ory/keto

Individual permissions can't be checked with REST API

kaiba42 opened this issue · 4 comments

Ory Network Project

https://inspiring-lichterman-l25lz6u2q1.projects.oryapis.com

Describe the bug

In Ory Permission Language, a user defines a namespace, and the relations (defined as related) and permits for objects within that namespace.

Keto has one REST API endpoint for checking the permissions of a subject: relation-tuples/check.
This endpoint takes 4 arguments (passed as either query params for GET requests, or in a JSON body for POST requests):

  1. namespace
  2. object
  3. relation
  4. subject_id

None of these arguments specify the permission to be checked against the permits in a permissions model defined with Ory Permission Language. The caller is only able to check against the relations in a permissions model.

This seems like a fundamental issue, or there may be some alternative endpoint that checks against permits that I am unaware of.

Reproducing the bug

None -- the bug is the absence of core functionality.

Relevant log output

No response

Relevant configuration

No response

Version

Ory Network

On which operating system are you observing this issue?

None

In which environment are you deploying?

Ory Network

Additional Context

No response

I see that keys from both permits and related can be passed to the relation input.

There aren't any docs that tell you what can be passed into the relation input though. I feel like that's pretty key to using Ory Keto. The documentation for the relation argument is currently:
relation | string | Relation to query
This is not informative of usage.
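
An added example, not part of the thread and not Ory's code, of what the comment above describes: the name of a permit is passed in the same `relation` argument as the name of a relation. The `Document` model, the `keto.example` host, the `MODEL` table and the `buildCheck` helper are all constructed for illustration.

```javascript
// Constructed OPL model for illustration (hypothetical Document namespace):
//
//   class User implements Namespace {}
//   class Document implements Namespace {
//     related: { owners: User[]; viewers: User[] }
//     permits = {
//       view: (ctx: Context): boolean =>
//         this.related.viewers.includes(ctx.subject) ||
//         this.related.owners.includes(ctx.subject),
//       edit: (ctx: Context): boolean =>
//         this.related.owners.includes(ctx.subject),
//     }
//   }

// Local mirror of the names that model defines (assumption: kept in sync by hand).
const MODEL = new Map([
  ["Document", { related: ["owners", "viewers"], permits: ["view", "edit"] }],
]);

// Build the GET and POST forms of a relation-tuples/check call.
// A `relation` value that is neither a `related` key nor a `permits` key is
// rejected locally, so a typo in a permission name never reaches the server.
function buildCheck(baseUrl, { namespace, object, relation, subject_id }) {
  const ns = MODEL.get(namespace);
  if (!ns) throw new Error(`unknown namespace: ${namespace}`);
  const kind = ns.permits.includes(relation) ? "permit"
    : ns.related.includes(relation) ? "relation" : null;
  if (!kind) {
    throw new Error(`"${relation}" is not a relation or permit of ${namespace}`);
  }
  const args = { namespace, object, relation, subject_id };
  const endpoint = new URL("relation-tuples/check", baseUrl);
  const get = new URL(endpoint);
  get.search = new URLSearchParams(args).toString();
  return {
    kind,
    get: get.toString(),
    post: { url: endpoint.toString(), body: JSON.stringify(args) },
  };
}

// Checking the `view` permit: the permit name goes in `relation`.
const check = buildCheck("https://keto.example/", {
  namespace: "Document", object: "readme", relation: "view", subject_id: "alice",
});
console.log(check.kind, check.get);
```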

Totally agree, lost some time trying to understand exactly what you described.

+1 to this - it's very confusing