H-467: Set up Ory Keto service for local dev (#2923)

.env

@@ -27,6 +27,14 @@ HASH_KRATOS_PG_PASSWORD=kratos
 HASH_KRATOS_PG_DEV_DATABASE=dev_kratos
 HASH_KRATOS_PG_TEST_DATABASE=test_kratos
 
+HASH_ORY_KETO_VERSION=0.11.1
+HASH_ORY_KETO_READ_PORT=4466
+HASH_ORY_KETO_WRITE_PORT=4467
+HASH_ORY_KETO_PG_USER=ory_keto
+HASH_ORY_KETO_PG_PASSWORD=ory_keto
+HASH_ORY_KETO_PG_DEV_DATABASE=dev_ory_keto
+HASH_ORY_KETO_PG_TEST_DATABASE=test_ory_keto
+
 HASH_VAULT_HOST=http://127.0.0.1
 HASH_VAULT_PORT=8200
 HASH_VAULT_ROOT_TOKEN=dev_root_token

apps/hash-external-services/docker-compose.test.yml

@@ -3,11 +3,20 @@ version: "3.9"
 services:
   postgres:
     environment:
+      HASH_ORY_KETO_PG_DATABASE: "${HASH_ORY_KETO_PG_TEST_DATABASE}"
       HASH_KRATOS_PG_DATABASE: "${HASH_KRATOS_PG_TEST_DATABASE}"
       HASH_TEMPORAL_PG_DATABASE: "${HASH_TEMPORAL_PG_TEST_DATABASE}"
       HASH_TEMPORAL_VISIBILITY_PG_DATABASE: "${HASH_TEMPORAL_VISIBILITY_PG_TEST_DATABASE}"
       HASH_GRAPH_PG_DATABASE: "${HASH_GRAPH_PG_TEST_DATABASE}"
 
+  ory-keto-migrate:
+    environment:
+      - DSN=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:${POSTGRES_PORT}/${HASH_ORY_KETO_PG_TEST_DATABASE}
+
+  ory-keto:
+    environment:
+      - DSN=postgres://${HASH_ORY_KETO_PG_USER}:${HASH_ORY_KETO_PG_PASSWORD}@postgres:${POSTGRES_PORT}/${HASH_ORY_KETO_PG_TEST_DATABASE}
+
   graph-migrate:
     environment:
       HASH_GRAPH_PG_DATABASE: "${HASH_GRAPH_PG_TEST_DATABASE}"

apps/hash-external-services/docker-compose.yml

@@ -48,6 +48,9 @@ services:
       HASH_KRATOS_PG_USER: "${HASH_KRATOS_PG_USER}"
       HASH_KRATOS_PG_PASSWORD: "${HASH_KRATOS_PG_PASSWORD}"
       HASH_KRATOS_PG_DATABASE: "${HASH_KRATOS_PG_DEV_DATABASE}"
+      HASH_ORY_KETO_PG_USER: "${HASH_ORY_KETO_PG_USER}"
+      HASH_ORY_KETO_PG_PASSWORD: "${HASH_ORY_KETO_PG_PASSWORD}"
+      HASH_ORY_KETO_PG_DATABASE: "${HASH_ORY_KETO_PG_DEV_DATABASE}"
       HASH_TEMPORAL_PG_USER: "${HASH_TEMPORAL_PG_USER}"
       HASH_TEMPORAL_PG_PASSWORD: "${HASH_TEMPORAL_PG_PASSWORD}"
       HASH_TEMPORAL_PG_DATABASE: "${HASH_TEMPORAL_PG_DEV_DATABASE}"
@@ -70,6 +73,86 @@ services:
       retries: 5
     command: -c 'config_file=/etc/postgresql/postgresql.conf'
 
+  telemetry-collector:
+    image: jaegertracing/all-in-one:1.40
+    deploy:
+      restart_policy:
+        condition: on-failure
+    healthcheck:
+      # Port 14269 is the Jaeger admin endpoint
+      test:
+        [
+          "CMD-SHELL",
+          "wget --no-verbose --tries=1 --spider http://localhost:14269 || exit 1",
+        ]
+      interval: 2s
+      timeout: 2s
+      retries: 10
+    ports:
+      - "16686:16686"
+      # To expose OTLP collector over gRPC on the host
+      - "4317:4317"
+      # To expose OTLP collector over HTTP on the host
+      # - "4318:4318"
+      # serve configs (sampling, etc.)
+      - "5778:5778"
+      # accept jaeger.thrift over Thrift-compact protocol (used by most SDKs)
+      - "6831:6831"
+    environment:
+      COLLECTOR_OTLP_ENABLED: "true"
+
+  ory-keto-migrate:
+    image: oryd/keto:v${HASH_ORY_KETO_VERSION}
+    depends_on:
+      postgres:
+        condition: service_healthy
+    environment:
+      DSN: "postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:${POSTGRES_PORT}/${HASH_ORY_KETO_PG_DEV_DATABASE}"
+    volumes:
+      - ./ory-keto:/home/ory
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    command: migrate up --yes
+
+  ory-keto:
+    image: oryd/keto:v${HASH_ORY_KETO_VERSION}
+    depends_on:
+      postgres:
+        condition: service_healthy
+      ory-keto-migrate:
+        condition: service_completed_successfully
+      telemetry-collector:
+        condition: service_healthy
+    ports:
+      - "${HASH_ORY_KETO_READ_PORT}:4466"
+      - "${HASH_ORY_KETO_WRITE_PORT}:4467"
+    restart: on-failure
+    environment:
+      DSN: "postgres://${HASH_ORY_KETO_PG_USER}:${HASH_ORY_KETO_PG_PASSWORD}@postgres:${POSTGRES_PORT}/${HASH_ORY_KETO_PG_DEV_DATABASE}"
+      TRACING_PROVIDER: "jaeger"
+      TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL: "telemetry-collector:5778/sampling"
+      TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS: "telemetry-collector:6831"
+      LOG_LEVEL: trace
+    volumes:
+      - ./ory-keto:/home/ory
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    command: serve
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "keto",
+          "status",
+          "--quiet",
+          "--insecure-disable-transport-security",
+        ]
+      interval: 2s
+      timeout: 2s
+      retries: 10
+
   graph-migrate:
     init: true
     depends_on:
@@ -100,30 +183,6 @@ services:
       RUST_LOG: "${HASH_GRAPH_LOG_LEVEL:-graph=trace,hash-graph=trace,tokio_postgres=debug}"
       RUST_BACKTRACE: 1
 
