Core Concepts
Cedar is a new authorization policy language designed to be ergonomic, fast, safe, and analyzable. The authors advocate for externalizing access control rules into policies written in Cedar to improve readability, auditability, and maintainability of authorization logic.
Summary
Cedar introduces a novel approach to authorization by externalizing access control rules into policies written in a domain-specific language. The language balances expressiveness, performance, safety, and analyzability. Cedar's design ensures precise policy analysis and efficient policy evaluation.
Key points include:
- Cedar's design aims to balance four competing goals: expressiveness, performance, safety, and analyzability.
- The policies-as-code approach lets developers write authorization logic separately from application code.
- Cedar's symbolic compiler reduces policies to SMT formulas for automatic proof of access invariants.
- Validation against schemas ensures error-free policies before deployment.
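To make the policies-as-code point concrete, here is a small Cedar policy set added for illustration; it is not taken from the Cedar paper or project. The entity types (`User`, `Group`, `Folder`, `Document`), the action name, and the attributes `owner`, `isPublic` and `mfaAuthenticated` are constructed assumptions that an application's schema would have to declare.

```cedar
// Constructed example: a document-sharing application.
// Cedar denies by default, so a request is allowed only if at least one
// permit policy matches and no forbid policy matches.

// Members of the engineering group may view documents stored anywhere
// under the design-docs folder, provided they own the document or the
// document is marked public.
permit (
  principal in Group::"engineering",
  action == Action::"viewDocument",
  resource in Folder::"design-docs"
)
when {
  resource.owner == principal ||
  resource.isPublic
};

// Guardrail: a forbid overrides every permit. Any request made without
// MFA is denied, no matter which permit policies would otherwise apply.
forbid (
  principal,
  action,
  resource
)
unless {
  context.mfaAuthenticated
};
```

The application passes the principal, action, resource and context to the authorizer and acts only on the allow or deny decision. With a schema in place, a misspelled attribute such as `resource.isPublc` is the kind of error validation rejects before the policy is deployed.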
Statistics
Cedar performs 28.7×-35.2× faster than OpenFGA and 42.8×-80.8× faster than Rego.
Policy slicing in Cedar makes authorization 10.0×-18.0× faster on average.
Quotes
"Rather than embed authorization logic in an application’s code, developers can write that logic as Cedar policies."
"Cedar’s simple syntax supports common authorization use-cases with readable policies."
"Cedar has equally or more readable policies compared to other languages."