Is there anyone trying to use keto for fine grained authorization problem in unreal game development?

I’m not using Keto for games development, but I’d be really curious to see where this goes! Keto most likely has the ability to do what you need, but more information would be needed to make any comments. i.e. what sort of fine grain auth do you require, what areas (namespaces) need permissions, what rules (relations) are needed, what entities are involved (objects/subjects), etc. Once you have these, you could try to build up some relation tuples in the format of

namespace:object#relation@subject

then maybe setup a basic proof of concept to see if it satisfies your needs ory keto

I think the FGA of ory meets the requirement to build an MMO game. There are usually complicated relationship between players, clans. The real problem is I can't just call the remote auth API every time I need to do the check. Because this interface will be called at very high frequency for every user and also make all the auth check async will make the development complicated. But I am still trying to use keto to do this work since it's already good at AuthZ problem. I am thinking about cache a part of the access the user have locally, but still wondering what the data structure should be look like at how to watch the access changes.

Perhaps somewhere between the

List

endpoint and the

Check

endpoint you could find a solution that works. You could perform a List call to fetch a list of objects a user has access to and cache that response. You could use this to influence your UI state (e.g. not a clan owner so you don’t see the options for deleting the clan). You would only have to perform

Checks

when you are validating an action (e.g. clan management owner can delete clan, admin can edit, moderator can kick, member can join, etc.). This should be done server side, as malicious users could easily bypass the checks if they are client-side and could gain access to whatever they like. Also, Keto just released subject set rewrites that allows you to define a hierarchy of relations in Ory’s Permission Language which will be really useful for setting up the hierarchies of things like clan relations (e.g. owner inherits admin, which inherits moderator, which inherits member, so when you add a new admin you don’t have to add all 3 relation tuples, but can still simplify your

Checks

to one of the lower levels (e.g. checking if an admin is a member = true)

Yes. I think

List

endpoint is exactly what I need. About the Ory's Permission language, I am wondering what will happen if the tuples disagree with the global permission rules? e.g. The manager of the clan can't modify clan name by default in global rules. But I add a tuple that one manager can modify his clan name.

This would require a mix of

RBAC

and

ABAC

, where you have RBAC for default behaviour and ABAC for fine grained control. e.g. user is a clan

manager

and by default can only do the actions that have been programmed to work on a successful

manager

check (RBAC -

manager

is the role), then a secondary check (or maybe a single check if the permission language supports it) for the specific action (ABAC - action/attribute here is changing the clan name

can_change_name

). If a user is given the relation tuple for being able to perform the specific action, the check will be true regardless of whether or not they are a manager. Pairing the checks in the server could force both to be required (has to be manager + has to have name changing relation) I wouldn’t be able to tell you if there is a nice way of mixing the two using the permission language as I have yet to properly sink my teeth into it, but will be doing soon!

Yeah, I think keto can't support ABAC yet. But that's not the main problem I think. Sometimes we need a file for product manager to define the

Default Rules

, and we also want our player can change the Rules as their wish within limitation. I think

Casbin

has similar functionality of handling default and exception.

Great discussion so far! To add on the caching, we will build some kind of layered cache at some point and aim to get latency to a minimum. You will probably not get a lot of cache hits from an edge cache due to fine-grained permissions. It would be great to get some realistic use-cases and latencies, because in the benchmarks you can tweak the result quite a lot. Feel free to open issues for any limits you reach.