-  telemetry-collector:
-    image: jaegertracing/all-in-one:1.40
-    deploy:
-      restart_policy:
-        condition: on-failure
-    healthcheck:
-      # Port 14269 is the Jaeger admin endpoint
-      test:
-        [
-          "CMD-SHELL",
-          "wget --no-verbose --tries=1 --spider http://localhost:14269 || exit 1",
-        ]
-      interval: 2s
-      timeout: 2s
-      retries: 10
-    ports:
-      - "16686:16686"
-      # To expose OTLP collector over gRPC on the host
-      - "4317:4317"
-      # To expose OTLP collector over HTTP on the host
-      # - 4318:4318
-    environment:
-      COLLECTOR_OTLP_ENABLED: "true"
-
   graph:
     init: true
     depends_on:
@@ -133,6 +192,8 @@ services:
         condition: service_completed_successfully
       telemetry-collector:
         condition: service_healthy
+      ory-keto:
+        condition: service_healthy
     image: hash-graph
     read_only: true
     security_opt:
@@ -197,8 +258,12 @@ services:
         SECRET: "${KRATOS_API_KEY}"
         API_CALLBACK_URL: "http://host.docker.internal:5001/kratos-after-registration"
     depends_on:
+      postgres:
+        condition: service_healthy
       kratos-migrate:
         condition: service_completed_successfully
+      telemetry-collector:
+        condition: service_healthy
     ports:
       - "4433:4433" # public
       - "4434:4434" # admin
@@ -208,6 +273,9 @@ services:
       SECRETS_CIPHER: "${KRATOS_SECRETS_CIPHER}"
       COURIER_SMTP_CONNECTION_URI: "smtps://test:test@mailslurper:1025/?skip_ssl_verify=true"
       DSN: "postgres://${HASH_KRATOS_PG_USER}:${HASH_KRATOS_PG_PASSWORD}@postgres:${POSTGRES_PORT}/${HASH_KRATOS_PG_DEV_DATABASE}"
+      TRACING_PROVIDER: "jaeger"
+      TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL: "telemetry-collector:5778/sampling"
+      TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS: "telemetry-collector:6831"
       LOG_LEVEL: trace
     command: serve --dev --watch-courier
     extra_hosts:

apps/hash-external-services/ory-keto/keto.yml

@@ -0,0 +1,3 @@
+namespaces:
+  - id: 0
+    name: users

apps/hash-external-services/postgres/init-user-db.sh

@@ -9,7 +9,16 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
 
   REVOKE ALL ON DATABASE $HASH_KRATOS_PG_DATABASE FROM $HASH_KRATOS_PG_USER;
 
-  GRANT CONNECT ON DATABASE $HASH_KRATOS_PG_DATABASE TO $HASH_KRATOS_PG_USER;  
+  GRANT CONNECT ON DATABASE $HASH_KRATOS_PG_DATABASE TO $HASH_KRATOS_PG_USER;
+
+  -- Create Kratos database and user
+  CREATE USER $HASH_ORY_KETO_PG_USER WITH PASSWORD '$HASH_ORY_KETO_PG_PASSWORD';
+
+  CREATE DATABASE $HASH_ORY_KETO_PG_DATABASE;
+
+  REVOKE ALL ON DATABASE $HASH_ORY_KETO_PG_DATABASE FROM $HASH_ORY_KETO_PG_USER;
+
+  GRANT CONNECT ON DATABASE $HASH_ORY_KETO_PG_DATABASE TO $HASH_ORY_KETO_PG_USER;
 
   -- Create Graph database and user
   CREATE USER $HASH_GRAPH_PG_USER WITH PASSWORD '$HASH_GRAPH_PG_PASSWORD';
@@ -39,6 +48,18 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$HASH_KRATOS_PG_DA
 
 EOSQL
 
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$HASH_ORY_KETO_PG_DATABASE" <<-EOSQL
+
+  REVOKE CREATE ON SCHEMA public FROM PUBLIC;
+
+  ALTER DEFAULT PRIVILEGES
+  GRANT USAGE ON SCHEMAS TO $HASH_ORY_KETO_PG_USER;
+
+  ALTER DEFAULT PRIVILEGES
+  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO $HASH_ORY_KETO_PG_USER;
+
+EOSQL
+
 if [[ -n $HASH_TEMPORAL_PG_DATABASE && \
       -n $HASH_TEMPORAL_PG_USER && \
       -n $HASH_TEMPORAL_PG_PASSWORD && \