The graph of relations
The relation tuples of the ACL used by Ory Keto can be represented as a graph of relations. This graph will help us to understand many implications on performance and internal algorithms.
Definition
The graph consists of three types of nodes. Object nodes that represent application objects, intermediary subject set nodes, and subject ID nodes representing individuals. Edges are directed and represent the relation between an object and subject.
Example
The following example translates a view relation tuples into the corresponding graph of relations.
This example omits the namespace from all data to improve readability. In practice, the namespace always has to be considered.
// user1 has access on dir1
dir1#access@user1
// Have a look on the subjects concept page if you don't know the empty relation.
dir1#child@(file1#)
// Everyone with access to dir1 has access to file1. This would probably be defined
// through a subject set rewrite that defines this inherited relation globally.
// In this example, we define this tuple explicitly.
file1#access@(dir1#access)
// Direct access on file2 was granted.
file2#access@user1
// user2 is owner of file2
file2#owner@user2
// Owners of file2 have access to it; possibly defined through subject set rewrites.
file2#access@(file2#owner)
This is represented by the following graph:
Solid edges represent explicitly defined relations, while dotted edges represent relations inherited through a subject set.
Observations about the graph
Ory Keto utilizes the following key properties of the graph of relations:
- Directed edges from objects to subjects: This implies a neat arrangement with objects in one region, subject IDs in another one, and subject sets in between. Edges will always go from the object region towards the subject region.
- Searching for a possible path is local: Trying to find a path from an object to a subject will always happen locally. This means that it's only necessary to traverse the nodes that are successors of the object. In typical setups, this means that only a small fraction of the graph has to be searched, regardless of the outcome. The intuition here is that the relations of user1's files are irrelevant when checking access to user2's files.
Both of these properties are important to ensure high performance.