[HN Gopher] Cedar policy language is now open source
___________________________________________________________________

Cedar policy language is now open source

Author : hakejam
Score : 76 points
Date : 2023-05-10 17:47 UTC (5 hours ago)

(HTM) web link (www.cedarpolicy.com)
(TXT) w3m dump (www.cedarpolicy.com)

| sakesun wrote:
| The website is neat.

| mjb wrote:
| One angle on this I'm particularly excited about is the formal
| methods/automated reasoning work the team did on Cedar:
| https://www.amazon.science/blog/how-we-built-cedar-with-auto...
|
| "We want to assure developers that Cedar's authorization
| decisions will be correct. To provide that assurance, we follow a
| two-part process we call verification-guided development when
| we're working on Cedar. First, we use automated reasoning to
| prove important correctness properties about formal models of
| Cedar's components. Second, we use differential random testing to
| show that the models match the production code."

| iou wrote:
| Yes
|
| If you like that angle I think you'd really like the part of
| this talk https://www.youtube.com/watch?v=k6pPcnLuOXY from
| Emina Torlak, goes into how they were able to have dual
| implementations to get both performance and formal correctness.

| stev678923 wrote:
| Great website-- it's my favorite part!

| jzelinskie wrote:
| Congratulations on the OSS launch! Was it always in the cards to
| open source Cedar?
|
| I'm excited to see you've found a way to bring verification that
| exists in non-policy-based authorization solutions to Cedar. Was
| that functionality the driving factor that made the team create
| something new instead of leveraging the widely adopted
| Rego/OPA[0] stack for policy?
|
| It looks like this talk[1] briefly covers why you made Cedar, but
| I'd be eager to hear more about the trade-offs in design, because
| other policy languages are leveraging decades of formal research
| on Datalog.
|
| Disclosure: I work on SpiceDB[2], an authorization database
| inspired by Google's Zanzibar system[3], but I wouldn't say Cedar
| is directly competitive as SpiceDB is not a policy-based system.
|
| [0]: https://www.openpolicyagent.org/docs/latest/policy-language/
|
| [1]: https://youtu.be/k6pPcnLuOXY?t=2037
|
| [2]: https://github.com/authzed/spicedb
|
| [3]: https://zanzibar.tech

| orweis wrote:
| I agree with you re:"I wouldn't say Cedar is directly
| competitive as SpiceDB" - I think Zanzibar and SpiceDB in
| particular can work well together with Cedar / OPA. By syncing
| SpiceDB via OPAL[0] into edge nodes with Cedar-agents[1].
|
| [0]: https://github.com/permitio/opal
|
| [1]: https://github.com/permitio/cedar-agent

| aseipp wrote:
| Really exciting to see this and the recent renewed interest in
| more expressive ACL systems re: policy and (alternatively)
| relational access control.
|
| The pedigree of Cedar is also really interesting to me, coming
| from the angle that Torlak was previously part of the UNSAT group
| @ Washington, and was the developer of Rosette. I was hoping
| there might be a semantic description of Cedar using Rosette as
| well! Maybe writing one would be a good challenge...

| flurie wrote:
| I tried Cedar out for a small research project when it was first
| announced, and it felt incredibly clumsy compared to what I could
| have done in OPA. That was probably 8-9 months ago, so things may
| have changed.

| efitz wrote:
| Why do all the web pages have Amazon copyright footers?

| jffry wrote:
| Because it's a library made by AWS:
| https://aws.amazon.com/about-aws/whats-new/2023/05/cedar-ope...

| dang wrote:
| Related:
|
| _AWS Creates New Policy-Based Access Control Language Cedar_ -
| https://news.ycombinator.com/item?id=34865768 - Feb 2023 (83
| comments)
|
| _Cedar: A New Policy Language_ -
| https://news.ycombinator.com/item?id=34449828 - Jan 2023 (3
| comments)
___________________________________________________________________
(page generated 2023-05-10 23:01 UTC)