Skip to content

Provide a function returning all dereferenced field paths #2127

Open
Open
Provide a function returning all dereferenced field paths#2127
Labels
feature-requestThis issue requets a substantial new featurepending-triageThe cedar maintainers haven't looked at this yet. Automicaly added to all new issues.
@luxas

Description

@luxas
luxas
opened on Feb 3, 2026

Category

User level API features/changes

Describe the feature you'd like to request

For static analysis of policies (e.g. upbound/kubernetes-cedar-authorizer#24), it's useful to what field paths are used. For example,

  • the authorization system might require policy authors to not "forget" to slice their policies across certain important dimensions. It might be easier for users to reason about a policy of form

    principal.name == "lucas" && resource.namespace like "*" && resource.name like "*"

    instead of one with just

    principal.name == "lucas"

    Despite both of the policies being equivalent, it's more explicit for policy authors and reviewers that the policy indeed grants lucas access to any name and namespace. The linter could mention that resource.namespace and resource.name should always be used in the policy in some way or the other.

  • If an authorization policy needs to take multiple schema/API version representations into account, one needs to something like the following:

    if resource has v1 then
   resource.v1.ownerFieldInV1 == principal.name
else if resource has v2 then
   resource.v2.renamedV2OwnerField == principal.name
else false

    In this case, when a v3 version of the API comes out, the linter can notice that resource.v3.* is never dereferenced (even though it should), and can poke the policy author to update their policy with the relevant fieldpath in v3.

  • In some request environments, a field might exist in the schema, but not in practice (a bit similar to Provide action-specific optionality in Cedarschema #1862), e.g. say that resource.v1.foo exists only on writes but not reads (as one cannot filter a get request based on foo). If a policy author then dereferences resource.v1.foo in a request environment of a read, the linter could say that it is guaranteed to be false.

Describe alternatives you've considered

Have downstream users implement this out of core.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature-requestThis issue requets a substantial new featurepending-triageThe cedar maintainers haven't looked at this yet. Automicaly added to all new issues.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions