Details

Autor(en) / Beteiligte

• Cutler, Joseph W.
• Disselkoen, Craig
• Eline, Aaron
• He, Shaobo
• Headley, Kyle
• Hicks, Michael
• Hietala, Kesha
• Ioannidis, Eleftherios
• Kastner, John
• Mamat, Anwar
• McAdams, Darin
• McCutchen, Matt
• Rungta, Neha
• Torlak, Emina
• Wells, Andrew M.

Titel

Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization

Ist Teil von

• Proceedings of ACM on programming languages, 2024-04, Vol.8 (OOPSLA1), p.670-697, Article 118

Ort / Verlag

New York, NY, USA: ACM

Erscheinungsjahr

2024

Quelle

ACM Digital Library

Beschreibungen/Notizen

• Cedar is a new authorization policy language designed to be ergonomic, fast, safe, and analyzable. Rather than embed authorization logic in an application’s code, developers can write that logic as Cedar policies and delegate access decisions to Cedar’s evaluation engine. Cedar’s simple and intuitive syntax supports common authorization use-cases with readable policies, naturally leveraging concepts from role-based, attribute-based, and relation-based access control models. Cedar’s policy structure enables access requests to be decided quickly. Cedar’s policy validator leverages optional typing to help policy writers avoid mistakes, but not get in their way. Cedar’s design has been finely balanced to allow for a sound and complete logical encoding, which enables precise policy analysis, e.g., to ensure that when refactoring a set of policies, the authorized permissions do not change. We have modeled Cedar in the Lean programming language, and used Lean’s proof assistant to prove important properties of Cedar’s design. We have implemented Cedar in Rust, and released it open-source. Comparing Cedar to two open-source languages, OpenFGA and Rego, we find (subjectively) that Cedar has equally or more readable policies, but (objectively) performs far better.