Show HN: CEL by Example(celbyexample.com)
41 points by bufbuild 4 hours ago | 17 comments
d4mi3n 3 hours ago | parent | next [-]

I've seen but haven't used CEL. Anybody with experience with competing tech have any strong opinions? I've used OPA, know CEL used by GCP and Kyverno, but otherwise haven't seen anything compelling enough to move away from the OPA ecosystem.

erdii 3 hours ago | parent | next [-]

The kubernetes apiserver allows using CEL in CustomResourceDefinition validation rules:
- https://kubernetes.io/docs/reference/using-api/cel/
- https://kubernetes.io/docs/tasks/extend-kubernetes/custom-re...

It also allows using CEL in ValidatingAdmissionPolicies:
- https://kubernetes.io/docs/reference/access-authn-authz/vali...
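
As an added example (not part of the comment above or of the linked Kubernetes docs), here is what those two uses look like side by side: a CRD schema rule that is checked against the object's own spec, and a ValidatingAdmissionPolicy plus its binding that rejects privileged containers in Deployments. The resource names (`widgets.example.com`, `deny-privileged-containers`) and the `environment: production` label selector are placeholders.

```yaml
# Added example, not from the thread. Names and labels are placeholders.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: widgets.example.com
spec:
  group: example.com
  names:
    kind: Widget
    plural: widgets
  scope: Namespaced
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                minReplicas:
                  type: integer
                replicas:
                  type: integer
              # CEL rule attached to spec: "self" is the spec object being validated
              x-kubernetes-validations:
                - rule: "self.minReplicas <= self.replicas"
                  message: "replicas must be at least minReplicas"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-privileged-containers
spec:
  # Fail: if the expression cannot be evaluated, the request is rejected
  # rather than silently allowed through.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  validations:
    # "object" is the incoming resource; all() and has() are CEL macros,
    # so a container with no securityContext at all passes the check.
    - expression: >-
        object.spec.template.spec.containers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          !c.securityContext.privileged)
      message: "privileged containers are not allowed"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-privileged-containers-binding
spec:
  policyRef: deny-privileged-containers
  # Deny enforces; Warn or Audit would only report violations.
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: production
```

The policy is inert until a binding selects resources for it, which is what scopes it to the labelled namespaces here; `failurePolicy: Fail` is the setting that decides whether a rule the apiserver could not evaluate blocks the request or lets it through.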

isacikgoz 3 hours ago | parent | prev | next [-]

I think an apples-to-apples comparison would be comparing against Rego. To me CEL is more appealing due to its simplicity.

talideon an hour ago | parent | next [-]

And even then, I'm not sure it's apples to apples, at least if by Rego you're thinking of OPA. CEL and Rego take very different approaches, with CEL being quite procedural, while Rego is about constraint satisfaction, not unlike Prolog. At $WORK, Rego (in the form of OPA) gets used quite a bit for complicated access control logic, while CEL gets used in places where we have simpler logic that needs to be broken out and made configurable, and a more procedural focus works there.

thayne 33 minutes ago | parent | prev [-]

Rego is much more powerful, and can do things CEL can't.

mtrimpe 3 hours ago | parent | prev [-]

CEL is much more computationally limited as it aims to keep evaluations in the microsecond range.

With OPA you can easily create policies that take tens, hundreds or even thousands of milliseconds.

That comes at the expense of a lot of power though, so much of the complex logic that you can write in OPA simply isn't achievable in CEL.

hamandcheese 3 hours ago | parent | prev | next [-]

Does CEL have any way to import other files? i.e. could it serve as a general purpose config language like jsonnet?

talideon an hour ago | parent [-]

It's not really a configuration language like Jsonnet and CUE. It's an expression language for specifying things like conditions and policies. You _could_ abuse it as a configuration language, but it'd be overkill.

madduci an hour ago | parent | prev | next [-]

CEL is used a lot in FHIR as Path Expressions

bossyTeacher 2 hours ago | parent | prev | next [-]

I would love it if languages like Scala, Swift or F# had something like CEL but running at compile time, so your program was evaluated against those restrictions. I believe a language called Idris has something like this.

IshKebab 2 hours ago | parent | prev [-]

It seems weird to require an entirely new programming language for this tbh. They make the claim that it is special because it's not Turing-complete, but that's nonsense. Turing completeness is almost never a property that is important. I think in this case they're equating Turing incompleteness with "doesn't take a long time to execute" but that isn't really the case at all.

The property you really want is "can be cancelled after a certain amount of compute time - ideally a deterministic amount", and you can obviously do that with Turing complete languages.

aleksiy123 29 minutes ago | parent | next [-]

Ease/ability to embed in other language safely. Predictability of memory, execution. Known constraints like guaranteed to terminate is useful.

No Doom running on CEL.

I recently wanted to expose some basic user auto-tagging/labeling based on the JSON data.

I chose CEL over Python or SQL because I could just import the runtime in C++, or any language that implements it (Python, JS, etc.).

Safely running a sandboxed Python execution engine is significantly more effort and lower performance.

At this, CEL excels.

Where it didn't was user familiarity, and when the JSON data itself was complex.

IshKebab 2 minutes ago | parent [-]

> Known constraints like guaranteed to terminate is useful.

"Guaranteed to terminate" actually means "guaranteed to terminate in finite but possibly arbitrarily large time" which is really not a useful property.

There's no practical difference between a filter that might take 1 billion years to run and one that might take more than a billion years.

talideon an hour ago | parent | prev | next [-]

No, they're equating _Turing completeness_ with _might not terminate_. CEL, Expr, Rego, and other languages like them are intended to guarantee to complete. You can't do that cleanly with a Turing complete language.

IshKebab 9 minutes ago | parent [-]

Right but "guaranteed to terminate" is not a useful property. You could write a program that terminates... after a billion years.

joshuamorton 2 hours ago | parent | prev [-]

What you really want is "can be completed after a certain amount of time", not "can be cancelled". You don't want IAM policy rules to be skipped because they took too long.

IshKebab 4 minutes ago | parent [-]

Well CEL doesn't offer that guarantee. For any given "certain amount of time" you can write a CEL filter that takes longer.