Querying ACL/permissions graph using gremlin?

Question

My permissions graph looks like this:

In this situation,

1. user1 has permission on folder1 through Group1.
2. user2 has direct permissions without any group, though the user is part of group2 where group2 doesn't have access over folder1.
3. user3 has permission through group hierarchy, not the direct group to folder access.

I was able to write separate gremlin queries to determine whether a user has permission through one of the groups and user direct permission.

Checking permission through group

g.V().has('user','userId','user1').emit().repeat(out('member_of'))
 .outE('has_permission').has('permission','p1').inV()
 .has('folder','folderId','folder1').hasNext()

User-direct permission

g.V().has('user','userId','user2')
  .outE('has_permission').has('permission','p1').inV()
  .has('folder','folderId','folder1').hasNext()

But I couldn't figure out the logic in a single query which can check both direct and group to see whether the user has permission or not.

Can someone help me out here?

Answer 1

Your graph:

g = TinkerGraph.open().traversal()
g.addV('user').property('userId','user1').as('u1').
  addV('user').property('userId','user2').as('u2').
  addV('user').property('userId','user3').as('u3').
  addV('group').property('groupId','group1').as('g1').
  addV('group').property('groupId','group2').as('g2').
  addV('group').property('groupId','group3').as('g3').
  addV('folder').property('folderId','folder1').as('f1').
  addE('member_of').from('u1').to('g1').
  addE('member_of').from('u2').to('g2').
  addE('member_of').from('u3').to('g3').
  addE('member_of').from('g3').to('g1').
  addE('has_permission').from('g1').to('f1').
  addE('has_permission').from('u2').to('f1').iterate()

A general solution to your problem:

g.V().has('user','userId',<userId>).
  emit().
    until(__.not(outE('member_of'))).
    repeat(out('member_of')).
  filter(out('has_permission').has('folder','folderId',<folderId>)).hasNext()

Traversal executed on the sample graph:

gremlin> g.V().has('user','userId','user1').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(out('has_permission').has('folder','folderId','folder1')).hasNext()
==>true
gremlin> g.V().has('user','userId','user2').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(out('has_permission').has('folder','folderId','folder1')).hasNext()
==>true
gremlin> g.V().has('user','userId','user3').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(out('has_permission').has('folder','folderId','folder1')).hasNext()
==>true

Answer 2

Thanks Daniel. just to complicate the above query to check whether user have given permission or not. below is the answer for any one like me looking for

gremlin> g.V().has('user','userId','user3').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(outE('has_permission').has('permission','V').inV().has('folder','folderId','folder1')).hasNext()
==>true