Introducing Cedar: Amazon’s Open‑Source Policy Language for Access Control
Cedar is an open‑source, domain‑specific language from Amazon that lets developers define, analyze, and enforce access‑control policies outside application code, supporting RBAC and ABAC, with SDKs for Rust and Java and integration into Amazon Verified Permissions and AWS Verified Access.
Amazon Web Services has open‑sourced Cedar, a domain‑specific language designed to define and enforce access‑control policies separate from application code, enabling independent authoring, analysis, and auditing. Cedar supports both role‑based (RBAC) and attribute‑based (ABAC) access control models.
The language is implemented in Rust and is available through a Rust crate and a Java package, allowing developers to integrate Cedar into their applications via SDKs that can write and validate policies and authorization requests.
Using the SDK, developers can call the Cedar authorization engine to evaluate whether a request is permitted. Below is a Rust example that builds a request and invokes self.authorizer.is_authorized(&q, &self.policies, &es) to obtain a decision:

```rust
use cedar_policy::{Context, Decision, EntityUid, Request};
use log::info;

// Method on an application struct that holds a cedar_policy::Authorizer (`self.authorizer`),
// a PolicySet (`self.policies`) and the application's entity store (`self.entities`).
// `Result` and `Error::AuthDenied` are the application's own types.
pub fn is_authorized(&self, principal: impl AsRef<EntityUid>, action: impl AsRef<EntityUid>, resource: impl AsRef<EntityUid>) -> Result<()> {
    // Snapshot of the entity store; the engine needs it to resolve `in` (hierarchy) checks.
    let es = self.entities.as_entities();
    let q = Request::new(
        Some(principal.as_ref().clone().into()),
        Some(action.as_ref().clone().into()),
        Some(resource.as_ref().clone().into()),
        Context::empty(), // no additional request context for this check
    );
    info!("is_authorized request: principal: {}, action: {}, resource: {}", principal.as_ref(), action.as_ref(), resource.as_ref());
    let response = self.authorizer.is_authorized(&q, &self.policies, &es);
    info!("Auth response: {:?}", response);
    // A Deny carries diagnostics: the policies that determined the decision and any evaluation errors.
    match response.decision() {
        Decision::Allow => Ok(()),
        Decision::Deny => Err(Error::AuthDenied(response.diagnostics().clone())),
    }
}
```

In Java, policies can be created via the SDK; the following snippet builds a policy that permits the principal Alice to perform the View_Photo action on resources under Album::"Vacation":
```java
// Package paths below are assumed from the cedar-java SDK of the time.
import com.cedarpolicy.model.slice.Policy;
import java.util.HashSet;
import java.util.Set;

private Set<Policy> buildPolicySlice() {
    Set<Policy> ps = new HashSet<>();
    // Policy text in Cedar syntax; "resource in" matches the album and everything under it.
    String fullPolicy = "permit(principal == User::\"Alice\", action == Action::\"View_Photo\", resource in Album::\"Vacation\");";
    ps.add(new Policy(fullPolicy, "p1")); // "p1" is the policy id reported in diagnostics
    return ps;
}
```

A Java method can then query the authorization engine:
```java
// Package paths below are assumed from the cedar-java SDK of the time.
import com.cedarpolicy.AuthorizationEngine;
import com.cedarpolicy.WrapperAuthorizationEngine;
import com.cedarpolicy.model.AuthorizationQuery;
import com.cedarpolicy.model.exception.AuthException;

public boolean sampleMethod() throws AuthException {
    AuthorizationEngine ae = new WrapperAuthorizationEngine();
    // Request: who (principal), what (action), on which entity (resource).
    AuthorizationQuery q = new AuthorizationQuery("User::\"Alice\"", "Action::\"View_Photo\"", "Photo::\"pic01\"");
    // buildSlice() is not shown on the page; it is expected to bundle the policies from
    // buildPolicySlice() with the entity data into the slice the engine evaluates.
    return ae.isAuthorized(q, buildSlice()).isAllowed();
}
```

Following the open‑source release, Permit.io introduced Cedar‑Agent, an HTTP server that acts as a policy and data store for Cedar policies, supporting create, retrieve, update, and delete operations and performing authorization checks against stored data.
Community reactions note that Cedar fills a gap between OPA’s data‑driven approach and Google’s Zanzibar model, sparking discussion about its potential impact on the policy‑engine landscape.
Cedar is licensed under Apache 2.0, hosted on GitHub, and further details are available in the AWS blog and the Cedar Policy Slack channel.