
Comments (10)

mwhicks1 avatar mwhicks1 commented on September 15, 2024 1

Stepping back from the original request:

I wonder if a better solution might be some form of template group which puts together multiple templates so they can be instantiated as a unit? Then you could write multiple policies like you have done above, but as a group that can be linked all at once?

from cedar.

cdisselkoen avatar cdisselkoen commented on September 15, 2024 1

Let's be clear about exactly the scope of this issue -- I think that OP is specifically looking for just allowing the existing ?principal and ?resource placeholders in template conditions. @iamatjlovelock's example requires additional placeholders and, more importantly perhaps, placeholders for values other than entity references, which would be significantly more implementation work and maybe have other ramifications. IMO it would be better to discuss those feature requests in a separate issue (@iamatjlovelock feel free to make one).


cdisselkoen avatar cdisselkoen commented on September 15, 2024 1

Hi again! We're working on transitioning to a formal RFC process like many other language projects. See the README at https://github.com/cedar-policy/rfcs. In support of this transition, I've written up this issue and the discussion in this thread as cedar-policy/rfcs#3. Feel free to suggest any edits you like. Going forward, let's continue discussion there, per the RFC process outlined in the README. Thanks!


mwhicks1 avatar mwhicks1 commented on September 15, 2024

It looks like you want more than just slots in conditions, you also want to allow slots in more locations in an expression. In particular, we do not currently allow the following:

@id("AdminNavigate")
permit(
  principal == ?principal,
  action == Action::"Navigate", 
  ?resource in resource); // allow access up the tree for navigation

That's because ?resource needs to be on the RHS of the in, not the LHS.


WanderingStar avatar WanderingStar commented on September 15, 2024

As I mentioned above, the current implementation appears to support what I'm asking for already, despite the docs saying it doesn't. It both honors template placeholders in the conditions, and honors ?resource on both the LHS and RHS.

Here's a toy example:
mini-entities.txt
mini-roles.txt
mini-schema.txt
mini-template-linked.txt

Policy template:

@id("Admin")
permit(
  principal == ?principal,
  action, 
  resource
)
when {
    // write in descendants
    (resource in ?resource && action == FS::Action::"Write")

    // list in ancestors
    || (?resource in resource && action == FS::Action::"List")
};

Entity graph:

  • FS::Disk::"SSD"
    • FS::Folder::"Downloads"
      • FS::File::"package.zip"
    • FS::Folder::"Photos" <-- Alice is admin of this
      • FS::File::"vacation.jpg"

Run like:

cargo run authorize \
    --policies mini-roles.txt \
    --schema mini-schema.txt \
    --entities mini-entities.txt \
    --template-linked mini-template-linked.txt \
    --principal 'FS::Person::"Alice"' \
    --action 'FS::Action::"List"' \
    --resource 'FS::Disk::"SSD"'

Action               Resource                  Result  Note
FS::Action::"List"   FS::Disk::"SSD"           ALLOW   Can List ancestor
FS::Action::"Write"  FS::Disk::"SSD"           DENY    ... but not Write
FS::Action::"List"   FS::Folder::"Downloads"   DENY    Wrong branch
FS::Action::"Write"  FS::Folder::"Downloads"   DENY    Wrong branch
FS::Action::"List"   FS::File::"package.zip"   DENY    Wrong branch
FS::Action::"Write"  FS::File::"package.zip"   DENY    Wrong branch
FS::Action::"List"   FS::Folder::"Photos"      ALLOW   Can List bound resource
FS::Action::"Write"  FS::Folder::"Photos"      ALLOW   ... and Write it
FS::Action::"List"   FS::File::"vacation.jpg"  DENY    Can't List descendant
FS::Action::"Write"  FS::File::"vacation.jpg"  ALLOW   ... but can Write it

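The linked "Admin" template and entity graph from the comment above, as an added example that is not part of the original thread or of Cedar's own code: a small Python model of Cedar's `in` relation (reflexive and transitive over parent edges) and of the template's `when` clause, used to reproduce the ALLOW/DENY table for Alice without invoking the real Cedar evaluator. Only permit policies are modelled; forbid policies and schema validation are out of scope.

```python
# Entity graph from the comment, as child -> parents (a Cedar entity may have
# several parents, so a tuple keeps the model general).
PARENTS = {
    'FS::Disk::"SSD"': (),
    'FS::Folder::"Downloads"': ('FS::Disk::"SSD"',),
    'FS::File::"package.zip"': ('FS::Folder::"Downloads"',),
    'FS::Folder::"Photos"': ('FS::Disk::"SSD"',),
    'FS::File::"vacation.jpg"': ('FS::Folder::"Photos"',),
}

def entity_in(child, ancestor, parents=PARENTS):
    """Cedar's `child in ancestor`: true if equal or ancestor is reachable via parent edges."""
    seen, stack = set(), [child]
    while stack:
        cur = stack.pop()
        if cur == ancestor:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(parents.get(cur, ()))
    return False

def admin_template(slot_principal, slot_resource):
    """Link the 'Admin' template: ?principal and ?resource are bound, the when clause stays."""
    def permits(principal, action, resource):
        if principal != slot_principal:  # head: principal == ?principal
            return False
        # when { (resource in ?resource && action == Write) || (?resource in resource && action == List) }
        write_in_descendants = entity_in(resource, slot_resource) and action == 'FS::Action::"Write"'
        list_in_ancestors = entity_in(slot_resource, resource) and action == 'FS::Action::"List"'
        return write_in_descendants or list_in_ancestors
    return permits

def authorize(policies, principal, action, resource):
    """Cedar's decision with only permit policies: ALLOW if any one matches, else DENY."""
    return "ALLOW" if any(p(principal, action, resource) for p in policies) else "DENY"

def alice_decisions():
    """Reproduce the comment's table: Alice linked as admin of Photos, every action x resource."""
    linked = admin_template('FS::Person::"Alice"', 'FS::Folder::"Photos"')
    return {(action, resource): authorize([linked], 'FS::Person::"Alice"', action, resource)
            for resource in PARENTS
            for action in ('FS::Action::"List"', 'FS::Action::"Write"')}

if __name__ == "__main__":
    for (action, resource), result in alice_decisions().items():
        print(f"{action:22} {resource:28} {result}")
```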

WanderingStar avatar WanderingStar commented on September 15, 2024

> I wonder if a better solution might be some form of template group which puts together multiple templates so they can be instantiated as a unit? Then you could write multiple policies like you have done above, but as a group that can be linked all at once?

I'd love template groups. The when { A || B || C } I'm using is awkward.

I'd still want to have ?resource allowed on both the LHS and RHS (as it seems it already is).


mwhicks1 avatar mwhicks1 commented on September 15, 2024

> we do not currently allow the following:

I'm not sure what version you are using, but I just cloned the most recent version and tried to get the CLI to parse this policy

permit(
  principal == ?principal,
  action == Action::"Navigate", 
  ?resource in resource); // allow access up the tree for navigation

and it fails saying that ?resource is unrecognized. If I move the ? to the RHS it works. I guess this support was rolled back recently, to match the docs. @anwarmamat ?

For template groups: I've filed a separate issue for that: #106


WanderingStar avatar WanderingStar commented on September 15, 2024

I was on 960394d5da664ce2dba383270e29fa2a8683e4bd from May 18. Looks like support for placeholders in conditions was removed here: 9772870


iamatjlovelock avatar iamatjlovelock commented on September 15, 2024

I've definitely seen this request for placeholders in template conditions for simpler use cases. In particular to create time bound policies using a template.

The when clause for the template would be something like: when { context.currentDate < ?expiryDate }


cdisselkoen avatar cdisselkoen commented on September 15, 2024

I'll go ahead and close this issue in favor of the linked RFC.

