
fix: Keto 연결 설정 오류 수정 및 ReBAC 권한 상속 정책 추가 #239

2026-02-11 10:58:10 +09:00
parent 4ef7ab78e2
commit 10aa6f837f
4 changed files with 18 additions and 2 deletions


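--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -88,6 +88,8 @@ HYDRA_VERSION=v25.4.0-distroless
 # Ory Keto Configuration
 KETO_VERSION=v25.4.0-distroless
+KETO_READ_URL=http://localhost:4466
+KETO_WRITE_URL=http://localhost:4467
 # KETO_READ_PORT=4466 # Internal only
 # KETO_WRITE_PORT=4467 # Internal only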
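Review bot: The two `# Internal only` comments on the last lines of the hunk now contradict the URLs added directly above them, which point at `localhost:4466` and `localhost:4467`, i.e. ports reachable from the host, and the compose change in this same commit publishes both ports on the host. If the localhost URLs are meant only for running the application outside compose (the container path defaults to `http://keto:4466`/`http://keto:4467` elsewhere in this commit), say so next to them, e.g. `# Host-side URLs for running the app outside compose; in-compose default is http://keto:4466`. Otherwise the `Internal only` wording should be updated to match what the compose file actually exposes.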


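--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -121,6 +121,9 @@ services:
   keto:
     image: oryd/keto:${KETO_VERSION:-v25.4.0}
     container_name: ory_keto
+    ports:
+      - "4466:4466" # Read API
+      - "4467:4467" # Write API
     environment:
       - DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
     volumes: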
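Review bot: The new `ports:` entries publish Keto's read and write APIs on every host interface, while the `.env` comments in this same commit still label both ports `Internal only` and the application container reaches Keto over the compose network through its `http://keto:4466`/`http://keto:4467` defaults, so the host mapping is not needed for the application path. Keto's write API has no authentication of its own, so any process or peer that can reach the published 4467 port can add or delete relation tuples, which is the permission model itself. If host access is only wanted for local tooling, bind to loopback: `- "127.0.0.1:4466:4466" # Read API` and `- "127.0.0.1:4467:4467" # Write API`; if it is not needed at all, drop the `ports:` block and keep the ports compose-internal as the comments describe. The `keto` service definition continues past the end of the hunk.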


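--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -23,6 +23,8 @@ services:
       - KRATOS_ADMIN_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
       - HYDRA_ADMIN_URL=${HYDRA_ADMIN_URL:-http://hydra:4445}
       - HYDRA_PUBLIC_URL=${HYDRA_PUBLIC_URL:-http://hydra:4444}
+      - KETO_READ_URL=${KETO_READ_URL:-http://keto:4466}
+      - KETO_WRITE_URL=${KETO_WRITE_URL:-http://keto:4467}
       - DB_HOST=postgres
       - CLICKHOUSE_HOST=clickhouse
       - CLICKHOUSE_PORT=${CLICKHOUSE_PORT_NATIVE:-9000}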


@@ -2,6 +2,12 @@ import { Namespace, Subject, Context, SubjectSet } from "@ory/keto-definitions"
class User implements Namespace {} class User implements Namespace {}
class TenantGroup implements Namespace {
related: {
admins: User[]
}
}
class UserGroup implements Namespace { class UserGroup implements Namespace {
related: { related: {
members: User[] members: User[]
@@ -19,17 +25,20 @@ class Tenant implements Namespace {
admins: User[] admins: User[]
members: User[] members: User[]
parent: Tenant[] parent: Tenant[]
parent_group: TenantGroup[]
} }
permits = { permits = {
view: (ctx: Context): boolean => view: (ctx: Context): boolean =>
this.related.members.includes(ctx.subject) || this.related.members.includes(ctx.subject) ||
this.related.admins.includes(ctx.subject) || this.related.admins.includes(ctx.subject) ||
this.related.parent.traverse((p) => p.permits.view(ctx)), this.related.parent.traverse((p) => p.permits.view(ctx)) ||
this.related.parent_group.traverse((g) => g.related.admins.includes(ctx.subject)),
manage: (ctx: Context): boolean => manage: (ctx: Context): boolean =>
this.related.admins.includes(ctx.subject) || this.related.admins.includes(ctx.subject) ||
this.related.parent.traverse((p) => p.permits.manage(ctx)), this.related.parent.traverse((p) => p.permits.manage(ctx)) ||
this.related.parent_group.traverse((g) => g.related.admins.includes(ctx.subject)),
create_subtenant: (ctx: Context): boolean => create_subtenant: (ctx: Context): boolean =>
this.permits.manage(ctx) this.permits.manage(ctx)