Configure Permission Service
Using the Ory CLI, you can quickly adjust the configuration of the Ory Cloud Permission Service and apply config from the Cloud environment to self-hosted Ory Keto instances.
Ory Keto is the open-source project that powers the Ory Cloud Permission Service.
This feature is useful for fluently moving your local setup to the Cloud, or for working on the configuration and testing different settings in the safety of the local development environment.
To work with the Ory Cloud Permission Service, you must have an active Ory Cloud project. Use the CLI or the Ory Console to create one.
Export configuration from Ory Cloud
To get your project's Permission Service configuration, run this command:
You must be signed in to an Ory Cloud account to perform this action. Read this document to learn more.
## List all available projects
ory list projects
## Get config
ory get permission-config <project-id> --format yaml
The --format
flag defines the format of the output file. You can choose one of yaml
,json
, or json-pretty
.
Getting the configuration in the YAML format produces output that is ready to use with self-hosted Ory Keto.
Export to file
For a convenient way to get the Permission Service configuration working in self-hosted Ory Keto, save the configuration to a YAML file.
Run this command:
ory get permission-config <project-id> --format yaml > permission-config.yaml
Import configuration to Ory Cloud
To start using the configuration from a self-hosted Ory Keto instance in the Ory Cloud Permission Service, import the configuration file with the CLI:
ory update permission-config <project-id> --file permission-config.yaml
Adjust specific keys
You can adjust specific keys in the configuration using the ory patch
CLI command.
Running this sample command sets the /limit/max_read_depth
key value to 3
:
ory patch permission-config <project-id> \
--replace '/limit/max_read_depth=3'
Read this document to learn more about adjusting project configuration with the Ory CLI.
Manage relation tuples
You can manage relation tuples using Ory CLI. To run these operations, you must provide the
ID of the Ory Cloud project in which you want to manage the tuples using the --project
flag.
For convenience, you can export the ID of your project as an environment variable and use the variable with the --project
flag
instead of passing the project ID directly in the command:
Examples in this section use the environment variable. To try them out without making adjustments, export your project ID as an environment variable.
## List all available projects
ory list projects
## Export project ID as env. variable
export PROJECT=<ory-cloud-project-id>
Create
Read the Ory CLI reference to learn more about this command.
echo "groups:devs#member@tom" \
| ory parse relation-tuples --project=$PROJECT --format=json \
| ory create relation-tuples --project=$PROJECT
# NAMESPACE OBJECT RELATION NAME SUBJECT
# groups devs member tom
List
Read the Ory CLI reference to learn more about this command.
ory list relation-tuples --project=$PROJECT
# NAMESPACE OBJECT RELATION NAME SUBJECT
# groups devs member tom
#
# NEXT PAGE TOKEN
# IS LAST PAGE true
Delete
Read the Ory CLI reference to learn more about this command.
ory delete relation-tuples --project=$PROJECT --all
# WARNING: This operation is not reversible. Please use the `--force` flag to proceed.
# These tuples would be deleted:
#
# NAMESPACE OBJECT RELATION NAME SUBJECT
# groups devs member tom
#
# NEXT PAGE TOKEN
# IS LAST PAGE true
## Delete the tuple(s) after making sure this is what you want to do.
ory delete relation-tuples --project=$PROJECT --all --force