ory / keto

The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=keto
Apache License 2.0

Permission check returns Denied if a User belongs to a UserGroup that has a specific permission #1550

Closed evgeniradev closed 4 months ago

evgeniradev commented 4 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

I am setting a permission model that is made up of Users, UserGroups and Clients.

Users can belong to UserGroups. UserGroups can be assigned permissions. If a UserGroup has a certain permission assigned, then all its assigned Users should have it too.

I have assigned a User to a UserGroup and given that UserGroup the permission to create a specific Client. However, when I trigger the Ory Keto check to check if the User is allowed to create the Client, the result is Denied.

Reproducing the bug

Use the following configuration:

//permission model

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
}

class UserGroup implements Namespace {
  related: {
    members: User[]
  }
}

class Client implements Namespace {
  related: {
    testers: (User | SubjectSet<UserGroup, "members">)[]
  }

  permits = {
    create: (ctx: Context): boolean =>
      this.related.testers.includes(ctx.subject)
  }
}
//relation tuples

[
  {
    "action": "insert",
    "relation_tuple": {
      "namespace": "UserGroup",
      "object": "testers_group",
      "relation": "members",
      "subject_set": {
        "namespace": "User",
        "object": "john.tester@test.com"
      }
    }
  },
  {
    "action": "insert",
    "relation_tuple": {
      "namespace": "Client",
      "object": "ABC",
      "relation": "testers",
      "subject_set": {
        "namespace": "UserGroup",
        "object": "testers_group",
        "relation": "members"
      }
    }
  }
]

Then run:

keto check User:john.tester@test.com create Client ABC

The result appears to be Denied when, as far as I understand, it should be 'Allowed'.

Relevant log output

No response

Relevant configuration

No response

Version

v0.12.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

evgeniradev commented 4 months ago

Turns out it is because of the default configuration reference I pulled from the official docs here: https://www.ory.sh/docs/keto/reference/configuration

The max_read_depth value restricts the traversal to 1 level.
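As an added illustration (not Keto's code and not from the issue author), here is a toy Zanzibar-style resolver over the two relation tuples from this issue. It shows how a read-depth limit turns the UserGroup#members hop into a Denied result; the depth counting (direct lookup is level 1, each subject-set expansion adds one) is a simplifying assumption, not Keto's exact algorithm, and the `PERMITS` map stands in for the OPL `create` permit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SubjectSet:
    namespace: str
    object: str
    relation: str = ""  # empty relation: a plain subject such as a User


@dataclass(frozen=True)
class RelationTuple:
    namespace: str
    object: str
    relation: str
    subject: SubjectSet


# Constructed sample data: the two relation tuples posted in the issue.
TUPLES = [
    RelationTuple("UserGroup", "testers_group", "members",
                  SubjectSet("User", "john.tester@test.com")),
    RelationTuple("Client", "ABC", "testers",
                  SubjectSet("UserGroup", "testers_group", "members")),
]

# Stand-in for the OPL permit: Client.create holds for anyone in Client#testers.
PERMITS = {("Client", "create"): "testers"}


def parse_subject(s: str) -> SubjectSet:
    """'User:john' -> plain subject; 'UserGroup:g#members' -> subject set."""
    namespace, rest = s.split(":", 1)
    obj, _, relation = rest.partition("#")
    return SubjectSet(namespace, obj, relation)


def is_member(subject, namespace, obj, relation, max_read_depth, depth=1):
    """Is `subject` reachable from namespace:obj#relation within max_read_depth?"""
    if depth > max_read_depth:
        return False  # assumption: traversal stops here and the check is denied
    for t in TUPLES:
        if (t.namespace, t.object, t.relation) != (namespace, obj, relation):
            continue
        if t.subject == subject:
            return True  # direct membership
        if t.subject.relation:  # subject set: expand it one level deeper
            if is_member(subject, t.subject.namespace, t.subject.object,
                         t.subject.relation, max_read_depth, depth + 1):
                return True
    return False


def check(subject: str, relation: str, namespace: str, obj: str, max_read_depth: int) -> str:
    """Mirrors `keto check <subject> <relation> <namespace> <object>`."""
    rel = PERMITS.get((namespace, relation), relation)
    ok = is_member(parse_subject(subject), namespace, obj, rel, max_read_depth)
    return "Allowed" if ok else "Denied"
```

With `max_read_depth=1` the group hop is never expanded and the check reports Denied; raising it to 2 is enough for this two-tuple chain.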