cedar-go allows arbitrary entity id in Action, but aws rust implementation only supports namespace 'Action'

[erichoffmanstrongdm]

No description provided.

[philhassey]

Can you go into a bit more detail on this?

How is Something::Action::"example" rejected by Rust?

Is Action::Something::"example" also rejected by Rust?

[erichoffmanstrongdm]

oh, this is actually all over. there are validators that ensure for example that any member of []parents of an action entity are also actions.

but line 721 (action_constraint_contains_only_action_types) in cedar-policy-core/src/parser/cst_to_ast.rs is a pretty big gate

https://github.com/cedar-policy/cedar/blob/main/cedar-policy-core/src/parser/cst_to_ast.rs#L717

[philhassey]

Can you make that a link, thanks!

[erichoffmanstrongdm]

I have validated that cedar is perfectly happy to operate on any namespace prefix (including unknown), but requires that Action be the last element in the namespace. this kind of contradicts the notion that namespaces are just unstructured strings that accidently have colons in them