What you really want is "can be completed after a certain amount of time", not "can be cancelled". You don't want iam policy rules to be skipped because they took too long.
What you really want is "can be completed after a certain amount of time", not "can be cancelled". You don't want iam policy rules to be skipped because they took too long.
Well CEL doesn't offer that guarantee. For any given "certain amount of time" you can write a CEL filter that takes longer.
See my other comment - you can refuse to accept CEL filters that take too long to begin with.
Correct, but you can also reject filters that will take longer statically. The point is not "any arbitrary CEL program will run in less than 10us", it's that I can encode "do not allow filters that take more than 10us to evaluate" an then have a very high degree of confidence that that will be true for any user provided filter that is accepted (and if I'm wrong it'll be...11us, not 5s)
In the common use-cases for CEL that I've seen, you don't want to skip evaluation and fail open or closed arbitrarily. That can mean things like "abusive user gets access to data they should not be allowed to access because rule evaluation was skipped".
You also may have tons of rules and be evaluating them very often, so speed is important.