#policy #cedar #security-policy #security #authorization #access-control

cedar-policy

Cedar is a language for defining permissions as policies, which describe who should have access to what

23 stable releases

new 3.1.3 Apr 15, 2024
3.1.2 Mar 29, 2024
3.0.1 Dec 21, 2023
2.4.5 Apr 1, 2024
2.3.1 Jul 20, 2023

#6 in Configuration

Download history 2632/week @ 2023-12-23 3710/week @ 2023-12-30 5250/week @ 2024-01-06 6448/week @ 2024-01-13 5823/week @ 2024-01-20 6287/week @ 2024-01-27 6145/week @ 2024-02-03 7772/week @ 2024-02-10 8493/week @ 2024-02-17 7474/week @ 2024-02-24 6908/week @ 2024-03-02 8818/week @ 2024-03-09 8541/week @ 2024-03-16 8701/week @ 2024-03-23 8199/week @ 2024-03-30 7521/week @ 2024-04-06

34,554 downloads per month
Used in 54 crates (10 directly)

Apache-2.0

3MB
62K SLoC

Cedar-Policy

Cedar Logo

Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.

Using Cedar

Cedar can be used in your application by depending on the cedar-policy crate.

Just add cedar-policy as a dependency by running

cargo add cedar-policy

Quick Start

Let's write a super simple Cedar policy and test it:

permit(principal == User::"alice", action == Action::"view", resource == File::"93");

This policy permits exactly one authorization request, alice is allowed to view file 93. Any other authorization request will be implicitly denied. Let's embed this policy in Rust and use the Cedar Authorizer:

use cedar_policy::*;

fn main() {
    const POLICY_SRC: &str = r#"
permit(principal == User::"alice", action == Action::"view", resource == File::"93");
"#;
    let policy: PolicySet = POLICY_SRC.parse().unwrap();

    let action = r#"Action::"view""#.parse().unwrap();
    let alice = r#"User::"alice""#.parse().unwrap();
    let file = r#"File::"93""#.parse().unwrap();
    let request = Request::new(Some(alice), Some(action), Some(file), Context::empty(), None).unwrap();

    let entities = Entities::empty();
    let authorizer = Authorizer::new();
    let answer = authorizer.is_authorized(&request, &policy, &entities);

    // Should output `Allow`
    println!("{:?}", answer.decision());

    let action = r#"Action::"view""#.parse().unwrap();
    let bob = r#"User::"bob""#.parse().unwrap();
    let file = r#"File::"93""#.parse().unwrap();
    let request = Request::new(Some(bob), Some(action), Some(file), Context::empty(), None).unwrap();

    let answer = authorizer.is_authorized(&request, &policy, &entities);

    // Should output `Deny`
    println!("{:?}", answer.decision());
}

If you'd like to see more details on what can be expressed as Cedar policies, see the documentation.

Examples of how to use Cedar in an application are contained in the repository cedar-examples. The most full-featured of these is TinyTodo, which is a simple task list management service whose users' requests, sent as HTTP messages, are authorized by Cedar.

Documentation

General documentation for Cedar is available at docs.cedarpolicy.com, with source code in the cedar-policy/cedar-docs repository.

Generated documentation for the latest version of the Rust crates can be accessed on docs.rs.

If you're looking to integrate Cedar into a production system, please be sure the read the security best practices

Building

To build, simply run cargo build (or cargo build --release).

What's New

See CHANGELOG

Security

See SECURITY

Contributing

We welcome contributions from the community. Please either file an issue, or see CONTRIBUTING

License

This project is licensed under the Apache-2.0 License.

Dependencies

~7–17MB
~228K SLoC