Allow an unknown principal, resource or action to be constrained to a certain entity type #1393

Closed
1 of 2 tasks
B-Lorentz opened this issue Dec 23, 2024 · 3 comments
Labels
feature-request This issue requests a substantial new feature

Comments

@B-Lorentz
Contributor

Category

User level API features/changes

Describe the feature you'd like to request

Allow the caller to create a request with an unknown principal or resource, that is still known to belong to a certain type.

This is encroaching on the open RFC of https://github.com/cedar-policy/rfcs/pull/83/files
but I found it to be very useful for a 'query construction' use case, similar to the one outlined here:
https://cedarland.blog/usage/partial-evaluation/content.html#what-can-alice-access

Describe alternatives you've considered

Without this, the only way to remove from the residual policies which are clearly excluded by the scope is to construct a full dummy entity ID of the right type, and then insert into the entity store an entry with that id.
But this requires all the fields of the entity to be explicitly set to 'unknown', and makes the evaluator assume the entity has no parents (since the parents of a concrete entity can't be unknown atm)

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
@B-Lorentz B-Lorentz added feature-request This issue requests a substantial new feature pending-triage The cedar maintainers haven't looked at this yet. Automatically added to all new issues. labels Dec 23, 2024
@B-Lorentz B-Lorentz changed the title All an unknown principal, resource or action to be constrained to a certain entity type Allow an unknown principal, resource or action to be constrained to a certain entity type Dec 23, 2024
@shaobo-he-aws shaobo-he-aws added pending-review A Cedar maintainer has looked at this, but believes it needs review by more of the core team and removed pending-triage The cedar maintainers haven't looked at this yet. Automatically added to all new issues. labels Dec 30, 2024
@cdisselkoen
Contributor

This is a special case of #812

@shaobo-he-aws shaobo-he-aws removed the pending-review A Cedar maintainer has looked at this, but believes it needs review by more of the core team label Dec 31, 2024
@B-Lorentz
Contributor Author

> This is a special case of #812

I would even say it's a duplicate. I tried to search if there is a similar issue already, but somehow overlooked that one.

@shaobo-he-aws
Contributor

That being said, I still think #1391 is helpful. Let's close this issue in favor of #812 and keep the PR.

@cdisselkoen cdisselkoen closed this as not planned Jan 2, 2025

3 participants