Namespaces
Ory Keto knows the concept of namespaces to organize relation tuples. Namespaces have a configuration that defines the relations, and some other important values (see reference). Unlike other applications, Ory Keto does not isolate namespaces. Subject sets can cross-reference from one namespace to another. The namespaces' purpose is to split up the data into coherent partitions, each with its corresponding configuration.
Scoping of Objects
The application can also use namespaces to scope objects because Ory Keto only compares objects within a namespace. For example, if Ory Keto knows the following relation tuples
// user1 has acces to the directory foo
directories:foo#access@user1
// user2 has access to the file foo
files:foo#access@user2
both of the following check requests
// Does user2 have access to the directory foo?
directories:foo#access@user2
// Does user1 have access to the file foo?
files:foo#access@user1
will evaluate to false (a.k.a. rejected).
Vice versa, all relation tuples containing an object have to be in the same namespace to reference the same object.
Naming Conventions
Namespaces should be named after the plural of the type of objects they describe
(for example files
, chats
, organizations
). Relations within a namespace
should be a word that describes what relation a subject has towards an object.
As a rule of thumb, every relation tuple should translate to an english sentence
like so:
Subject has relation on object which is one of the namespace.
Examples:
// good examples
files:8f427c01-c295-44f3-b43d-49c3a1042f35#write@02a3c847-c903-446a-a34f-dae74b4fab86
groups:43784684-103e-44c0-9d6c-db9fb265f617#member@b8d00059-b803-4123-9d3d-b3613bfe7c1b
directories:803a87e9-0da0-486e-bc08-ef559dd8e034#child@(files:11488ab9-4ede-479f-add4-f1379da4ae43#_)
files:11488ab9-4ede-479f-add4-f1379da4ae43#parent@(directories:803a87e9-0da0-486e-bc08-ef559dd8e034#_)
// bad examples
// namespace isn't describing homogenous type of objects
tenant-1-objects:62237c27-19c3-4bb1-9cbc-a5a67372569b#access@7a012165-7b21-495b-b84b-cf4e1a21b484
// relation describes a relation of the object towards the subject
directories:803a87e9-0da0-486e-bc08-ef559dd8e034#parent@(files:11488ab9-4ede-479f-add4-f1379da4ae43#_)