Support wildcards in template policy resources #95

@WanderingStar

Category

Cedar language features

Describe the feature you'd like to request

We would like to be able to use template linking to grant permissions on patterns of resources, for example "Shohreh has the Editor policy on all Documents matching *.pdf".

This depends on #81

Describe the solution you'd like

Allow the like operator to accept expressions, not just literal strings on the RHS. Support like on entities, with the logic that the LHS entity must be the same EntityType as the RHS entity and the LHS entity's name must be like the RHS entity.

@id("Editor")
permit(
    principal == ?principal,
    action in [Action::"Read", Action::"Write", Action::"Comment"],
    resource like ?resource
);

Describe alternatives you've considered

To achieve this goal today, we can create more policies with the wildcards in literal strings, but we would prefer to use policy templates so that the templates can evolve.

If #94 is implemented, one option would be to separate the type check from the name check:

resource.name like ?resource.name
&& resource is Document

If there were more placeholders than just ?principal and ?resource, maybe a string placeholder would be better:

resource.name like ?pattern
&& resource is Document

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
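
The semantics requested above for `resource like ?resource`, as an added Rust sketch (not Cedar's implementation and not code from the issue author). It assumes an entity's "name" is its id and that the linked `?resource` id carries the pattern; `uid`, `entity_like` and `editor_permits` are hypothetical names. Matching follows Cedar's existing `like` rules: `*` matches zero or more characters, `\*` is a literal star, and the whole string must match.

```rust
// Added sketch of the semantics proposed in the issue; not Cedar's implementation.
// Assumption: an entity's "name" is its id, and the linked ?resource id is the pattern.
#[derive(Debug, Clone, PartialEq)]
pub struct EntityUid { pub ty: String, pub id: String }
pub fn uid(ty: &str, id: &str) -> EntityUid { EntityUid { ty: ty.into(), id: id.into() } }

// Parse a `like` pattern: `*` is a wildcard (None), `\*` is a literal star.
fn parse(pattern: &str) -> Vec<Option<char>> {
    let mut out = Vec::new();
    let mut it = pattern.chars().peekable();
    while let Some(c) = it.next() {
        match c {
            '\\' if it.peek() == Some(&'*') => { it.next(); out.push(Some('*')); }
            '*' => out.push(None),
            _ => out.push(Some(c)),
        }
    }
    out
}

// Whole-string match with backtracking to the most recent wildcard.
pub fn like(text: &str, pattern: &str) -> bool {
    let (pat, txt) = (parse(pattern), text.chars().collect::<Vec<char>>());
    let (mut t, mut p, mut star) = (0, 0, None);
    while t < txt.len() {
        if p < pat.len() && pat[p] == Some(txt[t]) { t += 1; p += 1; }
        else if p < pat.len() && pat[p].is_none() { star = Some((p, t)); p += 1; }
        else if let Some((sp, st)) = star { p = sp + 1; t = st + 1; star = Some((sp, st + 1)); }
        else { return false; }
    }
    pat[p..].iter().all(|e| e.is_none())
}

// Proposed entity `like`: same entity type AND id matches the pattern.
pub fn entity_like(lhs: &EntityUid, rhs: &EntityUid) -> bool {
    lhs.ty == rhs.ty && like(&lhs.id, &rhs.id)
}

// The "Editor" template from the issue, linked with concrete slot values.
pub fn editor_permits(link_p: &EntityUid, link_r: &EntityUid,
                      principal: &EntityUid, action: &str, resource: &EntityUid) -> bool {
    principal == link_p
        && ["Read", "Write", "Comment"].contains(&action)
        && entity_like(resource, link_r)
}

fn main() {
    let (who, pdfs) = (uid("User", "Shohreh"), uid("Document", "*.pdf"));
    println!("{}", editor_permits(&who, &pdfs, &who, "Read", &uid("Document", "q3.pdf")));
}
```

The type check is what keeps a link on `Document::"*.pdf"` from also covering an entity of another type whose id happens to end in `.pdf`, and the anchored match is what keeps it from covering `report.pdf.exe`.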

Labels

feature-request: This issue requests a substantial new feature
