Upgrading from Hydra 0.9.15 => how to connect Hydra and Keto

johnwu96822 · October 14, 2020, 5:36pm

We used Hydra 0.9.15 many years back and wanting to upgrade it to the latest version. We use the client credentials grant for our internal service to service communication, and used the /warden/token/allowed endpoint to verify tokens. Hence we manage Hydra policies with subjects and resources to control access between services.

However since Hydra 1.0, warden/policies have been moved out of Hydra and into Keto. So what should be our approach to upgrade Hydra to the latest and still maintain the warden capability? Can Hydra and Keto work together and how to hook them up?? Thank you!

hackerman · October 14, 2020, 12:19pm

Hey @johnwu96822, nice to see you back again! Yes, you can combine those two projects!

johnwu96822 · October 14, 2020, 4:44pm

Hi @hackerman thanks for remembering me. I do need assistance in setting up the latest Hydra that uses Keto to determine whether a token as access to a resource. I will also need a way to migrate the current database to Hydra and Keto. Could you please provide me with any documentation or instructions? Thank you!

johnwu96822 · October 14, 2020, 10:43pm

I found this https://github.com/ory/examples/commit/cf012f79f5e7e3f835fdd17af1346b361e4a4ed9#diff-7c871fb24f77979d302875614eb87cd95bdf492a8a3178f7abb700bcef250636 Will a similar setup still work with the latest versions of Hydra, Keto, and Oathkeeper?

Also found https://github.com/ory/hydra/blob/master/UPGRADE.md#upgrading-from-versions-v09x

hackerman · October 16, 2020, 9:04am

Yes, the upgrade guides and changelings are the best source there. Unfortunately 0.9 is very old (2017) and lots has changed since then so I can’t really give you a lot of pointers on what to do. You could try following the upgrade guide one-by-one for each major release until you reach current 1.8, or, you could try and start from scratch. While some APIs changed, many of the concepts are still the ones established with 0.9 (e.g. the consent flow) and then, once that works, figure out a migration path for the database.

johnwu96822 · October 19, 2020, 5:35pm

Hi @hackerman Any idea about the performance of Keto? Like how many requests per sec, memory footprint, and is it scalable with large number of policies? Thank you!

hackerman · October 20, 2020, 11:01am

Unfortunately not, you would have to do your own testing!

johnwu96822 · November 10, 2020, 10:10am

Found this issue against opa https://github.com/open-policy-agent/opa/issues/1443

My own testing also revealed the same result, that Keto’s (with opa) lookup time is proportional to the size of the policy data.

I’ve no more questions. This topic can be closed. Thanks!!