38 stable releases
4.2.2 | Nov 11, 2024 |
---|---|
4.1.0 | Sep 30, 2024 |
3.4.1 | Sep 23, 2024 |
3.2.1 | May 31, 2024 |
2.3.1 | Jul 20, 2023 |
#4 in Configuration
52,160 downloads per month
Used in 79 crates
(12 directly)
4MB
86K
SLoC
Cedar-Policy
Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.
Using Cedar
Cedar can be used in your application by depending on the cedar-policy
crate.
Just add cedar-policy
as a dependency by running
cargo add cedar-policy
Quick Start
Let's write a super simple Cedar policy and test it:
permit(principal == User::"alice", action == Action::"view", resource == File::"93");
This policy permits exactly one authorization request, alice
is allowed to view
file 93
.
Any other authorization request will be implicitly denied. Let's embed this policy in Rust and use the Cedar Authorizer:
use cedar_policy::*;
fn main() {
const POLICY_SRC: &str = r#"
permit(principal == User::"alice", action == Action::"view", resource == File::"93");
"#;
let policy: PolicySet = POLICY_SRC.parse().unwrap();
let action = r#"Action::"view""#.parse().unwrap();
let alice = r#"User::"alice""#.parse().unwrap();
let file = r#"File::"93""#.parse().unwrap();
let request = Request::new(alice, action, file, Context::empty(), None).unwrap();
let entities = Entities::empty();
let authorizer = Authorizer::new();
let answer = authorizer.is_authorized(&request, &policy, &entities);
// Should output `Allow`
println!("{:?}", answer.decision());
let action = r#"Action::"view""#.parse().unwrap();
let bob = r#"User::"bob""#.parse().unwrap();
let file = r#"File::"93""#.parse().unwrap();
let request = Request::new(bob, action, file, Context::empty(), None).unwrap();
let answer = authorizer.is_authorized(&request, &policy, &entities);
// Should output `Deny`
println!("{:?}", answer.decision());
}
If you'd like to see more details on what can be expressed as Cedar policies, see the documentation.
Examples of how to use Cedar in an application are contained in the repository cedar-examples. The most full-featured of these is TinyTodo, which is a simple task list management service whose users' requests, sent as HTTP messages, are authorized by Cedar.
Documentation
General documentation for Cedar is available at docs.cedarpolicy.com, with source code in the cedar-policy/cedar-docs repository.
Generated documentation for the latest version of the Rust crates can be accessed on docs.rs.
If you're looking to integrate Cedar into a production system, please be sure the read the security best practices
Building
To build, simply run cargo build
(or cargo build --release
).
What's New
Changelogs for all release branches and the main
branch of this repository are
all maintained on the main
branch; the most up-to-date changelog for this
crate is
here.
For a list of the current and past releases, see crates.io or Releases.
Security
See SECURITY
Contributing
We welcome contributions from the community. Please either file an issue, or see CONTRIBUTING
License
This project is licensed under the Apache-2.0 License.
Dependencies
~11–21MB
~290K SLoC