[Openid-specs-authzen] Partial Evaluation meeting running as we speak
Christopher Hendrix
cah276 at cornell.edu
Thu Apr 10 18:13:27 UTC 2025
Yup, there was no formal definition of the ucast syntax, but there was an implicit one. I spent a lot of time documenting it.
The benefits we weighed when going down this route were very similar to the AuthZen one: standardizing on an “open source” response format that we can build out integrations to in the most common languages/frameworks/ORMs.
Thanks,
Chris
Styra
On Apr 10, 2025 at 6:25 PM +0100, Michiel Trimpe via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>, wrote:
> Hi all,
>
> The UCAST project doesn't have a serialization format; but I did some looking after the call and Styra does define the JSON format they use to serialize UCAST here: https://docs.styra.com/apps/data/reference/ucast-syntax
>
> Cheers, Michiel
> From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> on behalf of David Brossard via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>
> Sent: 10 April 2025 19:10
> To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
> Cc: David Brossard <david.brossard at gmail.com>
> Subject: Re: [Openid-specs-authzen] Partial Evaluation meeting running as we speak
>
> And here are the notes from the meeting:
>
> https://hackmd.io/pSQDKYrPSnuVX4K7rjo8_w?view
>
>
> Partial Evaluation Cedar Meeting
> Attendees
>
> • Darin McAdams
> • Jeff Lombardo
> • Alex Babeanu
> • Vladi Berger
> • David Brossard
> • Michiel Trimpe
>
> Partial Evaluation in Cedar
>
> • Experimental feature for the time being
> • Some customers are playing with it
> • By the time customers try it though, they find it too raw and give up
> • Common use cases
> • Search: how do you map residual fragments to the relevant query language?
> • Search: there is a risk you might hit a non-indexed field in the underlying DB
> • Hopelessness check: I don't have an entire request and I don't want to incur the cost of retrieving all attributes if I don't have all the information if I know I will get access denied.
> • Impact analysis
> • What if I change this policy, how will access be impacted?
> • Access reviews
> • What can Alice do? What can manager do?
> • Cedar already produces a JSON version of its AST that represents a partial evaluation response
> • https://cedarland.blog/usage/partial-evaluation/content.html
> • We can compare it with the draft spec
>
> Differences between products
>
> • The usefulness and scope of partial evaluation depend on whether the underlying implementation is stateful or stateless
>
> Ucast
>
> • https://github.com/stalniy/ucast
> • https://github.com/StyraInc/ucast-linq
> • Integration with Prisma
> • https://www.npmjs.com/package/@styra/ucast-prisma
> • https://www.prisma.io/
> • Challenge
> • ucast is not a standard
> • ucast doesn't define a serialization format in the OS project
> • check with Styra
> • the last commit is nearly 2 years old
>
> Other formats
>
> • https://json-e.js.org/
>
> Reaching out to the new 'product bucket'
>
> • If partial evaluation is about data filtering, then the target is data platforms (in a broad sense) such as SQL DB vendors, data platforms (Trino, Immuta, Snowflake), or DB SaaS (Athena, RDS…)
>
>
>
>
> On Thu, Apr 10, 2025 at 9:10 AM Lombardo, Jeff via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
> > You can join the meeting for the next hour if possible for you. We will share the recording after the fact.
> >
> > Meeting title: AuthZEN Partial Evaluation discussion
> > Personalized ID: 6455908420
> > Meeting ID: 6455 90 8420
> > Hosting Region: United States (Ohio)
> > URL Link: https://chime.aws/6455908420
> > US dial-in: +1 206-462-5569
> > US toll-free dial-in: +1 855-552-4463
> > International dial-in numbers: https://chime.aws/dialinnumbers/
> >
> > Jean-François “Jeff” Lombardo | Amazon Web Services
> >
> > Principal Solution Architect, Security Specialist - Montréal, Canada
> > Mobile: 514.778.5565
> >
> >
> > --
> > Openid-specs-authzen mailing list
> > Openid-specs-authzen at lists.openid.net
> > https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>
>
> --
> ---
> David Brossard
> http://www.linkedin.com/in/davidbrossard
> http://twitter.com/davidjbrossard
> http://about.me/brossard
> ---
> Stay safe on the Internet: IC3 Prevention Tips
> Prenez vos précautions sur Internet: https://cyber.gouv.fr/bonnes-pratiques-protegez-vous