
Support for template groups #106

Open
mwhicks1 opened this issue May 31, 2023 · 2 comments
Labels
backlog We hope to work on this in the future feature-request Request for a new feature

Comments


mwhicks1 commented May 31, 2023

Category

Cedar language features

Describe the feature you'd like to request

Allow template policies to be grouped together using the CLI, so they can be linked all at once. Doing so ensures that the application writer cannot mistakenly link one policy in the group separately from all the policies.

Describe the solution you'd like

Consider this pair of template policies:

@id("policy1")
permit(
  principal == ?principal,
  action, 
  resource in ?resource);

@id("policy2")
permit(
  principal == ?principal,
  action == Action::"viewDoc",
  resource in Directory::"DivisionDocs");

This pair represents a role: the linked principal can access any resource in the linked group (policy1), or it can view any document in a particular collection. We want to make sure that both policies are always linked, together, and not just one or the other. Some grouping mechanism would help. For example:

@group("role1")
@id("policy1")
permit(
  principal == ?principal,
  action, 
  resource in ?resource);

@group("role1")
@id("policy2")
permit(
  principal == ?principal,
  action == Action::"viewDoc",
  resource in Directory::"DivisionDocs");

Here we have labeled both policies with the same @group; we could instantiate them together in an API that references the group, rather than an individual policy.

Describe alternatives you've considered

We could achieve a similar effect combining both templates into a single one:

@id("bothpolicies")
permit(
  principal == ?principal,
  action, 
  resource)
when {
   resource in ?resource ||
   (action == Action::"viewDoc" && resource in Directory::"DivisionDocs")
};

This has the drawback that the combined policy is more complicated to understand. It also requires the template slot ?resource to appear in the when condition, rather than the scope, which is currently not supported. Finally, this policy will not index very well in Verified Permissions because of multiple constraints on the action and resource.

Additional context

This feature request only applies to the CLI, using the annotation mechanism as shown. It should have no impact on core Cedar or its APIs.

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
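A sketch of the grouped-linking behaviour described above, as an added example that is not part of this issue or of the Cedar CLI: it reads the @group and @id annotations from template text (splitting on ';' is a simplification that is fine for this sample), links every member of a group with the same slot values, and refuses to link a grouped template on its own. The function names and the slot values are constructed for illustration.

```python
import re

# Constructed sample: the two templates from the issue, tagged with @group("role1").
TEMPLATES = '''
@group("role1")
@id("policy1")
permit(
  principal == ?principal,
  action,
  resource in ?resource);

@group("role1")
@id("policy2")
permit(
  principal == ?principal,
  action == Action::"viewDoc",
  resource in Directory::"DivisionDocs");
'''

ANNOTATION = re.compile(r'@(\w+)\("([^"]*)"\)')  # @name("value")
SLOT = re.compile(r'\?(\w+)')                    # ?principal, ?resource

def parse_templates(text):
    """Collect each policy's annotations and body (simplified: split on ';')."""
    out = []
    for chunk in text.split(';'):
        chunk = chunk.strip()
        if chunk:
            ann = dict(ANNOTATION.findall(chunk))
            body = ANNOTATION.sub('', chunk).strip()
            out.append({'id': ann.get('id'), 'group': ann.get('group'), 'body': body})
    return out

def _fill(template, slots):
    """Substitute slot values; every slot the template uses must be supplied."""
    missing = set(SLOT.findall(template['body'])) - set(slots)
    if missing:
        raise ValueError(f"{template['id']}: unfilled slot(s) {sorted(missing)}")
    return SLOT.sub(lambda m: slots[m.group(1)], template['body']) + ';'

def link_group(templates, group, slots):
    """Instantiate all members of `group` together with the same slot values."""
    members = [t for t in templates if t['group'] == group]
    if not members:
        raise ValueError(f'no templates in group {group!r}')
    return {f"{t['id']}@{group}": _fill(t, slots) for t in members}

def link_single(templates, policy_id, slots):
    """Link one ungrouped template; grouped templates must go through link_group."""
    t = next((t for t in templates if t['id'] == policy_id), None)
    if t is None:
        raise ValueError(f'unknown template {policy_id!r}')
    if t['group'] is not None:
        raise ValueError(f"{policy_id} belongs to group {t['group']!r}; link the whole group")
    return {policy_id: _fill(t, slots)}
```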
@mwhicks1 mwhicks1 added the pending-triage Hasn't been triaged yet label May 31, 2023
@andrewmwells-amazon andrewmwells-amazon added enhancement and removed pending-triage Hasn't been triaged yet labels Jun 1, 2023
@anwarmamat anwarmamat added requires-RFC Needs to go through the RFC process feature-request Request for a new feature and removed enhancement labels Jun 6, 2023
@khieta khieta added pending-review Awaiting review by the core team feature-request Request for a new feature requires-RFC Needs to go through the RFC process and removed feature-request Request for a new feature requires-RFC Needs to go through the RFC process pending-review Awaiting review by the core team labels Jun 6, 2023

khieta commented Jun 23, 2023

Closing this issue in favor of cedar-policy/rfc#7. Please move any future discussion there.

@khieta khieta closed this as completed Jun 23, 2023
mwhicks1 (Contributor, Author) commented

I am canceling the corresponding RFC and reopening this issue. The proposed change, to be implemented as written, should only apply to the CLI, with no changes to core Cedar or its APIs. This means it does not rise to the level of an RFC and it makes sense to bring back this issue.

@mwhicks1 mwhicks1 reopened this Jun 23, 2023
@mwhicks1 mwhicks1 removed the requires-RFC Needs to go through the RFC process label Jun 23, 2023
@anwarmamat anwarmamat added the backlog We hope to work on this in the future label Jul 12, 2023