# talk-keto
q
Hello, I tried searching and couldn't see if this had been answered before. I'm evaluating a number of Zanzibar-based systems for our company and recently started looking at Keto. My main challenge was trying to figure out whether relationship-based access control (ReBAC) was also supported or if it was just role-based access control. https://www.ory.sh/docs/keto/guides/rbac.
If relationships are supported, how are they managed? Is there an SDL or configuration for managing the relationship between entities?
n
Hi, and thanks for your interest in Keto. Keto is based on relationships (see https://www.ory.sh/docs/keto/concepts/relation-tuples), which you can manage through our SDKs (https://www.ory.sh/docs/keto/sdk/).
What is your use case?
s
We currently only support relations. The guide for RBAC shows how to build RBAC on top of relations. You define and query relations through the API. Please see this PR where we implement global rewrite rules: https://github.com/ory/keto/pull/877
q
What is your use case?
We have a use case similar to what's described in the Airbnb blog post: https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574 where we are moving our business logic authorization to a service. As described in that paper, they have a configuration for managing relationships, and have the ability to reference other objects. I saw other projects like AuthZed have an SDL https://docs.authzed.com/guides/schema and Auth0 has a configuration language https://docs.fga.dev/modeling/configuration-language. I'm trying to understand Keto's equivalent.
n
Thanks for the details! We have something very similar to Himeji/Auth0/AuthZed in the works. Our SDL, the Ory Permission Language, is based on TypeScript, which we found easier to read and write in user studies. You can find an example of how the SDL looks here: https://www.typescriptlang.org/play?strictPropertyInitialization=false&noLib=true#code/PTAEGEHsFtsg7UAXAngBwKagCY[…]LgNhGjdzFPhfgSFzdhDOral23RkeJQgA. The actual implementation is currently under review (here: https://github.com/ory/keto/pull/877), so it should land in the master branch soon. I was one of the engineers building this, so if you have any feedback, concerns, or open questions, please reach out 🙂.
q
Thanks for the information, I'll take a look