Understanding subject-set rewrites and the graph of relations

[alexhanson]

Hey all! I've been reading through the Ory Keto documentation, and I've been particularly interested in the Graph of Relations page and the general guidance around Subjects. I also spent some time with the Zanzibar paper for a conceptual overview.

I have a few questions I haven't been able to answer for myself:

1. Is the parenthesis-using syntax — seen in dir1#child@(file1#) and file1#access@(dir1#access) — an example of a subject-set rewrite? Or is it only a subject-set rewrite if it applies more broadly and dynamically, using some forthcoming syntax? (Is there a different name for the more specific indirection seen in these docs?)
2. Irrespective of name, are the examples shown on those pages supported by Keto at present, or do they rely on some upcoming work?
3. Does use of the empty relation — seen in dir1#child@(file1#) — cause any sort of inheritance of other relations automatically, or is it just establishing some link (metadata of sorts?) that may be used in the future for, say, subject-set rewrites?

I'm trying to sketch out how I might use Keto to say "this item belongs to this group" and "for any item in this group, these people should have these permissions". The particular set of people is bound to change over time, and I would want to make that change centrally without having to revisit the permissions for all items in the group.

I'd appreciate any insight or references you can give!

[zepatrik]

It is important to distinguish subject-sets and subject-set-rewrites here. The former are supported by Keto, while the latter are not yet implemented. The examples you provided all contain subject-sets and are regular relationtuples.

Subject-set-rewrites are a global configuration that works a bit like an instruction to define tuples that are not actually stored, but deducted from the stored ones. The most straight forward example (from the zanzibar paper):

relation: {
  name: "editor"
  userset_rewrite: {
    union: {
      child: { _this: {} }
      child: { computed_userset: { relation: "owner" } }
} } }

This means that for each tuple of the format <object>#owner@<subject>, the system should act as if there would be the tuple <object>#editor@<subject>. More complex rewrites are also possible and achieve different results, but that is the basic idea. Subject-set-rewrites allow to "define tuples with variables", or "a declarative way to define tuples". All depending on already existing tuples.

Until subject-set-rewrites are supported by Keto, you can as a workaround construct the relationtuples that would be defined through the rewrite, and actually store them in Keto. That is not really scalable, but works for the beginning. An example for above rewrite is that on every API call that adds an owner relationtuple, you add additionally an editor one with the same object and subject.

The empty relation is just a special relation that allows you to use objects as subjects, therefore defining a relation between two objects. What that actually means has to be defined through subject-sets or -rewrites. Answering your question: it only establishes a link and no inheritance.

Regarding your example, I would currently model it with the following relationtuples:

// user -> group
group0#member@user0
group0#member@user1

// item -> group
item0#access@(group0#member)

but it will be much nicer with subject-set-rewrites, as you will be able to use the empty relation to establish the link between items and groups instead.

[alexhanson]

Thanks Patrik! The distinction between subjects, subject sets, and (forthcoming) subject-set rewrites was the missing piece for me. I appreciate the thorough explanation and guidance.

[jessepinkman9900]

Hi @zepatrik,
Any estimate on when Subject-set-rewrites will be released in Ory Keto?

[vinckr]

A bit late on the response, but they have been merged back in August for anyone else who comes across this: #877

[WoodyWoodsta]

@vinckr This PR says that the underlying mechanisms for rewrites is available, but I'm completely confused as to whether we are now able to specify these rules? If so, how?