https://www.ory.sh/ logo
#talk-keto
Title
# talk-keto
v

victorious-flower-63171

11/22/2021, 12:59 PM
Hello again 🙂 I'm working on the access control for some object storage. Since there could be millions, if not billions of object in the storage, I can't possibly represent them all in Keto. But I still want to be able to define rights at the object granularity. So the solution that I found was to only store in keto the rights to objects that do not have the default rights, and rely on more global permissions (eg. bucket). However the only way that I found to do that would be to check access multiple times, starting with the more global ACLs and working my way down to more specific permissions. So for example if I have to check the read right for a specific object, I would have the following checks to do :
Copy code
// z is parent of y which is parent of x
storage:z#read@user // if allowed, stop here, else continue
bucket:y#read@user  // same
object:x#read@user  // if still not allowed here, then the user is not allowed on this object
I find that this is quite inefficient with the calls, as it creates quite a lot of calls for a single object. Is there a way to optimize it by doing a bulk check that would return as soon as there is 1 allowed ? Or maybe I'm missing something else ?
I think I found a related issue https://github.com/ory/keto/issues/689