Description
Category
Other
Describe the feature you'd like to request
I have a valid, auto-generated 5000 line schema of Kubernetes types, and tried out the cedar-lean-cli analyze compare command.
I tried comparing two policysets that should be equivalent, namely:
simple1.cedar

```
permit (
    principal == k8s::User::"lucas",
    action == k8s::Action::"create",
    resource is core::configmaps
);
```

simple2.cedar

```
permit (
    principal == k8s::User::"lucas",
    action == k8s::Action::"create",
    resource is core::configmaps
) when {
    resource.name != "foo"
};

permit (
    principal == k8s::User::"lucas",
    action == k8s::Action::"create",
    resource is core::configmaps
) when {
    resource.name == "foo"
};
```
Then I ran
```
time cedar-lean-cli analyze compare simple1.cedar simple2.cedar api.cedarschema
```
which took around 4 minutes. I wondered why it's so slow, until I waited for the output, and found out it does the checks for every request environment. That makes sense for sure, but in my case I guess it's known that all request environments not targeted by either policy must be the same, without checking.
There were 1707 request environments; it (only) took on average 146ms to evaluate a fully empty request environment with lots of schema, but no policy attached.
So I guess that could be an optimization to cut a significant amount of time from larger policy comparisons.
Describe alternatives you've considered
Additional context
Is this something that you'd be interested in working on?
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
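
The pre-filter the request describes, sketched as an added example (not code from the issue or from the Cedar project): request environments that no policy scope in either policy set can match are skipped, because both sets fall back to the default deny there. `RequestEnv`, `Scope`, `partition_envs`, `sample_envs` and `page_scope` are hypothetical names, the model covers only `==` and `is` scope constraints (no `in` hierarchies), and the `delete`, `core::secrets` and `k8s::ServiceAccount` environments are constructed.

```rust
// Simplified model for illustration; not Cedar's or cedar-lean-cli's API.
// Assumption: an environment is a (principal type, action, resource type) triple.
pub struct RequestEnv {
    pub principal_ty: &'static str,
    pub action: &'static str,
    pub resource_ty: &'static str,
}
// Scope constraints of one policy; None means the slot is unconstrained.
pub struct Scope {
    pub principal_ty: Option<&'static str>,
    pub action: Option<&'static str>,
    pub resource_ty: Option<&'static str>,
}
impl Scope {
    // True if the policy could apply to some request in `env`.
    pub fn may_apply(&self, env: &RequestEnv) -> bool {
        let ok = |c: Option<&str>, v: &str| c.map_or(true, |c| c == v);
        ok(self.principal_ty, env.principal_ty) && ok(self.action, env.action)
            && ok(self.resource_ty, env.resource_ty)
    }
}

// Returns (needs a solver check, skippable). If no policy of either set can
// apply in an environment, both sets deny every request there by default.
pub fn partition_envs<'a>(envs: &'a [RequestEnv], scopes: &[Scope])
    -> (Vec<&'a RequestEnv>, Vec<&'a RequestEnv>) {
    envs.iter().partition(|e| scopes.iter().any(|s| s.may_apply(e)))
}
// Constructed sample: only the first environment matches the page's policies.
pub fn sample_envs() -> Vec<RequestEnv> {
    let env = |p, a, r| RequestEnv { principal_ty: p, action: a, resource_ty: r };
    vec![
        env("k8s::User", r#"k8s::Action::"create""#, "core::configmaps"),
        env("k8s::User", r#"k8s::Action::"delete""#, "core::configmaps"),
        env("k8s::User", r#"k8s::Action::"create""#, "core::secrets"),
        env("k8s::ServiceAccount", r#"k8s::Action::"create""#, "core::configmaps"),
    ]
}
// Scope shared by all three policies in simple1.cedar and simple2.cedar.
pub fn page_scope() -> Scope {
    Scope { principal_ty: Some("k8s::User"), action: Some(r#"k8s::Action::"create""#),
            resource_ty: Some("core::configmaps") }
}

fn main() {
    let envs = sample_envs();
    let (check, skip) = partition_envs(&envs, &[page_scope()]);
    println!("check {} environment(s), skip {}", check.len(), skip.len());
}
```

The scopes passed in must be the union over both policy sets being compared, forbid policies included, so that an environment is skipped only when neither side can produce anything other than the default deny.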