Description
Is Cedar Agent able to support Partial Evaluation?
In this permit.io video with Mike Hicks and the Cedar team, they present a Partial Evaluation feature that lets you answer the question:
What resources could this principal perform this action on successfully?
The result is a series of residual expressions that can enumerate all of the allowed resources, from which we can derive a where clause (e.g., WHERE id IN [1, 2, 3]) to constrain which resources get retrieved by the database, thereby saving unnecessary data transfer.
Impact
The impact of this feature would be huge for service calls dealing with large batches of resources, which may only be partially accessible to the principal.
Example Scenario
Consider a university application where teachers may only view data (subjects, classroom blocks, other teachers, etc.) that they specifically teach.
We could try to model this fine-grained authorization logic using where clauses, but eventually, the database may exhaust its ability to do so. (Maybe, for example, authz decisions will be decided by data that simply is not in the database, e.g., Salesforce or some other external system).
```graphql
query {
  schoolByPk(id: 42) {
    name
    teachers {
      id
      fullName
    }
    subjects {
      name # e.g., Linear Algebra
      blocks {
        recurrenceRules
        teacher {
          id
          fullName
        }
      }
    }
  }
}
```

Current Approach
My current approach to make sure the client sees only what is accessible is to:
- Constrain the query by some kind of notion of multi-tenancy (e.g., school 42)
- Retrieve everything under that from the database
- Aggregate all the resources and submit them, one by one, in parallel, to Cedar Agent.
- Filter out any resources that are not accessible.

I can't help but think an approach using Partial Evaluation would be cleaner.
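The "residuals to WHERE clause" step the issue describes, as an added example that is not code from the issue author or the Cedar/Cedar Agent projects. It assumes a Cedar-EST-like JSON shape for residuals (`{"Var": "resource"}`, `{"Value": {"__entity": {...}}}`, `==`, `||`) and that only permit-policy residuals are passed in; anything outside that subset is refused so the caller falls back to per-row evaluation instead of over-fetching.

```python
"""Translate a safe subset of Cedar-style residuals into a parameterized SQL filter.

Constructed example. The residual JSON shape below is an assumption modelled on
Cedar's EST syntax; the exact keys may differ between Cedar versions.
"""
from __future__ import annotations


class Untranslatable(Exception):
    """Residual uses a construct we cannot map to a database filter."""


def _entity_id(node: dict, expected_type: str) -> str:
    # Accept {"Value": {"__entity": {"type": T, "id": I}}} only for the resource
    # type being queried; an id of another type is not a filter on this table.
    ent = node.get("Value", {}).get("__entity")
    if not ent or ent.get("type") != expected_type:
        raise Untranslatable(f"not a {expected_type} literal: {node}")
    return str(ent["id"])


def residual_to_ids(expr: dict, resource_type: str) -> set[str]:
    """Collect ids from a disjunction of `resource == Type::"id"` comparisons."""
    if "||" in expr:
        sides = expr["||"]
        return residual_to_ids(sides["left"], resource_type) | residual_to_ids(sides["right"], resource_type)
    if "==" in expr:
        left, right = expr["=="]["left"], expr["=="]["right"]
        if left == {"Var": "resource"}:
            return {_entity_id(right, resource_type)}
        if right == {"Var": "resource"}:
            return {_entity_id(left, resource_type)}
    raise Untranslatable(f"unsupported residual node: {list(expr)}")


def where_clause(decision: str | None, residuals: list[dict], resource_type: str) -> tuple[str, list[str]]:
    """Return (sql_fragment, params). Ids go in as bind parameters, never interpolated."""
    if decision == "Deny" or (decision is None and not residuals):
        return "WHERE 1 = 0", []          # nothing visible: default deny
    if decision == "Allow":
        return "", []                     # concrete allow: no extra filter
    ids: set[str] = set()
    for residual in residuals:            # permit-policy residuals only (assumption)
        ids |= residual_to_ids(residual, resource_type)
    placeholders = ", ".join("?" for _ in ids)
    return f"WHERE id IN ({placeholders})", sorted(ids)


def try_where_clause(decision, residuals, resource_type) -> tuple[str, list[str]] | None:
    """None means: do not push the filter down, evaluate each row against the PDP instead."""
    try:
        return where_clause(decision, residuals, resource_type)
    except Untranslatable:
        return None


# Constructed residual: teacher may view Subject::"1" or Subject::"3".
SAMPLE_RESIDUAL = {"||": {
    "left": {"==": {"left": {"Var": "resource"}, "right": {"Value": {"__entity": {"type": "Subject", "id": "1"}}}}},
    "right": {"==": {"left": {"Var": "resource"}, "right": {"Value": {"__entity": {"type": "Subject", "id": "3"}}}}},
}}
```

A residual such as `resource in principal.subjects` is not an id list, so `try_where_clause` returns `None` and the service should keep the issue's current per-resource filtering for that query.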