3단계 권한 모델 확장, keto 권한 정책

2026-02-03 14:21:37 +09:00
parent 6dbdd5d483
commit d09abab5a2
24 changed files with 1071 additions and 141 deletions
--- a/docker/ory/keto/keto.yml
+++ b/docker/ory/keto/keto.yml
@@ -9,7 +9,7 @@ serve:
    port: 4467

 namespaces:
-  location: file:///etc/config/keto/namespaces.yml
+  location: file:///etc/config/keto/namespaces.ts

 log:
  level: debug
--- a/docker/ory/keto/namespaces.ts
+++ b/docker/ory/keto/namespaces.ts
@@ -0,0 +1,53 @@
+import { Namespace, Subject, Context, SubjectSet } from "@ory/keto-definitions"
+
+class User implements Namespace {}
+
+class Tenant implements Namespace {
+  related: {
+    admins: User[]
+    members: User[]
+    parent: Tenant[]
+  }
+
+  permits = {
+    view: (ctx: Context): boolean =>
+      this.related.members.includes(ctx.subject) ||
+      this.related.admins.includes(ctx.subject) ||
+      this.related.parent.traverse((p) => p.permits.view(ctx)),
+
+    manage: (ctx: Context): boolean =>
+      this.related.admins.includes(ctx.subject) ||
+      this.related.parent.traverse((p) => p.permits.manage(ctx)),
+      
+    create_subtenant: (ctx: Context): boolean =>
+      this.permits.manage(ctx)
+  }
+}
+
+class RelyingParty implements Namespace {
+  related: {
+    owners: User[]
+    parent_tenant: Tenant[]
+  }
+
+  permits = {
+    view: (ctx: Context): boolean =>
+      this.related.owners.includes(ctx.subject) ||
+      this.related.parent_tenant.traverse((t) => t.permits.view(ctx)),
+
+    manage: (ctx: Context): boolean =>
+      this.related.owners.includes(ctx.subject) ||
+      this.related.parent_tenant.traverse((t) => t.permits.manage(ctx))
+  }
+}
+
+class System implements Namespace {
+  related: {
+    super_admins: User[]
+  }
+
+  permits = {
+    manage_all: (ctx: Context): boolean =>
+      this.related.super_admins.includes(ctx.subject)
+  }
+}