by jeffbee 1902 days ago
I went diving into the docs to find out how Keto implements Zanzibar's consistency guarantees, which for Zanzibar are provided mostly by Spanner, but it seems that Keto just does not[1]. This does not strike me as the kind of thing that can just be added after the project begins.

[1] https://github.com/ory/keto/blob/master/docs/docs/concepts/s...

1 comments

So the idea in the paper is that you store a version token (a.k.a. zookie) next to every object version. When you ask Zanzibar if a user is allowed to modify it, the request contains the stored token. Then you get a new token with a successful response that you store with the new version. This guarantees that a user can only access 1. objects they have access to and 2. objects they don't have access to but only at versions they once had access to. The second case only occurs until an ACL update propagates around the globe and through all distributed caches. In our opinion that can be added later on (the proto definitions already account for that), although it is a breaking change of course. One important point is that Keto can be operated locally as well, which means there are no database sync delays. This is the only mode it supports right now, and it does not need the zookies for that.
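
The token flow described in the reply above, as an added example that is not part of the thread and is neither Keto's nor Zanzibar's code. It is a simplified model: `AclLog`, `Replica` and `content_change_check` are hypothetical names, and integer log positions stand in for real timestamps.

```python
# Toy model of Zanzibar-style version tokens ("zookies"); all names are constructed.
class AclLog:
    """Authoritative, totally ordered log of ACL writes."""
    def __init__(self):
        self.writes = []                         # (ts, op, obj, user)
    def write(self, op, obj, user):
        self.writes.append((len(self.writes) + 1, op, obj, user))
        return len(self.writes)                  # logical timestamp of this write
    def allowed_at(self, obj, user, snapshot):
        """Replay the log up to `snapshot` and report whether user is in the ACL."""
        members = set()
        for ts, op, o, u in self.writes:
            if ts <= snapshot and o == obj:
                (members.add if op == "grant" else members.discard)(u)
        return user in members

class Replica:
    """A cache or remote replica that has applied the log only up to `applied`."""
    def __init__(self, log, applied):
        self.log, self.applied = log, applied
    def check(self, obj, user, zookie=0):
        # Never evaluate at a snapshot older than the zookie stored with the
        # object version; a real replica would wait or forward to catch up.
        return self.log.allowed_at(obj, user, max(self.applied, zookie))

def content_change_check(log, obj, user):
    """Run before saving a new object version: evaluate at the log head and
    return (allowed, zookie); the caller stores the zookie with that version."""
    head = len(log.writes)
    return log.allowed_at(obj, user, head), head

def scenario():
    log = AclLog()
    log.write("grant", "doc", "alice")
    log.write("grant", "doc", "bob")
    stale = Replica(log, applied=len(log.writes))          # current for now
    _, z_v1 = content_change_check(log, "doc", "alice")    # alice saves v1
    log.write("revoke", "doc", "alice")                    # not yet seen by `stale`
    _, z_v2 = content_change_check(log, "doc", "bob")      # bob saves v2
    out = {"v2_no_zookie": stale.check("doc", "alice"),    # stale allow
           "v2_with_zookie": stale.check("doc", "alice", z_v2),
           "v1_with_zookie": stale.check("doc", "alice", z_v1)}
    stale.applied = len(log.writes)                        # revocation propagated
    out["v1_after_propagation"] = stale.check("doc", "alice", z_v1)
    return out

if __name__ == "__main__":
    print(scenario())
```

The `v1_with_zookie` result is the reply's second case: the old version stays readable to the revoked user only while the replica lags.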