ory / keto

The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=keto
Apache License 2.0

Empty relation on a subset doesn't work as wildcard after upgrading to v0.11.1 #1479

Open gpadilha opened 10 months ago

gpadilha commented 10 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

For the following tuples:

groups:readers#owner@user1
groups:readers#member@user2
files:foo.txt#access@groups:readers# (subset with empty relation, regardless of relation all should have access)

On version v0.8.0, the following check returns {allowed:true}:

curl -X GET "http://127.0.0.1:4466/check?namespace=files&object=foo.txt&relation=access&subject_id=user1"

However, the same check on v0.11.1-alpha.0 returns {allowed:false}:

curl -X GET "http://127.0.0.1:4466/relation-tuples/check?namespace=files&object=foo.txt&relation=access&subject_id=user1"

Reproducing the bug

  1. Spin up a keto container, version v0.8.0, connected to another container running a MySQL DB
  2. Run the curl command to create the two tuples mentioned above
  3. Run the respective v0.8.0 check curl; it should return {allowed:true}
  4. Redeploy the keto container with v0.11.1-alpha.0
  5. Run the migrations
  6. Run the respective v0.11.1-alpha.0 check curl; it will return {allowed:false}, expected to be {allowed:true} as in v0.8.0

Relevant log output

No response

Relevant configuration

No response

Version

v0.11.1-alpha.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response
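
The difference reported above, as an added example that is not part of the original issue and not Ory Keto's code: a simplified Go model that evaluates the report's three tuples under both behaviours and lists the tuples whose outcome changes, which is what an operator would audit before upgrading. The type and function names, the `wildcard` switch and the depth limit are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is one relation tuple in the report's "namespace:object#relation@subject" notation.
type Tuple struct{ NS, Obj, Rel, Subject string }

func Parse(s string) Tuple {
	left, subject, _ := strings.Cut(s, "@")
	nsObj, rel, _ := strings.Cut(left, "#")
	ns, obj, _ := strings.Cut(nsObj, ":")
	return Tuple{ns, obj, rel, subject}
}

// ReportTuples holds the three tuples listed in the report.
var ReportTuples = []Tuple{Parse("groups:readers#owner@user1"), Parse("groups:readers#member@user2"),
	Parse("files:foo.txt#access@groups:readers#")}

// Check is a simplified model, not Keto's engine. wildcard=true treats an empty relation in a
// subject set as "any relation" (the behaviour reported for v0.8.0); false requires an exact match.
func Check(ts []Tuple, ns, obj, rel, user string, wildcard bool, depth int) bool {
	for _, t := range ts {
		if t.NS != ns || t.Obj != obj || (t.Rel != rel && !(wildcard && rel == "")) {
			continue
		}
		s, isSet := Parse(t.Subject+"@"), strings.Contains(t.Subject, "#") // s matters only for subject sets
		if t.Subject == user || (isSet && depth > 1 && Check(ts, s.NS, s.Obj, s.Rel, user, wildcard, depth-1)) {
			return true
		}
	}
	return false
}

// EmptyRelationSets lists tuples whose subject is a subject set with an empty relation.
func EmptyRelationSets(ts []Tuple) (out []Tuple) {
	for _, t := range ts {
		if strings.HasSuffix(t.Subject, "#") {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	q := func(w bool) bool { return Check(ReportTuples, "files", "foo.txt", "access", "user1", w, 5) }
	fmt.Println("wildcard:", q(true), "strict:", q(false), "affected:", EmptyRelationSets(ReportTuples))
}
```

Every tuple returned by `EmptyRelationSets` is a grant whose check result flips between the two models, so that list is the set to re-test after an upgrade.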