Oathkeeper: how to pass context to Keto


#1

How do I pass context from Oathkeeper to Keto? I need to check if a subject is the owner of a resource.


#2

I could check if the subject is an owner in my API code. However, I want to allow subjects that are part of the admin role to be able to do anything. I can't figure out how to check in Keto if a subject is part of the admin role without pulling all subjects a role contains via /engines/acp/ory/{flavor}/roles/{id} (which seems unscalable and inefficient).


#3

Ok, so here’s what I’m doing so far. Please let me know if there is a better approach.

I create an admin role that can access everything.

{
    "subjects": ["admin"],
    "resources": ["<.*>"],
    "effect": "allow",
    "actions": ["<.*>"]
}

In the api code I first check if the subject has access to the resource ‘any’ and the action ‘any’. If the subject does, I grant him access. If the subject does not, I check if the subject is the owner, in which case I grant him access.

The only danger with this approach is that any subject with resource 'any' and action 'any' will now be treated like an admin, even if they are not an admin.
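To make the flow in #3 and its pitfall concrete, here is an added example (editor's code, not code from the poster or from the Ory projects). It models Keto's legacy "regex" flavor in memory: `<...>` delimits a regex, everything else matches literally, roles expand to their members, deny overrides allow and the default is deny. The policy data, the `admin` role membership and the owner table are constructed sample data. `keto_allowed_request` only builds the path and body that the API would POST to Keto's `allowed` endpoint; it does not perform the call. The `carol` policy is included solely to show the danger the post describes, and `authorize_strict` is an alternative (my suggestion, not the poster's) that asks Keto about the concrete resource and action instead of the 'any'/'any' probe.

```python
import re
from dataclasses import dataclass

# --- a tiny stand-in for Keto's regex-flavor access control policies ---------

@dataclass
class Policy:
    subjects: list
    resources: list
    actions: list
    effect: str  # "allow" or "deny"


def _template(pattern: str) -> re.Pattern:
    """Compile a Keto regex-flavor template: literal text outside <...>, regex inside."""
    parts = re.split(r"<(.*?)>", pattern)
    body = "".join(part if i % 2 else re.escape(part) for i, part in enumerate(parts))
    return re.compile("^" + body + "$")


def _matches(patterns, value: str) -> bool:
    return any(_template(p).match(value) for p in patterns)


class PolicyEngine:
    """Evaluates policies the way the post relies on Keto doing it (assumption: deny wins, default deny)."""

    def __init__(self, policies, roles):
        self.policies = policies
        self.roles = roles  # role id -> set of member subject ids

    def _subject_ids(self, subject):
        # The subject itself plus every role it belongs to; policies may name either.
        return {subject} | {r for r, members in self.roles.items() if subject in members}

    def allowed(self, subject, resource, action) -> bool:
        ids = self._subject_ids(subject)
        decision = False
        for p in self.policies:
            if not (_matches(p.resources, resource) and _matches(p.actions, action)):
                continue
            if not any(_matches(p.subjects, sid) for sid in ids):
                continue
            if p.effect == "deny":
                return False  # an explicit deny overrides any allow
            decision = True
        return decision


def keto_allowed_request(flavor, subject, resource, action, context=None):
    """Path and JSON body the API would POST to Keto's legacy 'allowed' endpoint (not sent here)."""
    body = {"subject": subject, "resource": resource, "action": action}
    if context:
        body["context"] = context
    return f"/engines/acp/ory/{flavor}/allowed", body


# --- the API-side decision from the post ------------------------------------

def authorize(engine, subject, resource, action, owners) -> str:
    """Post #3 flow: probe 'any'/'any' for admin, otherwise fall back to ownership."""
    if engine.allowed(subject, "any", "any"):
        return "admin"
    if owners.get(resource) == subject:
        return "owner"
    return "denied"


def authorize_strict(engine, subject, resource, action, owners) -> str:
    """Alternative: ask Keto about the concrete resource/action, then fall back to ownership."""
    if engine.allowed(subject, resource, action):
        return "policy"
    if owners.get(resource) == subject:
        return "owner"
    return "denied"


# Constructed sample data modelled on the post's admin policy.
POLICIES = [
    Policy(["admin"], ["<.*>"], ["<.*>"], "allow"),      # the admin policy from the post
    Policy(["carol"], ["any"], ["any"], "allow"),        # the pitfall: covers 'any'/'any' but is not admin
    Policy(["bob"], ["doc:<[0-9]+>"], ["read"], "allow"),
]
ROLES = {"admin": {"alice"}}   # alice is a member of the admin role
OWNERS = {"doc:1": "bob"}      # resource -> owner subject
ENGINE = PolicyEngine(POLICIES, ROLES)

if __name__ == "__main__":
    for subj, res, act in [("alice", "doc:9", "delete"), ("bob", "doc:1", "delete"),
                           ("bob", "doc:2", "delete"), ("carol", "doc:1", "delete")]:
        print(subj, res, act, "->", authorize(ENGINE, subj, res, act, OWNERS),
              "/ strict:", authorize_strict(ENGINE, subj, res, act, OWNERS))
```

Running the block prints that `alice` is an admin everywhere, `bob` is an owner on `doc:1` only, and `carol` is treated as an admin by the 'any'/'any' probe although her policy grants nothing else; the strict variant denies her `delete` on `doc:1` because no policy matches that concrete resource and action.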