lively-machine-47461
11/01/2021, 11:37 AM
# User1 owns usergroup:
echo "usergroups:395ba5f9-f596-4095-aaf1-25d138dfab9c#owner@(users:72f65406-45b1-4b2a-a6f2-af909c10c832#)" | \
keto relation-tuple parse - --format json | jq . > ./relation-tuples/user_usergroup.json
# Usergroup owns location:
echo "locations:0a4fa775-1bed-455b-b1b1-b91d40df667b#owner@(usergroups:395ba5f9-f596-4095-aaf1-25d138dfab9c#)" | \
keto relation-tuple parse - --format json | jq . > ./relation-tuples/usergroup_location.json
I would then think that I can validate the first authz relation like:
keto check users:72f65406-45b1-4b2a-a6f2-af909c10c832 owner usergroups 395ba5f9-f596-4095-aaf1-25d138dfab9c
It fails, since the user is not a subject; removing the # makes it work.
keto check users:72f65406-45b1-4b2a-a6f2-af909c10c832 owner locations 0a4fa775-1bed-455b-b1b1-b91d40df667b
steep-lamp-91158
users: prefix, it is just part of the subject id string
I.e. users:12345 is not equal to users:12345# and not equal to the subject id 12345
crooked-monkey-27395
11/03/2021, 8:44 AM
groups:123 as a subject id during read/write), which feels a bit hacky
steep-lamp-91158
crooked-monkey-27395
11/03/2021, 9:45 AM
steep-lamp-91158
groups:1234#member@1234, the IDs are still not considered equal btw, one is an object ID in the groups namespace, while the other is a subject ID
crooked-monkey-27395
11/03/2021, 9:50 AM
box:42#owner@1234 and box:42#owner@groups:1234 at the same time without conflicts, where subject id 1234 refers to a particular user (without a users Keto namespace) and subject id groups:1234 refers to a particular group (where groups is a Keto namespace)