Keto example permission model doesn't traverse graph
Opened this issue · 1 comment
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
https://gracious-hypatia-b9te8t22yp.projects.oryapis.com
Describe the bug
Following steps in this guide: https://www.ory.sh/docs/keto/modeling/create-permission-model
Created a bug here as the documentation should make clearer how to set up the relationships to make the permission model work.
Please let me know if I understand something fundamentally wrong about the way the permission model is supposed to work :)
Reproducing the bug
- Go to the permission model page
- Copy the code of permissions-v5.ts
- Go to https://console.ory.sh/projects/-/permissions/configuration
- Paste the code under "Permission Rules"
- Click save
- Go to relationships: https://console.ory.sh/projects/-/permissions/relationships
- Create the following two relationships:
  userA is owners of Folder:folderA
  folderA is parents of Document:docA
- Make the following request: https://-.projects.oryapis.com/relation-tuples/check?namespace=Document&object=docA&relation=share&subject_id=userA&max-depth=100
Expected: /relation-tuples/check returns {"allowed": true}
Actual: /relation-tuples/check returns {"allowed": false}
Relevant log output
No response
Relevant configuration
No response
Version
v0.13.0-alpha.0
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
Permission v3 and v4 don't work. Permission v5 works again (which is marked as optional) :D
I agree that the docs are confusing and incomplete here. The console is not super helpful either (and partially lacking functionality), but here are the details on how to make it work:
You are mixing subject sets (typed subjects) and subject IDs (untyped). What you want to do is create the relationships with the subject set, which you can do in the console like this:
The permission check then also has to use subject sets: /relation-tuples/check?namespace=Document&object=docA&relation=share&subject_set.object=userA&max-depth=100&subject_set.namespace=User&subject_set.relation=
In general you should probably never use subject IDs, but always the subject set instead. We do plan to deprecate the subject ID because of this confusion and no real benefit.
I will keep this issue open so that we keep track of the docs changes.
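Added example, not code from the issue, the guide, or Keto itself: a toy TypeScript relation-tuple store that mimics the two behaviours discussed above, the reporter's setup with untyped subject IDs (denied) and the maintainer's setup with subject sets on both the tuples and the check (allowed), plus the mixed case the reply warns about. The namespaces and relations (User, Folder, Document; owners, parents, share) come from the issue; the evaluation rule is my simplified rendering of the guide's "share" permission (owner of the object, or allowed to share a parent), the convention that a subject set with an empty relation stands for "the object itself" mirrors the reply's check URL, and the store, function names and the rule that only a typed subject set can be traversed are assumptions of this toy, not Keto's engine.

```typescript
// Added example, not Keto's code: a toy relation-tuple store showing why a
// check traverses typed subject sets but not untyped subject IDs.
// Namespaces/relations follow the issue; the "share" rule is a simplified
// reading of the guide's permission model (assumption, not Keto's evaluator).

// A subject is either an untyped subject ID ("userA") or a typed subject set
// ("User:userA#" with an empty relation, "Folder:folderA#owners" otherwise).
interface SubjectSet { namespace: string; object: string; relation: string }
interface SubjectId { id: string }
type Subject = SubjectId | SubjectSet;

interface RelationTuple { namespace: string; object: string; relation: string; subject: Subject }

function isSubjectSet(s: Subject): s is SubjectSet {
  return "namespace" in s;
}

// Canonical string form. A subject ID and a subject set never collide, so
// "userA" and "User:userA#" are two different subjects to the store.
function subjectKey(s: Subject): string {
  return isSubjectSet(s) ? `${s.namespace}:${s.object}#${s.relation}` : s.id;
}

class TupleStore {
  private tuples: RelationTuple[] = [];

  insert(t: RelationTuple): void {
    this.tuples.push(t);
  }

  // Subjects related to (namespace, object) through `relation`.
  related(namespace: string, object: string, relation: string): Subject[] {
    return this.tuples
      .filter((t) => t.namespace === namespace && t.object === object && t.relation === relation)
      .map((t) => t.subject);
  }

  includes(namespace: string, object: string, relation: string, subject: Subject): boolean {
    const key = subjectKey(subject);
    return this.related(namespace, object, relation).some((s) => subjectKey(s) === key);
  }
}

// Simplified "share" rule: the subject is an owner of the object, or may share
// one of its parents. Only a typed subject set can be traversed, because it
// names the namespace and object whose relations are looked up next; an
// untyped subject ID carries no namespace, so the walk stops there.
function checkShare(store: TupleStore, namespace: string, object: string, subject: Subject, maxDepth = 100): boolean {
  if (maxDepth <= 0) return false;
  if (store.includes(namespace, object, "owners", subject)) return true;
  return store
    .related(namespace, object, "parents")
    .some((p) => isSubjectSet(p) && p.relation === "" && checkShare(store, p.namespace, p.object, subject, maxDepth - 1));
}

// Scenario 1: the tuples as the reporter created them, with untyped subject IDs.
function reporterSetup(): boolean {
  const store = new TupleStore();
  store.insert({ namespace: "Folder", object: "folderA", relation: "owners", subject: { id: "userA" } });
  store.insert({ namespace: "Document", object: "docA", relation: "parents", subject: { id: "folderA" } });
  // ?subject_id=userA: "folderA" is an opaque ID, nothing to traverse -> false
  return checkShare(store, "Document", "docA", { id: "userA" });
}

// Scenario 2: subject sets on both tuples and in the check, as the reply suggests.
function subjectSetSetup(): boolean {
  const store = new TupleStore();
  const userA: SubjectSet = { namespace: "User", object: "userA", relation: "" };
  store.insert({ namespace: "Folder", object: "folderA", relation: "owners", subject: userA });
  store.insert({ namespace: "Document", object: "docA", relation: "parents",
                 subject: { namespace: "Folder", object: "folderA", relation: "" } });
  // ?subject_set.namespace=User&subject_set.object=userA&subject_set.relation= -> true
  return checkShare(store, "Document", "docA", userA);
}

// Scenario 3: tuples written with subject sets but checked with a bare subject_id,
// the mix the reply warns about: "User:userA#" and "userA" never match.
function mixedSetup(): boolean {
  const store = new TupleStore();
  store.insert({ namespace: "Folder", object: "folderA", relation: "owners",
                 subject: { namespace: "User", object: "userA", relation: "" } });
  store.insert({ namespace: "Document", object: "docA", relation: "parents",
                 subject: { namespace: "Folder", object: "folderA", relation: "" } });
  return checkShare(store, "Document", "docA", { id: "userA" });
}

console.log({ reporter: reporterSetup(), subjectSets: subjectSetSetup(), mixed: mixedSetup() });
```

The point the toy makes is the one in the reply: the graph only traverses through subjects that carry a namespace, and the subject in the check request must be encoded the same way as the subject in the stored tuple, so pick subject sets everywhere rather than mixing them with subject IDs.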