Migrating policies from 0.5 to 0.6

The 0.6 release of Ory Keto makes Ory Access Control Policy DSL modeled after AWS IAM Policies obsolete. This guide will help you to rewrite your policies in to relation-tuples.

Legacy rules example

The policy below allows Alice and Bob to create/read/modify/delete blog_posts:my-first-blog-post, blog_posts:2, and blog_posts:3.

{
  "subjects": ["alice", "bob"],
  "resources": ["blog_posts:my-first-blog-post", "blog_posts:2", "blog_posts:3"],
  "actions": ["delete", "create", "read", "modify"],
  "effect": "allow"
}

Rewriting it to relationships

According to the example above we need to create required namespace and relationship.

General mapping from old to new policies

• Subjects -> Subject IDs or Subject Sets
• Resources -> Objects scoped by namespaces
• Actions -> Relations
• Effect -> Became obsolete or can be considered as Relations

We need to have blog_posts namespace for our example. Let's add the following content to keto.yml configuration file. You can find a template in the configuration overview here.

namespaces:
  - id: 0
    name: blog_posts

serve:
  read:
    host: 0.0.0.0
    port: 4466
  write:
    host: 0.0.0.0
    port: 4467

Alice relationships

Let's create an alice_policies file with the following content, which adds exactly the same permissions to Alice as the previous example

blog_posts:my-first-blog-post#read@alice
blog_posts:my-first-blog-post#modify@alice
blog_posts:my-first-blog-post#delete@alice
blog_posts:my-first-blog-post#create@alice
blog_posts:2#read@alice
blog_posts:2#modify@alice
blog_posts:2#delete@alice
blog_posts:2#create@alice
blog_posts:3#read@alice
blog_posts:3#modify@alice
blog_posts:3#delete@alice
blog_posts:3#create@alice

You can create a similar bob_policies file with the following permissions

blog_posts:my-first-blog-post#read@bob
blog_posts:my-first-blog-post#modify@bob
blog_posts:my-first-blog-post#delete@bob
blog_posts:my-first-blog-post#create@bob
blog_posts:2#read@bob
blog_posts:2#modify@bob
blog_posts:2#delete@bob
blog_posts:2#create@bob
blog_posts:3#read@bob
blog_posts:3#modify@bob
blog_posts:3#delete@bob
blog_posts:3#create@bob

Creating relationships using the CLI

This example uses the Ory Keto CLI to create the relationship using the write API

keto relation-tuple parse alice_policies --format json | \
  keto relation-tuple create - >/dev/null \
  && echo "Successfully created tuple" \
  || echo "Encountered error"

keto relation-tuple parse bob_policies --format json | \
  keto relation-tuple create - >/dev/null \
  && echo "Successfully created tuple" \
  || echo "Encountered error"

Now we can use the check-API to verify that alice is allowed to read the my-first-blog-post:

keto check alice read blog_posts my-first-blog-post
Allowed

What about Bob?

keto check bob read blog_posts my-first-blog-post
Allowed

What about John?

keto check john read blog_posts my-first-blog-post
Denied

Next steps

• Check whether a user has access to something
• List API: Display all objects a user has access to