Python bindings for Cedar, the open-source policy language for access control.

Project description

Cedar Python

Python bindings for Cedar, the open-source policy language for access control. This library lets you define, validate, and evaluate authorization policies directly from Python.

Installation

pip install cedar-python

Quick Start

from cedar import Authorizer, EntityUid, Policy, PolicySet, Request

# Create policies
policies = PolicySet('''
    permit(principal == User::"alice", action == Action::"read", resource);
    forbid(principal, action == Action::"delete", resource);
''')

# Create and evaluate a request
request = Request(
    EntityUid("User", "alice"),
    EntityUid("Action", "read"),
    EntityUid("Document", "doc1"),
)

authorizer = Authorizer()
response = authorizer.is_authorized(request, policies)
print(response.allowed)  # True

Core API

Entities

from cedar import Entity, EntityUid, Context

# Entity identifiers
uid = EntityUid("User", "alice")
uid.entity_type()  # "User"
uid.id()           # "alice"

# Entities with attributes and hierarchy
user = Entity(
    uid=EntityUid("User", "alice"),
    attrs={"email": "alice@example.com", "role": "admin"},
    parents=[EntityUid("Group", "admins")]
)

# Context for requests
context = Context({"ip_address": "10.0.0.1", "authenticated": True})

Authorization

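from cedar import Authorizer, Context, EntityUid, Request, Response

# Authorizer with entity hierarchy
# (user is the Entity built in the Entities section; group is assumed to be
# an Entity defined the same way)
authorizer = Authorizer(entities=[user, group])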

# Full request with context
request = Request(
    principal=EntityUid("User", "alice"),
    action=EntityUid("Action", "read"),
    resource=EntityUid("Document", "doc1"),
    context=Context({"time": "2024-01-01T00:00:00Z"})
)

response = authorizer.is_authorized(request, policies)
response.allowed    # bool
response.decision   # "Allow" or "Deny"
response.reason     # Policy IDs that contributed to decision
response.errors     # Any evaluation errors
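
The Quick Start mixes permit and forbid policies, and the response above exposes reason and errors alongside the decision. The block below is an added plain-Python model of Cedar's decision rule (default deny, forbid overrides permit, a policy that errors is skipped); it is not cedar-python code, and the tuple policy encoding, the Decision class, make_request, fail_closed and the forbid-no-mfa policy are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    # Constructed stand-in for the response fields listed above; not cedar.Response.
    allowed: bool
    reason: list   # IDs of the policies that determined the outcome
    errors: list   # one entry per policy that failed to evaluate

def decide(policies, request):
    """Model of the decision rule. policies: (id, effect, condition) tuples."""
    permits, forbids, errors = [], [], []
    for policy_id, effect, condition in policies:
        try:
            if condition(request):
                (forbids if effect == "forbid" else permits).append(policy_id)
        except (KeyError, TypeError) as exc:
            # A policy that errors is skipped; evaluation carries on.
            errors.append(f"{policy_id}: {exc!r}")
    if forbids:                                  # any matching forbid wins
        return Decision(False, forbids, errors)
    if permits:
        return Decision(True, permits, errors)
    return Decision(False, [], errors)           # nothing matched: default deny

def fail_closed(decision):
    """Stricter enforcement (assumption): any evaluation error means deny."""
    return decision.allowed and not decision.errors

# Constructed policies: the two Quick Start rules plus a hypothetical forbid
# that reads a context attribute the caller may not have supplied.
POLICIES = [
    ("permit-alice-read", "permit",
     lambda r: r["principal"] == "alice" and r["action"] == "read"),
    ("forbid-delete", "forbid", lambda r: r["action"] == "delete"),
    ("forbid-no-mfa", "forbid", lambda r: not r["context"]["mfa"]),
]

def make_request(principal, action, **context):
    return {"principal": principal, "action": action, "context": context}

if __name__ == "__main__":
    for req in (make_request("alice", "read", mfa=True),
                make_request("alice", "delete", mfa=True),
                make_request("bob", "read", mfa=True),
                make_request("alice", "read")):   # mfa missing: forbid skipped
        d = decide(POLICIES, req)
        print(req["principal"], req["action"], d, "enforced:", fail_closed(d))
```

The last request is the case to watch: the forbid that should have applied is skipped because its attribute is missing, so the decision is Allow with a non-empty errors list. An enforcement point that reads only the allowed flag would let it through.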

Schema Validation

Validate entities, requests, and context against a schema:

from cedar import Authorizer, Context, EntityUid, Request, Schema

schema = Schema.from_json('''...''')
action = EntityUid("Action", "read")

# Validate context against schema (requires action to determine expected shape)
context = Context({"ip_address": "10.0.0.1"}, schema=schema, action=action)

# Validate request components against schema
request = Request(
    principal=EntityUid("User", "alice"),
    action=action,
    resource=EntityUid("Document", "doc1"),
    context=context,
    schema=schema
)

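# Validate entities when creating the authorizer
# (user and doc are Entity objects defined elsewhere)
authorizer = Authorizer(entities=[user, doc], schema=schema)

# Validate request components using stored schema
# (principal and resource are EntityUid values; action and context as above)
authorizer.validate_request(principal, action, resource, context)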

Dynamic Entity Management

Add, update, or remove entities in an existing authorizer:

from cedar import Authorizer, Entity, EntityUid, Schema

authorizer = Authorizer()

# Add a new entity (fails if entity already exists)
alice = Entity(EntityUid("User", "alice"), {"role": "admin"})
authorizer.add_entity(alice)

# Upsert an entity (adds or replaces existing)
alice_updated = Entity(EntityUid("User", "alice"), {"role": "user"})
authorizer.upsert_entity(alice_updated)

# Remove an entity by UID
authorizer.remove_entity(EntityUid("User", "alice"))

# With schema validation
schema = Schema.from_json('''...''')
authorizer = Authorizer(schema=schema)
doc = Entity(EntityUid("Document", "doc1"), {"owner": "alice"})
authorizer.add_entity(doc)  # Validates against schema

Policies

from cedar import Policy, PolicySet

# Single policy
policy = Policy('permit(principal, action, resource);', id="policy1")
policy.id()          # "policy1"
policy.effect()      # "Permit"
policy.annotations() # {"id": "policy1"}
policy.to_cedar()    # Formatted Cedar syntax
policy.to_json()     # JSON representation

# Policy sets
policy_set = PolicySet('''
    @id("read-access")
    permit(principal, action == Action::"read", resource);
''')
policy_set.policies()      # List of Policy objects
policy_set.policy("read-access")  # Get by ID
len(policy_set)            # Number of policies

Schemas

from cedar import Schema

# From JSON
schema = Schema.from_json('''{
    "": {
        "entityTypes": {"User": {}, "Document": {}},
        "actions": {
            "read": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Document"]}}
        }
    }
}''')

# From Cedar schema syntax
schema = Schema.from_cedarschema('''
    entity User;
    entity Document;
    action read appliesTo { principal: User, resource: Document };
''')

schema.entity_types()  # ["User", "Document"]
schema.actions()       # ["read"]
schema.principals()    # Entity types that can be principals
schema.resources()     # Entity types that can be resources

Validation

Validate policies against a schema for type checking and error detection:

from cedar import PolicySet, Schema

# Create schema and policies
schema = Schema.from_cedarschema('''
    entity User;
    entity Document;
    action read appliesTo { principal: User, resource: Document };
''')

policies = PolicySet('''
    permit(principal == User::"alice", action == Action::"read", resource);
''')

# Validate policies against schema
result = schema.validate_policyset(policies)
result.valid     # True if validation passed
result.errors    # List of ValidationError objects
result.warnings  # List of ValidationWarning objects

# ValidationError/ValidationWarning have policy_id and message attributes
for error in result.errors:
    print(f"{error.policy_id}: {error.message}")

Schema Module

Pydantic models for building schemas programmatically:

from cedar.schema import CedarSchema, NamespaceDefinition, EntityType, Action, AppliesTo

schema = CedarSchema(root={
    "": NamespaceDefinition(
        entityTypes={"User": EntityType()},
        actions={"read": Action(appliesTo=AppliesTo(principalTypes=["User"]))}
    )
})

Lean Module (Formal Verification)

Symbolic policy analysis using cedar-lean-cli:

from cedar.lean import (
    check_equivalent,
    check_implies,
    check_disjoint,
    compare_policysets,
    analyze_policies,
)

# Check if two policies are equivalent
result = check_equivalent(policy1, policy2, schema)
result.satisfied      # True if equivalent
result.counterexample # Example where they differ (if not equivalent)

# Compare policy sets
comparison = compare_policysets(old_policies, new_policies, schema)
comparison.is_equivalent   # True if all request signatures are equivalent
comparison.more_permissive # Request envs where source allows more
comparison.less_permissive # Request envs where source allows less

CLI

# Validate a policy against a schema
cedar schema validate policy.cedar schema.json

# Run the MCP server
cedar mcp

MCP Server

For AI coding assistants, Cedar provides an MCP server with policy tools:

pip install "cedar-python[mcp]"
cedar mcp

Available tools: validate_policy, validate_policy_set, validate_schema, format_policy

License

Apache-2.0

Download files

Download the file for your platform.

Source Distribution

  • cedar_python-0.1.0.tar.gz (124.1 kB), Source

Built Distributions

  • cedar_python-0.1.0-cp314-cp314-win_amd64.whl (3.6 MB), CPython 3.14, Windows x86-64
  • cedar_python-0.1.0-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2 MB), CPython 3.14, manylinux: glibc 2.17+ x86-64
  • cedar_python-0.1.0-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.1 MB), CPython 3.14, manylinux: glibc 2.17+ ARM64
  • cedar_python-0.1.0-cp314-cp314-macosx_11_0_arm64.whl (3.7 MB), CPython 3.14, macOS 11.0+ ARM64
  • cedar_python-0.1.0-cp314-cp314-macosx_10_12_x86_64.whl (3.8 MB), CPython 3.14, macOS 10.12+ x86-64
  • cedar_python-0.1.0-cp313-cp313-win_amd64.whl (3.6 MB), CPython 3.13, Windows x86-64
  • cedar_python-0.1.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2 MB), CPython 3.13, manylinux: glibc 2.17+ x86-64
  • cedar_python-0.1.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.1 MB), CPython 3.13, manylinux: glibc 2.17+ ARM64
  • cedar_python-0.1.0-cp313-cp313-macosx_11_0_arm64.whl (3.7 MB), CPython 3.13, macOS 11.0+ ARM64
  • cedar_python-0.1.0-cp313-cp313-macosx_10_12_x86_64.whl (3.8 MB), CPython 3.13, macOS 10.12+ x86-64
  • cedar_python-0.1.0-cp312-cp312-win_amd64.whl (3.6 MB), CPython 3.12, Windows x86-64
  • cedar_python-0.1.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2 MB), CPython 3.12, manylinux: glibc 2.17+ x86-64
  • cedar_python-0.1.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.1 MB), CPython 3.12, manylinux: glibc 2.17+ ARM64
  • cedar_python-0.1.0-cp312-cp312-macosx_11_0_arm64.whl (3.7 MB), CPython 3.12, macOS 11.0+ ARM64
  • cedar_python-0.1.0-cp312-cp312-macosx_10_12_x86_64.whl (3.8 MB), CPython 3.12, macOS 10.12+ x86-64

File details

Details for the file cedar_python-0.1.0.tar.gz.

File metadata

  • Download URL: cedar_python-0.1.0.tar.gz
  • Upload date:
  • Size: 124.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: maturin/1.11.5
