feat: implement basic zanzibar API contract #266
Conversation
|
I was just about to build exactly this authorization system based off of Google’s Zanzibar paper, but then found the very good looking “zanzibar/expand-api” branches in the Keto project. Great work so far! 👍 I would love to help and contribute to Keto’s ACL as I’m also familiar with the Zanzibar paper and began some thoughts about such system myself for my organization. @zepatrik I assume the Zanzibar based ACL system will be a public API as well as provide the under layer for the planned RBAC, ABAC etc. systems as its that flexible enough? Let me know if there is something I could help with in terms of implementing or as another code reviewer giving ideas and giving feedback! Things needed to be discussed, I think (or at a later stage):
|
|
Awesome, do you want to join our slack for discussions? https://slack.ory.sh/ For transparency, here are some answers to your questions:
|
|
@zepatrik I'd love to pitch in and work on this with you. I too am working on a similar design after having read the Zanzibar paper. I'm also trying to get this type of architecture built and scaled up to work for an internal use case at my company. So I'd have plenty of time to work on it. I'd love to join the slack and collaborate with you weekly or bi-weekly. |
|
I would like to get this merged - what's the status on this? |
|
I updated the milestone: https://github.com/ory/keto/milestone/4 |
|
Yeah, I think that makes sense - setting up a legacy branch based on current master and then force-pushing the zanzibar branch. |
There was a problem hiding this comment.
- Update the introduction page https://github.com/ory/keto/blob/master/docs/docs/index.md
docs/docs/secure.md
Outdated
| access control on their own. Any request made to any Keto API is considered | ||
| authenticated, authorized, and is thus being executed. However, these endpoints | ||
| are very sensitive as they define who is allowed to do what in your system. | ||
|
|
||
| Please protect these endpoints using | ||
| [ORY Oathkeeper](https://github.com/ory/oathkeeper) or a comparable API Gateway. | ||
| [Ory Oathkeeper](https://github.com/ory/oathkeeper) or a comparable API Gateway. | ||
| How you protect them, is up to you. | ||
|
|
||
| If you require support for this, consider [asking us](mailto:hi@ory.sh). |
There was a problem hiding this comment.
Would probably link to GitHub discussions here instead
docs/sidebar.json
Outdated
| "engines/rbac", | ||
| "engines/acp-ory", | ||
| "engines/acp-aws" | ||
| "Concepts": [ |
docs/docs/configure-deploy.md
Outdated
| @@ -1,166 +0,0 @@ | |||
| --- | |||
| id: configure-deploy | |||
| title: Configure and Deploy | |||
There was a problem hiding this comment.
We have this document in all the other projects and it helps people understand how to wire things together. I think it makes sense to re-add and update this, even if it is similar to the Try Along. However, the try-along does not explain how to set up or connect the database, does not say anything about migrations, and so on.
Makefile
Outdated
| && \ | ||
| npm i \ | ||
| && \ | ||
| npm test |
There was a problem hiding this comment.
Please add a "make docker" target which builds the Dockerfile including SQLite!
Dockerfile
Outdated
| # | ||
| # $ packr; GO111MODULE=on GOOS=linux GOARCH=amd64 go build; docker build -t oryd/keto:latest .; rm keto; packr clean | ||
| FROM alpine:3.9 | ||
| FROM golang:1.16-alpine AS builder |
There was a problem hiding this comment.
Please follow the structure of https://github.com/ory/kratos/tree/master/.docker
The main Dockerfile is an empty container where goreleaser injects its binary into.
docs/docs/examples/cat-videos.mdx
Outdated
| # clone the repository if you don't have it yet | ||
| git clone git@github.com:ory/keto.git && cd keto | ||
|
|
||
| docker-compose -f contrib/cat-videos-example/docker-compose.yml up |
There was a problem hiding this comment.
This fails with several error messages, including the fallback URL.
docs/docs/concepts/namespaces.mdx
Outdated
| [namespace migration CLI reference](/TODO) and | ||
| [running in production guide](/TODO) to learn more about that process. |
There was a problem hiding this comment.
Update links, write migration guide.
docs/docs/concepts/namespaces.mdx
Outdated
|
|
||
| Ory Keto knows F438 the concept of namespaces to organize | ||
| [relation tuples](./relation-tuples). Namespaces have a configuration that | ||
| defines the relations, and some other important values ([see reference](/TODO)). |
docs/docs/concepts/namespaces.mdx
Outdated
| The namespaces' purpose is to split up the data into coherent partitions, each | ||
| with its corresponding configuration. Internally each namespace has its own | ||
| table in the database to allow setting individual | ||
| [storage specific options](/TODO). |
There was a problem hiding this comment.
Update links - basically just search for /TODO
internal/check/handler.go
Outdated
|
|
||
| // swagger:route GET /check read getCheck | ||
| // | ||
| // Check a relation tuple |
There was a problem hiding this comment.
NYT case for all swagger titles please :)
|
Is there a reason why |
This PR is an umbrella PR that keeps track of everything that goes into implementing a zanzibar-like next-gen Keto. It shows the current state of the zanzibar branch where the development happens. If you have general feedback/usecases/.... please let us know either in this PR or by opening an issue.