Partial Evaluation Cedar Meeting

Attendees

  • Darin McAdams
  • Jeff Lombardo
  • Alex Babeanu
  • Vladi Berger
  • David Brossard
  • Michiel Trimpe

Partial Evaluation in Cedar

  • Experimental feature for the time being
  • Some customers are playing with it
  • By the time customers try it though, they find it too raw and give up
  • Common use cases
    • Search: how do you map residual fragments to the relevant query language?
    • Search: there is a risk you might hit a non-indexed field in the underlying DB
    • Hopelessness check: I don't have the entire request, and I don't want to incur the cost of retrieving all attributes if I already know I will get access denied.
    • Impact analysis
      • What if I change this policy, how will access be impacted?
    • Access reviews
      • What can Alice do? What can a manager do?
  • Cedar already produces a JSON version of its AST that represents a partial evaluation response
  • We can compare it with the draft spec
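
One way to approach the Search and hopelessness-check items above, as an added example that is not from the meeting or from Cedar: it translates a residual into a parameterized SQL `WHERE` clause, refuses attributes outside an indexed-column allow-list, and short-circuits when the residual is already `false`. The residual shape is a simplified form modelled on Cedar's JSON expression syntax (an assumption, not captured Cedar output), and `INDEXED`, `to_sql`, `plan_query` and `attr` are hypothetical names.

```python
# Added example. The residual shape and the column names are constructed
# assumptions, not output captured from Cedar.
INDEXED = {"owner", "department"}  # columns with an index (assumed)

class NonIndexedField(Exception):
    """The residual references an attribute we refuse to filter on."""

def to_sql(expr, params):
    """Translate one residual node into a parameterized SQL fragment."""
    if "Value" in expr:
        value = expr["Value"]
        if isinstance(value, bool):
            return "TRUE" if value else "FALSE"
        params.append(value)  # literals are bound, never interpolated
        return "?"
    if "." in expr:
        node = expr["."]
        if node["left"] != {"Var": "resource"}:
            raise ValueError("only resource attributes map to columns")
        if node["attr"] not in INDEXED:
            raise NonIndexedField(node["attr"])
        return node["attr"]  # identifier comes from the allow-list
    for op, sql_op in (("==", "="), ("&&", "AND"), ("||", "OR")):
        if op in expr:
            left = to_sql(expr[op]["left"], params)
            right = to_sql(expr[op]["right"], params)
            return f"({left} {sql_op} {right})"
    raise ValueError(f"unsupported residual node: {sorted(expr)}")

def plan_query(residual):
    """Return None when access is hopeless, else (where_clause, params)."""
    if residual == {"Value": False}:
        return None  # hopelessness check: deny without querying the DB
    params = []
    return to_sql(residual, params), params

def attr(name):
    return {".": {"left": {"Var": "resource"}, "attr": name}}

# Constructed residual: resource.owner == "alice" || resource.department == "eng"
RESIDUAL = {"||": {
    "left": {"==": {"left": attr("owner"), "right": {"Value": "alice"}}},
    "right": {"==": {"left": attr("department"), "right": {"Value": "eng"}}},
}}

if __name__ == "__main__":
    print(plan_query(RESIDUAL))
```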

Differences between products

  • The usefulness and scope of partial evaluation depend on whether the underlying implementation is stateful or stateless

Ucast

Other formats

Reaching out to the new 'product bucket'

  • If partial evaluation is about data filtering, then the target is data platforms (in a broad sense) such as SQL DB vendors, data platforms (Trino, Immuta, Snowflake), or DB SaaS (Athena, RDS)