
Querying ACL/permissions graph using gremlin?

My permissions graph looks like this:

[Image: sample graph]

In this situation,

  1. user1 has permission on folder1 through Group1.
  2. user2 has direct permissions without any group, though the user is part of group2, where group2 doesn't have access over folder1.
  3. user3 has permission through group hierarchy, not the direct group to folder access.

I was able to write separate gremlin queries to determine whether a user has permission through one of the groups and user direct permission.

Checking permission through group

g.V().has('user','userId','user1').emit().repeat(out('member_of'))
 .outE('has_permission').has('permission','p1').inV()
 .has('folder','folderId','folder1').hasNext()

User-direct permission

g.V().has('user','userId','user2')
  .outE('has_permission').has('permission','p1').inV()
  .has('folder','folderId','folder1').hasNext()

But I couldn't figure out the logic in a single query which can check both direct and group to see whether the user has permission or not.

Can someone help me out here?

Your graph:

g = TinkerGraph.open().traversal()
g.addV('user').property('userId','user1').as('u1').
  addV('user').property('userId','user2').as('u2').
  addV('user').property('userId','user3').as('u3').
  addV('group').property('groupId','group1').as('g1').
  addV('group').property('groupId','group2').as('g2').
  addV('group').property('groupId','group3').as('g3').
  addV('folder').property('folderId','folder1').as('f1').
  addE('member_of').from('u1').to('g1').
  addE('member_of').from('u2').to('g2').
  addE('member_of').from('u3').to('g3').
  addE('member_of').from('g3').to('g1').
  addE('has_permission').from('g1').to('f1').
  addE('has_permission').from('u2').to('f1').iterate()

A general solution to your problem:

g.V().has('user','userId',<userId>).
  emit().
    until(__.not(outE('member_of'))).
    repeat(out('member_of')).
  filter(out('has_permission').has('folder','folderId',<folderId>)).hasNext()

Traversal executed on the sample graph:

gremlin> g.V().has('user','userId','user1').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(out('has_permission').has('folder','folderId','folder1')).hasNext()
==>true
gremlin> g.V().has('user','userId','user2').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(out('has_permission').has('folder','folderId','folder1')).hasNext()
==>true
gremlin> g.V().has('user','userId','user3').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(out('has_permission').has('folder','folderId','folder1')).hasNext()
==>true

Thanks Daniel. Just to complicate the above query to check whether the user has the given permission or not, below is the answer for anyone like me looking for it.

gremlin> g.V().has('user','userId','user3').
           emit().
             until(__.not(outE('member_of'))).
             repeat(out('member_of')).
           filter(outE('has_permission').has('permission','V').inV().has('folder','folderId','folder1')).hasNext()
==>true
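
The traversals above combined into one check that covers direct and inherited grants, filters on the edge's permission property, and stays bounded when group membership is cyclic (an added example, not code from the original posts). It assumes the has_permission edges carry a permission property as in the question; the value 'p1' on the edges, the group1 -> group3 edge and the helper name hasPermission are constructed for illustration. On such a cycle until(__.not(outE('member_of'))) has no exit condition, so simplePath() is used instead.

```groovy
// Added example: the sample graph from the answer, plus a 'permission'
// property on each has_permission edge (value 'p1' is constructed) and a
// constructed group1 -> group3 edge that makes member_of cyclic.
g = TinkerGraph.open().traversal()
g.addV('user').property('userId','user1').as('u1').
  addV('user').property('userId','user2').as('u2').
  addV('user').property('userId','user3').as('u3').
  addV('group').property('groupId','group1').as('g1').
  addV('group').property('groupId','group2').as('g2').
  addV('group').property('groupId','group3').as('g3').
  addV('folder').property('folderId','folder1').as('f1').
  addE('member_of').from('u1').to('g1').
  addE('member_of').from('u2').to('g2').
  addE('member_of').from('u3').to('g3').
  addE('member_of').from('g3').to('g1').
  addE('member_of').from('g1').to('g3').
  addE('has_permission').from('g1').to('f1').property('permission','p1').
  addE('has_permission').from('u2').to('f1').property('permission','p1').iterate()

// hasPermission is a hypothetical helper name, not part of Gremlin.
hasPermission = { userId, permission, folderId ->
  g.V().has('user','userId',userId).
    emit().                                  // keep the user itself, for direct grants
    repeat(out('member_of').simplePath()).   // walk up the groups; drop paths that revisit a vertex
    dedup().                                 // evaluate each user/group vertex once
    filter(outE('has_permission').has('permission',permission).
           inV().has('folder','folderId',folderId)).
    hasNext()
}

hasPermission('user1','p1','folder1')   // grant inherited from group1
hasPermission('user2','p1','folder1')   // direct grant on the user
hasPermission('user3','p1','folder1')   // grant inherited via group3 -> group1
hasPermission('user3','p2','folder1')   // no such grant; the traversal still terminates
```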

