일반 사용자의 DevFront 접근 및 RP 관리자 권한 연동

2026-04-20 14:16:24 +09:00
parent 51e46a4d00
commit e15de6d334
12 changed files with 570 additions and 182 deletions
--- a/docker/ory/keto/namespaces.ts
+++ b/docker/ory/keto/namespaces.ts
@@ -63,6 +63,7 @@ class RelyingParty implements Namespace {
    access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
    creator: (User | SubjectSet<System, "super_admins">)[]
    config_editor: (User | SubjectSet<System, "super_admins">)[]
+    secret_viewer: (User | SubjectSet<System, "super_admins">)[]
    secret_rotator: (User | SubjectSet<System, "super_admins">)[]
    jwks_viewer: (User | SubjectSet<System, "super_admins">)[]
    jwks_operator: (User | SubjectSet<System, "super_admins">)[]
@@ -77,6 +78,7 @@ class RelyingParty implements Namespace {
    view: (ctx: Context): boolean =>
      this.related.admins.includes(ctx.subject) ||
      this.related.config_editor.includes(ctx.subject) ||
+      this.related.secret_viewer.includes(ctx.subject) ||
      this.related.secret_rotator.includes(ctx.subject) ||
      this.related.jwks_viewer.includes(ctx.subject) ||
      this.related.jwks_operator.includes(ctx.subject) ||
@@ -101,6 +103,11 @@ class RelyingParty implements Namespace {
      this.related.config_editor.includes(ctx.subject) ||
      this.permits.manage(ctx),

+    view_secret: (ctx: Context): boolean =>
+      this.related.secret_viewer.includes(ctx.subject) ||
+      this.permits.rotate_secret(ctx) ||
+      this.permits.manage(ctx),
+
    rotate_secret: (ctx: Context): boolean =>
      this.related.secret_rotator.includes(ctx.subject) ||
      this.permits.manage(ctx),