b
Hi Ory Team, I've run into an issue where I have a matching set of relationships for managing two different objects. One of the checks succeeds and one of the checks fails. I could use some help debugging this; from what I can tell, my relationships are set up correctly. (I would not be surprised if the issue is something as simple as a spelling mistake.) Any assistance is greatly appreciated. Here are the relevant relationships. I've inserted some fake ids where necessary.
Namespace       Object    Relation  Subject                          Check Success
event           a         owner     myUser                           TRUE
event           b         owner     myUser                           FALSE
event           c         owner     myUser                           FALSE
administrators  global    member    myUser                           TRUE
administrators  calendar  member    administrators#global:member     TRUE
event           c         owner     administrators#calendar:member   TRUE
event           a         owner     administrators#calendar:member   TRUE
event           b         owner     administrators#calendar:member   TRUE
n
Hi, how are you checking this? Can you post the actual requests you did?
b
Hi @narrow-van-43826, the above is using the CLI to search for relations. I retried this using the NodeJS SDK by manually performing checks in my permissions handling middleware. I'm using the KetoRead, getCheck(...)
Requests:
getCheck('event', '19af3e48-8976-4632-9dbc-23be10613350', 'owner', undefined, 'administrators', 'calendar', 'member') -> allowed: true
getCheck('event', '19af3e48-8976-4632-9dbc-23be10613350', 'owner', undefined, 'administrators', 'global', 'member') -> allowed: true
getCheck('event', '19af3e48-8976-4632-9dbc-23be10613350', 'owner', 'myUserId') -> allowed: true
getCheck('event', 'ba448d5b-a325-4ff9-b9e3-8fc68748c69b', 'owner', undefined, 'administrators', 'calendar', 'member') -> allowed: true
getCheck('event', 'ba448d5b-a325-4ff9-b9e3-8fc68748c69b', 'owner', undefined, 'administrators', 'global', 'member') -> allowed: true
getCheck('event', 'ba448d5b-a325-4ff9-b9e3-8fc68748c69b', 'owner', 'myUserId') -> allowed: false
getCheck('administrators', 'calendar', 'member', undefined, 'administrators', 'global', 'member') -> allowed: true
getCheck('administrators', 'global', 'member', 'myUserId') -> allowed: true
Paths in the same order produced by the SDK:
/api/.ory/relation-tuples/check/openapi?namespace=event&object=19af3e48-8976-4632-9dbc-23be10613350&relation=owner&subject_set.namespace=administrators&subject_set.object=calendar&subject_set.relation=member
/api/.ory/relation-tuples/check/openapi?namespace=event&object=19af3e48-8976-4632-9dbc-23be10613350&relation=owner&subject_set.namespace=administrators&subject_set.object=global&subject_set.relation=member
/api/.ory/relation-tuples/check/openapi?namespace=event&object=19af3e48-8976-4632-9dbc-23be10613350&relation=owner&subject_id=myUserId
/api/.ory/relation-tuples/check/openapi?namespace=event&object=ba448d5b-a325-4ff9-b9e3-8fc68748c69b&relation=owner&subject_set.namespace=administrators&subject_set.object=calendar&subject_set.relation=member
/api/.ory/relation-tuples/check/openapi?namespace=event&object=ba448d5b-a325-4ff9-b9e3-8fc68748c69b&relation=owner&subject_set.namespace=administrators&subject_set.object=global&subject_set.relation=member
/api/.ory/relation-tuples/check/openapi?namespace=event&object=ba448d5b-a325-4ff9-b9e3-8fc68748c69b&relation=owner&subject_id=myUserId
/api/.ory/relation-tuples/check/openapi?namespace=administrators&object=calendar&relation=member&subject_set.namespace=administrators&subject_set.object=global&subject_set.relation=member
/api/.ory/relation-tuples/check/openapi?namespace=administrators&object=global&relation=member&subject_id=myUserId
It looks like there is a relationship between my user and the global administrator, which should chain down through calendar administrators as the owner of the event. I'm seeing this discrepancy with multiple events, where for some the owner relationship check succeeds, and for some it fails. It's consistent by event id; the same event isn't switching from allowed: false to allowed: true. If I add my user directly as an owner, the check succeeds. I've also tried increasing the depth, but that did not change the result.
s
I've also tried increasing the depth, but that did not change the result.
did you check that the global depth is not limiting the request depth here? the global depth is set in the config, while the request can specify only a lower depth
b
I'm using Ory Cloud and I'm not sure how to check the depth, I can't find it in the documentation. I know I haven't changed it from the default. Based on what I could find the default might be 5? Would this set of indirections count as 3 (calendar admin -> global admin -> user?)
s
hm with 3 indirections it should work...
you can see and set that through the CLI
b
Which command would it be? I don't see a command related to the keto config. The closest I could find was for the permissions config: https://www.ory.sh/docs/cli/ory-get-permission-config
s
Sorry yes, permissions = Keto
b
Is it supposed to show more than just my namespace configuration? The configuration only has a link in it, which links to the same namespace configuration that is displayed on ory.sh.