CHANGELOG.md

File metadata and controls

2517 lines (2034 loc) · 119 KB

Changelog

0.0.0 (2024-07-04)

Bug Fixes

  • Add not to docs (#1530) (3b3b768)

  • Missing persister when initializing without network (#1525) (e675d5b):

    • fix: missing persister when initializing without network
    • chore: ignore CVE-2024-3154
  • Typo in error message (#1520) (4a35588)

Features

  • Add ContextKeyDialFunc (#1534) (567ceb9)

  • Add grpc server opts config (#1524) (7278e44):

    • feat: add grpc server opts config
    • chore: bump base image
    • chore: temp ignore cve
  • Add Inspect option to registry (#1523) (213cfa5):

    • chore: add alnr to codeowners
    • feat: add Inspect option

0.13.0-alpha.0 (2024-02-27)

autogen(docs): regenerate and update changelog

[skip ci]

Code Generation

  • docs: Regenerate and update changelog (c756958):

    [skip ci]

0.12.0-alpha.0 (2024-02-01)

Improves performance, SDKs, and resolves minor issues.

Bug Fixes

  • Add width limit when expanding subject-sets in checks (#1433) (f1317da):

    This change limits the max width that can be expanded during checks. An integration that runs into this limit would previously likely have timed out. A correct integration should not run into this limit.

  • Config schema (generated) (#1502) (e7faf48)

  • Incorrect error return (#1332) (fc09573)

  • Missing block flag on migrate status (#1432) (040b3db)

  • Postgres docker-compose startup (#1295) (a4218d7):

    • Fix starting docker-compose-postgres.yml
    • bump docker image version
    • make format
  • Reduce SQL tracing noise (#1301) (b1cf198)

  • Sqa config values unified across projects (#1315) (0b9baed)

  • Sqa write key for correct product (#1297) (23ccef8)

  • Use correct tracer in middleware (#1373) (2bc4901)

  • Validate that namespace ID is int32 (#1278) (d093b37)

Code Generation

  • Pin v0.12.0-alpha.0 release commit (4b40e18)

Documentation

  • Fix multiline comments from proto files breaking tables (#1431) (ef9132d):

    • Add markdown.tmpl file for bufbuild
    • fix typo

    Signed-off-by: Cléo Rebert [email protected]

    • docs: add issue reference

Features

  • Add distroless (#1348) (f0839ee):

    • feat: add distroless
    • Update Dockerfile-build
    • Update Dockerfile-distroless-static
  • Add flag to block until migrations are done (#1380) (129902b)

  • Add tracing to fetcher (#1294) (4ffb7bc):

    • feat: add tracing to fetcher
    • rerun CI
  • Allow extra database migrations (#1365) (d3b62a9)

  • Cache OPL when loading from HTTP(S) (#1429) (b89ce02)

  • Clearer error messages when not using block (#1393) (a3b5494):

    • feat: clearer error messages when not using block
    • don't time out if block is used
    • consolidate block flag into grpc client package
    • respect timeout context key
    • remove flake test by changing port manipulation in test
    • fix case=timeout,noblock status test
    • remove flakiness by reducing timeout to micro
  • Enable GRPC metrics (#1302) (91c12c9):

    • feat: enable GRPC metrics
    • fix: test and server registration
    • fix: GRPC metrics
    • fix: clean up for PR
  • Improve emitting of events (#1314) (5028c75):

    • feat: improve emitting of events
    • rename event constants
    • move events package
    • refactor event emitting
  • Sqa metrics v2 (#1335) (a115e15)

  • Upgrade grpc buf generator (#1507) (872b118)

  • Write to UUID mapper and relation tuples in one SQL transaction (#1340) (eeeecf6):

    • fix: lint
    • feat: wrap an SQL transaction around the UUID mapper's and the relation tuple manager's write operations

0.11.1-alpha.0 (2023-03-09)

This release includes small fixes and improvements.

Bug Fixes

  • Return meaningful status code when relation is not known (#1275) (1fef45a)
  • Subject expansion is terminated unexpectedly (#1256) (f88a479)

Code Generation

  • Pin v0.11.1-alpha.0 release commit (db5c007)

0.11.0-alpha.0 (2023-02-23)

This release includes a ton of bugfixes, especially around the Ory Permission Language and language parser.

Also, we started a greater effort to drastically improve latency, currently by introducing an experimental strict mode that reduces the number of SQL queries performed during checks. This is experimental to allow adjusting its behavior in a breaking manner, but it is ready for production usage. Do expect a non-stable behavior over the next releases. Any breaking behavior will be properly documented. Further, we also optimized some of the non-strict queries.

Code Generation

  • Pin v0.11.0-alpha.0 release commit (7f1f580)

autogen: pin v0.11.0-alpha.0.pre.1 release commit

Bug Fixes

  • Allow comments in more places in OPL (#1117) (5f89fcf), closes #1116

  • Do not insert UUID mappings on readonly APIs (#1190) (a86db70):

    Endpoints that do not mutate the database (such as list or check) now use a read-only version of the UUID mapper that does not write the mapping to the database (as all relevant mapping information is already mapped).

  • Docs broken links (#1254) (e646380):

    • fix: docs broken links
    • fix: edit proto files to fix links
  • More robust parser (d38e006)

  • More robust query counting (#1218) (4503a74)

  • Only type-check if there are no parser errors (b4bef07):

    Type checks are not particularly useful on partially parsed input.

  • Panic with unknown subject set during expand (#1139) (1f3c568)

  • Properly lex imports in OPL (#1041) (26944e9)

  • Race condition (05ec2da)

  • Race condition in setup (#1107) (07dfce7)

  • Recover from panics in gRPC server (#1149) (3e38d13):

    Panics in the gRPC server now result in codes.Internal being returned, instead of killing the server.

  • Relative file URL parsing (#1145) (03cac63)

  • Relax OPL parsing (#1059) (a15c5ad):

    • Allow semicolons in more places
    • Allow commas in more places
  • Tiny stuff (#1211) (719a7d5):

    • fix: tracing in persistence.sql.TraverseSubjectSetRewrite
    • fix: incorrect HTTP return code
  • Trace SQL in TraverseSubjectSetExpansion (#1242) (8968451)

  • Tune error message (b51d215)

  • Use resilient HTTP client (e431978)

  • Validate subjects before mapping (#1039) (71b30c4)

Code Generation

  • Pin v0.11.0-alpha.0.pre.1 release commit (3fb1ca5)

Documentation

  • Add getting started guide to readme (#1094) (e3b88d2)

  • Adds JSDoc to the npm package '@ory/keto-namespace-types' (#1136) (b582375)

  • Allow $schema key in config.schema.json (#1083) (333af27)

  • Fix invalid link (#1072) (2686e98)

  • Fix quickstart up.sh (#1158) (30a74c6):

    Added --insecure-disable-transport-security flag to all client commands.

  • Improve rewrites example (d809c76)

  • Standardize license headers (#1061) (6c0e1ba)

  • Update README content and links (#1043) (7aacf0d)

Features

  • Add API to list namespaces (a8d8767)

  • Add libfuzzer for parser (05c9a01)

  • Add option to add custom health checks (#1225) (3399f60)

  • Allow loading OPL configs from base64 URLs (640abc1)

  • Allow permits referencing permits (c4d84f6):

    You can now use this.permits.<permission>(ctx) to reference another permission in a permission declaration.

    Example:

    comment: (ctx: Context) => this.permits.read(ctx)
    
  • Allow quoting object keys in OPL (081d834)

  • Allow setting the authority header in the CLI (17f10ef)

  • Emit events through tracing (#1244) (70dd8be)

  • Expose function to generate OPL (#1057) (b80a230)

  • Expose OPL syntax check API (57ff639)

  • Faster SQL queries for checks and strict check mode (#1171) (8e07890):

    With this change we introduce an experimental strict mode that drastically reduces the number of SQL queries performed during checks. This is experimental to allow adjusting its behavior in a breaking manner, but it is ready for production usage. Also some of the non-strict queries are optimized.

  • Handle HTTP config locations (6571bae)

  • Improve tracing (#1169) (64dc85e)

  • Rename to Ory Network (#1081) (3fe1d68)

  • Return bad request on DELETE body (#1219) (195182c)

  • Support Array<> syntax in type decl (#1152) (c4c456b):

    You can now use Array<T> as an alternative to T[] when declaring types for relations in the Ory Permission Language.

  • Support semicolons in types (#1151) (a06eda7), closes #1135

Unclassified

  • ci: authenticate nancy action (#1239) (137fe6b), closes #1239

0.10.0-alpha.0 (2022-09-27)

This release ships the long-awaited Ory Permission Language (a.k.a. userset-rewrites) 🎉. You can now define global 🌍 rules for permissions, like "every user who is an owner also has read access", and many more. Best of all, you don't have to learn a new language to express these rules, but instead just use a subset of TypeScript. Therefore syntax highlighting, formatting tools, linters, unit test frameworks, ... work out of the box 📦! We will give a talk 🗣️ about how we ended up with this solution at the Ory Summit, so make sure to sign up or watch the recording on YouTube later. Start exploring the Ory Permission Language by following our guide 📖. This is only the shiniest ✨ feature we packed into this release; see the full changelog for all the other fixes and features we included.

Bug Fixes

  • Concurrency-safe graph utils (ea9dda9)

  • Correct paths in TypeScript SDK (#1025) (8b30508)

  • Do not setup /etc/nsswitch.conf on alpine (1f9fa96):

    Go fixed the initial issue and does not rely on that file anymore, see golang/go#35305

  • Race in serve metrics init (5f4c19b)

  • Remove check constraint (54c00c3):

    Tests now use the new httpclient to properly handle empty strings vs strings (where the value is omitted in the JSON request).

  • Request metrics (#1007) (96ff767):

    httprequest* metrics contain data related only to /metrics/prometheus endpoint. This commit adds endpoints from non-monitoring routers.

    • fix: register read and write routers with PrometheusManager
    • fix: register read and write routers with PrometheusManager p2
    • fix: register read and write routers with PrometheusManager p3
    • feat: grpc request metrics
    • chore: add test
    • chore: revert gRPC metric test
    • chore: re-trigger ci
    • chore: re-trigger ci
    • chore: re-trigger ci
    • fix: lint
    • fix: cve
  • Sdk generation (acc1546):

    • fix: better error handling
    • chore: remove old httpclient
  • Use TLS in gRPC client (#988) (b1ffd6b):

    Enable TLS and certificate checking in the gRPC client when communicating with remote hosts.

  • Uuid mapping migration paginates (3a5fb2c)

  • Validate tuples for non-nil subject (a22dd19)

Code Generation

  • Pin v0.10.0-alpha.0 release commit (52259a3):

    Bumps from v0.10.0-alpha.0.pre.0

  • Pin v0.10.0-alpha.0.pre.1 release commit (2a63481)

Code Refactoring

  • Generalize tree structure (6a0b2fe):

    This will allow reusing the tree to provide debug info on how a check decision was reached.

Documentation

  • Add initial documentation example for rewrites (065ce46)
  • Fix version meta schema (b054b24)

Features

  • Add bearer token auth (5110f63)

  • Configure subject-set rewrites (0ce1519):

    The subject-set rewrites can now be configured through the Ory Permission Language (OPL), which is a subset of TypeScript. The OPL config is referenced in the central configuration under namespaces as such:

    [...]
    namespaces:
      location: <location>
    [...]
    

    The location can be any valid file, directory or URI.

  • Fine-grained control over transport security (5f056b7):

    This adds two new flags to the Keto CLI:

    • --insecure-disable-transport-security: Use plaintext instead of TLS
    • --insecure-skip-hostname-verification: Use TLS, but do not verify the certificate

    By default, the Keto CLI now connects to the remote via TLS and verifies the hostname.

  • OPL typescript library on npm (446fe7d)

  • Simpler notation for subjects w/o relation (ec979df)

  • Subject-set rewrites (6f61af8)

  • Support subject sets in check (1760459)

Tests

  • Add cases for checking subject sets (93aee83), closes #985

0.9.0-alpha.0 (2022-08-01)

This release ships a few changes in the API paths. Requests and responses were not changed. However, we did A LOT of internal refactoring and improvements on the persistence layer. Some naming in the SDKs changed; it is a lot cleaner now. One important change is that we removed the single table migrator. From now on, to migrate from v0.6.0-alpha.1, please first migrate the legacy namespaces using v0.8.0-alpha.2. We also overhauled the whole persistence structure to ensure high scalability. This means that the migration might take a bit longer than usual, so please test the process first on a backup or staging environment. For all the details, check out the full changelog.

Breaking Changes

keto namespace migrate ... commands were removed. To migrate from v0.6.0-alpha.1, please first migrate the legacy namespaces using v0.8.0-alpha.2.

The protobuf API was bumped to v1alpha2. Please upgrade your client dependency to that version. v1alpha1 is still supported for now, but might be dropped soon.

Some payload keys are now required, and others are no longer required. The generated SDKs will likely have breaking changes.

Co-authored-by: Patrik [email protected]

Co-authored-by: hperl [email protected]

/check is now /relation-tuples/check

/expand is now /relation-tuples/expand

/relation-tuples is now /admin/relation-tuples for write APIs

gRPC package is now called ory.keto.relation_tuples.v1alpha2

gRPC relation-tuple-delta action enum names are prefixed with ACTION_

Bug Fixes

  • cli: Make flag registration non-racy (8415ced)
  • Enable telemetry by default (9dc8c7c)
  • Hide relation tuples with deleted namespace (cb1a2dd)

Code Generation

  • Pin v0.9.0-alpha.0 release commit (6a13898)

Code Refactoring

  • API paths (#862) (d29d42c):

    This change refactors the API paths to be consistent with the rest of the Ory ecosystem. This step is required for the unified Ory SDK. Additionally, as we plan to add high-level APIs, e.g. for RBAC, the check and expand API paths changed to allow adding those.

  • Change pagination to use keyset pagination (7b861c9):

    The page token now is the last ID of the previous page. This enables faster queries and more stable pagination. NOTE: in case an integration modified page tokens to control pagination, this change will break the integration. Page tokens are opaque strings and should never be messed with.

Features

  • Add check endpoints that do not mirror status code (#853) (07d0fbd)

  • Add reverse lookup indices (#875) (25af263)

  • Add spec for namespace configs (3d61b1c):

    Co-authored-by: hackerman [email protected]

  • Make sensitive log value redaction text configurable (#860) (b8b1d81)

  • Map strings to UUIDs (#809) (#840) (add6577):

    With this change Keto now maps strings to UUIDv5 on the storage layer. This change allows unlimited strings to be used while maintaining good performance. Further, it reduces the likelihood of database hot-spots. The migration that applies this mapping might take some time, so please confirm that your migration strategy works for you.

  • Metric names same as for Kratos (315ff41)

  • tracing: Improved tracing for persisters and requests (#878) (eb62c50)

  • tracing: Switch to opentelemetry (#861) (31f38ed)

Tests

  • Remove double dockertest cleanup (0bfb10e)
  • Use isolated databases to parallelize all tests (bc09032)

0.8.0-alpha.2 (2022-03-04)

Mainly fixes the SDKs.

Bug Fixes

  • Config schema required and additional properties (#848) (6230227)

Code Generation

  • Pin v0.8.0-alpha.2 release commit (be5cffd)

Documentation

  • Change oathkeeper to keto in openapi meta (9cb0b98)

0.8.0-alpha.1 (2022-02-22)

This is merely a cleanup release to fix automation issues.

Code Generation

  • Pin v0.8.0-alpha.1 release commit (6daf88b)

0.8.0-alpha.0 (2022-02-10)

Ory Keto v0.8.0-alpha.0 mainly ships internal improvements next to one bigger, possibly breaking feature. With PR #799 Keto now supports bulk deletion of relation-tuples. For gRPC clients we added a new rpc, while in the REST world we had to change the behavior of the existing delete handler.

IT NOW DELETES ALL MATCHING TUPLES.

Example:

curl -X DELETE "https://keto.local/relation-tuples?subject_id=foo"

will delete all relation tuples that have the subject ID foo, even across namespaces. Passing empty strings is equivalent to not setting a value. Please test your integrations on a copy of your database before rolling out the update.

If you don't use that REST endpoint, you are on the safe side.
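A client-side guard for the bulk delete described above, added here as an illustration and not part of Keto or this changelog: it builds the DELETE URL only when at least one filter is non-empty (empty strings count as unset, as the note says) and, unless the caller opts in, only when a namespace is pinned. The parameter names other than subject_id (namespace, object, relation, subject_set.*) are assumed from Keto's REST API of this release.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed example, not Keto's client code: a guard for the v0.8.0-alpha.0
// bulk DELETE /relation-tuples endpoint, which removes every tuple matching
// the query and treats an empty string exactly like an unset parameter.
// Parameter names other than subject_id are assumed from the REST API.

// DeleteFilter holds the optional query parameters of a bulk delete.
type DeleteFilter struct {
	Namespace, Object, Relation, SubjectID string
	// A subject set filter; all three parts are needed to be meaningful.
	SubjectSetNamespace, SubjectSetObject, SubjectSetRelation string
}

var (
	ErrUnboundedDelete  = errors.New("refusing bulk delete: no non-empty filter, this would delete every relation tuple")
	ErrMissingNamespace = errors.New("refusing bulk delete: filter spans all namespaces; set Namespace or opt in explicitly")
)

// params keeps only non-empty values, so the URL never carries a parameter
// the server would ignore anyway (whitespace-only values are dropped too).
func (f DeleteFilter) params() url.Values {
	v := url.Values{}
	set := func(key, val string) {
		if strings.TrimSpace(val) != "" {
			v.Set(key, val)
		}
	}
	set("namespace", f.Namespace)
	set("object", f.Object)
	set("relation", f.Relation)
	set("subject_id", f.SubjectID)
	set("subject_set.namespace", f.SubjectSetNamespace)
	set("subject_set.object", f.SubjectSetObject)
	set("subject_set.relation", f.SubjectSetRelation)
	return v
}

// BuildBulkDeleteURL returns the DELETE URL for the filter. It refuses an
// empty filter outright and, unless allowCrossNamespace is set, any filter
// that does not pin a namespace, since the server deletes across namespaces.
func BuildBulkDeleteURL(base string, f DeleteFilter, allowCrossNamespace bool) (string, error) {
	v := f.params()
	if len(v) == 0 {
		return "", ErrUnboundedDelete
	}
	if !allowCrossNamespace && v.Get("namespace") == "" {
		return "", ErrMissingNamespace
	}
	return strings.TrimRight(base, "/") + "/relation-tuples?" + v.Encode(), nil
}

func main() {
	// The changelog's own example, subject_id=foo across all namespaces,
	// only goes through when the caller opts in.
	_, err := BuildBulkDeleteURL("https://keto.local", DeleteFilter{SubjectID: "foo"}, false)
	fmt.Println(err)
	u, err := BuildBulkDeleteURL("https://keto.local", DeleteFilter{SubjectID: "foo"}, true)
	fmt.Println(u, err)
	// Empty strings equal "not set": this filter would delete everything.
	_, err = BuildBulkDeleteURL("https://keto.local", DeleteFilter{Object: "", Relation: " "}, true)
	fmt.Println(err)
}
```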

Bug Fixes

  • Add dummy sidebar (555ffca)

  • Add hiring notice to README (#798) (2a6ddae)

  • CORS config values are ignored (#789) (ffeb5e3)

  • Docker compose migrate (#800) (f1599a4)

  • Docker-compose-postgres.yml SQL migration service (#779) (8f041bc)

  • Namespace should not be required in List API (#796) (07be82e):

    The namespace parameter is no longer required in the list REST API.

  • Openapi spec and internal SDK (#819) (a1b20c7)

  • Panic on macOS (059a6f9)

  • Slow keto start up time (b7c620c):

    Found a deeply nested dependency which was importing https://github.com/markbates/pkger, causing unreasonable CPU consumption and significant delay at start up time. With this patch, start up time was reduced from almost 1.7s to 0.02s.

    $ time keto
    keto  1.65s user 2.02s system 734% cpu 0.499 total
    
    $ time ./keto-patch
    ./keto-patch  0.02s user 0.01s system 6% cpu 0.425 total
    
  • Update golang.org/x/sys to fix macOS binary execution (#794) (ad8df58), closes #793

Code Generation

  • Pin v0.8.0-alpha.0 release commit (85d59ec)

Code Refactoring

  • Configuration structure for limits (ffa99ec)
  • Move documentation to ory/docs and move to OAS3.0 generator (#833) (55d9d4e)

Features

  • Add max-depth parameter for check and global max-depth (#791) (1e3b63f):

    The parameter max-depth for the check command limits the depth of the search, a safeguard against particularly expensive queries. This allows users more fine-grained control.

    Furthermore, there is now a global max-depth configuration value that limits the overall max-depth of check and expand operations. It defaults to 5, which is considered a very safe value.

  • Add new metrics server to keto (#832) (8beba60)

  • Bulk deletion of relation tuples (#799) (c1e8546)

0.7.0-alpha.1 (2021-10-19)

This release provides small docs fixes especially for SDK clients.

Code Generation

  • Pin v0.7.0-alpha.1 release commit (0d1e33a)

Documentation

  • Adjust details missed for v0.7 (#762) (caa18c0)
  • Correct required annotation for List API parameters (#760) (ba1bec9)
  • Make max-depth expand parameter required (#755) (6d51422)

0.7.0-alpha.0 (2021-10-06)

We are proud to present you a new release of Ory Keto! It has been a while, but we have been working hard not only on code, but also concepts and discussing many upcoming features. To join us on this exciting journey, watch 👀 and star ⭐ the repository.

At a first glance the release might not look too exciting from the outside, but we had 376 changed files with 47,578 additions and 25,418 deletions. In total, 12 contributors worked on the 192 commits. The most changes were bug fixes, internal refactoring, and improving API consistency. Expect a more reliable Keto, that is also prepared to receive many new exciting features.

Because the database schema changed significantly, and it is not possible to have SQL-only migrations, there is a special migration procedure needed to upgrade from Ory Keto v0.6. Please follow the migration guide and, as always, read the changelog before upgrading.

Breaking Changes

This patch changes the payload of the REST API. The gRPC API is not affected. The parameter subject was previously an encoded string. With this change clients have to explicitly use either subject_id or (subject_set.namespace and subject_set.object and subject_set.relation). The same is true for REST responses returned by Keto. An error with a hint will be returned if subject is still used.

Bug Fixes

  • make sdk dependency on the Ory CLI (#710) (0cb5706)

  • Add missing tracers (#600) (aa263be), closes #593

  • cli: Panic when printing empty expand trees (#686) (7956dec)

  • Dockerfiles (#737) (f10dec1)

  • Exclude /health endpoints from logs (#716) (7c27f92)

  • Handle relation tuple cycles in expand and check engine (#623) (8e30119)

  • Log all database connection errors (#588) (2b0fad8)

  • Move gRPC client module root up (#620) (3b881f6):

    BREAKING: The npm package @ory/keto-grpc-client from now on includes all API versions. Because of that, the import paths changed. For migrating to the new client package, change the import path according to the following example:

    - import acl from '@ory/keto-grpc-client/acl_pb.js'
    + // from the latest version
    + import { acl } from '@ory/keto-grpc-client'
    + // or a specific one
    + import acl from '@ory/keto-grpc-client/ory/keto/acl/v1alpha1/acl_pb.js'
  • Partially reference upstream schemas (#674) (e49e16c), closes #662:

    This change significantly improves the config schema. Parts will now be taken from upstream to ensure a more up-to-date schema.

  • Patch REST API input validation and SDK generation (#717) (d49e098)

  • Run a whole namespace migration as one transaction (#739) (142bd47)

  • Set version during release build and register version handler (#714) (8091475)

  • Update docker-compose.yml version (#595) (7fa4dca), closes #549

Chores

  • Update repository templates (f53d3eb)

Code Generation

  • Pin v0.7.0-alpha.0 release commit (7962e77)

Code Refactoring

  • Ensure namespace manager reload is resource contained (#735) (5696fc6)

  • Make subject sets and subject IDs unambiguous (#729) (5a1b0ba)

  • Persistence table structure (#638) (d02b818):

    This big refactoring greatly reduces operation complexity and paves the way for upcoming performance improvements. From now on the relation tuples from all namespaces are stored in the same table, instead of having tables per namespace. A migration path will be provided separately.

Features

  • Add gRPC client utils helpers (#657) (8b18802):

    Behold! The Keto gRPC client library now has useful helpers that allow you to replace:

    - deltas := make([]*acl.RelationTupleDelta, len(tuples))
    - for i := range rts {
    - 	deltas[i] = &acl.RelationTupleDelta{
    - 		Action:        acl.RelationTupleDelta_INSERT,
    - 		RelationTuple: rts[i],
    - 	}
    - }
    + deltas := acl.RelationTupleToDeltas(tuples, acl.RelationTupleDelta_INSERT)

    and

    - &acl.Subject{Ref: &acl.Subject_Set{Set: &acl.SubjectSet{
    - 	Namespace: "directories",
    - 	Object:    "/photos",
    - 	Relation:  "access",
    - }}}
    + acl.NewSubjectSet("directories", "/photos", "access")

    and

    - &acl.Subject{Ref: &acl.Subject_Id{
    - 	Id: "user1",
    - }}
    + acl.NewSubjectID("user1")

    Enjoy these new treats 🍫 🍭 🍦

  • Enable telemetry collection for gRPC (#738) (5ac8b0c)

  • Make generated gRPC client its own module (#583) (f0fbb64)

  • Max_idle_conn_time (#605) (50a8623), closes #523

  • Migration to single table SQL schema (#707) (00713bc):

    This change adds a migration path from Keto version v0.6.x to the new persistence structure introduced by #638. Every namespace has to be migrated separately, or you can use the CLI to detect and migrate all namespaces at once. Have a look at keto help namespace migrate legacy for all details. Please make sure that you backup the database before running the migration command. Please note that this migration might be a bit slower than usual, as we have to pull the data from the database, transcode it in Keto, and then write it to the new table structure. Versions of Keto >v0.7 will not include this migration script, so you will first have to migrate to v0.7 and move on from there.

  • Support namespace validation from config files (#596) (f4253b8):

    The keto namespace validate command now additionally supports:

    • validation of namespaces in config files
    • validation of a directory specified in config files

Tests

  • Add migration tests (#749) (3b946d0)

  • De-flake status command test (#629) (3bcd0e3):

    Confirmed that the fix works because

    $ go test -tags sqlite -run TestStatusCmd/server_type=read/case=block -count 1000 ./cmd/status
    

    passed.

  • Ensure problematic chars are not creatable over REST (#709) (12b7954)

  • Single table migration as transaction (#736) (9eda48c)

0.6.0-alpha.3 (2021-04-29)

Resolves CRDB and build issues.

Code Generation

  • Pin v0.6.0-alpha.3 release commit (d766968)

0.6.0-alpha.2 (2021-04-29)

This release improves stability and documentation.

Code Generation

  • Pin v0.6.0-alpha.2 release commit (470b2c6)

Features

  • Global docs sidebar and added cloud pages (c631c82)
  • Support retryable CRDB transactions (833147d)

0.6.0-alpha.1 (2021-04-07)

We are extremely happy to announce next-gen Ory Keto which implements Zanzibar: Google’s Consistent, Global Authorization System:

Zanzibar provides a uniform data model and configuration language for expressing a wide range of access control policies from hundreds of client services at Google, including Calendar, Cloud, Drive, Maps, Photos, and YouTube. Its authorization decisions respect causal ordering of user actions and thus provide external consistency amid changes to access control lists and object contents. Zanzibar scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use.

Ory Keto is the first open source planet-scale authorization system built with cloud native technologies (Go, gRPC, newSQL) and architecture. It is also the first open source implementation of Google Zanzibar 🎉!

Many concepts developed by Google Zanzibar are implemented in Ory Keto already. Let's take a look!

As of this release, Ory Keto knows how to interpret and operate on the basic access control lists known as relation tuples. They encode relations between objects and subjects. One simple example of such a relation tuple could encode "user1 has access to file /foo", a more complex one could encode "everyone who has write access on /foo has read access on /foo".

Ory Keto comes with all the basic APIs as described in the Zanzibar paper. All of them are available over gRPC and REST.

  1. List: query relation tuples
  2. Check: determine whether a subject has a relation on an object
  3. Expand: get a tree of all subjects who have a relation on an object
  4. Change: create, update, and delete relation tuples
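To make the check semantics above concrete, here is a small in-memory model of relation tuples and a check engine, written for this page and not taken from Keto: it follows subject sets transitively, bounds the search with a max depth like the max-depth parameter introduced in v0.8.0-alpha.0, and terminates on relation tuple cycles (the class of bug fixed in v0.7.0-alpha.0). All type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed example, not Ory Keto's own engine: an in-memory relation tuple
// store with a Zanzibar-style check. A tuple grants relation on namespace:object
// to a subject ID or to a subject set (namespace:object#relation), i.e. to all
// subjects holding that relation. The search is depth-bounded and cycle-safe.

type SubjectSet struct{ Namespace, Object, Relation string }

// Subject is either a subject ID (ID != "") or a subject set (Set != nil).
type Subject struct {
	ID  string
	Set *SubjectSet
}

func SubjectID(id string) Subject { return Subject{ID: id} }
func SubjectSetRef(ns, obj, rel string) Subject {
	return Subject{Set: &SubjectSet{Namespace: ns, Object: obj, Relation: rel}}
}

type RelationTuple struct {
	Namespace, Object, Relation string
	Subject                     Subject
}

type Store struct{ tuples []RelationTuple }

func (s *Store) Add(ns, obj, rel string, subj Subject) {
	s.tuples = append(s.tuples, RelationTuple{Namespace: ns, Object: obj, Relation: rel, Subject: subj})
}

// ErrMaxDepth means the search was cut off before reaching a decision;
// callers must treat it as "unknown", never as "allowed".
var ErrMaxDepth = errors.New("max depth exceeded")

// Check reports whether subjectID has relation rel on ns:obj, following
// subject sets transitively but at most maxDepth levels deep.
func (s *Store) Check(ns, obj, rel, subjectID string, maxDepth int) (bool, error) {
	return s.check(SubjectSet{Namespace: ns, Object: obj, Relation: rel}, subjectID, maxDepth, map[SubjectSet]bool{})
}

func (s *Store) check(target SubjectSet, subjectID string, depth int, onPath map[SubjectSet]bool) (bool, error) {
	if depth <= 0 {
		return false, ErrMaxDepth
	}
	// Cycle handling: a set already being expanded on the current path
	// (e.g. read@(write) together with write@(read)) is not re-entered.
	if onPath[target] {
		return false, nil
	}
	onPath[target] = true
	defer delete(onPath, target)
	cutOff := false
	for _, t := range s.tuples {
		if t.Namespace != target.Namespace || t.Object != target.Object || t.Relation != target.Relation {
			continue
		}
		if t.Subject.Set == nil { // direct grant to a subject ID
			if t.Subject.ID == subjectID {
				return true, nil
			}
			continue
		}
		ok, err := s.check(*t.Subject.Set, subjectID, depth-1, onPath)
		if ok {
			return true, nil
		}
		if errors.Is(err, ErrMaxDepth) {
			cutOff = true // keep looking, but remember the answer is incomplete
		}
	}
	if cutOff {
		return false, ErrMaxDepth
	}
	return false, nil
}

func main() {
	var st Store
	// "everyone who has write access on /foo has read access on /foo",
	// plus the reverse edge, which turns read <-> write into a cycle.
	st.Add("files", "/foo", "read", SubjectSetRef("files", "/foo", "write"))
	st.Add("files", "/foo", "write", SubjectID("user1"))
	st.Add("files", "/foo", "write", SubjectSetRef("files", "/foo", "read"))
	// A group chain that needs three levels of expansion.
	st.Add("groups", "g1", "member", SubjectID("user3"))
	st.Add("groups", "g2", "member", SubjectSetRef("groups", "g1", "member"))
	st.Add("files", "/bar", "read", SubjectSetRef("groups", "g2", "member"))
	fmt.Println(st.Check("files", "/foo", "read", "user1", 5)) // true <nil>
	fmt.Println(st.Check("files", "/foo", "read", "user2", 5)) // false <nil>, the cycle terminates
	fmt.Println(st.Check("files", "/bar", "read", "user3", 2)) // false max depth exceeded
	fmt.Println(st.Check("files", "/bar", "read", "user3", 3)) // true <nil>
}
```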

For all details, head over to the documentation.

With this release we officially move the "old" Keto to the legacy-0.5 branch. We will only provide security fixes from now on. A migration path to v0.6 is planned but not yet implemented, as the architectures are vastly different. Please refer to the issue.

We are keen to bring more features and performance improvements. The next features we will tackle are:

  • Subject Set rewrites
  • Native ABAC & RBAC Support
  • Integration with other policy servers
  • Latency reduction through aggressive caching
  • Cluster mode that fans out requests over all Keto instances

So stay tuned, ⭐ this repo, 👀 releases, and subscribe to our newsletter 📧.

Bug Fixes

  • Add description attribute to access control policy role (#215) (831eba5)

  • Add leak_sensitive_values to config schema (2b21d2b)

  • Bump CLI (80c82d0)

  • Bump deps and replace swagutil (#212) (904258d)

  • Check engine overwrote result in some cases (#412) (3404492)

  • Check health status in status command (21c64d4)

  • Check REST API returns JSON object (#460) (501dcff), closes #406

  • Empty relationtuple list should not error (#440) (fbcb3e1)

  • Ensure nil subject is not allowed (#449) (7a0fcfc):

    The nodejs gRPC client was a great fuzzer and pointed me to some nil pointer dereference panics. This adds some input validation to prevent panics.

  • Ensure persister errors are handled by sqlcon (#473) (4343c4a)

  • Handle pagination and errors in the check/expand engines (#398) (5eb1a7d)

  • Ignore dist (ba816ea)

  • Ignore x/net false positives (d8b36cb)

  • Improve CLI remote sourcing (#474) (a85f4d7)

  • Improve handlers and add tests (#470) (ca5ccb9)

  • Insert relation tuples without fmt.Sprintf (#443) (fe507bb)

  • Minor bugfixes (#371) (185ee1e)

  • Move dockerfile to where it belongs (f087843)

  • Namespace migrator (#417) (ea79300), closes #404

  • Remove SQL logging (#455) (d8e2a86)

  • Rename /relationtuple endpoint to /relation-tuples (#519) (8eb55f6)

  • Resolve gitignore build (6f04bbb)

  • Resolve goreleaser issues (d32767f)

  • Resolve windows build issues (8bcdfbf)

  • Rewrite check engine to search starting at the object (#310) (7d99694), closes #302

  • schema: Add trace level to logger (a5a1402)

  • Secure query building (#442) (c7d2770)

  • Strict version enforcement in docker (e45b28f)

  • Update dd-trace to fix build issues (2ad489f)

  • Update docker to go 1.16 and alpine (c63096c)

  • Use errors.WithStack everywhere (#462) (5f25bce), closes #437:

    Fixed all occurrences found using the search pattern return .*, err\n.

  • Use make() to initialize slices (#250) (84f028d), closes #217

  • Use package name in pkger (6435939)

Build System

  • Pin dependency versions of buf and protoc plugins (#338) (5a2fd1c)

Code Generation

  • Pin v0.6.0-alpha.1 release commit (875af25)

Features

  • Add .dockerignore (8b0ff06)

  • Add and automate version schema (b01eef8)

  • Add check engine (#277) (396c1ae)

  • Add gRPC health status (#427) (51c4223)

  • Add is_last_page to list response (#425) (b73d91f)

  • Add POST REST handler for policy check (7d89860)

  • Add relation write API (#275) (f2ddb9d)

  • Add REST and gRPC logger middlewares (#436) (615eb0b)

  • Add SQA telemetry (#535) (9f6472b)

  • Add sql persister (#350) (d595d52)

  • Add tracing (#536) (b57a144)

  • Allow to apply namespace migrations together with regular migrations (#441) (57e2bbc)

  • Delete relation tuples (#457) (3ec8afa), closes #452

  • Dockerfile and docker compose example (#390) (10cd0b3)

  • Expand API (#285) (a3ca0b8)

  • Expand gRPC service and CLI (#383) (acf2154)

  • First API draft and generation (#315) (bda5d8b)

  • GRPC status codes and improved error messages (#467) (4a4f8c6)

  • GRPC version API (#475) (89cc46f)

  • Implement goreleaser pipeline (888ac43), closes #410

  • Incorporate new GRPC API structure (#331) (e0916ad)

  • Koanf and namespace configuration (#367) (3ad32bc)

  • Namespace configuration (#324) (b94f50d)

  • Namespace migrate status CLI (#508) (e3f7ad9):

    This also refactors the current migrate and namespace migrate commands.

  • Nodejs gRPC definitions (#447) (3b5c313):

    Includes Typescript definitions.

  • Read API (#269) (de5119a):

    This is a first draft of the read API. It is reachable by REST and gRPC calls. The main purpose of this PR is to establish the basic repository structure and define the API.

  • Relationtuple parse command (#490) (91a3cf4):

    This command parses the relation tuple format used in the docs. It greatly improves the experience when copying something from the documentation. It can especially be used to pipe relation tuples into other commands, e.g.:

    echo "messages:02y_15_4w350m3#decypher@john" | \
      keto relation-tuple parse - --format json | \
      keto relation-tuple create -

  • REST patch relation tuples (#491) (d38618a):

    The new PATCH handler allows transactional changes similar to the already existing gRPC service.

  • Separate and multiplex ports based on read/write privilege (#397) (6918ac3)

  • Swagger SDK (#476) (011888c)

Tests

0.5.6-alpha.1 (2020-05-28)

This release bumps vulnerable transient dependencies (those are not actually used in ORY Keto) and updates several documentation pages and improves structured logging output. Additionally, ORY Keto now uses the updated release pipeline!

Bug Fixes

Chores

  • Pin v0.5.6-alpha.1 release commit (ed0da08)

0.5.5-alpha.1 (2020-05-28)

This release bumps vulnerable transient dependencies (those are not actually used in ORY Keto) and updates several documentation pages and improves structured logging output. Additionally, ORY Keto now uses the updated release pipeline!

Bug Fixes

  • Move deps to go_mod_indirect_pins (dd3e971)
  • Resolve test issues (9bd9956)
  • Update install.sh script (f64d320)
  • Use semver-regex replacer func (2cc3bbb)

Chores

  • Pin v0.5.5-alpha.1 release commit (4666a0f)

Documentation

0.5.4-alpha.1 (2020-04-07)

fix: resolve panic when executing migrations (#178)

Closes #177

Bug Fixes

0.5.3-alpha.3 (2020-04-06)

autogen(docs): regenerate and update changelog

Code Generation

  • docs: Regenerate and update changelog (769cef9)

Code Refactoring

Documentation

  • Regenerate and update changelog (dda79b1)
  • Regenerate and update changelog (9048dd8)
  • Regenerate and update changelog (806f68c)
  • Regenerate and update changelog (8905ee7)
  • Regenerate and update changelog (203c1cc)
  • Regenerate and update changelog (8875a95)
  • Regenerate and update changelog (28ddd3e)
  • Regenerate and update changelog (927c4ed)
  • Updates issue and pull request templates (#168) (29a38a8)
  • Updates issue and pull request templates (#169) (99b7d5d)
  • Updates issue and pull request templates (#171) (7a9876b)

0.5.3-alpha.1 (2020-04-03)

chore: move to ory analytics fork (#167)

Chores

0.5.2 (2020-04-02)

docs: Regenerate and update changelog

Documentation

  • Regenerate and update changelog (1e52100)
  • Regenerate and update changelog (e4d32a6)

0.5.0 (2020-04-02)

docs: use real json bool type in swagger (#162)

Closes #160

Bug Fixes

  • Move to ory sqa service (#159) (c3bf1b1)
  • Use correct response mode for removeOryAccessControlPolicyRoleMe… (#161) (17543cf)

Documentation

  • Regenerate and update changelog (6a77f75)
  • Regenerate and update changelog (c8c9d29)
  • Regenerate and update changelog (fe8327d)
  • Regenerate and update changelog (b5b1d66)
  • Update forum and chat links (e96d7ba)
  • Updates issue and pull request templates (#158) (ab14cfa)
  • Use real json bool type in swagger (#162) (5349e7f), closes #160

0.4.5-alpha.1 (2020-02-29)

docs: Regenerate and update changelog

Bug Fixes

  • driver: Extract scheme from DSN using sqlcon.GetDriverName (#156) (187e289), closes #145

Documentation

  • Regenerate and update changelog (41513da)

0.4.4-alpha.1 (2020-02-14)

docs: Regenerate and update changelog

Bug Fixes

  • goreleaser: Update brew section (0918ff3)

Documentation

  • Prepare ecosystem automation (2e39be7)
  • Regenerate and update changelog (009c4c4)
  • Regenerate and update changelog (49f3c4b)
  • Updates issue and pull request templates (#153) (7fb7521)

Features

Unclassified

  • Update CHANGELOG [ci skip] (63fe513)
  • Update CHANGELOG [ci skip] (7b7c3ac)
  • Update CHANGELOG [ci skip] (8886392)
  • Update CHANGELOG [ci skip] (5bbc284)

0.4.3-alpha.2 (2020-01-31)

Update README.md

Unclassified

0.4.3-alpha.1 (2020-01-23)

Disable access logging for health endpoints (#151)

Closes #150

Unclassified

  • Disable access logging for health endpoints (#151) (6ca0c09), closes #151 #150

0.4.2-alpha.1 (2020-01-14)

Update CHANGELOG [ci skip]

Unclassified

  • Update CHANGELOG [ci skip] (afaabde)

0.4.1-beta.1 (2020-01-13)

Update CHANGELOG [ci skip]

Unclassified

0.4.0-alpha.1 (2020-01-13)

Move to new SDK generators (#146)

Unclassified

  • Move to new SDK generators (#146) (4f51a09), closes #146
  • Fix typos in the README (#144) (85d838c), closes #144

0.3.9-sandbox (2019-12-16)

Update go modules

Unclassified

0.3.7-sandbox (2019-12-11)

Update documentation banner image (#143)

Unclassified

  • Update documentation banner image (#143) (e444755), closes #143
  • Revert incorrect license changes (094c4f3)
  • Fix invalid pseudo version (#138) (79b4457)

0.3.6-sandbox (2019-10-16)

Resolve issues with mysql tests (#137)

Unclassified

  • Resolve issues with mysql tests (#137) (ef5aec8), closes #137

0.3.5-sandbox (2019-08-21)

Implement roles and policies filter (#124)

Documentation

  • Incorporates changes from version v0.3.3-sandbox (57686d2)
  • README grammar fixes (#114) (e592736)
  • Updates issue and pull request templates (#110) (80c8516)
  • Updates issue and pull request templates (#111) (22305d0)
  • Updates issue and pull request templates (#112) (dccada9)
  • Updates issue and pull request templates (#125) (15f373a)
  • Updates issue and pull request templates (#128) (eaf8e33)
  • Updates issue and pull request templates (#130) (a440d14)
  • Updates issue and pull request templates (#131) (dbf2cb2)
  • Updates issue and pull request templates (#132) (e121048)
  • Updates issue and pull request templates (#133) (1b7490a)

Unclassified

0.3.3-sandbox (2019-05-18)

ci: Resolve goreleaser issues (#108)

Continuous Integration

Documentation

  • Incorporates changes from version v0.3.1-sandbox (b8a0029)
  • Updates issue and pull request templates (#106) (54a5a27)

0.3.1-sandbox (2019-04-29)

ci: Use image that includes bash/sh for release docs (#103)

Signed-off-by: aeneasr

Continuous Integration

  • Use image that includes bash/sh for release docs (#103) (e9d3027)

Documentation

  • Incorporates changes from version v0.3.0-sandbox (605d2f4)

Unclassified

  • Allow configuration files and update UPGRADE guide. (#102) (3934dc6), closes #102

0.3.0-sandbox (2019-04-29)

docker: Remove full tag from build pipeline (#101)

Signed-off-by: aeneasr

Documentation

Unclassified

  • Remove duplicate code in Makefile (#99) (04f5223), closes #99

  • Add tracing support and general improvements (#98) (63b3946), closes #98:

    This patch improves the internal configuration and service management. It adds support for distributed tracing and resolves several issues in the release pipeline and CLI.

    Additionally, composable docker-compose configuration files have been added.

    Several bugs have been fixed in the release management pipeline.

  • storage/memory: Fix upsert with pre-existing key will cause duplicate records (#88) (1cb8a36), closes #88 #80

  • Add content-type in the response of allowed (#90) (39a1486)

  • Fix disable-telemetry check (#85) (38b5383)

  • Fix remove member from role (#87) (698e161), closes #74

  • Fix the type of conditions in the policy (#86) (fc1ced6)

  • Improve naming for ory policies (#100) (b39703d)

  • Move Go SDK generation to go-swagger (#94) (9f48a95), closes #92

  • Remove full tag from build pipeline (#101) (602a273)

  • Send 403 when authorization result is negative (#93) (de806d8), closes #75

  • Update dependencies (#91) (4d44174)

dist: Fix packr build pipeline (#84)

Closes #73 Closes #81

Signed-off-by: aeneasr

Documentation

  • Add documentation for glob matching (5c8babb)
  • Incorporates changes from version v0.2.2-sandbox+oryOS.10 (ed7af3f)
  • Properly generate api.swagger.json (18e3f84)

Unclassified

  • Add placeholder go file for rego inclusion (6a6f64d)
  • Add support for glob matching (bb76c6b)
  • Ex- and import rego subdirectories for go get #77 (59cc053), closes #73
  • Fix packr build pipeline (#84) (65a87d5), closes #73 #81
  • Import glob in rego/doc.go (7798442)
  • Properly handle dbal error (6811607)
  • Properly handle TLS certificates if set (36399f0), closes #73

ci: Fix docker push arguments in publish task

Signed-off-by: aeneasr

Continuous Integration

  • Fix docker push arguments in publish task (f03c77c)

ci: Fix docker release task

Signed-off-by: aeneasr

Continuous Integration

  • Fix docker release task (7a0414f)

all: gofmt

Signed-off-by: aeneasr

Documentation

  • Adds banner (0ec1d8f)
  • Adds GitHub templates & code of conduct (#31) (a11e898)
  • Adds link to examples repository (#32) (7061a2a)
  • Adds security console image (fd27fc9)
  • Changes hydra to keto in readme (9dab531)
  • Deprecate old versions in logs (955d647)
  • Incorporates changes from version (85c4d81)
  • Incorporates changes from version v0.0.0-testrelease.1 (6062dd4)
  • Incorporates changes from version v0.0.1-1-g85c4d81 (f4606fc)
  • Incorporates changes from version v0.0.1-11-g114914f (92a4dca)
  • Incorporates changes from version v0.0.1-16-g7d8a8ad (2b76a83)
  • Incorporates changes from version v0.0.1-18-g099e7e0 (70b12ad)
  • Incorporates changes from version v0.0.1-20-g97ccbe6 (b21d56e)
  • Incorporates changes from version v0.0.1-30-gaf2c3b5 (a1d0dcc)
  • Incorporates changes from version v0.0.1-32-gedb5a60 (a5c369a)
  • Incorporates changes from version v0.0.1-6-g570783e (0fcbbcb)
  • Incorporates changes from version v0.0.1-7-g0fcbbcb (c0141a8)
  • Incorporates changes from version v0.1.0-sandbox (9ee0664)
  • Incorporates changes from version v1.0.0-beta.1-1-g162d7b8 (647c5a9)
  • Incorporates changes from version v1.0.0-beta.2-11-g2b280bb (936889d)
  • Incorporates changes from version v1.0.0-beta.2-13-g382e1d3 (883df44)
  • Incorporates changes from version v1.0.0-beta.2-15-g74450da (48dd9f1)
  • Incorporates changes from version v1.0.0-beta.2-3-gf623c52 (b6b90e5)
  • Incorporates changes from version v1.0.0-beta.2-5-g3852be5 (3f09090)
  • Incorporates changes from version v1.0.0-beta.2-9-gc785187 (4c30a3c)
  • Incorporates changes from version v1.0.0-beta.3-1-g06adbf1 (0ba3c06)
  • Incorporates changes from version v1.0.0-beta.3-10-g9994967 (d2345ca)
  • Incorporates changes from version v1.0.0-beta.3-12-gc28b521 (b4d792f)
  • Incorporates changes from version v1.0.0-beta.3-3-g9e16605 (c43bf2b)
  • Incorporates changes from version v1.0.0-beta.3-5-ga11e898 (b9d9b8e)
  • Incorporates changes from version v1.0.0-beta.3-8-g7061a2a (d76ff9d)
  • Incorporates changes from version v1.0.0-beta.5 (0dc314c)
  • Incorporates changes from version v1.0.0-beta.6-1-g5e97104 (f14c8ed)
  • Incorporates changes from version v1.0.0-beta.8 (5045b59)
  • Incorporates changes from version v1.0.0-beta.9 (be2f035)
  • Properly sets up changelog TOC (e0acd67)
  • Puts toc in the right place (114914f)
  • Revert changes from test release (ab3a64d)
  • Update documentation links (#67) (d22d413)
  • Update link to security console (846ce4b)
  • Update migration guide (3c44b58)
  • Update to latest changes (1625123)
  • Updates copyright notice (9dd5578)
  • Updates installation guide (f859645)
  • Updates issue and pull request templates (#52) (941cae6)
  • Updates issue and pull request templates (#53) (7b222d2)
  • Updates issue and pull request templates (#54) (f098639)
  • Updates link to guide and header (437c255)
  • Updates link to open collective (382e1d3)
  • Updates links to docs (d84be3b)
  • Updates newsletter link in README (2dc36b2)

Unclassified

  • Switch to rego as policy decision engine (#48) (ee9bcf2), closes #48

  • Enable TLS option to serve API (#46) (2f62063), closes #46

  • gofmt (777b1be)

  • Updates README.md (#34) (c28b521), closes #34

  • authn/client: Payload is now prefixed with client (8584d94)

  • Add Go SDK factory (99db7e6)

  • Add go SDK interface (3dd5f7d)

  • Add health handlers (bddb949)

  • Add policy list handler (a290619)

  • Add role iterator in list handler (a3eb696)

  • Add SDK generation to circle ci (9b37165)

  • Adds ability to update a role using PUT (#14) (97ccbe6):

    • transfer UpdateRoleMembers from ory/hydra#768 to keto
    • fix tests by using right http method & correcting sql request
    • Change behavior to overwrite the whole role instead of just the members.
    • small sql migration fix

  • Adds log message when telemetry is active (f623c52)

  • Clean up vendor dependencies (9a33c23)

  • Do not split empty scope (#45) (b29cf8c)

  • Fix typo in help command in env var name (#39) (8a5016c), closes #25

  • Fixes environment variable typos (566d588)

  • Fixes typo in help command (74450da), closes #25

  • Format code (637c78c)

  • Gofmt (a8d7f9f)

  • Improve compose documentation (6870443)

  • Improves usage of metrics middleware (726c4be)

  • Improves usage of metrics middleware (301f386)

  • Introduce docker-compose file for testing (ba857e3)

  • Introduces health and version endpoints (6a9da74)

  • List roles from keto_role table (#28) (9e16605)

  • Make introspection authorization optional (e5460ad)

  • Properly names flags (af2c3b5)

  • Properly output telemetry information (#33) (9994967)

  • Properly parses cors options (edb5a60)

  • Remove ORY Hydra dependency (#44) (d487344)

  • Removes additional output if no args are passed (703e124)

  • Require explicit CORS enabling (#42) (9a45107)

  • Resolves an issue with the hydra migrate command (2b280bb), closes #23

  • Resolves broken role test (b6c7f9c)

  • Resolves minor typos and updates install guide (3852be5)

  • Update dependencies (663d8b1)

  • Update hydra to v1.0.0-beta.6 (#35) (5e97104)

  • Update npm package registry (a53d3d2)

  • Updates to latest sqlcon (2c9f643)

  • Upgrade superagent version (#41) (9c80dbc)

  • Use roles in warden decision (c785187), closes #21 #19

0.0.1 (2018-05-20)

authn: Checks token_type is "access_token", if set

Closes #1

Documentation

  • Incorporates changes from version (b5445a0)
  • Incorporates changes from version (295ff99)
  • Incorporates changes from version (bd44d41)
  • Updates readme and upgrades (0f95dbb)
  • Uses keto repo for changelog (14c0b2a)

Unclassified

  • Tells linguist to ignore SDK files (f201eb9)

  • cmd/server: Resolves DBAL not handling postgres properly (dedc32a)

  • cmd/server: Improves error message in migrate command (4b17ce8)

  • Resolves travis and docker issues (6f4779c)

  • Adds OAuth2 Client Credentials authenticator and warden endpoint (c55139b)

  • Adds SDK helpers (a1c2608)

  • Resolves SDK and test issues (#4) (2d4cd98), closes #4

  • Initial project commit (a592e51)

  • Initial commit (4f00bc9)

  • Adds migrate commands to the proper parent command (231c70d)

  • Checks token_type is "access_token", if set (d2b8f5d), closes #1

  • Removes old test (07b733b)

  • Renames subject to sub in response payloads (ca4d540)

  • Retries SQL connection on migrate commands (3d33d73):

    This patch also introduces a fatal error if migrations fail