Migrating policies from 0.5 to 0.6
0.6 release makes Ory Access Control Policy DSL modeled after AWS IAM Policies obsolete. This guide will help you to rewrite your policies in to relation-tuples. You can read The Evolution of Ory Keto: A Global Scale Authorization System blogpost to understand a benefits of 0.6 release
Legacy rules example
The policy below allows Alice
and Bob
to create/read/modify/delete
blog_posts:my-first-blog-post
, blog_posts:2
, and blog_posts:3
.
{
"subjects": ["alice", "bob"],
"resources": [
"blog_posts:my-first-blog-post",
"blog_posts:2",
"blog_posts:3"
],
"actions": ["delete", "create", "read", "modify"],
"effect": "allow"
}
Rewriting it to relation tuples
According to the example above we need to create required namespace and relation tuple
General mapping from old to new policies
- Subjects -> Subject IDs or Subject Sets
- Resources -> Objects scoped by namespaces
- Actions -> Relations
- Effect -> Became obsolete or can be considered as Relations
We need to have blog_posts
namespace for our example. Let's add the following
content to keto.yml
configuration file. You can find a good template
here.
namespaces:
- id: 0
name: blog_posts
serve:
read:
host: 0.0.0.0
port: 4466
write:
host: 0.0.0.0
port: 4467
Alice Relation Tuples
Let's create an alice_policies
file with the following content, which adds
exactly the same permissions to Alice as the previous example
blog_posts:my-first-blog-post#read@alice
blog_posts:my-first-blog-post#modify@alice
blog_posts:my-first-blog-post#delete@alice
blog_posts:my-first-blog-post#create@alice
blog_posts:2#read@alice
blog_posts:2#modify@alice
blog_posts:2#delete@alice
blog_posts:2#create@alice
blog_posts:3#read@alice
blog_posts:3#modify@alice
blog_posts:3#delete@alice
blog_posts:3#create@alice
You can create a similar bob_policies
file with the following permissions
blog_posts:my-first-blog-post#read@bob
blog_posts:my-first-blog-post#modify@bob
blog_posts:my-first-blog-post#delete@bob
blog_posts:my-first-blog-post#create@bob
blog_posts:2#read@bob
blog_posts:2#modify@bob
blog_posts:2#delete@bob
blog_posts:2#create@bob
blog_posts:3#read@bob
blog_posts:3#modify@bob
blog_posts:3#delete@bob
blog_posts:3#create@bob
Creating Relation Tuples using the CLI
This example uses the Ory Keto CLI to create the relation tuple using the write API
keto relation-tuple parse alice_policies --format json | \
keto relation-tuple create - >/dev/null \
&& echo "Successfully created tuple" \
|| echo "Encountered error"
Bob
keto relation-tuple parse bob_policies --format json | \
keto relation-tuple create - >/dev/null \
&& echo "Successfully created tuple" \
|| echo "Encountered error"
Now, we can use the
check-API to
verify that alice
is allowed to read
the my-first-blog-post
:
keto check alice read blog_posts my-first-blog-post
Allowed
What about Bob?
keto check bob read blog_posts my-first-blog-post
Allowed
What about John?
keto check john read blog_posts my-first-blog-post
Denied