ory / keto

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.

Home Page:https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=keto

Problem with arbitrary relations

Gromitmugs opened this issue · comments

Preflight checklist

Describe the bug

Hi, I have a few problems here using an arbitrary relation, though I'm not sure whether what I'm trying to do is the right way.
So, I made a namespace which has the following relations:

  • viewers
  • editors

My idea is that, for the relation tuples created in this namespace, their relation will not be any of the relations defined in the namespace configuration. Instead, I intend to use other tuples to define any arbitrary relation as a subject set of the existing relations. For example,

	// The relation Admin of User:MyApp is an Editor of User:MyApp
	{
		Namespace: lo.ToPtr("User"),
		Object:    lo.ToPtr("MyApp"),
		Relation:  lo.ToPtr("editors"),
		SubjectSet: &ory.SubjectSet{
			Namespace: "User",
			Object:    "MyApp",
			Relation:  "Admin",
		},
	},
	// The relation Normal of User:MyApp is a Viewer of User:MyApp
	{
		Namespace: lo.ToPtr("User"),
		Object:    lo.ToPtr("MyApp"),
		Relation:  lo.ToPtr("viewers"),
		SubjectSet: &ory.SubjectSet{
			Namespace: "PlatformUser",
			Object:    "MyApp",
			Relation:  "Normal",
		},
	},

My direct tuples are:

	// Add Test Users
	{
		Namespace: lo.ToPtr("User"),
		Object:    lo.ToPtr("MyApp"),
		Relation:  lo.ToPtr("Admin"),
		SubjectId: lo.ToPtr("TestAdminUser"),
	},
	{
		Namespace: lo.ToPtr("User"),
		Object:    lo.ToPtr("MyApp"),
		Relation:  lo.ToPtr("Normal"),
		SubjectId: lo.ToPtr("TestNormalUser"),
	},

My namespace config:

class User implements Namespace {
  related: {
    viewers: User[]
    editors: User[]
  }

  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject),
    edit: (ctx: Context): boolean =>
      this.related.editors.includes(ctx.subject),
  }
}

Expected Output

It is expected that a TestNormalUser has the view permit to the User:MyApp, and a TestAdminUser has the view and edit permits to the User:MyApp.

Reproducing the bug

The problem arises when I try checking whether the subject_id TestNormalUser has the edit relation; the payload is below:

{
    "namespace": "User",
    "object": "MyApp",
    "relation": "edit",
    "subject_id": "TestNormalUser"
} //expecting a "false" response but got an error

It also outputs the same when asking for the view relation for TestAdminUser:

{
    "namespace": "User",
    "object": "MyApp",
    "relation": "view",
    "subject_id": "TestAdminUser"
} //expecting a "true" response but got an error

But it works just fine when asking for the edit relation for TestAdminUser:

{
    "namespace": "User",
    "object": "MyApp",
    "relation": "edit",
    "subject_id": "TestAdminUser"
} //got a "true" response

Relevant log output

For the first check payload:
{
    "error": {
        "code": 400,
        "status": "Bad Request",
        "reason": "relation \"Admin\" does not exist",
        "message": "The request was malformed or contained invalid parameters"
    }
}

For the second check payload:
{
    "error": {
        "code": 400,
        "status": "Bad Request",
        "reason": "relation \"Normal\" does not exist",
        "message": "The request was malformed or contained invalid parameters"
    }
}

Relevant configuration

No response

Version

v0.11.1-alpha.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response
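The two 400 responses quoted in the report are Keto refusing to resolve a relation that the namespace does not declare: every relation named by a tuple, including the relation inside a subject set such as User:MyApp#Admin, has to appear in the namespace's related block before a check can walk through it. The Go program below is an added example written for this page; it is not code from the reporter or from the Keto project. It is a small in-memory model of subject-set expansion: a store whose "User" namespace declares only viewers and editors (as in the report's config) reproduces the "relation does not exist" errors at check time, and a store that additionally declares Admin and Normal (the OPL equivalent would be adding `Admin: User[]` and `Normal: User[]` next to viewers and editors) gives the expected answers. Assumptions beyond the page: the "Normal" subject set is placed in the User namespace rather than PlatformUser, validation is modelled at check time only (the report shows the error on check, not on write), and a depth bound is added so that a subject set that refers back to itself cannot recurse forever.

```go
package main

import "fmt"

// SubjectSet stands for every subject that has Relation on Namespace:Object.
type SubjectSet struct{ Namespace, Object, Relation string }

// Tuple is a relation tuple: a direct SubjectID, or a SubjectSet for indirection.
type Tuple struct {
	Namespace, Object, Relation, SubjectID string
	SubjectSet                             *SubjectSet
}

// Store is a toy in-memory tuple store with Zanzibar-style subject-set
// expansion; a model written for this example, not Keto's engine.
type Store struct {
	declared map[string]map[string]bool // namespace -> relations of its `related:` block
	tuples   []Tuple
}

// NewUserStore builds a store whose "User" namespace declares exactly `relations`.
func NewUserStore(relations []string, tuples []Tuple) *Store {
	rels := map[string]bool{}
	for _, r := range relations {
		rels[r] = true
	}
	return &Store{declared: map[string]map[string]bool{"User": rels}, tuples: tuples}
}

// validate mirrors the check behind the 400 responses in the report: a
// relation the namespace does not declare is an error, not an empty set.
func (s *Store) validate(ns, rel string) error {
	if !s.declared[ns][rel] {
		return fmt.Errorf("relation %q does not exist", rel)
	}
	return nil
}

// Check reports whether subject has rel on ns:obj, following subject sets.
// maxDepth bounds the recursion so a cyclic subject set cannot loop forever.
func (s *Store) Check(ns, obj, rel, subject string, maxDepth int) (bool, error) {
	if err := s.validate(ns, rel); err != nil {
		return false, err
	}
	if maxDepth <= 0 {
		return false, fmt.Errorf("max depth exceeded resolving %s:%s#%s", ns, obj, rel)
	}
	for _, t := range s.tuples {
		if t.Namespace != ns || t.Object != obj || t.Relation != rel {
			continue
		}
		if ss := t.SubjectSet; ss == nil {
			if t.SubjectID == subject {
				return true, nil
			}
		} else if ok, err := s.Check(ss.Namespace, ss.Object, ss.Relation, subject, maxDepth-1); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

// Permit evaluates the two permits from the report's OPL:
// view = viewers || editors, edit = editors.
func (s *Store) Permit(permit, obj, subject string) (bool, error) {
	if permit == "view" {
		if ok, err := s.Check("User", obj, "viewers", subject, 8); err != nil || ok {
			return ok, err
		}
	} else if permit != "edit" {
		return false, fmt.Errorf("permit %q does not exist", permit)
	}
	return s.Check("User", obj, "editors", subject, 8)
}

// IssueTuples are the four tuples from the report as constructed sample
// data, with the "Normal" subject set placed in the User namespace (assumption).
func IssueTuples() []Tuple {
	return []Tuple{
		{Namespace: "User", Object: "MyApp", Relation: "editors",
			SubjectSet: &SubjectSet{Namespace: "User", Object: "MyApp", Relation: "Admin"}},
		{Namespace: "User", Object: "MyApp", Relation: "viewers",
			SubjectSet: &SubjectSet{Namespace: "User", Object: "MyApp", Relation: "Normal"}},
		{Namespace: "User", Object: "MyApp", Relation: "Admin", SubjectID: "TestAdminUser"},
		{Namespace: "User", Object: "MyApp", Relation: "Normal", SubjectID: "TestNormalUser"},
	}
}

// BrokenStore declares only viewers and editors, as the report's config does; FixedStore also declares Admin and Normal.
func BrokenStore() *Store { return NewUserStore([]string{"viewers", "editors"}, IssueTuples()) }
func FixedStore() *Store  { return NewUserStore([]string{"viewers", "editors", "Admin", "Normal"}, IssueTuples()) }

func main() {
	_, err := BrokenStore().Permit("edit", "MyApp", "TestNormalUser")
	ok, _ := FixedStore().Permit("edit", "MyApp", "TestNormalUser")
	fmt.Println("broken config:", err, "| fixed config, TestNormalUser edit:", ok)
}
```

With the broken namespace, asking whether TestNormalUser may edit walks editors into the User:MyApp#Admin subject set and fails with `relation "Admin" does not exist`, exactly as in the first log; the view check for TestAdminUser fails on `Normal` the same way. With Admin and Normal declared, TestNormalUser gets view but not edit and TestAdminUser gets both, which is the expected output stated in the report. The design point worth keeping from the model is that an undeclared relation is an error rather than an empty set: silently treating it as empty would turn a configuration typo into a denied-by-default answer that nobody notices, while an explicit error surfaces the misconfiguration.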