Is partial evaluation supported?

[hobofan]

I was trying to figure out whether regorus supports partial evaluation (as outlined in the docs of the official implementation https://www.openpolicyagent.org/docs/filtering/partial-evaluation), to support use-cases like data filtering? From what I can tell this isn't possible right now, but it's also not quite clear to me whether adding support for that would be something that requires invasive changes to the engine, or it's just a specialized high-level interface that would work with the current internals.

Right now I'm doing policy enforcement/data filtering over lists of data by doing a best-effort approximation SQL query that mimicks the policy structure to retrieve a list of candidates, and then doing an allow query for each item in the set. This does work, but also risks either under-fetching (losing out on some items) or over-fetching (in certain edge-cases significant additional query latency from the DB). Optimally I could mostly re-use some of the Rego policy and build the queries based on partial evaluation.

[anakrish]

Hey @hobofan, Sorry for the delayed response.

We did prototype a Rego -> KQL converter sometime ago: https://github.com/anakrish/regorus/tree/dsl/tests/kql_codegen/cases. So yes, it is possible to convert a subset of rego to KQL/SQL for remote execution via database engines.

Admittedly I don't have a well enough unserstanding of OPA's partial evaluation. It seems, technically, the filtering use case can be implemented without actually implementing OPA's notion of partial evaluation.

[hobofan]

We did prototype a Rego -> KQL converter sometime ago: anakrish/regorus@dsl/tests/kql_codegen/cases. So yes, it is possible to convert a subset of rego to KQL/SQL for remote execution via database engines.

That looks amazing! Yes, ultimately I don't care whether partial evaluation is used as long as I can translate it into a SQL query, so this looks like a great starting point. I guess partial evaluation like OPA does it may already help to eliminate some clauses so that there is less load on the database, though typical database query engines should also do a good job at optimizing those away.