# talk-keto
g
Hi All 👋, Does the expand API not drill down to the root namespace on empty relation in subject_set? The userset rewrite example does not expand the permission to the User level when we try to run - `keto expand parents File keto/README.md`
s
can you give example relation tuples you have stored, the namespace config, and what you get from expand?
g
We can consider the userset rewrite example itself:

Config:
```typescript
// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0
// import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"
/// <reference path="./lib.ts" />

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  // Some comment
  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}
```
tuples:
```json
[
  {
    "namespace": "Group",
    "object": "developer",
    "relation": "members",
    "subject_id": "patrik"
  },
  {
    "namespace": "Group",
    "object": "developer",
    "relation": "members",
    "subject_set": {
      "namespace": "User",
      "object": "Patrik"
    }
  },
  {
    "namespace": "Group",
    "object": "developer",
    "relation": "members",
    "subject_set": {
      "namespace": "User",
      "object": "Henning"
    }
  },
  {
    "namespace": "Folder",
    "object": "keto/",
    "relation": "viewers",
    "subject_set": {
      "namespace": "Group",
      "object": "developer",
      "relation": "members"
    }
  },
  {
    "namespace": "File",
    "object": "keto/README.md",
    "relation": "parents",
    "subject_set": {
      "namespace": "Folder",
      "object": "keto/"
    }
  },
  {
    "namespace": "Folder",
    "object": "keto/src/",
    "relation": "parents",
    "subject_set": {
      "namespace": "Folder",
      "object": "keto/"
    }
  },
  {
    "namespace": "File",
    "object": "keto/src/main.go",
    "relation": "parents",
    "subject_set": {
      "namespace": "Folder",
      "object": "keto/src/"
    }
  },
  {
    "namespace": "File",
    "object": "private",
    "relation": "owners",
    "subject_set": {
      "namespace": "User",
      "object": "Henning"
    }
  }
]
```
expand result:
```json
{
  "type": "union",
  "children": [
    {
      "type": "leaf",
      "tuple": {
        "namespace": "",
        "object": "",
        "relation": "",
        "subject_set": {
          "namespace": "Folder",
          "object": "keto/",
          "relation": ""
        }
      }
    }
  ],
  "tuple": {
    "namespace": "",
    "object": "",
    "relation": "",
    "subject_set": {
      "namespace": "File",
      "object": "keto/README.md",
      "relation": "parents"
    }
  }
}
```
@steep-lamp-91158
s
I don't see a problem with that? It gives you the parents of the file, i.e. the one parent
as expected
maybe you are looking for the reverse of expand instead? https://github.com/ory/keto/issues/689
g
Shouldn't the expand API also let me know who is the viewer (Group of Developers) of the `keto/README.md` object under the `Folder` namespace as well? What I mean is: if I ask the expand API to fetch me all the users who have permission on the File `keto/README.md` indirectly via the parent of the File, which in this case is `keto/`, then how would we achieve it?
s
this is expand in the other direction, which is not yet implemented
currently what you have to do is use some application context to do the right list API calls
g
Okay, same is the situation with the use case where: I want to check all the files a user has access to (direct and indirect present through subject-set rewrite)?
s
yes exactly
we know this is a serious limitation right now, so it is the next big feature we want to do in keto
g
Gotcha, thanks @steep-lamp-91158!
d
@steep-lamp-91158 do you have any time estimate for this feature? More specifically is there any chance this will be done in the next 3 months? We have a customer project coming up and this feature would come in handy. Thanks!
g
@steep-lamp-91158 ^
s
Nope sorry, we don't