Hello, I tried searching and couldn't see if this ...
# talk-ketoq
quiet-mouse-79324
07/06/2022, 9:16 PMHello, I tried searching and couldn't see if this had been answered before. I'm evaluating a number of zanzibar-based systems for our company and recently started looking at Keto. My main challenge was trying to figure out whether relationship based access control (ReBAC) was also supported or if it was just role based access control. https://www.ory.sh/docs/keto/guides/rbac.
quiet-mouse-79324
07/06/2022, 9:19 PMIf relationships are supported, how are they managed? Is there an SDL or configuration for managing the relationship between entities?
n
narrow-van-43826
07/07/2022, 8:04 AMHi, and thanks for your interest in Keto. Keto is based on relationships (see https://www.ory.sh/docs/keto/concepts/relation-tuples), which you can manage through our SDKs (https://www.ory.sh/docs/keto/sdk/).
narrow-van-43826
07/07/2022, 8:05 AMWhat is your use case?
s
steep-lamp-91158
07/07/2022, 9:35 AM
We currently only support relations. The guide for RBAC shows how to build RBAC on top of relations. You define and query relations through the API. Please see this PR where we implement global rewrite rules: https://github.com/ory/keto/pull/877
q
quiet-mouse-79324
07/07/2022, 4:08 PMWhat is your use case?We have a use case similar to what's described in the Airbnb blog post: https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574 where we are moving our business logic authorization to a service. As described in that paper, they have a configuration for managing relationships, and have the ability to reference other objects. I saw other projects like authzed have an SDL https://docs.authzed.com/guides/schema and Auth0 has a configuration language https://docs.fga.dev/modeling/configuration-language. I'm trying to understand Keto's equivalent
n
narrow-van-43826
07/07/2022, 5:13 PMThanks for the details! We have something very similar to Himeji/Auth0/AuthZed in the works. Our SDL, the Ory Permission Language, is based on TypeScript, which we found easier to read and write in user studies.
You can find an example of how the SDL looks here: https://www.typescriptlang.org/play?strictPropertyInitialization=false&noLib=true#code/PTAEGEHsFtsg7UAXAngBwKagCY[…]LgNhGjdzFPhfgSFzdhDOral23RkeJQgA.
The actual implementation is currently under review (here: https://github.com/ory/keto/pull/877), so it should land in the master branch soon.
I was one of the engineers building this, so if you have any feedback, concerns, or open questions, please reach out 🙂.
q
quiet-mouse-79324
07/07/2022, 6:54 PMThanks for the information, I'll take a look
2 Views