We have a use case that implies relations among resources and we are trying to solve it with Keto.
- We have users (which have user-uuid), groups (which have group-uuid) and projects (which have project-uuid).
- Users can have access to projects.
- Users can be part of groups (or not).
- Users in a group have access to the projects of all users in that group.
We do not want to get all project-uuids from Keto because we have to request them in the database, and after benchmarking, this is a bad case to do a "where in project-uuid in (project-uuids...)".
Because we do not want to do that kind of request, we thought of another approach: requesting in the db through ownerships.
To do that, we have to trick Keto, using it not to check permission to access projects, but to get all owners of projects with the expand request.
In our database we add to the projects table an owner column which is the owner (which is a user-uuid).
Keto stores only the user-group relation as follows:
- user-uuid#join@(group-uuid#access) -- all users in a group can access its related subjects (users)
- user-uuid#access@user-uuid -- in case the user is not part of a group
The way to find all groups of a user is to expand: user-uuid#access
The way to find all users in the group is to expand: group-uuid#join
In that case, with one user-uuid and these two requests, we can get from our db all projects that the user has access to by filtering with "where owner in (user-uuids...)".
I think that I have reversed the mechanism of Keto and I don't think that's what it's intended for.
Is that a good way to use Keto for that kind of use case, or does a better way exist to get all related projects of a user using Keto?
10/05/2021, 2:48 PM
That is a very interesting and nice use-case. Just looking into how I would solve it currently. I am pretty sure it would be a lot simpler and less "hacky" with https://github.com/ory/keto/issues/263
but after thinking through your workaround a bit, it seems to make sense to me
the bi-directional relation between groups and users is what allows you to go from one user to all the others of the group
10/05/2021, 3:08 PM
Exactly, and I didn't find another way to do it with the current state of Keto.
10/05/2021, 3:09 PM
I am really interested in this case, can you keep me updated on how you implement that and if it works without a problem?
10/05/2021, 3:09 PM
10/06/2021, 11:26 AM
@adamant-shoe-395 We have a similar case as well (not exactly overlapping). Thank you for posting this.