Submitting this on behalf of a customer who asked: "How would I express that a policy applies to any action in a particular namespace?"
Thought the "is" operator would work for this.
permit(
    principal,
    action is My::Namespace::Action,
    resource
)
when {...};
But, it's prohibited.
cedar validate -s schema/admission.cedarschema -p schema/admission-policy.cedar
× failed to parse policy set
╰─▶ `is` cannot appear in the action scope
╭─[10:5]
9 │ principal,
10 │ action is admission::Action,
· ───────────────────────────
11 │ resource
╰────
help: try moving `action is ..` into a `when` condition
Research indicates this is because RFC 5 specifies that it is not allowed. (So the next question is, why was that explicitly written in RFC 5.)
Re-reading the discussion I don't think there's any reason we couldn't add action is to the scope. ISTM that we took this option precisely because we could relax it later if needed.
Is this something that you'd be interested in working on?
👋 I may be able to implement this feature request
⚠️ This feature might incur a breaking change
D-McAdams added the labels pending-triage (The Cedar maintainers haven't looked at this yet. Automatically added to all new issues.), feature-request (This issue requests a substantial new feature), backlog, and papercut (Small annoyances in the Cedar SDK. Lower priority fixes than bugs. Smaller than a feature request), and removed the labels pending-triage and feature-request, on Sep 27, 2024.
D-McAdams changed the title from 'All the "is" operator in the action scope' to 'Allow the "is" operator in the action scope' on Sep 27, 2024.
Category
Cedar language or syntax features/changes
Describe the feature you'd like to request
Here's the discussion from the original RFC: cedar-policy/rfcs#5 (comment)
It is related to a discussion a while back about whether it's possible to have more than one action type. And indeed it is because of namespaces. Given that, it seems like we should allow is everywhere in Rust. (Already done in Lean: https://github.com/cedar-policy/cedar-spec/blob/884737200b12da3a22e1763a5aed9e09d350a766/cedar-lean/Cedar/Spec/Policy.lean#L42)
Describe alternatives you've considered
See discussion in original RFC: cedar-policy/rfcs#5 (comment)
Additional context
No response
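The workaround that the parser's help text points to, written out as an added example that is not part of the original issue. It reuses the issue's `My::Namespace::Action` type, and the comment marks where the issue's elided `when` condition would go.

```cedar
// Rejected by the parser: `is` in the action scope.
// permit(principal, action is My::Namespace::Action, resource);

// Accepted: leave the action scope unconstrained and test the action's
// entity type in a `when` condition instead.
permit(
    principal,
    action,
    resource
)
when {
    action is My::Namespace::Action
    // && <the original, elided condition from the issue>
};
```

For any action whose entity type is not `My::Namespace::Action`, the `when` condition evaluates to false, so the policy does not apply to that request.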