batch

package
v1.5.2 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 11, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package batch allows for performant batch evaluations of Cedar policy given a set of principals, actions, resources, and/or context as variables. The batch evaluation takes advantage of a form of partial evaluation to whittle the policy set down to just those policies which refer to the set of unknown variables. This allows for queries over a policy set, such as "to which resources can user A connect when the request comes from outside the United States?" which can run much faster than a brute force trawl through every possible authorization request.

Constants

This section is empty.

Variables

This section is empty.

Functions

func Authorize

func Authorize(ctx context.Context, policies cedar.PolicyIterator, entities types.EntityGetter, request Request, cb Callback) error

Authorize will run a batch of authorization evaluations.

All the request parts (PARC) must be specified, but any of them may be given as a Variable or as Ignore. The candidate values for each Variable are enumerated in the Request's Variables map.

Using Ignore you can ask questions like "When ignoring context could this request be allowed?"

  1. When a Permit Policy Condition refers to an ignored value, the Condition is dropped from the Policy.
  2. When a Forbid Policy Condition refers to an ignored value, the Policy is dropped.
  3. When a Scope clause refers to an ignored value, that scope clause is set to match any.
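
The effect of rules 1 and 2 when Context is set to Ignore, as an added example: a simplified stand-alone model, not cedar-go's code or API. The Policy type, the Allowed function and the sample policies are assumptions, and policy scopes are assumed to match already. It shows that an Allow obtained with Ignore answers "could this be allowed?", while concrete contexts can still be denied.

```go
package main

import "fmt"

// Policy is a simplified stand-in for a Cedar policy (not cedar-go's types):
// an effect plus one optional when-condition that reads the request context.
type Policy struct {
	Forbid  bool
	CtxCond func(ctx map[string]string) bool // nil: no context condition
}

// applies reports whether p is satisfied. With ignoreCtx set it follows
// rules 1 and 2 above instead of evaluating the context condition.
func applies(p Policy, ctx map[string]string, ignoreCtx bool) bool {
	if p.CtxCond == nil {
		return true
	}
	if ignoreCtx {
		return !p.Forbid // permit: condition dropped; forbid: policy dropped
	}
	return p.CtxCond(ctx)
}

// Allowed applies Cedar's decision rule: some permit applies and no forbid does.
func Allowed(ps []Policy, ctx map[string]string, ignoreCtx bool) bool {
	permitted := false
	for _, p := range ps {
		if !applies(p, ctx, ignoreCtx) {
			continue
		}
		if p.Forbid {
			return false
		}
		permitted = true
	}
	return permitted
}

// SamplePolicies is constructed data: permit when MFA was used,
// forbid when the request comes from outside the US.
func SamplePolicies() []Policy {
	return []Policy{
		{Forbid: false, CtxCond: func(c map[string]string) bool { return c["mfa"] == "true" }},
		{Forbid: true, CtxCond: func(c map[string]string) bool { return c["country"] != "US" }},
	}
}

func main() {
	ps := SamplePolicies()
	fmt.Println("context ignored:", Allowed(ps, nil, true)) // could some context allow it?
	fmt.Println("mfa, from FR:   ", Allowed(ps, map[string]string{"mfa": "true", "country": "FR"}, false))
	fmt.Println("mfa, from US:   ", Allowed(ps, map[string]string{"mfa": "true", "country": "US"}, false))
}
```

In this model a result computed with Ignore is an upper bound suited to audit queries; an enforcement decision still needs the concrete context.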

Errors may be returned for a variety of reasons:

  • It will error in case of a context.Context error (e.g. cancellation).
  • It will error in case any of PARC are an incorrect type at authorization.
  • It will error in case there are unbound variables.
  • It will error in case there are unused variables.
  • It will error in case of a callback error.

The result passed to the callback must be used / cloned immediately and not modified.

func Ignore

func Ignore() types.Value

Ignore returns a value that should be ignored during batch evaluation.

func Variable

func Variable(name types.String) types.Value

Variable returns a named variable that is populated during batch evaluation.

Types

type Callback

type Callback func(Result) error

Callback is a function that is called for each single batch authorization with a Result.

type Request

type Request struct {
	Principal types.Value
	Action    types.Value
	Resource  types.Value
	Context   types.Value
	Variables Variables
}

Request defines the PARC and map of Variables to batch evaluate.

type Result

type Result struct {
	Request    types.Request
	Values     Values
	Decision   types.Decision
	Diagnostic types.Diagnostic
}

Result is the result of a single batched authorization. It includes a specific Request, the Values that were substituted, and the resulting Decision and Diagnostics.

type Values

type Values map[types.String]types.Value

Values is a map of String to Value. This structure is part of the result and reveals the current variable substitutions.

type Variables

type Variables map[types.String][]types.Value

Variables is a map of String to slice of Value.
