Is there any way to control access to keto itself ...
# talk-keto
c
Is there any way to control access to Keto itself? We're looking to implement the RBAC model and use Oathkeeper to secure the write API, with a small app to allow permissions to be managed. We want to allow certain users to update relation tuples only for certain objects. Am I correct that we'll need to write some sort of shim application to do this?
The initial plan was to have a pure frontend client/JS app to manage the permissions that would call the Keto write API directly, with Oathkeeper sitting in between to control access, but I don't think we can do this?
s
You could probably check that using Keto itself, although you would have to ensure only certain things can be updated... an error could quickly lead to privilege escalation. Not sure if you can configure Oathkeeper to do all of that.
Maybe something along the lines of
```jsonnet
authorizer: {
  handler: 'remote_json',
  config: {
    // Keto's read API relation-tuple check endpoint
    remote: 'https://keto.local/relation-tuples/check',
    // Go text/template rendered by Oathkeeper against the authentication session
    payload: |||
      {
        "subject_id": "{{ print .Subject }}",
        "relation": "{{ print (index .Header.Relation 0) }}",
        "namespace": "whatever-constant",
        "object": "{{ printIndex .MatchContext.RegexpCaptureGroups 2 }}"
      }
    |||,
    // .Header is an http.Header (map of string slices), so the first value of the
    // Relation header is taken explicitly; if the header is missing the template
    // fails to render and the authorizer denies the request (fails closed).
    // The object is taken from the second capture group of the access rule's URL regex.
  },
},
```
might work, but it depends on your use case: you would have to have all parameters in the header or path.
c
Ooh, that's neat. I hadn't thought about piping the result of a Keto check back into Oathkeeper.