Crates.io | cedar-policy |
lib.rs | cedar-policy |
version | 4.2.2 |
source | src |
created_at | 2023-05-10 11:34:26.333645 |
updated_at | 2024-11-11 17:32:18.409499 |
description | Cedar is a language for defining permissions as policies, which describe who should have access to what. |
homepage | https://cedarpolicy.com |
repository | https://github.com/cedar-policy/cedar |
max_upload_size | |
id | 861275 |
size | 717,358 |
Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.
Cedar can be used in your application by depending on the cedar-policy crate.
Just add cedar-policy as a dependency by running:
    cargo add cedar-policy
Let's write a super simple Cedar policy and test it:
    permit(principal == User::"alice", action == Action::"view", resource == File::"93");
This policy permits exactly one authorization request: alice is allowed to view file 93.
Any other authorization request will be implicitly denied. Let's embed this policy in Rust and use the Cedar Authorizer:
    use cedar_policy::*;

    fn main() {
        const POLICY_SRC: &str = r#"
    permit(principal == User::"alice", action == Action::"view", resource == File::"93");
    "#;
        let policy: PolicySet = POLICY_SRC.parse().unwrap();

        let action = r#"Action::"view""#.parse().unwrap();
        let alice = r#"User::"alice""#.parse().unwrap();
        let file = r#"File::"93""#.parse().unwrap();
        let request = Request::new(alice, action, file, Context::empty(), None).unwrap();

        let entities = Entities::empty();
        let authorizer = Authorizer::new();
        let answer = authorizer.is_authorized(&request, &policy, &entities);

        // Should output `Allow`
        println!("{:?}", answer.decision());

        let action = r#"Action::"view""#.parse().unwrap();
        let bob = r#"User::"bob""#.parse().unwrap();
        let file = r#"File::"93""#.parse().unwrap();
        let request = Request::new(bob, action, file, Context::empty(), None).unwrap();

        let answer = authorizer.is_authorized(&request, &policy, &entities);

        // Should output `Deny`
        println!("{:?}", answer.decision());
    }
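The implicit-deny rule described above, as an added example that is not code from this page or from the cedar-policy crate: a std-only Rust model of how a request is decided, extended to forbid policies (part of the Cedar language, not shown on this page), where a matching forbid overrides any matching permit. The type and function names and the policy id policy0 are assumptions made for the illustration, and only == scope constraints are modelled.

```rust
// Simplified model of Cedar's decision rule; added example, not cedar-policy code.
// Assumption: only `==` scope constraints; `None` leaves that scope element open.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Effect { Permit, Forbid }
#[derive(Debug, PartialEq)]
enum Decision { Allow, Deny }

struct Policy {
    id: &'static str,
    effect: Effect,
    principal: Option<&'static str>,
    action: Option<&'static str>,
    resource: Option<&'static str>,
}

struct Request<'a> { principal: &'a str, action: &'a str, resource: &'a str }

fn matches(p: &Policy, r: &Request) -> bool {
    p.principal.map_or(true, |v| v == r.principal)
        && p.action.map_or(true, |v| v == r.action)
        && p.resource.map_or(true, |v| v == r.resource)
}

/// Returns the decision plus the ids of the policies that determined it.
/// `Deny` with an empty list is an implicit deny: no policy matched at all.
fn is_authorized(policies: &[Policy], r: &Request) -> (Decision, Vec<&'static str>) {
    let hits = |e: Effect| -> Vec<&'static str> {
        policies.iter().filter(|p| p.effect == e && matches(p, r)).map(|p| p.id).collect()
    };
    let forbids = hits(Effect::Forbid);
    if !forbids.is_empty() {
        return (Decision::Deny, forbids); // a matching forbid overrides any permit
    }
    let permits = hits(Effect::Permit);
    if permits.is_empty() { (Decision::Deny, permits) } else { (Decision::Allow, permits) }
}

// Constructed sample: the page's single permit policy under a made-up id.
fn sample_policies() -> Vec<Policy> {
    vec![Policy { id: "policy0", effect: Effect::Permit, principal: Some(r#"User::"alice""#),
                  action: Some(r#"Action::"view""#), resource: Some(r#"File::"93""#) }]
}

fn main() {
    let ps = sample_policies();
    for user in [r#"User::"alice""#, r#"User::"bob""#] {
        let r = Request { principal: user, action: r#"Action::"view""#, resource: r#"File::"93""# };
        println!("{user}: {:?}", is_authorized(&ps, &r));
    }
}
```

In an audit log, a Deny with no determining policy points to a missing permit, while a Deny that names a policy points to an explicit forbid.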
If you'd like to see more details on what can be expressed as Cedar policies, see the documentation.
Examples of how to use Cedar in an application are contained in the repository cedar-examples. The most full-featured of these is TinyTodo, which is a simple task list management service whose users' requests, sent as HTTP messages, are authorized by Cedar.
General documentation for Cedar is available at docs.cedarpolicy.com, with source code in the cedar-policy/cedar-docs repository.
Generated documentation for the latest version of the Rust crates can be accessed on docs.rs.
If you're looking to integrate Cedar into a production system, please be sure to read the security best practices.
To build, simply run cargo build (or cargo build --release).
Changelogs for all release branches and the main branch of this repository are all maintained on the main branch; the most up-to-date changelog for this crate is here.
For a list of the current and past releases, see crates.io or Releases.
See SECURITY
We welcome contributions from the community. Please either file an issue, or see CONTRIBUTING.
This project is licensed under the Apache-2.0 License.