# talk-keto
v
Hello, I'm thinking of a way to handle an RBAC with Keto. I thought of representing roles as a namespace using something like this:
storage:id1#read@roles:editor#member
storage:id1#write@roles:editor#member
However, I read a bit about hotspot handling in the Zanzibar paper and it seems this representation would cause a hotspot, I think? I guess the alternative to that would be to use inheritance of relations with subjectset rewrites once they're added, but in that case how would you handle listing the roles available for binding? Do you have any best practice advice on this maybe?
s
Did you already read https://github.com/ory/keto/issues/598 and the blog post linked there?
v
Yes, it seems to use a role namespace, but there doesn't seem to be anything about hotspots. I guess it's a bit early in the life of Keto to worry about hotspots
Also in the Zanzibar paper there is a little word about implementing an RBAC, saying that roles are similar to relations, but there are no details given
s
hm yeah hotspots are nothing we ran into yet
I would just go with it like that and figure out how to optimize it later
v
OK, thanks for your assistance 🙂
s
I understand that they mostly combat hotspots with the distributed cache
so not unsolvable
and you can still have them in your data