The Cedar Programming Language: Authorization Simplified
Amazon Web Services open sourced Cedar this spring. Cedar is a language that helps developers control access to resources such as data, compute nodes in a cluster, or workflow automation components.
Mike Hicks, a senior principal applied scientist with Amazon Web Services, demoed Cedar’s core features for The New Stack at the Open Source Summit North America last month in Vancouver, BC.
“Basically, to write a permission system for your application, what you might do normally is to write a bunch of code to implement your permission system,” Hicks said. “But instead with Cedar, you can write Cedar policies, and you can delegate access requests to the Cedar authorization engine. There’s a bunch of reasons why you might want to do that.”
The authorization engine is built with automated reasoning and intensive testing to ensure it is correct, and the policies are designed to be ergonomic and easy to read and write, Hicks said. The language evaluates with deterministic low latency, a developer’s policy set is analyzable, and Cedar provides tools to help users find bugs in their policies.
Automated reasoning and intensive testing are, in some respects, ways to improve the developer experience. Automated reasoning takes the burden of verifying the correctness of the software off the developer, while intensive testing exercises its robustness. With these in place, a capability such as authorization becomes more automated and reliable.
Open sourcing Cedar means the community can start contributing features, such as bindings for additional programming languages.
Cedar started its life as the policy language for Amazon Verified Permissions (AVP), now in private preview, Hicks said. AVP is a service for fine-grained permissions and authorization within custom applications. Instead of writing authorization logic inside application code, the developer can evaluate access requests against policies stored in that service.
Hicks said this works well when many applications want to share the same policies. It lets the developer co-locate all the logging and auditing inside the cloud service.
But not everyone can use a cloud service. Some applications need the authorization engine local to the application so they don’t have to pay for that round trip. Customers may also have lighter-weight use cases that they want to customize, for example for different data models.
“And so we felt like open sourcing it is going to make those customer applications possible. And it’s going to allow us to take in community contributions and ideas to continue to make the language better.”
According to AWS, “Cedar is open-sourced under the Apache License 2.0 and includes the Cedar language specification and software development kit (SDK). The SDK provides libraries for authoring and validating policies, and authorizing access requests.”
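To make the “write Cedar policies, delegate the request” model concrete, here is a small policy set as an added example (not taken from the article or from the Cedar project). The entity types (`User`, `Album`, `Photo`), the `Action` names and the `mfa_authenticated` context attribute are constructed for illustration; Cedar denies any request that no `permit` policy allows, and a matching `forbid` overrides every `permit`.

```cedar
// Allow a specific user to view any photo contained in a given album.
// Requests with no matching permit are denied by default.
permit(
  principal == User::"alice",
  action == Action::"viewPhoto",
  resource in Album::"vacation"
);

// Allow any user to delete only photos they own, decided from entity
// attributes rather than from application code (owner is a constructed
// attribute on the Photo entity).
permit(
  principal,
  action == Action::"deletePhoto",
  resource
)
when { resource.owner == principal };

// Refuse destructive actions for sessions that did not complete MFA.
// A forbid always wins over a permit, so this narrows the rule above.
forbid(
  principal,
  action == Action::"deletePhoto",
  resource
)
unless { context.mfa_authenticated == true };
```

With these policies loaded, a `deletePhoto` request from the owner without `mfa_authenticated` in the context is denied, which is the behavior to check for in a test of the policy set before deploying it.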