
Python bindings for Cedar, the open-source policy language for access control.

Project description

Cedar Python

Python bindings for Cedar, the open-source policy language for access control. This library lets you define, validate, and evaluate authorization policies directly from Python.

Installation

# Installs the latest release from PyPI. For reproducible installs, pin the
# release (this page lists 0.1.4) and use pip's hash-checking mode
# (--require-hashes) with the SHA256 digests published under "File hashes".
pip install cedar-python

Quick Start

from cedar import Authorizer, EntityUid, Policy, PolicySet, Request

# Create policies
# The permit applies only to principal User::"alice" performing Action::"read"
# (on any resource); the forbid matches Action::"delete" for every principal
# and resource.
# NOTE(review): in Cedar a matching forbid overrides any permit, and a request
# that no permit matches is denied -- confirm the binding reports both cases
# as response.allowed == False.
policies = PolicySet('''
    permit(principal == User::"alice", action == Action::"read", resource);
    forbid(principal, action == Action::"delete", resource);
''')

# Create and evaluate a request
# The positional arguments appear to be principal, action, resource, matching
# the keyword form shown in the "Authorization" section.
request = Request(
    EntityUid("User", "alice"),
    EntityUid("Action", "read"),
    EntityUid("Document", "doc1"),
)

# No entities are passed here, so only the entity UIDs in the request are
# available to the policies.
authorizer = Authorizer()
response = authorizer.is_authorized(request, policies)
# Gate the protected operation on this value and treat anything other than an
# explicit allow as a denial.
print(response.allowed)  # True: the permit matches; the forbid only covers Action::"delete"

Core API

Entities

from cedar import Entity, EntityUid, Context

# Entity identifiers
# An EntityUid is built from an entity type and an id, both plain strings.
uid = EntityUid("User", "alice")
uid.entity_type()  # "User"
uid.id()           # "alice"

# Entities with attributes and hierarchy
# attrs and parents are what policy conditions are evaluated against
# (presumably parents backs Cedar's `in` hierarchy checks -- confirm), so
# load them from the authoritative identity/resource store, never from values
# supplied by the caller being authorized.
user = Entity(
    uid=EntityUid("User", "alice"),
    attrs={"email": "alice@example.com", "role": "admin"},
    parents=[EntityUid("Group", "admins")]
)

# Context for requests
# Context values such as "authenticated" or "ip_address" are inputs to the
# decision: set them server-side from verified state, not from client-provided
# headers or request bodies.
context = Context({"ip_address": "10.0.0.1", "authenticated": True})

Authorization

from cedar import Authorizer, Request, Response

# Authorizer with entity hierarchy
# `user` is the Entity built in the "Entities" example; `group` is not defined
# in the examples shown here -- presumably an Entity for Group::"admins"
# (TODO confirm).
authorizer = Authorizer(entities=[user, group])

# Full request with context
# The "time" value is passed as a plain string in this example.
request = Request(
    principal=EntityUid("User", "alice"),
    action=EntityUid("Action", "read"),
    resource=EntityUid("Document", "doc1"),
    context=Context({"time": "2024-01-01T00:00:00Z"})
)

# `policies` is the PolicySet from the Quick Start example.
response = authorizer.is_authorized(request, policies)
response.allowed    # bool
response.decision   # "Allow" or "Deny"
response.reason     # Policy IDs that contributed to decision; worth recording in audit logs
# NOTE(review): in Cedar a policy whose evaluation errors is skipped, so a
# forbid that errors does not block the request. Inspect response.errors and
# log or alert on (or deny on) a non-empty value -- confirm how this binding
# surfaces such errors.
response.errors     # Any evaluation errors

Schema Validation

Validate entities, requests, and context against a schema:

from cedar import Authorizer, Context, EntityUid, Request, Schema

# '''...''' is a placeholder for a JSON schema document (see "Schemas").
schema = Schema.from_json('''...''')
action = EntityUid("Action", "read")

# Validate context against schema (requires action to determine expected shape)
# Schema validation checks the shape of the data, not where it came from:
# values must still originate from a trusted, server-side source.
context = Context({"ip_address": "10.0.0.1"}, schema=schema, action=action)

# Validate request components against schema
# NOTE(review): how a validation failure is reported (presumably an
# exception) is not shown here -- confirm, and handle it as a denial rather
# than falling through to an unvalidated request.
request = Request(
    principal=EntityUid("User", "alice"),
    action=action,
    resource=EntityUid("Document", "doc1"),
    context=context,
    schema=schema
)

# Validate entities when creating the authorizer
# `user` comes from the "Entities" example; `doc` is only defined later, in
# the "Dynamic Entity Management" example.
authorizer = Authorizer(entities=[user, doc], schema=schema)

# Validate request components using stored schema
# `principal` and `resource` are not defined in this snippet; presumably
# EntityUid values like those passed to Request above.
authorizer.validate_request(principal, action, resource, context)

Dynamic Entity Management

Add, update, or remove entities in an existing authorizer:

from cedar import Authorizer, Entity, EntityUid

# Entity mutations change the data later authorization decisions are evaluated
# against (presumably for every subsequent is_authorized call on this
# authorizer -- confirm), so treat these calls as privilege management:
# restrict who can reach them and audit each change.
authorizer = Authorizer()

# Add a new entity (fails if entity already exists)
alice = Entity(EntityUid("User", "alice"), {"role": "admin"})
authorizer.add_entity(alice)

# Upsert an entity (adds or replaces existing)
# Here the replacement changes alice's "role" attribute from "admin" to "user".
alice_updated = Entity(EntityUid("User", "alice"), {"role": "user"})
authorizer.upsert_entity(alice_updated)

# Remove an entity by UID
authorizer.remove_entity(EntityUid("User", "alice"))

# With schema validation
# Schema is not in this snippet's import line; it is imported in the
# "Schema Validation" and "Schemas" examples. '''...''' is a placeholder.
schema = Schema.from_json('''...''')
authorizer = Authorizer(schema=schema)
doc = Entity(EntityUid("Document", "doc1"), {"owner": "alice"})
authorizer.add_entity(doc)  # Validates against schema

Policies

from cedar import Policy, PolicySet

# Single policy
# This policy text has no constraints on principal, action or resource, so it
# permits every request; it is only an illustration of the API.
policy = Policy('permit(principal, action, resource);', id="policy1")
policy.id()          # "policy1"
policy.effect()      # "Permit"
policy.annotations() # {"id": "policy1"}
policy.to_cedar()    # Formatted Cedar syntax
policy.to_json()     # JSON representation

# Policy sets
# The @id annotation names the policy; that is the ID used for lookup below.
# Stable, meaningful IDs also make the policy IDs reported with a decision
# easier to read in audit logs.
policy_set = PolicySet('''
    @id("read-access")
    permit(principal, action == Action::"read", resource);
''')
policy_set.policies()      # List of Policy objects
policy_set.policy("read-access")  # Get by ID
len(policy_set)            # Number of policies

Schemas

from cedar import Schema

# From JSON
# The top-level "" key is the empty (default) namespace. The schema declares
# two entity types and one action, "read", applying to User principals and
# Document resources.
schema = Schema.from_json('''{
    "": {
        "entityTypes": {"User": {}, "Document": {}},
        "actions": {
            "read": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Document"]}}
        }
    }
}''')

# From Cedar schema syntax
# Declares the same entity types and action as the JSON form above.
schema = Schema.from_cedarschema('''
    entity User;
    entity Document;
    action read appliesTo { principal: User, resource: Document };
''')

# Introspection helpers; the values shown are for the schema defined above.
schema.entity_types()  # ["User", "Document"]
schema.actions()       # ["read"]
schema.principals()    # Entity types that can be principals
schema.resources()     # Entity types that can be resources

Validation

Validate policies against a schema for type checking and error detection:

from cedar import PolicySet, Schema

# Create schema and policies
schema = Schema.from_cedarschema('''
    entity User;
    entity Document;
    action read appliesTo { principal: User, resource: Document };
''')

policies = PolicySet('''
    permit(principal == User::"alice", action == Action::"read", resource);
''')

# Validate policies against schema
# Run this before policies are deployed (for example in CI) and refuse to load
# a policy set whose result is not valid: the section describes validation as
# type checking and error detection, which catches mistakes ahead of
# evaluation time.
result = schema.validate_policyset(policies)
result.valid     # True if validation passed
result.errors    # List of ValidationError objects
result.warnings  # List of ValidationWarning objects; review these as well

# ValidationError/ValidationWarning have policy_id and message attributes
for error in result.errors:
    print(f"{error.policy_id}: {error.message}")

Schema Module

Pydantic models for building schemas programmatically:

from cedar.schema import CedarSchema, NamespaceDefinition, EntityType, Action, AppliesTo

# Builds a schema with one entity type (User) and one action (read) in the
# empty ("") namespace. `Action` here is the cedar.schema model, not a Cedar
# entity type. Only principalTypes is given for the action in this example.
# NOTE(review): how a CedarSchema is converted to the Schema object used for
# validation is not shown in this snippet.
schema = CedarSchema(root={
    "": NamespaceDefinition(
        entityTypes={"User": EntityType()},
        actions={"read": Action(appliesTo=AppliesTo(principalTypes=["User"]))}
    )
})

Lean Module (Formal Verification)

Symbolic policy analysis using cedar-lean-cli:

from cedar.lean import (
    check_equivalent,
    check_implies,
    check_disjoint,
    compare_policysets,
    analyze_policies,
)

# policy1, policy2, schema, old_policies and new_policies are not defined in
# this snippet; they stand for Policy / PolicySet / Schema objects built as in
# the earlier examples. The analysis relies on cedar-lean-cli (presumably
# installed separately -- confirm).

# Check if two policies are equivalent
result = check_equivalent(policy1, policy2, schema)
result.satisfied      # True if equivalent
result.counterexample # Example where they differ (if not equivalent)

# Compare policy sets
# Useful as a review gate for policy changes: a change that newly allows
# requests is an access expansion and deserves explicit sign-off.
# NOTE(review): confirm which argument the comments below call "source"
# before interpreting more_permissive / less_permissive.
comparison = compare_policysets(old_policies, new_policies, schema)
comparison.is_equivalent   # True if all request signatures are equivalent
comparison.more_permissive # Request envs where source allows more
comparison.less_permissive # Request envs where source allows less

CLI

# Validate a policy against a schema
# NOTE(review): the exit status on a failed validation is not shown here;
# confirm it is non-zero before relying on this command as a CI gate.
cedar schema validate policy.cedar schema.json

# Run the MCP server
# Requires the "mcp" extra (see "MCP Server" below).
cedar mcp

MCP Server

For AI coding assistants, Cedar provides an MCP server with policy tools:

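# Install the package with its optional "mcp" extra. The requirement is quoted
# so shells that treat [ ] as a glob pattern (e.g. zsh) pass it to pip
# unchanged; double quotes also work in cmd.exe and PowerShell.
# For reproducible installs, pin the release (this page lists 0.1.4) and use
# pip's hash-checking mode (--require-hashes).
pip install "cedar-python[mcp]"
# Start the MCP server that exposes the policy tools listed below.
cedar mcp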

Available tools: validate_policy, validate_policy_set, validate_schema, format_policy

License

Apache-2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cedar_python-0.1.4.tar.gz (126.8 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

cedar_python-0.1.4-cp314-cp314-win_amd64.whl (3.7 MB view details)

Uploaded CPython 3.14Windows x86-64

cedar_python-0.1.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.3 MB view details)

Uploaded CPython 3.14manylinux: glibc 2.17+ x86-64

cedar_python-0.1.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.2 MB view details)

Uploaded CPython 3.14manylinux: glibc 2.17+ ARM64

cedar_python-0.1.4-cp314-cp314-macosx_11_0_arm64.whl (3.8 MB view details)

Uploaded CPython 3.14macOS 11.0+ ARM64

cedar_python-0.1.4-cp314-cp314-macosx_10_12_x86_64.whl (4.0 MB view details)

Uploaded CPython 3.14macOS 10.12+ x86-64

cedar_python-0.1.4-cp313-cp313-win_amd64.whl (3.7 MB view details)

Uploaded CPython 3.13Windows x86-64

cedar_python-0.1.4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.3 MB view details)

Uploaded CPython 3.13manylinux: glibc 2.17+ x86-64

cedar_python-0.1.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.2 MB view details)

Uploaded CPython 3.13manylinux: glibc 2.17+ ARM64

cedar_python-0.1.4-cp313-cp313-macosx_11_0_arm64.whl (3.8 MB view details)

Uploaded CPython 3.13macOS 11.0+ ARM64

cedar_python-0.1.4-cp313-cp313-macosx_10_12_x86_64.whl (4.0 MB view details)

Uploaded CPython 3.13macOS 10.12+ x86-64

cedar_python-0.1.4-cp312-cp312-win_amd64.whl (3.7 MB view details)

Uploaded CPython 3.12Windows x86-64

cedar_python-0.1.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.3 MB view details)

Uploaded CPython 3.12manylinux: glibc 2.17+ x86-64

cedar_python-0.1.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.2 MB view details)

Uploaded CPython 3.12manylinux: glibc 2.17+ ARM64

cedar_python-0.1.4-cp312-cp312-macosx_11_0_arm64.whl (3.8 MB view details)

Uploaded CPython 3.12macOS 11.0+ ARM64

cedar_python-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl (4.0 MB view details)

Uploaded CPython 3.12macOS 10.12+ x86-64

File details

Details for the file cedar_python-0.1.4.tar.gz.

File metadata

  • Download URL: cedar_python-0.1.4.tar.gz
  • Upload date:
  • Size: 126.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cedar_python-0.1.4.tar.gz
Algorithm Hash digest
SHA256 6006a0db7fc314bb0d157e6d6d259acb380bb02a2735c919554581145a648043
MD5 bed0fc548250946774fe167beb710baa
BLAKE2b-256 b8bceaeeb3683fb8d9a262187d42255197549458cfa5c6bf49c5ff36e0d22355

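For details on using these hashes, see pip's documentation on hash-checking mode (`--require-hashes`); pin the SHA256 digest rather than MD5, which is not collision-resistant.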

File details

Details for the file cedar_python-0.1.4-cp314-cp314-win_amd64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp314-cp314-win_amd64.whl
Algorithm Hash digest
SHA256 a8781f5a01ab770e0cda1cd3e2cc6d90114091353f896c7774b371f06195f992
MD5 8cfee93baae5742859e400390a4a6425
BLAKE2b-256 61298bccab1c1fe1c03ca4b36022c04d58961a475c82ef986ce14136a8f4bc86

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 f9526b582aaa7027f601b3ab3d929768db436ff2fac5924468fd9f3db7cc91e4
MD5 0f11e7be209457f417e1f361e4f28fe7
BLAKE2b-256 68354a3bed56fcb5e1df31e7582ed8591a2c5bc62c15bd0fabf37b9032a2d4ee

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 d9c4f6169b1d44d7e4fe419b46159459c669626a525c49ef5697853ee1da4457
MD5 036d08652c9e15e991afea4136042fe8
BLAKE2b-256 591260dff22827d64f6f768e748d5bac39f11fdbf2f6017a02425522a87c22dd

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp314-cp314-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp314-cp314-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 b41b5b447affd68ca2bce5567d1e4b65bce222ed5d5102bdd9c8f159802a6f68
MD5 83db094c08e7f658d4ba763b0089f81f
BLAKE2b-256 f727c67c024fbf6e678c1a4cff379e290fc505fdace4b727a51065802af471b5

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp314-cp314-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp314-cp314-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 282bdde7236645a08ba63aaf2cfc920c2d7ff391aabf1a1528e81155f64e4daa
MD5 5472ca44b0bd68914bbb15e40b5fabc3
BLAKE2b-256 6bbfae630a82bb8c75bd8969cf457275fd6d47350e0ab2b74f030603195e6e00

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp313-cp313-win_amd64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp313-cp313-win_amd64.whl
Algorithm Hash digest
SHA256 b38e0c7c9acad95f1e84e561b88e178a49c54d56e51c33a40c0d6b80d07385b9
MD5 ccae031733738c85498c04ff08fe81b3
BLAKE2b-256 034f50ffdfa7fff50aef0ad81cffe1ce4883c79819a55ac6b46cba69ec09cfb9

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 e6dcd098df1e00b66f3398a1b166f70248a4c01e2a1dd8d5437b5956e6ddab5d
MD5 329cac5b53d9014e699085db8a1c4d05
BLAKE2b-256 4678d4dcc53d9967ce443ec3d47f0e74a917852a40cfa0e1682a66e738c592a4

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 3343dfa00f63c8cdfa285bb516136697c23ad015f71f2212ddc18f4a3d1e8287
MD5 fc6d3706f339b9ab63d35928cb77baca
BLAKE2b-256 71c3d521b6f937814b0b3880f89eb0ced64284633e730ed9dd18c636e97a6bc3

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp313-cp313-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp313-cp313-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 b6f08055fa92536791eb69d141ab3baf8ba93c5553c1c2b0893e282dbca27b49
MD5 f0db16c2c74df01942b4eea4fb58b391
BLAKE2b-256 1996dfeead1ed7cd00870cff8f7cbc482ac6c5f8d5e9f8eb94ce297a9517adca

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp313-cp313-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp313-cp313-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 9f697cef012c95e96a40354922e461aa2b7c952fdf0d4cb3af365ee17f513b74
MD5 f41a2978d3ca9ef601ddaf912f2a44fa
BLAKE2b-256 c343c51a75d9677c2cbdc2938900b8aef30381c1bf1bb2830d00fbba2aea8ca5

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp312-cp312-win_amd64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp312-cp312-win_amd64.whl
Algorithm Hash digest
SHA256 532f7fdff3a55aad8443f5ac3183fa0937effc5162098aaf5efe1ff627da6387
MD5 94f52a887b0d151a6d9fb06669e0274d
BLAKE2b-256 6ae543bc79c0289871e6195c24df06cecf13bb9012ec4a8d5ae669238d6ddbf4

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 6eca6ab21cca34c79a8770ca540c18b78006e0a8f4db4308e2697b00101c8f34
MD5 7bbcf6bc17e0c86537a5e7a71d50ebe1
BLAKE2b-256 00cdcb798acc873f3b1a844278c412b59df76c81dc3c2827041de08d7b691c7e

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 6091f3a82efbdf6979eaacec92cd410903e727fddf39021811de95a031cc5d90
MD5 29bea2876ebe17f4f47e4affb0301575
BLAKE2b-256 d4e14f68a70034759b061d2aa0a8b21e2c92edae7c654e52e93146e7bc89b969

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp312-cp312-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp312-cp312-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 350139ace8f9baa983538a1601128b2f8a77639ceed10de50e86f030b5405233
MD5 05452b10ae4259349110540b2ff5964e
BLAKE2b-256 4423f8f3254579695b6916297e35e566edee3b5999ca20bfd1e2a90f102dd099

See more details on using hashes here.

File details

Details for the file cedar_python-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.4-cp312-cp312-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 e85fb56f955db469898d930613c29660bb5ab76fb395b3f04089d60e228b2ebe
MD5 a0f8545deed8ee5efc40c1e1fc91490a
BLAKE2b-256 0580e05bf327f350a8ec64c94194f54740854ef77633124822f980e61a02834c

See more details on using hashes here.
