Description
Cedar originally only used JSON for schema, and then added a native syntax with RFC 24. I'm interested in feedback on proposing the same for an entity literal syntax that would be used for defining lists of entities, in particular during testing.
Copying the RFC 24 motivation section here:
> Cedar schemas for non-toy applications are hard to read and write. The root cause of the difficulty is the use of JSON:
>
> - JSON has low information density. For three applications we’ve modeled — TinyTodo, Document Cloud, and GitHub — schemas span 4-5 pages.
> - JSON does not support comments. This means that any design intent for a schema cannot be expressed inline.
>
> We believe that a custom syntax for Cedar schemas can help. It can be more information-dense, support comments, and leverage familiar syntactic constructs. We think customers will be happier with a custom syntax: we regularly hear favorable reviews of Cedar's custom policy syntax, as compared to a JSON-based syntax.
I think the same applies to a developer's testing loop for the entities in a request. To test out a given request, a cumbersome JSON must be constructed and modified, remembering all the JSON keys for the various parts of an entity definition. I've experienced firsthand developers discussing and building Cedar schema for a use case and then starting to experiment with building policies against that schema but bogging down in getting enough entities defined to make testing the policies useful, and then when adjusting the schema, changing the entities to match is another cumbersome exercise. Unlike schema, where there is value for Cedar syntax being used during development as well as the data format in the implementation itself, I think the value here is primarily just during development.
Actions are already sort of entity literals anyway, so I don't think there would be a lot of new syntax to invent for it. Taking the default list of entities that's populated in the Cedar playground for the photo sharing app, 57 lines of JSON:
```json
[
  {
    "uid": {
      "type": "PhotoApp::User",
      "id": "alice"
    },
    "attrs": {
      "userId": "897345789237492878",
      "personInformation": {
        "age": 25,
        "name": "alice"
      }
    },
    "parents": [
      {
        "type": "PhotoApp::UserGroup",
        "id": "alice_friends"
      },
      {
        "type": "PhotoApp::UserGroup",
        "id": "AVTeam"
      }
    ]
  },
  {
    "uid": {
      "type": "PhotoApp::Photo",
      "id": "vacationPhoto.jpg"
    },
    "attrs": {
      "private": false,
      "account": {
        "__entity": {
          "type": "PhotoApp::Account",
          "id": "ahmad"
        }
      }
    },
    "parents": []
  },
  {
    "uid": {
      "type": "PhotoApp::UserGroup",
      "id": "alice_friends"
    },
    "attrs": {},
    "parents": []
  },
  {
    "uid": {
      "type": "PhotoApp::UserGroup",
      "id": "AVTeam"
    },
    "attrs": {},
    "parents": []
  }
]
```

one could imagine it instead as something like:
```
PhotoApp::User::"alice" in [PhotoApp::UserGroup::"alice_friends", PhotoApp::UserGroup::"AVTeam"] {
    userId: "897345789237492878",
    personInformation: {
        age: 25,
        name: "alice"
    }
};
PhotoApp::Photo::"vacationPhoto.jpg" {
    private: false,
    account: PhotoApp::Account::"ahmad"
};
PhotoApp::UserGroup::"alice_friends" {};
PhotoApp::UserGroup::"AVTeam" {};
```
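To make the proposal concrete, here is a small parser that reads the literal form sketched above and produces the `uid`/`attrs`/`parents` JSON list that Cedar already loads. It is an added example written for this page, not code from the Cedar project or from this issue, and the grammar is my reading of the sketch: an entity UID, an optional `in [...]` parent list, a record of attributes, and a terminating `;`. Assumed on top of that: `//` line comments (since commentability is part of the motivation), JSON-style string escapes, and values limited to strings, integers, booleans, entity references, records and lists (no Cedar extension types such as decimals or IP addresses). `EntityLiteralParser`, `entities_to_json` and `SAMPLE` are names invented here.

```python
import json
import re

# Tokens of the proposed syntax. Whitespace and "//" comments (assumed
# supported) match the unnamed first alternatives and are dropped.
TOKEN_RE = re.compile(
    r'\s+|//[^\n]*|(?P<str>"(?:[^"\\]|\\.)*")|(?P<num>-?\d+)'
    r'|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)|(?P<punct>::|[{}\[\],:;])|(?P<bad>.)')


class EntityLiteralParser:
    def __init__(self, src):
        self.toks, self.i = [], 0
        for m in TOKEN_RE.finditer(src):
            if m.lastgroup == "bad":  # reject stray characters instead of skipping them
                raise SyntaxError(f"unexpected character {m.group()!r} at {m.start()}")
            if m.lastgroup:  # None for whitespace and comments
                self.toks.append((m.lastgroup, m.group()))
        self.toks.append(("eof", ""))  # sentinel so peek() never runs off the end

    def peek(self):
        return self.toks[self.i]

    def expect(self, kind=None, text=None):  # kind=None accepts any token
        k, t = self.peek()
        if k == "eof" or (kind and k != kind) or (text and t != text):
            raise SyntaxError(f"expected {text or kind or 'a token'}, got {t!r}")
        self.i += 1
        return k, t

    def parse_entity(self):  # uid ("in" "[" uid ("," uid)* "]")? record ";"
        uid, parents = self.parse_uid(), []
        if self.peek() == ("ident", "in"):
            self.expect()
            parents = self.parse_seq("[", "]", self.parse_uid)
        attrs = dict(self.parse_seq("{", "}", self.parse_field))
        self.expect("punct", ";")
        return {"uid": uid, "attrs": attrs, "parents": parents}

    def parse_uid(self):  # ident ("::" ident)* "::" string, e.g. PhotoApp::User::"alice"
        segments = [self.expect("ident")[1]]
        while self.peek() == ("punct", "::"):
            self.expect()
            kind, text = self.expect()
            if kind == "str":  # string escapes assumed to follow JSON rules
                return {"type": "::".join(segments), "id": json.loads(text)}
            if kind != "ident":
                raise SyntaxError(f"bad entity path component {text!r}")
            segments.append(text)
        raise SyntaxError('entity UID must end with ::"id"')

    def parse_seq(self, open_, close, parse_item):  # open (item ("," item)*)? close
        self.expect("punct", open_)
        items = []
        while self.peek() != ("punct", close):
            items.append(parse_item())
            if self.peek() != ("punct", ","):
                break
            self.expect()
        self.expect("punct", close)
        return items

    def parse_field(self):  # ident ":" value
        key = self.expect("ident")[1]
        self.expect("punct", ":")
        return key, self.parse_value()

    def parse_value(self):  # string | integer | true | false | uid | record | list
        kind, text = self.peek()
        if kind == "str":
            return json.loads(self.expect()[1])
        if kind == "num":
            return int(self.expect()[1])
        if kind == "ident" and text in ("true", "false"):
            return self.expect()[1] == "true"
        if kind == "ident":  # bare entity reference -> JSON "__entity" wrapper
            return {"__entity": self.parse_uid()}
        if (kind, text) == ("punct", "{"):
            return dict(self.parse_seq("{", "}", self.parse_field))
        if (kind, text) == ("punct", "["):
            return self.parse_seq("[", "]", self.parse_value)
        raise SyntaxError(f"unexpected token {text!r}")


def entities_to_json(src):
    """Parse entity literals into the uid/attrs/parents JSON list Cedar loads."""
    parser, entities = EntityLiteralParser(src), []
    while parser.peek()[0] != "eof":
        entities.append(parser.parse_entity())
    return entities


SAMPLE = '''// constructed input: the issue's proposed form of the playground entities
PhotoApp::User::"alice" in [PhotoApp::UserGroup::"alice_friends", PhotoApp::UserGroup::"AVTeam"]
    { userId: "897345789237492878", personInformation: { age: 25, name: "alice" } };
PhotoApp::Photo::"vacationPhoto.jpg" { private: false, account: PhotoApp::Account::"ahmad" };
PhotoApp::UserGroup::"alice_friends" {};
PhotoApp::UserGroup::"AVTeam" {};'''
```

`json.dumps(entities_to_json(SAMPLE), indent=2)` reproduces the JSON entity list from the issue, so a test fixture can be kept in the dense form while Cedar's existing JSON loader is fed unchanged. The tokenizer's catch-all `bad` group means a stray character anywhere raises instead of being skipped, and a missing `;` or `}` is reported rather than absorbed; for authorization test data that matters, because a silently dropped token would turn a typo into a different entity graph than the one the test author thinks the policies are being checked against.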