Migrating policies from 0.5 to 0.6
0.6 release makes Ory Access Control Policy DSL modeled after AWS IAM Policies obsolete. This guide will help you to rewrite your policies in to relation-tuples. You can read The Evolution of Ory Keto: A Global Scale Authorization System blogpost to understand a benefits of 0.6 release
Legacy rules example
The policy below allows Alice and Bob to create/read/modify/delete blog_posts:my-first-blog-post, blog_posts:2, and
blog_posts:3.
{
"subjects": ["alice", "bob"],
"resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
"actions": ["delete", "create", "read", "modify"],
"effect": "allow"
}
Rewriting it to relationships
According to the example above we need to create required namespace and relationship
General mapping from old to new policies
- Subjects -> Subject IDs or Subject Sets
- Resources -> Objects scoped by namespaces
- Actions -> Relations
- Effect -> Became obsolete or can be considered as Relations
We need to have blog_posts namespace for our example. Let's add the following content to keto.yml configuration file. You can
find a good template here.
namespaces:
- id: 0
name: blog_posts
serve:
read:
host: 0.0.0.0
port: 4466
write:
host: 0.0.0.0
port: 4467
Alice relationships
Let's create an alice_policies file with the following content, which adds exactly the same permissions to Alice as the previous
example
blog_posts:my-first-blog-post#read@alice
blog_posts:my-first-blog-post#modify@alice
blog_posts:my-first-blog-post#delete@alice
blog_posts:my-first-blog-post#create@alice
blog_posts:2#read@alice
blog_posts:2#modify@alice
blog_posts:2#delete@alice
blog_posts:2#create@alice
blog_posts:3#read@alice
blog_posts:3#modify@alice
blog_posts:3#delete@alice
blog_posts:3#create@alice
You can create a similar bob_policies file with the following permissions
blog_posts:my-first-blog-post#read@bob
blog_posts:my-first-blog-post#modify@bob
blog_posts:my-first-blog-post#delete@bob
blog_posts:my-first-blog-post#create@bob
blog_posts:2#read@bob
blog_posts:2#modify@bob
blog_posts:2#delete@bob
blog_posts:2#create@bob
blog_posts:3#read@bob
blog_posts:3#modify@bob
blog_posts:3#delete@bob
blog_posts:3#create@bob
Creating relationships using the CLI
This example uses the Ory Keto CLI to create the relationship using the write API
keto relation-tuple parse alice_policies --format json | \
keto relation-tuple create - >/dev/null \
&& echo "Successfully created tuple" \
|| echo "Encountered error"
Bob
keto relation-tuple parse bob_policies --format json | \
keto relation-tuple create - >/dev/null \
&& echo "Successfully created tuple" \
|| echo "Encountered error"
Now, we can use the check-API to verify that alice is allowed
to read the my-first-blog-post:
keto check alice read blog_posts my-first-blog-post
Allowed
What about Bob?
keto check bob read blog_posts my-first-blog-post
Allowed
What about John?
keto check john read blog_posts my-first-blog-post
Denied