# opal
a
Hi @Yuan, a pluggable data store is a planned feature of Cedar Agent. We are intending to start with Redis but make it pluggable with backing-store plugins that the community can contribute. We're planning to add this soon, but If you want to contribute this feature sooner we will be super happy to guide you.
y
Thanks for your reply! Does this require changing the Cedar API? Since the Authorizer takes an in-memory `Entities` instead of an `EntitiesRepository` that makes queries during the evaluation. I'd love to know how a pluggable data store may work with the existing authorizer APIs in Cedar.
a
There’s a simple conversion from the stored format into the cedar query format. But I don’t think it requires changing the cedar agent http api which is quite generic. The entities format can be easily dumped into Redis.
y
I only found the stored format (like in an entities JSON file). Do you mind pointing me to the query format you mentioned?
a
It looks like this file converts from `Entity`, which is the JSON schema of the API, directly into `ast::Entity`, which is the Cedar format. So actually `ast::Entity` looks to be both the stored format and the input that goes into Cedar, while `Entity` is the format expected by the API endpoint. @Omer Zuarets the code author might be able to elaborate more 🙂 Link: https://github.com/permitio/cedar-agent/blob/main/src/schemas/data.rs#L21C1-L27C2
o
Exactly like @Asaf Cohen said, the API accepts the JSON representation of the Entity. If you intend to implement another data store you would need to convert the EntityJson format to your database model when inserting data and do the opposite when querying for data and performing authorization queries.
y
Thanks a lot for explaining! @Asaf Cohen @Omer Zuarets If I understand it correctly, I'd still need to read all the entities from my datastore and convert them to the JSON representation before passing them to the evaluate Cedar API, right? But if I have millions of entities in my datastore, I cannot convert them all to the in-memory entities. Will it be possible to let the Cedar evaluator make queries to my datastore only for the entities that are needed?
o
Yes, but you will have a lot of work to do building your query, I'll explain: The easy case is that you query for the principal, action, resource entities. It becomes harder when you use parents and attributes, then you have to search for any entity reference in the attributes and any ancestor inside the parents (imagine a situation of 3 levels of ancestors, you'll need them all). So basically the answer is yes, but needs a lot of thinking. Just to clarify, the conversion to JSON format is necessary because that is your only way to convert it to the struct that the cedar policy crate uses.
y
Thanks for the helpful explanation! And not only for the resource and principal related entities: if the size of policies grows, can the authz server still dump all policies to the Cedar policy authorizer? Or is it not a concern?