I've seen but haven't used CEL. Anybody with experience with competing tech have any strong opinions? I've used OPA, know CEL used by GCP and Kyverno, but otherwise haven't seen anything compelling enough to move away from the OPA ecosystem.
And even then, I'm not sure it's apples to apples, at least if by Rego you're thinking of OPA. CEL and Rego take very different approaches, with CEL being quite procedural, while Rego is about constraint satisfaction, not unlike Prolog. At $WORK, Rego (in the form of OPA) gets used quite a bit for complicated access control logic, while CEL gets used in places where we've simpler logic that needs to be broken out and made configurable, and a more procedural focus works there.
It's not really a configuration language like Jsonnet and CUE. It's an expression language for specifying things like conditions and policies. You _could_ abuse it as a configuration language, but it'd be overkill.
I would love if languages like Scala, Swift or F# had something like Cel but running at compile time so your program was evaluated against those restrictions. I believe a language called Idris has something like this
It seems weird to require an entirely new programming language for this tbh. They make the claim that it is special because it's not Turing-complete, but that's nonsense. Turing completeness is almost never a property that is important. I think in this case they're equating Turing incompleteness with "doesn't take a long time to execute" but that isn't really the case at all.
The property you really want is "can be cancelled after a certain amount of compute time - ideally a deterministic amount", and you can obviously do that with Turing complete languages.
It's not fully applicable here, but industry standard DSLs also stick around because non-programmers find learning it a good investment.
I have a business analytics friend that knows SQL because it's part of his workflows.
But Excel, Notion, Power BI, and other low/no-code tools all have their own data filtering and transformation languages (or dialects). He'd rather spend his time learning more about his line of business, than an aspect of yet another cloud tool that gets forced on him.
> Known constraints like guaranteed to terminate is useful.
"Guaranteed to terminate" actually means "guaranteed to terminate in finite but possibly arbitrarily large time" which is really not a useful property.
There's no practical difference between a filter that might take 1 billion years to run and one that might take more than a billion years.
No, they're equating _Turing completeness_ with _might not terminate_. CEL, Expr, Rego, and other languages like them are intended to guarantee to complete. You can't do that cleanly with a Turing complete language.
What you really want is "can be completed after a certain amount of time", not "can be cancelled". You don't want iam policy rules to be skipped because they took too long.
I've seen but haven't used CEL. Anybody with experience with competing tech have any strong opinions? I've used OPA, know CEL used by GCP and Kyverno, but otherwise haven't seen anything compelling enough to move away from the OPA ecosystem.
The kubernetes apiserver allows using CEL in CustomResourceDefinition validation rules: - https://kubernetes.io/docs/reference/using-api/cel/ - https://kubernetes.io/docs/tasks/extend-kubernetes/custom-re...
It also allows using CEL in ValidatingAdmissionPolicies: - https://kubernetes.io/docs/reference/access-authn-authz/vali...
I think apples to apples comparison would be comparing against Rego. To me CEL is more appealing due to its simplicity.
And even then, I'm not sure it's apples to apples, at least if by Rego you're thinking of OPA. CEL and Rego take very different approaches, with CEL being quite procedural, while Rego is about constraint satisfaction, not unlike Prolog. At $WORK, Rego (in the form of OPA) gets used quite a bit for complicated access control logic, while CEL gets used in places where we've simpler logic that needs to be broken out and made configurable, and a more procedural focus works there.
Rego is much more powerful, and can do things cel can't.
CEL is much more computationally limited as it aims to keep evaluations in the microsecond range.
With OPA you can easily create policies that take tens, hundreds or even thousands of millisecond.
That comes at the expense of a lot of power though, so much of the complex logic that you can write in OPA simply isn't achievable in CEL.
Does CEL have any way to import other files? i.e. could it serve as a general purpose config language like jsonnet?
It's not really a configuration language like Jsonnet and CUE. It's an expression language for specifying things like conditions and policies. You _could_ abuse it as a configuration language, but it'd be overkill.
CEL is used a lot in FHIR as Path Expressions
I would love if languages like Scala, Swift or F# had something like Cel but running at compile time so your program was evaluated against those restrictions. I believe a language called Idris has something like this
It seems weird to require an entirely new programming language for this tbh. They make the claim that it is special because it's not Turing-complete, but that's nonsense. Turing completeness is almost never a property that is important. I think in this case they're equating Turing incompleteness with "doesn't take a long time to execute" but that isn't really the case at all.
The property you really want is "can be cancelled after a certain amount of compute time - ideally a deterministic amount", and you can obviously do that with Turing complete languages.
It's not fully applicable here, but industry standard DSLs also stick around because non-programmers find learning it a good investment.
I have a business analytics friend that knows SQL because it's part of his workflows.
But Excel, Notion, Power BI, and other low/no-code tools all have their own data filtering and transformation languages (or dialects). He'd rather spend his time learning more about his line of business, than an aspect of yet another cloud tool that gets forced on him.
Ease/ability to embed in other language safely. Predictability of memory, execution. Known constraints like guaranteed to terminate is useful.
no Doom running on cel.
I recently wanted to expose some basic user auto tagging/labeling based on the json data.
I chose cel, over python, SQL because I could just import the runtime in C++, or any language that implements it (python, js etc..)
Safely running a sandboxed python execution engine is significantly more effort and lower performance.
At this cel excels.
Where it didn't was user familiarity and when the json data itself was complex.
> Known constraints like guaranteed to terminate is useful.
"Guaranteed to terminate" actually means "guaranteed to terminate in finite but possibly arbitrarily large time" which is really not a useful property.
There's no practical difference between a filter that might take 1 billion years to run and one that might take more than a billion years.
No, they're equating _Turing completeness_ with _might not terminate_. CEL, Expr, Rego, and other languages like them are intended to guarantee to complete. You can't do that cleanly with a Turing complete language.
Right but "guaranteed to terminate" is not a useful property. You could write a program that terminates... after a billion years.
What you really want is "can be completed after a certain amount of time", not "can be cancelled". You don't want iam policy rules to be skipped because they took too long.
Well CEL doesn't offer that guarantee. For any given "certain amount of time" you can write a CEL filter that takes longer.