Skip to main content

Basic: Olymp Library

A basic, down-to-earth full feature example

Consider a file sharing application called "Olymp Library". Each file is stored in a key-value store, where the key is a UUIDv4 (pseudorandom unique identifier), while the value is the metadata and content. The application uses Ory Keto to keep track of ownership and granted access on a per file level.

note

This example assumes there is a namespace files with the relations owner and access defined, where each owner of an object also has access to that object. All relation tuples are stored in that namespace.

Now, the user identified by its unique username demeter wants to upload a file containing the most fertile grounds. The file gets assigned the UUID ec788a82-a12e-45a4-b906-3e69f78c94e4. The application adds the following relation tuple to Ory Keto through the write-API:

ec788a82-a12e-45a4-b906-3e69f78c94e4#owner@demeter

To prepare for an important meeting with the user athena, demeter wants to share the file with fertile grounds with athena so that they can both read it. Therefore, he opens the "Olymp Library" and is presented with a list of all files he owns. The application will internally request all objects (file IDs) with the owner demeter by using the list-API. The response will contain the object ec788a82-a12e-45a4-b906-3e69f78c94e4, which the application maps to the file in question.

The user demeter will then ask the application to share the file with athena. The application will translate that request into a write-API request adding the following relation tuple to Ory Keto:

ec788a82-a12e-45a4-b906-3e69f78c94e4#access@athena

To confirm the successful operation, the application uses Ory Keto's expand-API to compile a list of everyone who can access the file:

// The following subject set is expanded by Keto
ec788a82-a12e-45a4-b906-3e69f78c94e4#access

which returns the expansion tree

∪ ec788a82-a12e-45a4-b906-3e69f78c94e4#access
├─ ∪ ec788a82-a12e-45a4-b906-3e69f78c94e4#owner
│ ├─ ☘ demeter
├─ ☘ athena

The "Olymp Library" can then display this information to demeter.

When athena wants to get the file containing fertile grounds, the application uses the check-API to verify that athena has access to the file before it returns the file. This will allow demeter to revoke athena's access at any point by deleting the corresponding relation tuple.