation, but based on the available information, running both APIs on a single port is not described as a supported or recommended setup [keto serve](https://www.ory.sh/docs/keto/cli/keto-serve).
m
@chilly-king-10285 how do I patch this relationship? `{ "namespace": "Project", "object": "project_number_2", "relation": "viewer", "subject_id": "mamma" }` What is the best strategy? I want to patch it into `{ "namespace": "Project", "object": "project_number_2", "relation": "owner", "subject_id": "mamma" }`
b
A message from kapa.ai
To patch a relationship in Ory Permissions (Keto), you can use the PATCH endpoint for relationships. Based on your example, you want to change the relation from "viewer" to "owner" for the subject "mamma" on the object "project_number_2" in the "Project" namespace. Here's how to do it:

## Using the PATCH API endpoint

You need to send a PATCH request to `/admin/relation-tuples` with a JSON payload that includes:

1. First, a delete action for the existing relationship
2. Then, an insert action for the new relationship

```json
[
  {
    "action": "delete",
    "relation_tuple": {
      "namespace": "Project",
      "object": "project_number_2",
      "relation": "viewer",
      "subject_id": "mamma"
    }
  },
  {
    "action": "insert",
    "relation_tuple": {
      "namespace": "Project",
      "object": "project_number_2",
      "relation": "owner",
      "subject_id": "mamma"
    }
  }
]
```
## Using Ory CLI

If you're using the Ory CLI with Ory Network, you can use the following approach:

```bash
# Create a JSON file with the patch operations
echo '[
  {
    "action": "delete",
    "relation_tuple": {
      "namespace": "Project",
      "object": "project_number_2",
      "relation": "viewer",
      "subject_id": "mamma"
    }
  },
  {
    "action": "insert",
    "relation_tuple": {
      "namespace": "Project",
      "object": "project_number_2",
      "relation": "owner",
      "subject_id": "mamma"
    }
  }
]' > patch.json

# Apply the patch
ory patch relation-tuples --project <project-id> --workspace <workspace-id> --file patch.json
```
Note that according to a GitHub issue comment, there's an inconsistency in the API where you might not be able to use the DELETE endpoint to remove relation tuples in some cases, but the PATCH endpoint works reliably for both adding and removing relationships [Github Issue (open): OPL traverse.(...) not working](https://github.com/ory/keto/issues/1330). This approach ensures atomicity - either both operations succeed or both fail, maintaining consistency in your permission system.
m
@chilly-king-10285 how do I get the existing relationship?

```json
{
  "action": "delete",
  "relation_tuple": {
    "namespace": "Project",
    "object": "project_number_2",
    "relation": "viewer",
    "subject_id": "mamma"
  }
}
```
b
A message from kapa.ai
To get the existing relationship that you want to delete, you can query the relationship using Ory's API or CLI. Here are the methods to retrieve the relationship:

## Using the REST API

You can use the `GET /relation-tuples` endpoint to query for the specific relationship:

```
GET /relation-tuples?namespace=Project&object=project_number_2&relation=viewer&subject_id=mamma
```
This will return all relationships matching these parameters [Ory API Reference](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json).

## Using the Ory CLI

```bash
ory list relationships \
  --namespace Project \
  --object project_number_2 \
  --relation viewer \
  --subject-id mamma
```
Or with the older command format:

```bash
ory list relation-tuples \
  --namespace Project \
  --object project_number_2 \
  --relation viewer \
  --subject-id mamma
```
[Ory CLI Documentation](https://www.ory.sh/docs/cli/ory-list-relationships)

## Using Keto CLI (if using standalone Keto)

```bash
keto relation-tuple get \
  --namespace Project \
  --object project_number_2 \
  --relation viewer \
  --subject-id mamma
```
[Keto CLI Documentation](https://www.ory.sh/docs/keto/cli/keto-relation-tuple-get)

The response will include the relationship details in a format similar to:

```json
{
  "relation_tuples": [
    {
      "namespace": "Project",
      "object": "project_number_2",
      "relation": "viewer",
      "subject_id": "mamma"
    }
  ],
  "next_page_token": ""
}
```
You can use this to verify the relationship exists before attempting to delete it or modify it. Would you like more information about any of these methods?
m
@chilly-king-10285 are you drunk? I don't know the previous "relation=viewer" - where do I get it?
b
A message from kapa.ai
I apologize for the confusion in my previous response. You're right to question this - if you don't know the current relation value, you need to query it first before attempting to modify it. To discover what relationships exist for a specific object and subject without knowing the relation type:

## Using the Ory CLI

```bash
ory list relationships \
  --namespace Project \
  --object project_number_2 \
  --subject-id mamma
```
This command will list all relationships between the subject "mamma" and the object "project_number_2" in the "Project" namespace, regardless of what the relation value is [Ory CLI Documentation](https://www.ory.sh/docs/cli/ory-list-relationships).

## Using the REST API

```
GET /relation-tuples?namespace=Project&object=project_number_2&subject_id=mamma
```
This query will return all relationships matching these parameters without specifying the relation [Ory API Reference](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json). Once you have the results, you can see what relation types exist (viewer, owner, editor, etc.) and then proceed with your patch operation to modify the relationship as needed. Thank you for pointing this out, and I apologize for the confusion in my previous response.