Using Keto List in cases with deeper nested tuples

[zepatrik]

Originally posted by @zhaochy1990 in #681 (comment)

We are trying to use keto as the foundation of our authorization system. I'v already read keto docs and had a brief understanding of keto implementation through reading part of keto codes.

our business scenarios have 1k+ subjects that might be binded to a role, and a role will be assigned to a principal, principal could be any of User, Department, UserGroup, Organization, Application, Device, etc...

our planned modeling like following

OBJECT         NAMESPACE               RELATION               SUBJECT

3vc3fa1y       Principal               member                 Bob

r1             Role                    assignment             Bob
r2             Role                    assignment             Principal:3vc3fa1y#member

d038f916       Book                    Read                   Role:r1#assignment
d038f916       Book                    Update                 Role:r1#assignment
b24b4f92       Book                    Read                   Role:r2#assignment
b24b4f92       Book                    Update                 Role:r2#assignment

With the above model, we have the following considerations for the list API, and we are happy to see if you could give our some suggestions:

1. we need to get all Books that a user have Read permission, which means the list API also needs to includes object from indirect relation-tuples
2. most of the time, there might be business query filters along with the list API. For instance:
   1. I want to list all books I can Read which are published in 2021.
   2. I want to list all books I can Read sort by the books' publish time
3. both 1 and 2 needs to support pagination

[vinckr]

I like the idea 🙌
I will see to get some more eyes on it, maybe there is other users who came upon the same scenario.

[TomVerlaat]

We are currently trying to implement the same approach as in point 1. Has there been any research done to determine if this approach could be made possible?😄

[TomVerlaat]

@vinckr @aeneasr Are there any updates on this topic? We would like to use it in our application. 😄

[dsykes16]

I'm confused how point 2 relates to keto. Keto has no knowledge of the underlying object's data, so it can't possibly return a list of sorted/filtered object IDs. Enforcing permissions at the query level is an option, and Ory Oathkeeper is pretty well equipped for that assuming it fits your use case.

Assuming all Book objects are related to a Role object
Assuming your API schema looks something like /api/roles/[role_id]/books/[book_id]
It's quite easy to implement access control via Ory Oathkeeper with Ory Keto as the decision engine.

In my case, I'm trying to tackle a similar issue and I still haven't settled on a solution. I'm using GraphQL, so Oathkeeper isn't much use out-of-the-box, and not all permissions issues line up so nicely as the assumption-laden example I put forth. Perhaps I'm wrong and there is a solution for this in keto or something cleaner than defining permissions on queries.