ory / keto

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=keto
Apache License 2.0
4.7k stars 342 forks

feat: batch check relations #1521

Open patrickduffy95 opened 2 months ago

patrickduffy95 commented 2 months ago

Related issue(s)

https://github.com/ory/keto/issues/812

Checklist

Further Comments

This change adds REST and gRPC endpoints for batch checking relations. The endpoint accepts a list of relation tuples to check, iterates through them (with concurrency), and returns a list of allowed responses.

REST API

New endpoint: POST /relation-tuples/batch/check?max-depth=<depth>&parallelization-factor=<max-concurrent-requests>

Request body:

{
    "tuples": [
        {
            "namespace": <namespace>,
            "object": <object>,
            "relation": <relation>,
            "subject_id": <subject_id>,
            "subject_set": <subject_set>
        }
    ]
}

Response:

{
    "results": [
        {
            "allowed": true,
            "error": "an optional error message if the individual check fails"
        }
    ]
}

gRPC

New RPC: CheckService/BatchCheck

Request:

// The request for a CheckService.BatchCheck RPC.
// Checks a batch of relations.
message BatchCheckRequest {
  repeated RelationTuple tuples = 1;

  // This field is not implemented yet and has no effect.
  bool latest = 2;
  // This field is not implemented yet and has no effect.
  string snaptoken = 3;
  // The maximum depth to search for a relation.
  //
  // If the value is less than 1 or greater than the global
  // max-depth then the global max-depth will be used instead.
  int32 max_depth = 4;
  // The number of check requests to perform in parallel.
  //
  // Will default to 5 if not provided. If provided, it must be
  // a positive integer
  optional int32 parallelization_factor = 5;
}

Response:

// The response for a CheckService.BatchCheck rpc.
message BatchCheckResponse {
  // The results of the batch check. The order of these
  // results will match the order of the input.
  repeated CheckResponseWithError results = 1;
}

// The response for an individual check in the CheckService.BatchCheck rpc.
message CheckResponseWithError {
  // Whether the specified subject (id)
  // is related to the requested object.
  //
  // It is false by default if no ACL matches.
  bool allowed = 1;
  // If there was an error checking the tuple,
  // this will contain the error message.
  //
  // If the check was performed successfully, this will be empty.
  string error = 2;
  // This field is not implemented yet and has no effect.
  string snaptoken = 3;
}

Notes:
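
Added example, not part of the pull request or of Keto's code: a Go client-side helper (the names `Tuple` and `Decide` are hypothetical) that maps the `results` array back onto the submitted tuples by position, following the response contract described above. It assumes the caller wants fail-closed handling, so a non-empty `error` counts as a deny and a result count that differs from the request count rejects the whole batch.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Tuple mirrors the request fields in the description (subject_set omitted).
type Tuple struct {
	Namespace string `json:"namespace"`
	Object    string `json:"object"`
	Relation  string `json:"relation"`
	SubjectID string `json:"subject_id,omitempty"`
}

// batchResponse mirrors the REST response body shown in the description.
type batchResponse struct {
	Results []struct {
		Allowed bool   `json:"allowed"`
		Error   string `json:"error"`
	} `json:"results"`
}

// Decide maps a batch response onto the tuples that were sent, by position.
// Assumption (not from the PR): the caller fails closed, so a per-item error
// is a deny and a result count mismatch invalidates the whole batch.
func Decide(sent []Tuple, body []byte) ([]bool, error) {
	var resp batchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode batch response: %w", err)
	}
	if len(resp.Results) != len(sent) {
		return nil, errors.New("result count does not match request count")
	}
	out := make([]bool, len(sent))
	for i, r := range resp.Results {
		// Trust "allowed" only when the individual check reported no error.
		out[i] = r.Allowed && r.Error == ""
	}
	return out, nil
}

func main() {
	sent := []Tuple{{"files", "report.pdf", "view", "alice"}, {"files", "report.pdf", "edit", "alice"}}
	// Constructed sample response: the second check failed server-side.
	body := []byte(`{"results":[{"allowed":true},{"allowed":false,"error":"namespace not found"}]}`)
	fmt.Println(Decide(sent, body))
}
```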

CLAassistant commented 2 months ago

CLA assistant check
All committers have signed the CLA.

patrickduffy95 commented 2 months ago

@alnr would you be able to let me know if this PR is on the right track?

aeneasr commented 1 month ago

Hello, sorry for not responding here. I think this feature is grand! @zepatrik and @hperl are finishing up some work on our end and can probably check out this PR in a week or two.

PrimeDominus commented 1 month ago

Thanks for implementing this. We've hit a roadblock and without this feature we have to write a bunch of custom code in our server which is getting cumbersome to maintain. Really looking forward to trying this.

patrickduffy95 commented 1 month ago

> Hello, sorry for not responding here. I think this feature is grand! @zepatrik and @hperl are finishing up some work on our end and can probably check out this PR in a week or two.

Thanks @aeneasr! Do you have a better idea now of when they might be able to take a look at it?

patrickduffy95 commented 1 month ago

Thanks a lot for the review @hperl. I will let you know once this PR is updated.

patrickduffy95 commented 3 weeks ago

@hperl I have updated the PR based on your feedback and it is now ready for review.