Oathkeeper how to pass context to Keto

How do I pass context from Oathkeeper to Keto? I need to check if a subject is the owner of a resource.

I could check if the subject is an owner in my api code. However, I want to allow subjects that are part of the admin role to be able to do anything. I can’t figure out how to check in keto if a subject is part of the admin role without pulling all subjects a role contains /engines/acp/ory/{flavor}/roles/{id} (which seems unscalable and inefficient).

Ok, so here’s what I’m doing so far. Please let me know if there is a better approach.

I create an admin role that can access everything.

{
    "subjects": ["admin"],
    "resources": ["<.*>"],
    "effect": "allow",
    "actions": ["<.*>"]
}

In the api code I first check if the subject has access to the resource ‘any’ and the action ‘any’. If the subject does, I grant him access. If the subject does not, I check if the subject is the owner, in which case I grant him access.

The only danger with this approach is that any subject with a resource ‘any’ and action ‘any’ will now be treated like an admin, even if they are not an admin.
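An added example (not code from the thread or from ORY) of the two-step check described in this post. It uses an in-memory stand-in for Keto's allowed check, evaluating the same `<regex>` policy syntax, plus an HTTP client whose endpoint path `/engines/acp/ory/{flavor}/allowed` is an assumption; the constructed policy for `users:bob` is there only to show the caveat about broad non-admin policies.

```python
import json
import re
import urllib.request
from typing import Callable

# Constructed sample policies: the post's admin policy, an owner policy for maria,
# and a deliberately broad non-admin policy that triggers the caveat from the post.
POLICIES = [
    {"subjects": ["admin"], "resources": ["<.*>"], "actions": ["<.*>"], "effect": "allow"},
    {"subjects": ["users:maria"], "resources": ["resources:articles:<.*>"],
     "actions": ["delete", "create", "update"], "effect": "allow"},
    {"subjects": ["users:bob"], "resources": ["<.*>"], "actions": ["<.*>"], "effect": "allow"},
]

def _keto_pattern(template: str):
    """Compile Keto's '<regex>' template syntax: text outside <...> is literal."""
    out, i = "", 0
    for m in re.finditer(r"<([^>]*)>", template):
        out += re.escape(template[i:m.start()]) + m.group(1)
        i = m.end()
    return re.compile("^" + out + re.escape(template[i:]) + "$")

def fake_keto_allowed(subject: str, resource: str, action: str) -> bool:
    """In-memory stand-in for Keto's allowed check (assumes no deny policies exist)."""
    for p in POLICIES:
        if (any(_keto_pattern(s).match(subject) for s in p["subjects"])
                and any(_keto_pattern(r).match(resource) for r in p["resources"])
                and any(_keto_pattern(a).match(action) for a in p["actions"])):
            return p["effect"] == "allow"
    return False

def keto_http_allowed(base_url: str, flavor: str = "regex") -> Callable[[str, str, str], bool]:
    """Real client for a running Keto; the endpoint path and JSON shape are assumptions."""
    def allowed(subject: str, resource: str, action: str) -> bool:
        body = json.dumps({"subject": subject, "resource": resource, "action": action}).encode()
        req = urllib.request.Request(f"{base_url}/engines/acp/ory/{flavor}/allowed", data=body,
                                     headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            return bool(json.load(resp).get("allowed"))
    return allowed

def authorize(subject: str, resource: str, action: str, owner: str,
              keto_allowed: Callable[[str, str, str], bool] = fake_keto_allowed) -> str:
    """The post's two-step check: probe 'any'/'any' first, then the owner rule; returns which rule fired."""
    if keto_allowed(subject, "any", "any"):
        return "allow:admin-probe"   # also fires for users:bob, who is not an admin
    if subject == owner:
        return "allow:owner"
    return "deny"
```

Pass `keto_allowed=keto_http_allowed("http://keto:4466")` to run the same logic against a real Keto instead of the in-memory policies.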

I have a similar issue.
I simply want to check if the subject accessing the resource is its owner like
/someResource/{userId} should only be accessible for {userId}.

I tried this with the subject condition
{
    "description": "One policy to rule them all.",
    "subjects": ["users:maria"],
    "actions": ["delete", "create", "update"],
    "effect": "allow",
    "resources": ["resources:articles:<.*>"],
    "conditions": {
        "owner": {
            "type": "EqualsSubjectCondition",
            "options": {}
        }
    }
}

But for this to work I need to be able to construct an owner in Oathkeeper and pass it in the context to Keto. So far I didn’t find a solution for that. And seeing the code ref below makes me think it is not possible to define a context in Oathkeeper.

I too am having an issue with this. I can create a policy in Keto to require some context, and I can manually pass in a request via curl/Postman with that context (example below):

{
    "action": "create",
    "resource": "resources:test-resource",
    "subject": "subjects:id-12345",
    "context": {
        "test": "value"
    }
}

This works fine, but I’m not able to build that context with Oathkeeper in any way that I can see, and the request fails because of it.

Is there any way to pass in a context from oathkeeper currently? Or will there be in the future? This seems like a rather large part of using Oathkeeper to authorize that doesn’t work unless I’m missing how to pass the context somewhere.