Using "keto check" with inherited/subject sets

[pigfrown]

Hi,

I've been playing with keto but am having trouble using the "keto expand" command/checking inherited relations/subject sets (not sure I'm getting my terminology right here!)

I am trying to model the following hierarchy where permissions are inherited:

OrgAdmin owns Organisation
Project belongsto Organisation
ProjectAdmin administrates Project
ProjectUser access Project

OrgAdmin, ProjectAdmin, and ProjectUser are all Kratos users. Organisation and Project are stored in my own DB. Everything is represented with UUIDs, and I have 2 namespaces, "projects" and "organisations".

I created 1 of each of the above, and I end up with the following tuples in the projects namespace:

NAMESPACE	OBJECT					RELATION NAME	SUBJECT								
projects	5c84e4f4-74ec-40cd-9f33-63c68d1ee666	belongsto	6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b				
projects	6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b	access		9c7e8963-8ab8-4c7b-ae9b-9470fd28a798				
projects	6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b	access		projects:6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b#administrates	
projects	6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b	administrates	673b37cf-d18a-4b11-80f6-0001c60191b0				
projects	6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b	administrates	organisations:5c84e4f4-74ec-40cd-9f33-63c68d1ee666#owns	

I can successfully use "keto check" to confirm simple relations, e.g checking that a ProjectAdmin administrates a Project with:

keto check 673b37cf-d18a-4b11-80f6-0001c60191b0 administrates projects 6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b

will return Allowed.

However I'm unsure how I can check inherited/subjectset relations. I.e. how can I check that an OrgAdmin of an Organisation that a Project "belongsto" to can also "administrate" the Project (the last tuple if I got things correct). Likewise how can I check that an OrgAdmin can "access" a Project.

Is there a way to invoke "keto check" to do this? I tried various invocations with no success. Or is there an go/grpc example of this somewhere?

I also checked out the "keto expand" command, but can't seem to get this working. I always get the message

"Got an empty tree. This probably means that the requested relation tuple is not present in Keto."

I thought I was missing something so tested the "keto expand" command from the CatVideos example with a fresh repo and also get the same output. Is there a new way to invoke "keto expand"? This would be useful to visualise my relations.

Apologies if I've missed something obvious.. gotta admit I have been lost in the sea of UUIDs quite a few times! :)

Thanks

[vinckr]

Hello @pigfrown
Apologies for the late answer and trouble with the documentation.

I get the expected output when running keto expand in the cat video example:

∪ videos:/cats/1.mp4#view
├─ ∪ videos:/cats/1.mp4#owner
│  ├─ ∪ videos:/cats#owner
│  │  ├─ ☘ cat lady️
├─ ☘ *️

As for your other problem, and maybe this is something I got wrong, but following this example

// user1 has acces to the directory foo
directories:foo#access@user1
// user2 has access to the file foo
files:foo#access@user2

your tuples look fine. Maybe @zepatrik can weigh in on this 🙏

[zepatrik]

I just checked in the code, the check command does not allow to pass subject sets at the moment. Tracked as #850.
Generally the check command follows indirections, so most of the time you probably don't even want to pass it: keto check 673b37cf-d18a-4b11-80f6-0001c60191b0 access projects 6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b will also return Allowed.

For expand, I would have to see an example of what you tried. But it should work to use keto expand access projects 6dd29cb7-2b6b-458c-abf2-9e5aa9174e1b.