Allow `is_authorized()` to source action entities from a schema

[cdisselkoen]

Category

User level API changes

Describe the feature you'd like to request

Today, in order to provide is_authorized() with information about action entities (e.g., attributes or parents), you have to pass them as part of the entities argument to is_authorized(). If callers want to reuse the action definition from their schema, they have to manually call .action_entities() on their schema and then add those entities to their other Entities. Cedar could/should provide a convenience API that automates this. As one possible design (but not the only design), Authorizer::new() could take an optional schema argument; if present, action entities from that schema would automatically be added to each authorization request made with that Authorizer.

Describe alternatives you've considered

• Instead of changing Authorizer::new(), we could make an additional Authorizer constructor that takes a schema argument. This might be better for backwards compatibility.
• Instead of embedding the schema in the Authorizer, we could just have an optional schema argument to is_authorized(), or a new version of is_authorized() that takes a schema argument.
• We could prevent actions from being passed in entities, and instead take a actions argument to is_authorized(), which could be provided by a schema or directly from a second Entities object. This would probably involve a new trait IntoActions or something, which would be implemented by both Schema and Entities.

Additional context

• We still don't want to make schemas required for authorization. This means that you need to be able to call is_authorized() without a schema, and also that you'll need to still be able to provide action entities somehow even if you're not providing a schema. In the main proposal above, this would be trivially satisfied by continuing to allow action entities to be passed as part of entities.
• This issue may or may not involve a breaking change to Cedar's public API, depending on design choices above.
• This issue affects/is impacted by New API for validating requests #191

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

[cdisselkoen]

The design where the schema is just passed in to Authorizer somehow, with no other interface changes, is not the best one. It would require that on every is_authorized() call, we extract the actions, add to the passed Entities, and re-compute TC. Even if we get around re-computing TC somehow, we still don't want to be modifying the Entities every is_authorized() call. We want to retain the property that the construction of Entities can be fully amortized across is_authorized() calls by reusing the same Entities object with no modifications.

Possible solutions:

• Have the schema be an optional argument to Entities constructors, and extract the actions at that time. Note that some Entities constructors already take an optional schema argument for other purposes; this would reuse that schema argument for this purpose as well.
• Have the Authorizer itself hold the Entities, so that is_authorized() doesn't take an Entities argument but instead just uses the Entities stored in the Authorizer. If we go this route, it might make sense to do the same for the PolicySet argument to is_authorized(). This would mean that users need to construct a new Authorizer every time their entity/policy slice changes, which is different from today. Alternately, we could also provide setters/mutators for the entities and/or policies stored in the Authorizer.
• Similar to the third alternative above -- Don't rely on combining the action entities into the passed Entities, and instead refactor the evaluator so that it can function with two different sources of entity data in the same is_authorized() call: one that can only have actions, and one that can have both actions and other entities. Or, force all users (even without schema) to split their entities into actions and non-actions, and pass these separately to is_authorized(). These would be larger changes to core evaluation code that I'm a little more hesitant to make.
• any other ideas?

[andrewmwells-amazon]

What if we added actions from the schema into the Entities as part of schema-based parsing?

[cdisselkoen]

That's implied in the first bullet in this comment. We also want a solution that works when using other Entities constructors (i.e., the ones that don't take JSON)

[andrewmwells-amazon]

IMO that would handle 95% of the pain with minimal changes. I suspect users who are constructing their entities programmatically won't really mind having to call .action_entities() on their schema. If they do, maybe we could provide a NonActionEntities that converts to Entities by adding the action entities automatically?

IMHO, changes other than your first bullet point seem pretty invasive to make unless we have concrete examples where customers need them.

[andrewmwells-amazon]

concrete examples where customers need them

To give my experience:
I've seen two examples where customers would like this feature, but both were importing JSON entities.