[HN Gopher] Cedar policy language is now open source
___________________________________________________________________
Cedar policy language is now open source
Author : hakejam
Score : 76 points
Date : 2023-05-10 17:47 UTC (5 hours ago)
(HTM) web link (www.cedarpolicy.com)
| sakesun wrote:
| The website is neat.
| mjb wrote:
| One angle on this I'm particularly excited about is the formal
| methods/automated reasoning work the team did on Cedar:
| https://www.amazon.science/blog/how-we-built-cedar-with-auto...
|
| "We want to assure developers that Cedar's authorization
| decisions will be correct. To provide that assurance, we follow a
| two-part process we call verification-guided development when
| we're working on Cedar. First, we use automated reasoning to
| prove important correctness properties about formal models of
| Cedar's components. Second, we use differential random testing to
| show that the models match the production code."
| iou wrote:
| Yes
|
| If you like that angle I think you'd really like the part of
| this talk https://www.youtube.com/watch?v=k6pPcnLuOXY from
| Emina Torlak that goes into how they were able to have dual
| implementations to get both performance and formal correctness.
| stev678923 wrote:
| Great website-- it's my favorite part!
| jzelinskie wrote:
| Congratulations on the OSS launch! Was it always in the cards to
| open source Cedar?
|
| I'm excited to see you've found a way to bring verification that
| exists in non-policy-based authorization solutions to Cedar. Was
| that functionality the driving factor that made the team create
| something new instead of leveraging the widely adopted
| Rego/OPA[0] stack for policy?
|
| It looks like this talk[1] briefly covers why you made Cedar, but
| I'd be eager to hear more about the trade-offs in design, because
| other policy languages are leveraging decades of formal research
| on Datalog.
|
| Disclosure: I work on SpiceDB[2], an authorization database
| inspired by Google's Zanzibar system[3], but I wouldn't say Cedar
| is directly competitive as SpiceDB is not a policy-based system.
|
| [0]: https://www.openpolicyagent.org/docs/latest/policy-language/
|
| [1]: https://youtu.be/k6pPcnLuOXY?t=2037
|
| [2]: https://github.com/authzed/spicedb
|
| [3]: https://zanzibar.tech
| orweis wrote:
| I agree with you re: "I wouldn't say Cedar is directly
| competitive as SpiceDB" - I think Zanzibar and SpiceDB in
| particular can work well together with Cedar / OPA, by syncing
| SpiceDB via OPAL[0] into edge nodes with Cedar-agents[1].
|
| [0]: https://github.com/permitio/opal
|
| [1]: https://github.com/permitio/cedar-agent
| aseipp wrote:
| Really exciting to see this and the recent renewed interest in
| more expressive ACL systems re: policy and (alternatively)
| relational access control.
|
| The pedigree of Cedar is also really interesting to me, coming
| from the angle that Torlak was previously part of the UNSAT group
| @ Washington, and was the developer of Rosette. I was hoping
| there might be a semantic description of Cedar using Rosette as
| well! Maybe writing one would be a good challenge...
| flurie wrote:
| I tried Cedar out for a small research project when it was first
| announced, and it felt incredibly clumsy compared to what I could
| have done in OPA. That was probably 8-9 months ago, so things may
| have changed.
| efitz wrote:
| Why do all the web pages have Amazon copyright footers?
| jffry wrote:
| Because it's a library made by AWS:
| https://aws.amazon.com/about-aws/whats-new/2023/05/cedar-ope...
| dang wrote:
| Related:
|
| _AWS Creates New Policy-Based Access Control Language Cedar_ -
| https://news.ycombinator.com/item?id=34865768 - Feb 2023 (83
| comments)
|
| _Cedar: A New Policy Language_ -
| https://news.ycombinator.com/item?id=34449828 - Jan 2023 (3
| comments)
___________________________________________________________________
(page generated 2023-05-10 23:01 UTC)