Ory Keto: Authorization and Access Control as a Service
The Internet has come a long way since its inception. The first few years might have been a new adventure for those building web applications, but in modern-day software development, you rarely stop to question most of the common practices around the industry. One of the most frequent requirements for any application is to have some sort of access control policy. The most used approach in today's world is RBAC. It makes a lot of sense to treat a group of one or multiple identities of a system the same way and grant or deny them a specific set of permissions.

Ory Keto comes with all the batteries included. It provides a fearless authorization platform, a friendly API for developers, and a scalable stateless application. If you're creating an application over HTTP these days, chances are, Ory Keto has a lot to offer you. Stick around till the end to find out how.

Today's software development is rarely just the software itself.
We all get tangled up in all the other aspects of production-readiness and the ever so famous checklist. We find ourselves doing application development only 20% of the time. The rest keeps us busy with the never-ending yak-shaving[1]. Fortunately for us, Ory comes with a bundle of plug-and-play products to make our lives easier. We will have one less aspect to worry about when it comes to securing our application in the wild world out there. With Ory Keto, you can grant or deny access to your application in a flexible manner, customize the permission sets as required, and grow effortlessly as your application scales.

What is Ory Keto?

Ory Keto is a one-stop shop for all your authorization needs. With Keto, you can define policies, roles, and permissions for your application. These policies can be written either using a programming language SDK in the Ory Permission Language (OPL)[2], or a configuration file in JSON or YAML[3]. It has a friendly REST API[4] that you can use to query or modify the policies on the fly.
Is the user/identity X allowed to access the resource Y? In that the first one is: Is the request authenticated/logged-in? We will get to the nitty-gritty details of how it answers this under the hood in a bit, but the important thing to mention here is that it simplifies the authorization problem by centralizing the policies and consolidating the definitions in one place.

Keto is not the only authorization solution out there. The reality is that there are countless other alternatives, each with their own strength and flexibility. You may end up getting lost finding the right fit for your setup! There are programming language authorization libraries such as Casbin[5] and OPA[6]. There are cloud-based solutions such as Auth0[7] and Okta[8].

In my experience managing production workloads over the years, I have found that authorization is mostly an operational concern. Although some folks may disagree, I have found that taking the authorization out of the application simplifies the maintainability and long-term success of the application, allowing the developers to focus on increasing the success and richness of the business logic.
However, when placing RBAC and other authorization mechanisms inside the application, you'll end up with a lot of code that is mostly relevant to the production environment and only slows the developers down when working locally. Why is that an issue? Well, imagine having to populate your access policy documents at the start of the application on each local development. That's a waste of computation and engineering time. On top of that, every time a new member joins the team, you end up having to explain the authorization mechanism to them and how to set the whole thing up. We may get clever automating the process by creating a migration step for the authorization policies. However, that only pushes the problem to a different layer rather than solving it. All in all, Ory Keto is a great place to offload such a tedious task, and it comes with a lot of flexibility in the operational and admin layer.
Without Keto, you'd end up waiting a long time for a change to the application code to reflect the new access control policy. With Keto, you can make the change in the operational layer and have it reflected in production instantly. When you manage the authorization of your platform at the operational level with an authorization-as-a-service tool such as Ory Keto, all that's required is an API call to the admin endpoint.

This blog post is NOT sponsored by Ory(1). I'm just a happy user of their products and I want to share my experience with you.

(1) Though, I definitely wouldn't mind seeing some dollars.

How Does Ory Keto Work?

If you've worked with RBAC systems before, understanding the inner workings of Ory Keto should be a piece of cake for you. It also closely resembles Linux file permissions[9], in that you can assign users to groups, and allow them a certain level of access over files and directories.
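The group-based check and the "change the policy, not the code" point above, as an added example that is not from the original post and is not Ory Keto's code or API: a toy in-memory store in which access is granted through (possibly nested) group membership, denied by default, and changed by writing or deleting a record. `TupleStore`, the namespaces, the users and the file path are all constructed for illustration.

```python
from collections import defaultdict


class TupleStore:
    """Toy relationship store (illustrative only; not Keto's implementation)."""

    def __init__(self):
        # (namespace, object, relation) -> set of subjects. A subject is a user
        # id (str) or another (namespace, object, relation) triple, i.e. a group.
        self._tuples = defaultdict(set)

    def write(self, namespace, obj, relation, subject):
        self._tuples[(namespace, obj, relation)].add(subject)

    def delete(self, namespace, obj, relation, subject):
        self._tuples[(namespace, obj, relation)].discard(subject)

    def check(self, namespace, obj, relation, user, _seen=None):
        """Is `user` allowed `relation` on namespace:obj, directly or via a group?"""
        seen = _seen if _seen is not None else set()
        key = (namespace, obj, relation)
        if key in seen:  # already explored (e.g. groups that include each other)
            return False
        seen.add(key)
        for subject in self._tuples.get(key, ()):
            if subject == user:
                return True
            if isinstance(subject, tuple) and self.check(*subject, user, _seen=seen):
                return True
        return False  # deny by default: no record, no access


def demo():
    """Constructed scenario: a config file readable by the 'ops' group."""
    path = "/srv/app/config.yaml"
    store = TupleStore()
    store.write("groups", "dev", "member", "alice")
    store.write("groups", "ops", "member", ("groups", "dev", "member"))  # nested group
    store.write("groups", "dev", "member", ("groups", "ops", "member"))  # accidental cycle
    store.write("files", path, "read", ("groups", "ops", "member"))

    before = store.check("files", path, "read", "bob")    # bob is in no group
    store.write("groups", "ops", "member", "bob")         # operational change only
    after = store.check("files", path, "read", "bob")
    alice = store.check("files", path, "read", "alice")   # via dev -> ops
    store.delete("groups", "ops", "member", "bob")        # revocation
    revoked = store.check("files", path, "read", "bob")
    return before, after, alice, revoked
```

The application only ever calls `check`; granting and revoking happen entirely in the store, and the cycle between the two groups terminates instead of recursing forever.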