Use SpiceDB rather than Keto

Author: alukach

demo/keto/.gitignore

@@ -137,55 +137,54 @@ services:
       - PGUSER=username
       - PGPASSWORD=password
       - PGDATABASE=postgis
-      - POSTGRES_MULTIPLE_DATABASES=accesscontroldb
+      - POSTGRES_MULTIPLE_DATABASES=spicedb
     ports:
       - "${MY_DOCKER_IP:-127.0.0.1}:5439:5432"
     command: postgres -N 500
     volumes:
       - ./dockerfiles/scripts/docker-postgresql-multiple-databases.sh:/docker-entrypoint-initdb.d/docker-postgresql-multiple-databases.sh
       - ./.pgdata:/var/lib/postgresql/data
 
-  keto-migrate:
-    image: oryd/keto:v0.12.0-alpha.0
-    command: migrate up -y
+  spicedb-migrate:
+    image: authzed/spicedb
+    command: migrate head
+    restart: on-failure
     environment:
-      - LOG_LEVEL=debug
-      - DSN=postgres://username:password@database:5432/accesscontroldb?sslmode=disable
-    volumes:
-      - type: bind
-        source: demo/keto
-        target: /home/ory
+      - SPICEDB_DATASTORE_ENGINE=postgres
+      - SPICEDB_DATASTORE_CONN_URI=postgres://username:password@database:5432/spicedb?sslmode=disable
     depends_on:
       - database
-    restart: on-failure
 
-  keto:
-    image: oryd/keto:v0.12.0-alpha.0
-    command: serve -c /home/ory/keto.yml
-    environment:
-      - DSN=postgres://username:password@database:5432/accesscontroldb?sslmode=disable
-    volumes:
-      - type: bind
-        source: demo/keto
-        target: /home/ory
+  spicedb:
+    image: authzed/spicedb
+    command: serve --http-enabled
+    restart: always
     ports:
-      - "4466:4466"
-      - "4467:4467"
+      - 8443:8443 # HTTP API
+      - 9090:9090 # Prometheus metrics
+      - 50051:50051 # gRPC API
+    environment:
+      - SPICEDB_GRPC_PRESHARED_KEY="eoapi-secret-token"
+      - SPICEDB_DATASTORE_ENGINE=postgres
+      - SPICEDB_DATASTORE_CONN_URI=postgres://username:password@database:5432/spicedb?sslmode=disable
+      - SPICEDB_HTTP_ENABLED=true
     depends_on:
-      - keto-migrate
-    restart: on-failure
+      - spicedb-migrate
 
-  keto-init:
-    image: oryd/keto:v0.12.0-alpha.0
-    command: relation-tuple create /home/ory/relationships.json --insecure-disable-transport-security
+  spicedb-init:
+    image: authzed/zed
+    command: import file:///home/spicedb/zed.yaml
+    restart: on-failure
     environment:
-      - KETO_READ_REMOTE=keto:4466
-      - KETO_WRITE_REMOTE=keto:4467
+      - ZED_ENDPOINT=spicedb:50051
+      - ZED_INSECURE=true
+      - ZED_TOKEN=eoapi-secret-token
     volumes:
       - type: bind
-        source: demo/keto
-        target: /home/ory
-    restart: on-failure
+        source: runtime/spicedb
+        target: /home/spicedb
+    depends_on:
+      - spicedb
 
 networks:
   default:

demo/keto/README.md

@@ -0,0 +1,37 @@
+definition user {}
+
+definition anonymous_user {}
+
+definition team {
+	// Recursive team structure to support groups of groups
+	relation owner: user | team#owner_or_member
+	relation member: user
+	permission owner_or_member = member + owner
+}
+
+definition collection {
+	// Recursive collection structure to support collections of collections
+	relation collection: collection
+	relation owner: user | team#owner_or_member
+	relation editor: user | team#owner_or_member
+	relation reader: user | team#owner_or_member | user:*
+
+	// Collection-level permissions
+	permission read = reader + update
+	permission update = editor + editor->owner_or_member + delete
+	permission delete = owner + owner->owner_or_member
+	permission make_public = delete
+	permission transfer_ownership = owner + owner->owner_or_member
+
+	// Item-level permissions
+	permission add_item = update
+}
+
+definition item {
+	relation collection: collection
+	relation reader: user | team#owner_or_member | anonymous_user:*
+	// Permissions are mostly inherited from collection, except support for one-off read permissions
+	permission read = reader + collection->read
+	permission update = collection->update
+	permission delete = collection->update
+}