v2.0.0-RC1

Pre-release
@freakyfelt freakyfelt released this 04 Mar 11:07
· 473 commits to main since this release
2a6f260

Release candidate for a major simplification of the resolver.

Warning
This is a complete rewrite of the system. I debated adding a compatibility layer; please reach out if this would be useful.

New features

  • Simplified policy definition that drops built-in support for resources and environments
    • Please reach out if a compatibility layer is desired for this
  • Allow for pattern matching at the start or end of the action names
  • Evaluate deny and allow policies using native JS instead of JsonLogic
  • Add initial support for adding new policy documents to the store
  • Add caching layers for finding matching policies and compiled evaluators

Migrating

The resolver no longer concerns itself with resource types and environments, meaning implementors will need to create a strategy to load the correct policies into the resolver.
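
One possible loading strategy, as an added example that is not part of the project's code: convert each old-format document for a single environment and group the results by the resource type the new format no longer stores. The field names come from the before/after document on this page; the helper names `migrateV1Document` and `groupForResolver` and the sample input are assumptions, and no resolver API is called.

```javascript
// Added example: field names follow the old and new document shapes on this page.
// migrateV1Document and groupForResolver are hypothetical helper names.

// Convert one old-format document into a new-format one for one environment.
// Returns null when the document defines nothing for that environment, so a
// caller never loads another environment's policies by accident.
function migrateV1Document(v1, environment) {
  const matching = (v1.definitions || []).filter(
    (def) => def.environment === environment
  );
  if (matching.length === 0) return null;

  const v2 = {};
  // "actions" is optional in the new format; carry it over only when present.
  if (Array.isArray(v1.actions)) v2.actions = [...v1.actions];
  v2.statement = matching.flatMap((def) => def.policies || []);
  return v2;
}

// Group migrated documents by resourceType, which the new format drops,
// so each group can be loaded into the resolver that serves that resource.
function groupForResolver(v1Documents, environment) {
  const byResource = new Map();
  for (const v1 of v1Documents) {
    const v2 = migrateV1Document(v1, environment);
    if (v2 === null) continue; // nothing defined for this environment
    if (!byResource.has(v1.resourceType)) byResource.set(v1.resourceType, []);
    byResource.get(v1.resourceType).push(v2);
  }
  return byResource;
}

// Constructed sample input in the old shape.
const sampleV1 = [
  {
    resourceType: "Kitty",
    actions: ["kitty:pet"],
    definitions: [
      { environment: "production", policies: [{ action: "*", effect: "allow", constraint: true }] },
      { environment: "staging", policies: [{ action: "*", effect: "deny", constraint: true }] },
    ],
  },
];

const productionPolicies = groupForResolver(sampleV1, "production");
console.log(JSON.stringify([...productionPolicies], null, 2));
```

An environment with no definitions yields an empty map rather than falling back to another environment's statements.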

{
-  "resourceType": "Kitty",
  // NOTE: actions are now optional
  "actions": ["kitty:pet"],
+  "statement": [
-  "definitions": [
-    {
-     "environment": "production",
-     "policies": [
       {
         "action": "*",
         "effect": "allow",
         "constraint": true
       }
-     ]
-   }
  ]
}
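
Review bot: The removed `"resourceType": "Kitty"` and `"environment": "production"` lines have no counterpart on the `+` side, so the migrated document no longer records the scope of the statement it keeps, and that statement is an unconditional allow (`"action": "*"`, `"effect": "allow"`, `"constraint": true`). Please say next to this example where that scope is expected to live after migration (for instance in the store key or file layout the loader uses), so a production-only allow is not loaded into a resolver serving another environment or resource. Separately, the `// NOTE: actions are now optional` line sits inside the JSON body, which makes the example unparseable if copied; moving that remark into the surrounding text would avoid that.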

Remaining work

  • Allow for replacing existing policies in the store
  • Allow for dropping policies from the store
  • [minor] Organize policies by rough complexity (e.g. evaluate constraints that are purely false first as they are much faster to evaluate)