https://www.ory.sh/
Join Slack
Hi All :wave:, Does the expand API not drill down to the root namespace on empty relation in subject...
# talk-keto
g
Hi All 👋, Does the expand API not drill down to the root namespace on empty relation in subject_set? The userset rewrite example does not expand the permission to the User level when we try to run - `keto expand parents File keto/README.md``
s
can you give example relation tuples you have stored, the namespace config, and what you get from expand?
g
We can consider the userset rewrite example itself: Config:
Copy code
// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0
// import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"
/// <reference path="./lib.ts" />

class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}

class Folder implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: SubjectSet<Group, "members">[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.view(ctx)),
  }
}

class File implements Namespace {
  related: {
    parents: (File | Folder)[]
    viewers: (User | SubjectSet<Group, "members">)[]
    owners: (User | SubjectSet<Group, "members">)[]
  }

  // Some comment
  permits = {
    view: (ctx: Context): boolean =>
      this.related.parents.traverse((p) => p.permits.view(ctx)) ||
      this.related.viewers.includes(ctx.subject) ||
      this.related.owners.includes(ctx.subject),

    edit: (ctx: Context) => this.related.owners.includes(ctx.subject),
  }
}
tuples:
Copy code
[
  {
    "namespace": "Group",
    "object": "developer",
    "relation": "members",
    "subject_id": "patrik"
  },
  {
    "namespace": "Group",
    "object": "developer",
    "relation": "members",
    "subject_set": {
      "namespace": "User",
      "object": "Patrik"
    }
  },
  {
    "namespace": "Group",
    "object": "developer",
    "relation": "members",
    "subject_set": {
      "namespace": "User",
      "object": "Henning"
    }
  },
  {
    "namespace": "Folder",
    "object": "keto/",
    "relation": "viewers",
    "subject_set": {
      "namespace": "Group",
      "object": "developer",
      "relation": "members"
    }
  },
  {
    "namespace": "File",
    "object": "keto/README.md",
    "relation": "parents",
    "subject_set": {
      "namespace": "Folder",
      "object": "keto/"
    }
  },
  {
    "namespace": "Folder",
    "object": "keto/src/",
    "relation": "parents",
    "subject_set": {
      "namespace": "Folder",
      "object": "keto/"
    }
  },
  {
    "namespace": "File",
    "object": "keto/src/main.go",
    "relation": "parents",
    "subject_set": {
      "namespace": "Folder",
      "object": "keto/src/"
    }
  },
  {
    "namespace": "File",
    "object": "private",
    "relation": "owners",
    "subject_set": {
      "namespace": "User",
      "object": "Henning"
    }
  }
]
expand result:
Copy code
{
  "type": "union",
  "children": [
    {
      "type": "leaf",
      "tuple": {
        "namespace": "",
        "object": "",
        "relation": "",
        "subject_set": {
          "namespace": "Folder",
          "object": "keto/",
          "relation": ""
        }
      }
    }
  ],
  "tuple": {
    "namespace": "",
    "object": "",
    "relation": "",
    "subject_set": {
      "namespace": "File",
      "object": "keto/README.md",
      "relation": "parents"
    }
  }
}
@steep-lamp-91158
s
I don't see a problem with that? It gives you the parents of the file, i.e. the one parent
as expected
maybe you are looking for the reverse of expand instead? https://github.com/ory/keto/issues/689
g
Shouldn't the expand API also let me know who is the viewer(Group of Developers) of the 
keto/README.md
object under the 
Folder
namespace as well? What i mean is: If i ask the expand API to fetch me all the users who have permission on the File 
keto/README.md
indirectly via the parent of the File which in this case is 
keto/
, then how would we achieve it?
s
this is expand in the other direction, which is not yet implemented
currently what you have to do is use some application context to do the right list API calls
g
Okay, same is the situation with the use case where: I want to check all the files a user has access to (direct and indirect present through subject-set rewrite) ?
s
yes exactly
we know this is a serious limitation right now, so it is the next big feature we want to do in keto
g
Gotcha, thanks @steep-lamp-91158!
d
@steep-lamp-91158 do you have any time estimate for this feature? More specifically is there any chance this will be done in the next 3 months? We have a customer project coming up and this feature would come in handy. Thanks!
g
@steep-lamp-91158 ^
s
Nope sorry, we don't
Open in Slack
PreviousNext
Powered by

Ory Community

Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Powered by