#access-control #policy #security-policy #cedar #authorization #security

cedar-policy

Cedar is a language for defining permissions as policies, which describe who should have access to what

38 stable releases

4.2.2 Nov 11, 2024
4.1.0 Sep 30, 2024
3.4.1 Sep 23, 2024
3.2.1 May 31, 2024
2.3.1 Jul 20, 2023

#4 in Configuration

Download history 11478/week @ 2024-08-22 12102/week @ 2024-08-29 12077/week @ 2024-09-05 12028/week @ 2024-09-12 10918/week @ 2024-09-19 8954/week @ 2024-09-26 9224/week @ 2024-10-03 9056/week @ 2024-10-10 13502/week @ 2024-10-17 13343/week @ 2024-10-24 12034/week @ 2024-10-31 12703/week @ 2024-11-07 14964/week @ 2024-11-14 15928/week @ 2024-11-21 15545/week @ 2024-11-28 11612/week @ 2024-12-05

60,694 downloads per month
Used in 83 crates (12 directly)

Apache-2.0

4MB
86K SLoC

Cedar-Policy

Cedar Logo

Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.

Using Cedar

Cedar can be used in your application by depending on the cedar-policy crate.

Just add cedar-policy as a dependency by running

cargo add cedar-policy

Quick Start

Let's write a super simple Cedar policy and test it:

permit(principal == User::"alice", action == Action::"view", resource == File::"93");

This policy permits exactly one authorization request, alice is allowed to view file 93. Any other authorization request will be implicitly denied. Let's embed this policy in Rust and use the Cedar Authorizer:

use cedar_policy::*;

fn main() {
    const POLICY_SRC: &str = r#"
permit(principal == User::"alice", action == Action::"view", resource == File::"93");
"#;
    let policy: PolicySet = POLICY_SRC.parse().unwrap();

    let action = r#"Action::"view""#.parse().unwrap();
    let alice = r#"User::"alice""#.parse().unwrap();
    let file = r#"File::"93""#.parse().unwrap();
    let request = Request::new(alice, action, file, Context::empty(), None).unwrap();

    let entities = Entities::empty();
    let authorizer = Authorizer::new();
    let answer = authorizer.is_authorized(&request, &policy, &entities);

    // Should output `Allow`
    println!("{:?}", answer.decision());

    let action = r#"Action::"view""#.parse().unwrap();
    let bob = r#"User::"bob""#.parse().unwrap();
    let file = r#"File::"93""#.parse().unwrap();
    let request = Request::new(bob, action, file, Context::empty(), None).unwrap();

    let answer = authorizer.is_authorized(&request, &policy, &entities);

    // Should output `Deny`
    println!("{:?}", answer.decision());
}

If you'd like to see more details on what can be expressed as Cedar policies, see the documentation.

Examples of how to use Cedar in an application are contained in the repository cedar-examples. The most full-featured of these is TinyTodo, which is a simple task list management service whose users' requests, sent as HTTP messages, are authorized by Cedar.

Documentation

General documentation for Cedar is available at docs.cedarpolicy.com, with source code in the cedar-policy/cedar-docs repository.

Generated documentation for the latest version of the Rust crates can be accessed on docs.rs.

If you're looking to integrate Cedar into a production system, please be sure the read the security best practices

Building

To build, simply run cargo build (or cargo build --release).

What's New

Changelogs for all release branches and the main branch of this repository are all maintained on the main branch; the most up-to-date changelog for this crate is here.

For a list of the current and past releases, see crates.io or Releases.

Security

See SECURITY

Contributing

We welcome contributions from the community. Please either file an issue, or see CONTRIBUTING

License

This project is licensed under the Apache-2.0 License.

Dependencies

~11–21MB
~287K SLoC