You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We used to expose the input actions via request.actions but that is not suitable for this use case - you want to be able to write the condition based on the action that matched the wildcard rather than the full set of actions that were provided in the request.
We could add a field action to the cerbos.engine.v1.Runtime message, which would be populated with the action currently being evaluated by the engine.
The text was updated successfully, but these errors were encountered:
Variables should be forbidden from referencing runtime.action
We currently evaluate variables at the beginning of a policy. If variables are allowed to reference runtime.action we'd have to re-evaluate them for each action
Reasoning about variables becomes quite mind bending when they change from rule to rule
CEL doesn't have a way to lazily evaluate field accesses like runtime.effectiveDerivedRoles. So, the first time runtime.action is used we'd have to compute and sort the effective derived roles as well.
Variables should be forbidden from referencing runtime.action
I think this is more confusing than having variables that change from rule to rule. My mental model of variables is that they are effectively macros; a variable in an expression can be expanded with its definition (and indeed this is how we do it in the query planner). As an optimization, variables that do not reference runtime.action can be precomputed in checks, but I think lazily evaluating ones that do reference it should be allowed.
Similarly I think it should be possible to reference runtime.action in derived role conditions. The use case I am thinking of is an API key which has a set of user-configurable permissions, so the principal attributes contains something like
It would sometimes be useful to be able to write a rule matching a wildcard action and use the matched action in the condition expression, e.g.
We used to expose the input actions via
request.actions
but that is not suitable for this use case - you want to be able to write the condition based on the action that matched the wildcard rather than the full set of actions that were provided in the request.We could add a field
action
to thecerbos.engine.v1.Runtime
message, which would be populated with the action currently being evaluated by the engine.The text was updated successfully, but these errors were encountered: