Cedar standard library #58
Conversation
Signed-off-by: Craig Disselkoen <[email protected]>
cdisselkoen
force-pushed
the
cdisselkoen/standard-library
branch
from
29de6e1 to
2929508
Compare
cdisselkoen
added
the
pending
|
A meta question: Is it for human-readable format only? If not, we should provide the JSON representation as well. |
|
I support the "extends" feature and have several scenarios where it would help us manage schemas in large-scale systems with many services and application builders, in which central teams define a common structure which others can expand. The Cedar standard library is a special case in which a common structure is so ubiquitous as to be nearly universal. I think this could be useful, but will naturally take longer to finalize these types and so it makes sense to decouple the standard type definitions (like OIDC User) from the rest of the proposal. We'd probably want to run the standard types through a process that looks like a standards community, including audiences from the OpenID Foundation, for example. |
|
When it comes to bikeshedding the naming, if we sought to avoid "extends" because of it's object-oriented connotations, I would be in favor of the aforementioned suggestion of "expands". |
Signed-off-by: Craig Disselkoen <[email protected]>
Signed-off-by: Craig Disselkoen <[email protected]>
|
@aaronjeline says
@D-McAdams says
These are good thoughts. I would say that this RFC proposes three things:
but this RFC does not propose a specific declaration for |
|
I'm a big fan of |
| or | ||
| ``` | ||
| entity Group { myAttribute: String }; | ||
| entity User extends __cedar::OIDC::User in [Group] { emailOptOut: Boolean }; |
There was a problem hiding this comment.
While we say below that we will not support subtyping (with strict validation) using this construct, that may disappoint users who expect to get it, since morally we are extending/reusing an existing base type.
There was a problem hiding this comment.
There is also a technical issue: Suppose I have
entity Group { myAttribute: String, sibling: [Group] };
entity HierarchicalGroup extends Group { tag: String };
A strict interpretation of extends would make HierarchicalGroup equivalent to
entity HierarchicalGroup { myAttribute: String, sibling: [Group], tag: String };
But users might be expecting that sibling's type is updated with the extended type, i.e.,
entity HierarchicalGroup { myAttribute: String, sibling: [HierarchicalGroup], tag: String };
Doing so would be important for strict validation, since it does not allow subtyping. With permissive validation, leaving sibling as [Group] is less problematic because HierarchicalGroups are effectively subtypes of Groups, and we could introduce subtyping edges explicitly to support that.
There was a problem hiding this comment.
Another option could be to do what IonSchema does: https://amazon-ion.github.io/ion-schema/docs/isl-2-0/spec#all_of.
They allow an "any_of" and an "all_of". Then you're encouraged to use composition without the overhead of inheritance.
| Create a Cedar Standard Library of type declarations that are likely to be | ||
| useful to many Cedar users, and are distributed along with Cedar. |
There was a problem hiding this comment.
It feels weird to me to call this a standard "library" because there is no general notion of library that this proposal instantiates with a standard. Indeed, I expect there is interest in supporting 3rd party libraries of type definitions (and data definitions, if we adopt RFC 61), and I'd propose we think through how that might work, and then leverage that for our particular proposed definitions, here.
| 2. Ensuring the community's alignment on the "best" way to declare each type. | ||
| For instance, should OIDC `updatedAt` be expressed as a `String`, as a `Long` | ||
| (eg Unix timestamp), or as a record with multiple components? | ||
| This allows Cedar to encourage best practices. |
There was a problem hiding this comment.
I can imagine some variation in how to define things, rather than a single source of truth. For example, some apps might want to make OIDC attributes out of enumerated entities, but others might prefer to make them strings. (This is a real disagreement with real customers!) It's a problem if the "standard" definition doesn't work for 95% of customers, I would claim.
There was a problem hiding this comment.
In short: Being in the business of maintaining a standard library is an opportunity for regret, since we might discover that many things we introduce are wrong, but we can't easily remove them. Better to have a general mechanism the community can use, and then take clear winners into a standard location when/if they emerge.
| 1. Saving each Cedar user the effort of writing the declaration themselves. | ||
| This facilitates code reuse in schemas, and makes it easier to get started |
There was a problem hiding this comment.
This is a benefit of libraries in general, not necessarily a standard library. If we provided a library facility, then we could let third parties vend these definitions and customers adopt the ones they want.
| When everyone shares a common definition of `OIDC::User`, the community could | ||
| conceivably converge on a reusable library function for, e.g., converting an | ||
| OIDC token into Cedar entity data. |
There was a problem hiding this comment.
Agreed, the community could converge on such a thing -- so we should give them a mechanism to do that, properly. Rather than pull requests to the Cedar core repository.
| This RFC also includes the new keyword `extends`, allowing a schema to extend a | ||
| previously existing entity declaration by adding more parent types and/or more | ||
| attributes. |
There was a problem hiding this comment.
If we are using permissive validation, is it always the case that if A extends B, then A can be used as a subtype of B? I think the answer is probably yes, but we should confirm.
It may be disappointing to provide this feature but then not get subtyping in strict validation. If we anticipate a future in which customers do provide functions or other operators over "standardized" types, it will be very sad if they cannot use those functions on types that extend those types.
| 4. Users may incorrectly assume that `extends` provides subtyping, while this | ||
| RFC does not propose that it provides subtyping. |
There was a problem hiding this comment.
It does provide it for permissive validation, just not for strict. But that might still be disappointing.
There was a problem hiding this comment.
Actually, it won't unless we add a specific rule that says it does. But we can probably do that.
| ## Alternatives | ||
|
|
There was a problem hiding this comment.
Alternative X: Do nothing, and instead propose a general way to define and import libraries, perhaps via URLs or some other distribution mechanism. Then let the community decide.
There was a problem hiding this comment.
I like the idea of the extends operator in schema (although I'd prefer a different name). But I'm not so keen on the idea of the standard library -- I think the OIDC definition should live in its own repository controlled by a standards committee / invested third parties (so, Alternative A).
Would you consider splitting this RFC into two?
| For instance, users may assume that an action with principal type | ||
| `BaseEntityType` could also be used with principal type `MyEntityType` which | ||
| `extends` `BaseEntityType`; but this is not the case in the current proposal. | ||
| It's also possible that the keyword being named `extends` in particular might | ||
| make this problem worse due to existing associations with object-oriented | ||
| inheritance; see Alternative H. |
There was a problem hiding this comment.
This is my main gripe with the word extends. If we don't allow for this kind of subtyping then I think we should switch to expands (or similar).
| This RFC proposes that `extends` must appear before `in` and attributes: | ||
| ``` | ||
| entity MyEntityType extends A in [B]; | ||
| ``` | ||
| We could instead require `extends` to appear _after_ `in` but before attributes: | ||
| ``` | ||
| entity MyEntityType in [B] extends A; | ||
| ``` |
There was a problem hiding this comment.
I like the RFC as-is; it's useful to have MyEntityType and A as close together as possible.
|
I think it would make more sense to break this into two RFCs: adding libraries to Cedar (combining this RFC with parts of #61) and an RFC proposing what types to include in the standard library. |
|
Here's a schema we're using for our Janssen Project Cedar science project that you might want to consider for your library: A few things to think about that this schema has:
I understand the desire to map these to RFC's, but there is a lot of interconnection... for example OpenID Connect Dynamic Client Reg, OAuth Client Reg and Draft OAuth Client Reg with Attestation. I don't think you should boil the ocean here. Just start with a small schema? |
|
These last four comments (@mwhicks1, @khieta, @andrewmwells-amazon, and @nynymike) all make good points; I'll work on splitting this RFC into (at least) two parts, separating the ideas of library mechanisms, |
|
As the first step of that, I just posted RFC 69: Schema libraries. Comments welcome. |
Rendered
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.