[ORY Keto] Patterns for updating policies in multi user environments?
The Keto policies update endpoints currently work with a full copy of the resource. This means that if we want to update just a specific property of the policy (for example, to add or remove a subject), we need to fetch the full policy, update its contents to the expected end state, and then overwrite the existing policy with the updated one.
But in a multi-user environment, this could result in a situation where changes made by a user are completely overwritten by another user. Example scenario:

  1. User 1 and User 2 both want to add a subject to the same policy
  2. User 1 GETs a policy to make changes to it
  3. User 2 GETs the same policy to make changes to it
  4. User 1 and 2 update the subjects field for the policy
  5. User 1 & 2 PUT the updated policy using the policies api

In the scenario above, whichever user’s PUT request is received last would win, overwriting the other user’s update.

I’m curious if there is any official guidance around how the policy updates should be handled in a multi-user scenario, and also how other users of Keto are handling this.

Notably, the Keto Roles API seems to offer specific endpoints just for adding and removing members, without needing to overwrite the entire resource, which would go a long way in reducing the race condition scenario outlined above. @aeneasr, are there any plans to add similar fine-grained APIs for policies as well?

We have been thinking for some time now about adding PATCH capabilities to our APIs with JSON Patch ( http://jsonpatch.com ). This is, however, currently not implemented!
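The lost-update race from the original post, and the two ways out of it that the thread touches on (a fine-grained server-side operation such as the Roles API's add-member endpoint or a JSON Patch `add`, and a version check on the full PUT), as an added Go example that is not Keto's code and not from either poster. The in-memory `Store`, the `Version` field standing in for an HTTP ETag / `If-Match` precondition, and the policy and subject names are all constructed for the illustration; Keto itself does not expose a version field on policies as far as this thread states.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// ErrVersionConflict is the analogue of HTTP 412 Precondition Failed.
var ErrVersionConflict = errors.New("policy was modified by another writer")

// Policy is a constructed, minimal stand-in for a Keto policy; only the
// subjects field matters here. Version is a hypothetical revision counter.
type Policy struct {
	ID       string
	Subjects []string
	Version  int
}

// Store is an in-memory policy store exposing the three update styles
// discussed in the thread.
type Store struct {
	mu       sync.Mutex
	policies map[string]Policy
}

func NewStore() *Store { return &Store{policies: map[string]Policy{}} }

func clone(p Policy) Policy {
	p.Subjects = append([]string(nil), p.Subjects...)
	return p
}

// Get returns a copy, as a GET on the policies API would.
func (s *Store) Get(id string) (Policy, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.policies[id]
	return clone(p), ok
}

// Put overwrites the whole resource: last writer wins, no conflict detection.
func (s *Store) Put(p Policy) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p.Version = s.policies[p.ID].Version + 1
	s.policies[p.ID] = clone(p)
}

// PutIfMatch overwrites only when the stored version equals the version the
// client read (compare-and-swap, like PUT with an If-Match header).
func (s *Store) PutIfMatch(p Policy, expected int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur := s.policies[p.ID]
	if cur.Version != expected {
		return ErrVersionConflict
	}
	p.Version = cur.Version + 1
	s.policies[p.ID] = clone(p)
	return nil
}

// AddSubject applies the change server-side under the lock: the effect a
// JSON Patch {"op":"add","path":"/subjects/-"} or a dedicated add-member
// endpoint would have. No client-side read-modify-write, so nothing to lose.
func (s *Store) AddSubject(id, subject string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p := s.policies[id]
	p.Subjects = append(append([]string(nil), p.Subjects...), subject)
	p.Version++
	s.policies[id] = p
}

// addSubject is the client-side read-modify-write step each user performs.
func addSubject(p Policy, subject string) Policy {
	p.Subjects = append(p.Subjects, subject)
	return p
}

func sorted(p Policy) []string { sort.Strings(p.Subjects); return p.Subjects }

// LostUpdate replays the thread's scenario: both users GET, then both PUT the
// full policy. Returns the subjects that survive (bob's addition is lost).
func LostUpdate() []string {
	s := NewStore()
	s.Put(Policy{ID: "p1", Subjects: []string{"alice"}})
	u1, _ := s.Get("p1")
	u2, _ := s.Get("p1")
	s.Put(addSubject(u1, "bob"))
	s.Put(addSubject(u2, "carol")) // overwrites bob
	final, _ := s.Get("p1")
	return sorted(final)
}

// SafeUpdate does the same with a version check: the second writer gets a
// conflict, re-reads and retries, and both additions survive.
func SafeUpdate() (subjects []string, retries int) {
	s := NewStore()
	s.Put(Policy{ID: "p1", Subjects: []string{"alice"}})
	u1, _ := s.Get("p1")
	u2, _ := s.Get("p1")
	if err := s.PutIfMatch(addSubject(u1, "bob"), u1.Version); err != nil {
		panic(err) // first writer still holds the current version
	}
	for s.PutIfMatch(addSubject(u2, "carol"), u2.Version) != nil {
		retries++
		u2, _ = s.Get("p1") // re-read, then retry on the fresh copy
	}
	final, _ := s.Get("p1")
	return sorted(final), retries
}

// PatchUpdate uses the fine-grained operation; ordering no longer matters.
func PatchUpdate() []string {
	s := NewStore()
	s.Put(Policy{ID: "p1", Subjects: []string{"alice"}})
	s.AddSubject("p1", "bob")
	s.AddSubject("p1", "carol")
	final, _ := s.Get("p1")
	return sorted(final)
}

func main() {
	fmt.Println("full overwrite:", LostUpdate())
	sub, n := SafeUpdate()
	fmt.Println("if-match:", sub, "retries:", n)
	fmt.Println("patch/add-member:", PatchUpdate())
}
```

`LostUpdate` ends with `[alice carol]`, the silent loss the post describes; `SafeUpdate` ends with `[alice bob carol]` after exactly one retry, and `PatchUpdate` reaches the same state with no client-side merge at all. The version check is a client-visible failure rather than a silent overwrite, which is the property to look for in any policy-management API, whether it comes as ETags on the full resource or as atomic add/remove operations.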