https://www.ory.sh/ logo
v

victorious-flower-63171

11/18/2021, 12:24 PM
Hello, I'm thinking of a way to handle a RBAC with Keto. I thought of reprensenting roles as a namespace using something like that :
Copy code
storage:id1#read@roles:editor#member
storage:id1#write@roles:editor#member
However I read a bit about hotspot handling in the zanzibar paper and it seems this representation would cause a hotspot I think ? I guess the alternative to that would be to use inheritance of relations with subjectset rewrites once they're added, but in that case how would you handle listing the roles available for binding ? Do you have any best practice advice on this maybe ?
s

steep-lamp-91158

11/18/2021, 12:42 PM
Did you already read https://github.com/ory/keto/issues/598 and the blog post linked there?
v

victorious-flower-63171

11/18/2021, 12:51 PM
Yes, it seems to use a role namespace, but there doesn't seem to be anything about hotspots. I guess it's a bit early in the life of Keto to worry about hotspots
Also in the Zanzibar paper there is a little word about implementing an RBAC, saying that roles are similar to relations, but there is no details given
s

steep-lamp-91158

11/18/2021, 12:53 PM
hm yeah hotspots are nothing we ran into yet
I would just go with it like that and figure out how to optimize it later
v

victorious-flower-63171

11/18/2021, 12:54 PM
OK, thanks for your assistance 🙂
s

steep-lamp-91158

11/18/2021, 12:55 PM
I understand that they mostly combat hotspots with the distributed cache
so not unsolvable
and you can still have them in your data
6 Views