cedar-policy / rfcs


Embedded Attribute Maps #68

Closed mwhicks1 closed 3 months ago

mwhicks1 commented 5 months ago

Proposes to add entity attribute maps, a feature useful for encoding tags that are attached to entities.


emina commented 5 months ago

I like the main proposal, and I think it’s a good place to start. If it turns out that we need dynamic attributes, we can always extend the implementation to support Alternative A, without breaking any existing policies.

max2me commented 5 months ago

Let me see if I understand it correctly. Tags are like records except:

Use cases this unlocks make a lot of sense. None of the limitations concern me too much, but I do wonder if we can somehow allow tags to be part of context to address use cases similar to RequestTags in IAM (I don't know how else someone would model that feature in Cedar).

mwhicks1 commented 5 months ago

allow tags to be part of context to address use cases similar to RequestTags in IAM

You can define request tags as a special entity that is referenced in context. E.g.,

entity RequestTags = {
  Tags<Set<String>> tags,
};
...
action MyAction appliesTo {
  ...
  context: { requestInfo: RequestTags }
};

A policy would look like

permit(...) when {
  context.requestInfo.tags has orange &&
  context.requestInfo.tags.orange.contains(principal.tag)
};

Does that seem acceptable?

Also:

allow tags to be part of context to address use cases similar to RequestTags in IAM

This is the case now, for simplicity, but Alternative A is doable later. Just more work.
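The RequestTags-in-context pattern sketched above can be exercised on constructed data with the small evaluator below. It is an added example, not code from the RFC or from the cedar-policy project: it models a `RequestTags` entity whose `tags` attribute maps a key to a set of strings (the `Tags<Set<String>>` shape) and evaluates the policy body `context.requestInfo.tags has orange && context.requestInfo.tags.orange.contains(principal.tag)`. The entity identifiers, tag keys and tag values are constructed sample data; the point it shows is that the `has` guard turns a missing tag key into a denial rather than an evaluation error, and that an empty value set also denies.

```python
"""Toy evaluator for the RequestTags-in-context pattern (added example,
not from the RFC or the cedar-policy project). All entity identifiers,
tag keys and values below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    uid: str
    tag: str  # the single string tag the policy compares against


@dataclass
class RequestTags:
    # Tag key -> set of string values, mirroring the Tags<Set<String>> shape
    tags: dict[str, frozenset[str]] = field(default_factory=dict)


def request_tag_allows(
    principal: Principal,
    context: dict[str, str],
    entities: dict[str, RequestTags],
    key: str,
) -> bool:
    """Evaluate `context.requestInfo.tags has <key> &&
    context.requestInfo.tags.<key>.contains(principal.tag)`.

    Returns True only when the context references a known RequestTags
    entity, that entity carries the tag key, and the principal's tag is
    one of the key's values. Like Cedar's `has` guard, a missing key
    short-circuits to a denial instead of raising a missing-attribute error.
    """
    ref = context.get("requestInfo")
    if ref is None or ref not in entities:
        return False  # no RequestTags entity to consult: deny
    tags = entities[ref].tags
    if key not in tags:  # `... has <key>` is false
        return False
    return principal.tag in tags[key]  # `.<key>.contains(principal.tag)`


def demo() -> dict[str, bool]:
    """Run the check over constructed principals, contexts and entities."""
    entities = {
        'RequestTags::"req-1"': RequestTags({"orange": frozenset({"alpha", "beta"})}),
        'RequestTags::"req-2"': RequestTags({"purple": frozenset({"alpha"})}),  # no "orange" key
        'RequestTags::"req-3"': RequestTags({"orange": frozenset()}),  # key present, empty set
    }
    alice = Principal('User::"alice"', "alpha")
    bob = Principal('User::"bob"', "gamma")
    return {
        # tag present and alice's tag is a member -> permit
        "alice_req1": request_tag_allows(alice, {"requestInfo": 'RequestTags::"req-1"'}, entities, "orange"),
        # tag present but bob's tag is not a member -> deny
        "bob_req1": request_tag_allows(bob, {"requestInfo": 'RequestTags::"req-1"'}, entities, "orange"),
        # "orange" key absent: the `has` guard denies without an error
        "alice_req2": request_tag_allows(alice, {"requestInfo": 'RequestTags::"req-2"'}, entities, "orange"),
        # key present with an empty value set -> deny
        "alice_req3": request_tag_allows(alice, {"requestInfo": 'RequestTags::"req-3"'}, entities, "orange"),
        # context does not reference any RequestTags entity -> deny
        "alice_noref": request_tag_allows(alice, {}, entities, "orange"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'permit' if allowed else 'deny'}")
```

The evaluator deliberately has no "tag missing" error path: every way the lookup can fail (no entity reference, unknown entity, missing key, empty set, non-member) yields `False`, which is the behaviour a policy author gets by guarding the lookup with `has` before calling `contains`.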

max2me commented 5 months ago

Does that seem acceptable?

Yes, it does.

allow tags to be part of context to address use cases similar to RequestTags in IAM

This is the case now, for simplicity, but Alternative A is doable later. Just more work.

If we are keeping the door open here, then this seems like a great way to start.

aaronjeline commented 4 months ago

I like the proposal, but echo Craig's concern that the syntax makes it look like a first class type.

cdisselkoen commented 4 months ago

The final comment period (FCP) for this RFC is starting now, with intent to accept. The FCP will end 2024-07-17 at 10am PT / 1pm ET / 5pm UTC. Please add comments, and especially any objections, if you have any. For more on the RFC process, see https://github.com/cedar-policy/rfcs.

jeffsec-aws commented 4 months ago

I like the final revision of this RFC which will unlock new use cases.

max2me commented 3 months ago

FWIW, all top 3 cloud providers (AWS, Azure, GCP) have a concept of "tags" that represents key-value pairs on a resource/entity. I