Crates.io | cedar-agent |
lib.rs | cedar-agent |
version | 0.2.1-alpha.5-aarch64-unknown-linux-gnu |
source | src |
created_at | 2023-05-10 16:33:02.296164 |
updated_at | 2024-10-08 19:33:27.59872 |
description | Cedar-Agent is an HTTP server designed to efficiently manage a policy store and a data store. It provides a seamless integration with Cedar, a language for defining permissions as policies. |
homepage | https://github.com/permitio/cedar-agent |
repository | https://github.com/permitio/cedar-agent |
max_upload_size | |
id | 861441 |
size | 6,105,595 |
Cedar-Agent is an HTTP server designed to efficiently manage a policy store and a data store. It provides a seamless integration with Cedar, a language for defining permissions as policies.
With Cedar-Agent, you can easily control and monitor access to your application's resources by leveraging Cedar policies.
If you are not familiar with Cedar, we encourage you to visit the Cedar website and playground to learn more about it.
Learn more by reading these blog posts:
Cedar-Agent includes a store that allows you to create, retrieve, update, and delete policies. These policies define who should have access to what resources within your application.
The policy store provides a centralized and flexible way to manage permissions, enabling fine-grained control over user access.
Featured Policy Stores :
In addition to the policy store, Cedar-Agent also provides an in-memory data store. This data store allows you to store
and manage your application's data efficiently. By integrating the data store with Cedar-Agent, you can perform
authorized checks on the stored data based on incoming HTTP requests.
Featured Data Stores :
Cedar-Agent supports storing custom schemas, which hold the shape of your data types and actions. Utilising the schema store enables you to create a strict definition of all the objects used by your application. Cedar-Agent will validate all your policies and data against this schema.
Featured Schema Stores :
One of the key features of Cedar-Agent is its ability to perform authorization checks on stored policies and data. By evaluating the Cedar policies, Cedar-Agent ensures that each user's access is restricted to the resources they are permitted to access.
Authorization checks are performed based on the incoming HTTP requests, providing an easy-to-use, robust and secure mechanism for controlling access to your application.
Cedar-Agent offers a comprehensive solution for managing policies, data, and authorization checks within your application. With its seamless integration with Cedar and its robust HTTP server capabilities, Cedar-Agent empowers you to enforce fine-grained access control and protect your resources effectively.
To use Cedar-Agent, follow the steps below:
Before proceeding, ensure that you have Rust and Cargo installed on your system. If you don't have them installed, you can visit the official Rust installation page and follow the instructions specific to your operating system.
Start by cloning the Cedar-Agent repository to your local machine:
git clone https://github.com/permitio/cedar-agent.git
cd cedar-agent
To build Cedar-Agent, use the following command:
cargo build
Cedar Agent configuration is available using environment variables and command line arguments.
Setting | Default | Environment variable | Command line argument |
Port | 8180 | CEDAR_AGENT_PORT | --port, -p |
Authentication (Authorization header) | None | CEDAR_AGENT_AUTHENTICATION | --authentication, -a |
Address | 127.0.0.1 | CEDAR_AGENT_ADDR | --addr |
Log level | info | CEDAR_AGENT_LOG_LEVEL | --log-level, -l |
Schema | None | CEDAR_AGENT_SCHEMA | --schema, -s |
Data | None | CEDAR_AGENT_DATA | --data, -d |
Policies | None | CEDAR_AGENT_POLICIES | --policies |
Command line arguments take precedence over environment variables when configuring the Cedar Agent.
There are several ways to run the Cedar Agent
To run Cedar-Agent, use the following command:
cargo run
To pass arguments to the binary through cargo, append them after --, for example:
cargo run -- --port 8080
To run the binary, make sure you've done the build step, and run this command:
./target/debug/cedar-agent
To check the arguments you can pass to the binary, run:
./target/debug/cedar-agent --help
To execute the Cedar Agent docker image, use the following command:
docker run -p 8180:8180 permitio/cedar-agent
To test Cedar-Agent, use the following command:
cargo test
After running Cedar-Agent, the application serves comprehensive API documentation and an endpoint schema using Rapidoc and Swagger UI, which you can access through the following routes:
Store schema using this command:
curl -X PUT -H "Content-Type: application/json" -d @./examples/schema.json http://localhost:8180/v1/schema
Store policy using this command:
curl -X PUT -H "Content-Type: application/json" -d @./examples/policies.json http://localhost:8180/v1/policies
Store data using this command:
curl -X PUT -H "Content-Type: application/json" -d @./examples/data.json http://localhost:8180/v1/data
Perform IsAuthorized check using this command:
curl -X POST -H "Content-Type: application/json" -d @./examples/allowed_authorization_query.json http://localhost:8180/v1/is_authorized
The response is:
{
"decision": "Allow",
"diagnostics": {
"reason": [
"admins-policy"
],
"errors": []
}
}
As you can see, the user is allowed to access the resource because the policy with id admins-policy permits it.
Check for a user that is not allowed to access the resource:
curl -X POST -H "Content-Type: application/json" -d @./examples/denied_authorization_query.json http://localhost:8180/v1/is_authorized
The response is:
{
"decision": "Deny",
"diagnostics": {
"reason": [],
"errors": []
}
}
As you can see, the user is denied access to the resource because no policy allows this request.
For more details about the performed requests you can check the examples directory
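As an added example (it is not part of the cedar-agent project or this README), here is a small Python client for the flow above: it replaces a store with PUT /v1/<store>, sends a POST /v1/is_authorized query, and parses the response so that anything other than an explicit "Allow" with an empty error list is treated as a denial (fail closed). Assumptions: the query body uses the field names principal, action, resource and context; the value placed in the Authorization header is whatever format the agent's --authentication option expects; the two sample responses are copied from the curl calls above. The HTTP transport is injectable, so the block runs offline against the sample responses.

```python
"""Minimal client for Cedar-Agent's HTTP API with fail-closed decision handling."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample responses, copied from the two is_authorized calls above.
SAMPLE_ALLOW = {"decision": "Allow",
                "diagnostics": {"reason": ["admins-policy"], "errors": []}}
SAMPLE_DENY = {"decision": "Deny",
               "diagnostics": {"reason": [], "errors": []}}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]   # ids of the policies that produced the decision
    errors: List[str]    # evaluation errors reported in diagnostics


def parse_decision(body: Dict) -> Decision:
    """Fail closed: only an explicit "Allow" with no evaluation errors counts.

    A missing decision, an unknown value, or any reported error is treated as
    Deny, so a malformed or partially evaluated response can never grant access.
    """
    diagnostics = body.get("diagnostics") or {}
    errors = [str(e) for e in diagnostics.get("errors", [])]
    reasons = [str(r) for r in diagnostics.get("reason", [])]
    allowed = body.get("decision") == "Allow" and not errors
    return Decision(allowed=allowed, reasons=reasons, errors=errors)


# transport(method, url, json_payload_or_None, headers) -> decoded JSON body
Transport = Callable[[str, str, Optional[object], Dict[str, str]], Dict]


def urllib_transport(method: str, url: str, payload, headers: Dict[str, str]) -> Dict:
    """Real HTTP transport using only the standard library."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class CedarAgentClient:
    """Thin wrapper around the /v1/schema, /v1/policies, /v1/data and /v1/is_authorized routes."""

    def __init__(self, base_url: str = "http://localhost:8180",
                 authorization: Optional[str] = None,
                 transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        # Value sent in the Authorization header when the agent runs with
        # --authentication; the exact expected format is an assumption (check --help).
        self.authorization = authorization
        self.transport = transport

    def _headers(self) -> Dict[str, str]:
        headers = {"Content-Type": "application/json"}
        if self.authorization:
            headers["Authorization"] = self.authorization
        return headers

    def put_store(self, store: str, payload) -> Dict:
        """Replace one store; `store` is "schema", "policies" or "data" (PUT /v1/<store>)."""
        if store not in ("schema", "policies", "data"):
            raise ValueError(f"unknown store: {store}")
        return self.transport("PUT", f"{self.base_url}/v1/{store}", payload, self._headers())

    def is_authorized(self, principal: str, action: str, resource: str,
                      context: Optional[Dict] = None) -> Decision:
        """POST /v1/is_authorized; the field names are an assumption about the request shape."""
        query = {"principal": principal, "action": action,
                 "resource": resource, "context": context or {}}
        body = self.transport("POST", f"{self.base_url}/v1/is_authorized",
                              query, self._headers())
        return parse_decision(body)


if __name__ == "__main__":
    # Offline demo: a fake transport replays the two sample responses above.
    replies = iter([SAMPLE_ALLOW, SAMPLE_DENY])
    client = CedarAgentClient(transport=lambda *_: next(replies))
    for who in ('User::"alice"', 'User::"bob"'):
        d = client.is_authorized(who, 'Action::"view"', 'Document::"doc1"')
        print(who, "allowed" if d.allowed else "denied", d.reasons)
```

Against a live agent, drop the transport argument and pass the real base URL (and the Authorization value if the agent was started with --authentication); the decision logic is the same either way, and the reasons list gives you the policy ids to log for audit.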
Want to run multiple Cedar-Agents and have them loaded with the data and policies you need? Try OPAL. OPAL (Open Policy Administration Layer) is a sister project to Cedar-Agent, which has become the de-facto way to manage policy agents (including others like OPA) at scale. Check out the tutorial for Cedar+OPAL in the OPAL docs.
Come talk to us about Cedar Agent, or authorization in general - we would love to hear from you ❤️
You can raise questions and ask for features to be added to the road-map in our GitHub discussions, report issues in GitHub issues, join our Slack community to chat about authorization, open-source, realtime communication, tech, or anything else!
If you are using our project, please consider giving us a ⭐️
If you encounter any issues or have suggestions for improvement, please open an issue on the Cedar-Agent GitHub repository to get assistance from the community.