Partial Evaluation #20

Open
kevinmichaelchen opened this issue Sep 5, 2023 · 6 comments

@kevinmichaelchen

Is Cedar Agent able to support Partial Evaluation?

In this permit.io video with Mike Hicks and the Cedar team, they present a Partial Evaluation feature that lets you answer the question:

What resources could this principal perform this action on successfully?

The result is a series of residual expressions that can enumerate all of the allowed resources, from which we can derive a where clause (e.g., WHERE id IN [1, 2, 3]) to constrain which resources get retrieved by the database, thereby saving unnecessary data transfer.

Impact

The impact of this feature would be huge for service calls dealing with large batches of resources, which may only be partially accessible to the principal.

Example Scenario

Consider a university application where teachers may only view data (subjects, classroom blocks, other teachers, etc.) that they specifically teach.

We could try to model this fine-grained authorization logic using where clauses, but eventually, the database may exhaust its ability to do so. (Maybe, for example, authz decisions will be decided by data that simply is not in the database, e.g., Salesforce or some other external system).

query {
  schoolByPk(id: 42) {
    name
    teachers {
      id
      fullName
    }
    subjects {
      name # e.g., Linear Algebra
      blocks {
        recurrenceRules
        teacher {
          id
          fullName
        }
      }
    }
  }
}

Current Approach

My current approach to make sure the client sees only what is accessible is to:

  1. Constrain the query by some kind of notion of multi-tenancy (e.g., school 42)
  2. Retrieve everything under that from the database
  3. Aggregate all the resources and submit them, one by one, in parallel, to Cedar Agent.
  4. Filter out any resources that are not accessible.

I can't help but think an approach using Partial Evaluation would be cleaner.
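Added example, not part of the original issue and not Cedar or Cedar Agent code: a toy partial evaluator showing how a policy with a known principal and an unknown resource reduces to a residual, which is then rendered as a parameterized WHERE clause for the university scenario above. The tuple encoding, `POLICY`, `COLUMNS`, the `blocks` table and all function names are constructed assumptions.

```python
import sqlite3

COLUMNS = {"school_id", "teacher_id"}  # constructed: resource attributes that are SQL columns
ROWS = [(1, 42, 7), (2, 42, 8), (3, 42, 7), (4, 99, 7)]  # constructed (id, school_id, teacher_id)
POLICY = ("and", ("eq", ("attr", "resource", "school_id"), ("attr", "principal", "school_id")),
          ("or", ("eq", ("attr", "resource", "teacher_id"), ("attr", "principal", "id")),
           ("eq", ("attr", "principal", "role"), ("lit", "admin"))))  # toy policy, not Cedar syntax

def is_residual(v):
    return isinstance(v, tuple)

def peval(expr, env):
    """Return a concrete value, or a residual expression over entities missing from env."""
    op = expr[0]
    if op == "lit":
        return expr[1]
    if op == "attr":                       # ("attr", entity, field)
        return env[expr[1]][expr[2]] if expr[1] in env else expr
    left, right = peval(expr[1], env), peval(expr[2], env)
    if op == "eq":
        if is_residual(left) or is_residual(right):
            return ("eq", *(v if is_residual(v) else ("lit", v) for v in (left, right)))
        return left == right
    absorbing = (op == "or")               # True decides "or", False decides "and"
    for known, other in ((left, right), (right, left)):
        if not is_residual(known):
            return absorbing if bool(known) == absorbing else other
    return (op, left, right)

def to_sql(res, params):
    """Render a residual as a WHERE fragment; values are bound, columns allow-listed."""
    if not is_residual(res):
        return "1=1" if res else "1=0"     # policy fully decided without the resource
    op, a, b = res
    if op in ("and", "or"):
        return f"({to_sql(a, params)} {op.upper()} {to_sql(b, params)})"
    col, val = (a, b) if a[0] == "attr" else (b, a)
    if op != "eq" or col[0] != "attr" or val[0] != "lit" or col[2] not in COLUMNS:
        raise ValueError(f"residual not expressible as SQL: {res!r}")
    params.append(val[1])
    return f"{col[2]} = ?"

def visible_block_ids(principal):          # filter in the database, not row by row afterwards
    params = []
    where = to_sql(peval(POLICY, {"principal": principal}), params)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blocks (id INTEGER, school_id INTEGER, teacher_id INTEGER)")
    db.executemany("INSERT INTO blocks VALUES (?, ?, ?)", ROWS)
    rows = db.execute(f"SELECT id FROM blocks WHERE {where} ORDER BY id", params)
    return where, [r[0] for r in rows]
```

A residual that refers to data the database does not hold raises `ValueError` here, which is the case where the per-resource check from the current approach is still needed.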

@orweis
Contributor

orweis commented Sep 5, 2023

Hi @kevinmichaelchen! :) I love how on top of things you are.
We are in touch with the Cedar-core team, and partial evaluation is something we're discussing adding to Cedar and to Cedar-agent. We'll keep you posted. :)

@kevinmichaelchen
Author

@orweis — Thanks for the fast response! Amazing to hear! I will stay tuned.

@aronglia

Hey, it looks like there is partial evaluation in Cedar now https://cedarland.blog/usage/partial-evaluation/content.html. Will it also be added to cedar agent?

@orweis
Contributor

orweis commented Dec 12, 2023

> Hey, it looks like there is partial evaluation in Cedar now https://cedarland.blog/usage/partial-evaluation/content.html. Will it also be added to cedar agent?

We were just discussing this the other day.
As this is an experimental feature, it might be best to add it in an experimental way to cedar-agent as well, i.e. with a build-flag, or at least a runtime envar.
Exposing the API shouldn't be a problem.

Any takers on helping with a PR here?

CC: @asafc , @omer9564 , @obsd

@omer9564
Collaborator

I can try to take a look at the required actions here tomorrow and see how hard it is to add this to the cedar-agent API.

@omer9564
Collaborator

Took a look at the source of the partial evaluation feature.
I can try to implement an API endpoint to use the partial evaluation feature without too much effort (assuming upgrading to the latest cedar crate won't cause any trouble).
The main issue here is that the feature isn't well documented, and it probably won't be easy to test this feature and understand the expected output of a request you make.

CC: @orweis, @asafc, @obsd
