Basic: Olymp library
A basic, down-to-earth full feature example
Consider a file sharing application called "Olymp Library". Each file is stored in a key-value store, where the key is a UUIDv4 (pseudorandom unique identifier), while the value is the metadata and content. The application uses Ory Keto to keep track of ownership and granted access on a per file level.
This example assumes there is a namespace files with the relations owner and access
defined, where each owner of an object also has access to that object. All relationships are stored in that namespace.
Now, the user identified by their unique username Bob wants to upload a file containing the most fertile grounds. The file gets
assigned the UUID ec788a82-a12e-45a4-b906-3e69f78c94e4. The application adds the following
relationship to Ory Keto through the
write-API:
File:ec788a82-a12e-45a4-b906-3e69f78c94e4#owner@User:Bob
To prepare for an important meeting with the user Alice, Bob wants to share the fertile grounds file with Alice so that
they can both read it. Therefore, he opens the "Olymp Library" and is presented with a list of all files he owns. The application
will internally request all objects (file IDs) with the owner Bob by using the
list-API. The response will contain the object
ec788a82-a12e-45a4-b906-3e69f78c94e4, which the application maps to the file in question.
The user Bob will then ask the application to share the file with Alice. The application will translate that request into a
write-API request adding the following relationship to Ory Keto:
File:ec788a82-a12e-45a4-b906-3e69f78c94e4#access@User:Alice
To confirm the successful operation, the application uses Ory Keto's expand-API to compile a list of everyone who can access the file:
// The following subject set is expanded by Keto
File:ec788a82-a12e-45a4-b906-3e69f78c94e4#access
which returns the expansion tree
∪ File:ec788a82-a12e-45a4-b906-3e69f78c94e4#access
├─ ∪ File:ec788a82-a12e-45a4-b906-3e69f78c94e4#owner
│ ├─ ☘ User:Bob
├─ ☘ User:Alice
The "Olymp Library" can then display this information to Bob.
When Alice wants to get the file containing fertile grounds, the application uses the
check-API to verify that Alice has access to the file before it returns
the file. Because the check happens before the file is returned, Bob can revoke Alice's access at any point by deleting the corresponding relationship.
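The whole flow above (write, list, share, expand, check, revoke) can be traced with a small in-memory model. This is an added example, not Ory Keto's code or API: the `Rel`, `Store`, `IMPLIED_BY` and `run_scenario` names are hypothetical, and the only rule assumed is the one stated above, that every owner also has access.

```python
from typing import NamedTuple

FILE = "ec788a82-a12e-45a4-b906-3e69f78c94e4"  # file UUID from the page
IMPLIED_BY = {"access": ["owner"]}  # assumed rule: every owner also has access

class Rel(NamedTuple):  # hypothetical tuple type: namespace:object#relation@subject
    namespace: str
    obj: str
    relation: str
    subject: str

class Store:
    """Toy in-memory model; not Ory Keto's implementation or API."""
    def __init__(self):
        self.tuples = set()

    def write(self, rel):
        self.tuples.add(rel)
    def delete(self, rel):
        self.tuples.discard(rel)

    def list_objects(self, namespace, relation, subject):
        """Objects on which subject directly holds relation (like the list step)."""
        return sorted(t.obj for t in self.tuples
                      if (t.namespace, t.relation, t.subject) == (namespace, relation, subject))

    def expand(self, namespace, obj, relation):
        """Every subject holding relation, directly or through an implied relation."""
        found = {t.subject for t in self.tuples
                 if (t.namespace, t.obj, t.relation) == (namespace, obj, relation)}
        for parent in IMPLIED_BY.get(relation, []):
            found |= self.expand(namespace, obj, parent)
        return found

    def check(self, namespace, obj, relation, subject):
        """Default deny: allowed only if some stored tuple grants the relation."""
        return subject in self.expand(namespace, obj, relation)

def run_scenario():
    s = Store()
    s.write(Rel("File", FILE, "owner", "User:Bob"))       # Bob uploads the file
    owned = s.list_objects("File", "owner", "User:Bob")   # files Bob can share
    share = Rel("File", FILE, "access", "User:Alice")
    s.write(share)                                        # Bob shares with Alice
    who = s.expand("File", FILE, "access")                # who can access now
    before = s.check("File", FILE, "access", "User:Alice")
    s.delete(share)                                       # Bob revokes
    after = s.check("File", FILE, "access", "User:Alice")
    return owned, who, before, after
```

The implication runs one way only: an `access` tuple never grants `owner`, and deleting Alice's tuple leaves Bob's access, which comes from his `owner` tuple, untouched.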
This diagram illustrates the relationships in this example: