Cedar-agent is the easiest way to deploy and run Cedar

Overview

Cedar Agent


What is Cedar-Agent?

Cedar-Agent is an HTTP server designed to efficiently manage a policy store and a data store. It provides a seamless integration with Cedar, a language for defining permissions as policies.
With Cedar-Agent, you can easily control and monitor access to your application's resources by leveraging Cedar policies. If you are not familiar with Cedar, we encourage you to visit the Cedar website and playground to learn more about it.

Learn more reading these blog posts:

Policy Store Management

Cedar-Agent includes a store that allows you to create, retrieve, update, and delete policies. These policies define who should have access to what resources within your application. The policy store provides a centralized and flexible way to manage permissions, enabling fine-grained control over user access.
Featured Policy Stores:

  • In-Memory
  • Redis

Data Store Management

In addition to the policy store, Cedar-Agent also provides an in-memory data store. This data store allows you to store and manage your application's data efficiently. By integrating the data store with Cedar-Agent, you can perform authorization checks on the stored data based on incoming HTTP requests.
Featured Data Stores:

  • In-Memory
  • Redis

Authorization Checks

One of the key features of Cedar-Agent is its ability to perform authorization checks on stored policies and data.
By evaluating the Cedar policies, Cedar-Agent ensures that each user's access is restricted to the resources they are permitted to access.
Authorization checks are performed based on the incoming HTTP requests, providing an easy-to-use, robust, and secure mechanism for controlling access to your application.

Cedar-Agent offers a comprehensive solution for managing policies, data, and authorization checks within your application. With its seamless integration with Cedar and its robust HTTP server capabilities, Cedar-Agent empowers you to enforce fine-grained access control and protect your resources effectively.

How to Use

To use Cedar-Agent, follow the steps below:

Prerequisites

Before proceeding, ensure that you have Rust and Cargo installed on your system. If you don't have them installed, you can visit the official Rust installation page and follow the instructions specific to your operating system.

Clone the Repository

Start by cloning the Cedar-Agent repository to your local machine:

git clone https://github.com/permitio/cedar-agent.git
cd cedar-agent

Build

To build Cedar-Agent, use the following command:

cargo build

Configuration

Cedar Agent configuration is available using environment variables and command line arguments.

  • The port on which the Cedar Agent will listen for incoming HTTP requests. Defaults to 8180.
    PORT environment variable.
    --port, -p command line argument.
  • Authentication token to enforce using the Authorization header. Defaults to None.
    AUTHENTICATION environment variable.
    --authentication, -a command line argument.
  • The address of the HTTP server. Defaults to 127.0.0.1.
    ADDR environment variable.
    --addr command line argument.
  • The log level to filter logs. Defaults to info.
    LOG_LEVEL environment variable.
    --log-level, -l command line argument.

Command line arguments take precedence over environment variables when configuring the Cedar Agent.

Run

There are several ways to run the Cedar Agent:

Run with cargo

To run Cedar-Agent, use the following command:

cargo run

To pass arguments to the agent, append them after --, for example:

cargo run -- --port 8080

Run the binary

To run the binary, make sure you've done the build step, and run this command:

./target/debug/cedar-agent

To check the arguments you can pass to the binary, run:

./target/debug/cedar-agent --help

Run with docker

To execute the Cedar Agent docker image, use the following command:

docker run permitio/cedar-agent

Test

To test Cedar-Agent, use the following command:

cargo test

API Endpoints

Once Cedar-Agent is running, it serves API documentation and the endpoint schema through Rapidoc and Swagger UI, which you can access at the following routes:

  • http://localhost:8180/rapidoc: Visit this route in your web browser to explore the interactive API documentation powered by the Rapidoc tool. It provides detailed information about each endpoint, including their parameters, request bodies, and response structures.
  • http://localhost:8180/swagger-ui: Access this route to interact with the Swagger UI, which offers a user-friendly interface to browse the API endpoints. It presents a visual representation of the available routes, along with their descriptions, request and response schemas, and example requests.

Quickstart

  1. Run the Cedar Agent

  2. Store policy using this command:

    curl -X PUT -H "Content-Type: application/json" -d @./examples/policies.json http://localhost:8180/v1/policies
  3. Store data using this command:

    curl -X PUT -H "Content-Type: application/json" -d @./examples/data.json http://localhost:8180/v1/data
  4. Perform IsAuthorized check using this command:

    curl -X POST -H "Content-Type: application/json" -d @./examples/allowed_authorization_query.json http://localhost:8180/v1/is_authorized

    The response is:

    {
      "decision": "Allow",
      "diagnostics": {
        "reason": [
          "admins-policy"
        ],
        "errors": []
      }
    }

    As you can see, the user is allowed to access the resource because the policy with id admins-policy permits it.
    Now check a user who is not allowed to access the resource:

    curl -X POST -H "Content-Type: application/json" -d @./examples/denied_authorization_query.json http://localhost:8180/v1/is_authorized

    The response is:

    {
      "decision": "Deny",
      "diagnostics": {
        "reason": [],
        "errors": []
      }
    }

    As you can see, the user is denied access to the resource because no policy allows this request.

For more details about the requests performed above, see the examples directory.
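
A caller that enforces these decisions should treat anything other than an explicit "Allow" as a deny, including a non-JSON error page such as the HTML 422 shown in the comment further down this page. The following is an added example, not code from the Cedar-Agent repository; the function and class names are hypothetical, the sample bodies are constructed from the responses shown above, and it assumes a successful check returns HTTP 200.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # policy ids that permitted the request
    errors: list = field(default_factory=list)   # evaluation errors reported by the agent
    detail: str = ""                             # why we failed closed (for logging)


def _as_list(value):
    """Return value if it is a list, otherwise an empty list."""
    return value if isinstance(value, list) else []


def interpret_is_authorized(status: int, body: bytes) -> Decision:
    """Map a /v1/is_authorized HTTP response to allow/deny, failing closed."""
    if status != 200:  # assumption: a successful check is answered with 200
        return Decision(False, detail=f"unexpected HTTP status {status}")
    try:
        doc = json.loads(body)
    except ValueError:  # covers invalid JSON and undecodable bytes
        return Decision(False, detail="body is not valid JSON")
    if not isinstance(doc, dict):
        return Decision(False, detail="body is not a JSON object")
    diag = doc.get("diagnostics")
    diag = diag if isinstance(diag, dict) else {}
    reasons, errors = _as_list(diag.get("reason")), _as_list(diag.get("errors"))
    decision = doc.get("decision")
    if decision == "Allow":  # exact, case-sensitive match only
        return Decision(True, reasons, errors)
    detail = "" if decision == "Deny" else f"unrecognised decision {decision!r}"
    return Decision(False, reasons, errors, detail)


# Constructed sample bodies, shaped like the responses shown on this page.
ALLOW = b'{"decision": "Allow", "diagnostics": {"reason": ["admins-policy"], "errors": []}}'
DENY = b'{"decision": "Deny", "diagnostics": {"reason": [], "errors": []}}'
HTML_422 = b"<!DOCTYPE html><html><head><title>422 Unprocessable Entity</title></head></html>"

if __name__ == "__main__":
    for status, body in [(200, ALLOW), (200, DENY), (422, HTML_422), (200, HTML_422)]:
        print(status, interpret_is_authorized(status, body))
```

Log the detail field whenever it is non-empty: it separates a policy deny from an agent or transport failure that was treated as a deny.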

Community

Come talk to us about Cedar Agent, or authorization in general - we would love to hear from you ❤️

You can raise questions and ask for features to be added to the road-map in our GitHub discussions, report issues in GitHub issues, join our Slack community to chat about authorization, open-source, realtime communication, tech, or anything else!

If you are using our project, please consider giving us a ⭐️

Contributing

If you encounter any issues or have suggestions for improvement, please open an issue on the Cedar-Agent GitHub repository to get assistance from the community.

  • Pull requests are welcome! (please make sure to include passing tests and docs)
  • Prior to submitting a PR - open an issue on GitHub, or make sure your PR addresses an existing issue well.
Comments
  • unexpected HTML response

    just playing with this, I ran into a surprising HTML response -- not surprising in its error, but rather that it wasn't JSON

    % curl -X PUT -H "Content-Type: application/json" -d @./examples/policies.json http://localhost:8180/v1/policies/viewers-policy
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="utf-8">
        <title>422 Unprocessable Entity</title>
    </head>
    <body align="center">
        <div role="main" align="center">
            <h1>422: Unprocessable Entity</h1>
            <p>The request was well-formed but was unable to be followed due to semantic errors.</p>
            <hr />
        </div>
        <div role="contentinfo" align="center">
            <small>Rocket</small>
        </div>
    </body>
    </html>
    %         
    
    opened by srenatus 3
Releases(0.1.1)
Owner
Permit.io
Fullstack permissions for cloud native applications