Upgrading from Hydra 0.9.15 => how to connect Hydra and Keto

We used Hydra 0.9.15 many years back and wanting to upgrade it to the latest version. We use the client credentials grant for our internal service to service communication, and used the /warden/token/allowed endpoint to verify tokens. Hence we manage Hydra policies with subjects and resources to control access between services.

However since Hydra 1.0, warden/policies have been moved out of Hydra and into Keto. So what should be our approach to upgrade Hydra to the latest and still maintain the warden capability? Can Hydra and Keto work together and how to hook them up?? Thank you!

Hey @johnwu96822, nice to see you back again! Yes, you can combine those two projects!

Hi @hackerman thanks for remembering me. I do need assistance in setting up the latest Hydra that uses Keto to determine whether a token as access to a resource. I will also need a way to migrate the current database to Hydra and Keto. Could you please provide me with any documentation or instructions? Thank you!

I found this https://github.com/ory/examples/commit/cf012f79f5e7e3f835fdd17af1346b361e4a4ed9#diff-7c871fb24f77979d302875614eb87cd95bdf492a8a3178f7abb700bcef250636 Will a similar setup still work with the latest versions of Hydra, Keto, and Oathkeeper?

Also found https://github.com/ory/hydra/blob/master/UPGRADE.md#upgrading-from-versions-v09x

Yes, the upgrade guides and changelings are the best source there. Unfortunately 0.9 is very old (2017) and lots has changed since then so I can’t really give you a lot of pointers on what to do. You could try following the upgrade guide one-by-one for each major release until you reach current 1.8, or, you could try and start from scratch. While some APIs changed, many of the concepts are still the ones established with 0.9 (e.g. the consent flow) and then, once that works, figure out a migration path for the database.

Hi @hackerman Any idea about the performance of Keto? Like how many requests per sec, memory footprint, and is it scalable with large number of policies? Thank you!

Unfortunately not, you would have to do your own testing!

Found this issue against opa https://github.com/open-policy-agent/opa/issues/1443

My own testing also revealed the same result, that Keto’s (with opa) lookup time is proportional to the size of the policy data.

I’ve no more questions. This topic can be closed. Thanks!!

1 Like