Merge branch 'dev' into feature/i18n

docker/ory/keto/namespaces.ts

@@ -2,6 +2,12 @@ import { Namespace, Subject, Context, SubjectSet } from "@ory/keto-definitions"
 
 class User implements Namespace {}
 
+class TenantGroup implements Namespace {
+  related: {
+    admins: User[]
+  }
+}
+
 class UserGroup implements Namespace {
   related: {
     members: User[]
@@ -19,17 +25,20 @@ class Tenant implements Namespace {
     admins: User[]
     members: User[]
     parent: Tenant[]
+    parent_group: TenantGroup[]
   }
 
   permits = {
     view: (ctx: Context): boolean =>
       this.related.members.includes(ctx.subject) ||
       this.related.admins.includes(ctx.subject) ||
-      this.related.parent.traverse((p) => p.permits.view(ctx)),
+      this.related.parent.traverse((p) => p.permits.view(ctx)) ||
+      this.related.parent_group.traverse((g) => g.related.admins.includes(ctx.subject)),
 
     manage: (ctx: Context): boolean =>
       this.related.admins.includes(ctx.subject) ||
-      this.related.parent.traverse((p) => p.permits.manage(ctx)),
+      this.related.parent.traverse((p) => p.permits.manage(ctx)) ||
+      this.related.parent_group.traverse((g) => g.related.admins.includes(ctx.subject)),
       
     create_subtenant: (ctx: Context): boolean =>
       this.permits.manage(ctx)

docker/ory/kratos/kratos.yml

@@ -13,6 +13,12 @@ serve:
     admin:
         base_url: http://localhost:4434/
 
+session:
+    cookie:
+        domain: hmac.kr
+        same_site: Lax
+        path: /
+
 selfservice:
     default_browser_return_url: http://localhost:5000/
     allowed_return_urls: