Comments (1)
Ah. You have hit the heart of the challenge that the ory:keto creators faced when they decided to create the OPL. The OPL parser is not a compiler. It's a loose transpiler at best. To be completely unfair, calling it a converter would not be totally wrong either.
The point is: while the OPL looks like TypeScript, it is most definitely NOT true TypeScript. It makes sense though. What OPL really does is it gives developers the ability to define keto's configuration using a language that we're familiar with. While our IDEs give us nice typechecking, when the permission model is built by keto, the namespace models are not fully typechecked and there are ways (as you have discovered) to "fool" the typechecking that is being done.
As a case in point, during a traverse, the parser determines the types for the relation being traversed (which in your example is `parents`). And it will discover that type to be `Organization`. A check is performed to ensure that `parents` in fact exists on the current namespace (`Organization`) and within the traversal the relation `view` is checked to ensure that it exists in all of the relevant types (see above) associated with the `parents` relation. That's it. No check is made to ensure that the thing is, in fact, of type `X` or `Y`. From keto's perspective of a `subject`, it's irrelevant.
I say that, but you hit on a weakness of OPL as it stands today. Right now the `types` associated with `related` fields are, in the words of Hector Barbossa (youtube link): "more whatcha call guidelines than actual rules". What that means is this: the `type` only matters when it comes down to either 1. traversing that relation or 2. resolving a `permits` on that relation. Keto's parser will check that the type associated with that relation (for example `parents`) has the associated relation to be traversed (for example `viewers`) or the associated `permits` (for example `view`). In this case, unfortunately (and rightly confusingly), `Shop` does, in fact, have a relation (a dynamic one under permits) called `view`. But so does `Organization`. What this means is that, when rules are checked, if a `relation` is created that associates a `Shop` where only an `Organization` is expected, it will work not as you intended but it will work as it was designed, because both namespaces have the `relation` named `view`, so the `typechecks` will pass.
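The situation described in the comment above, as an added simulation (not Ory Keto's code and not the poster's): a name-only schema check passes, a `parents` tuple that points at a `Shop` then resolves `view` through `Shop`'s own permit, and only a tuple-level type check, shown here as the audit a defender would add, flags it. The `Organization`, `Shop` and `User` namespaces, their relations and all tuples are constructed for the example.

```python
# Added illustration (not Ory Keto code): the schema check only looks for the
# name `view` on the declared type(s), so a mistyped `parents` tuple is accepted
# and evaluated through Shop's own `view`. Schema and tuples are constructed.
SCHEMA = {
    "Organization": {"relations": {"parents": ["Organization"], "viewers": ["User"]},
                     "permits": {"view"}},
    "Shop": {"relations": {"owners": ["User"]}, "permits": {"view"}},
    "User": {"relations": {}, "permits": set()},
}

# Tuples: (namespace, object, relation, subject_namespace, subject_object).
# The second one puts a Shop where only an Organization is declared.
TUPLES = [
    ("Organization", "acme", "parents", "Organization", "holdings"),
    ("Organization", "acme", "parents", "Shop", "corner-shop"),
    ("Organization", "holdings", "viewers", "User", "alice"),
    ("Shop", "corner-shop", "owners", "User", "bob"),
]

def schema_check(namespace, relation, permit):
    """Name-only check: relation exists on the namespace, permit exists on every declared type."""
    declared = SCHEMA[namespace]["relations"].get(relation)
    return declared is not None and all(permit in SCHEMA[t]["permits"] for t in declared)

def typed_tuple_check(tpl):
    """The missing piece: the subject's namespace must be one of the declared types."""
    ns, _, rel, subj_ns, _ = tpl
    return subj_ns in SCHEMA[ns]["relations"].get(rel, [])

def mistyped_tuples(tuples=TUPLES):
    """Defender's audit: stored tuples whose subject violates the declared types."""
    return [t for t in tuples if not typed_tuple_check(t)]

def _subjects(tuples, ns, obj, rel):
    return [(s_ns, s) for n, o, r, s_ns, s in tuples if (n, o, r) == (ns, obj, rel)]

def can_view(ns, obj, user, tuples=TUPLES, depth=0):
    """Follow `parents` to whatever subject is stored and call that namespace's own `view`."""
    if depth > 8:  # guard against cyclic parents
        return False
    if ns == "Organization":
        if ("User", user) in _subjects(tuples, ns, obj, "viewers"):
            return True
        return any(can_view(p_ns, p, user, tuples, depth + 1)
                   for p_ns, p in _subjects(tuples, ns, obj, "parents"))
    if ns == "Shop":
        return ("User", user) in _subjects(tuples, ns, obj, "owners")
    return False
```

`can_view("Organization", "acme", "bob")` returns True through the Shop tuple, while `mistyped_tuples()` is the check that would have rejected that tuple at write time.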