
Python bindings for Cedar, the open-source policy language for access control.

Project description

Cedar Python

Python bindings for Cedar, the open-source policy language for access control. This library lets you define, validate, and evaluate authorization policies directly from Python.

Installation

# For reproducible installs, pin the release (this page lists 0.1.1) and use
# pip's --require-hashes mode with the SHA256 digests under "File hashes".
pip install cedar-python

Quick Start

from cedar import Authorizer, EntityUid, Policy, PolicySet, Request

# Create policies. Cedar denies by default: a request is allowed only when at
# least one permit matches and no forbid matches. Here alice may read any
# resource, and delete is forbidden for every principal.
policies = PolicySet('''
    permit(principal == User::"alice", action == Action::"read", resource);
    forbid(principal, action == Action::"delete", resource);
''')

# Create and evaluate a request; the positional arguments are principal,
# action, resource.
request = Request(
    EntityUid("User", "alice"),
    EntityUid("Action", "read"),
    EntityUid("Document", "doc1"),
)

# No entities are passed: the permit above compares the principal by UID only,
# so this decision needs no hierarchy or attribute data.
authorizer = Authorizer()
response = authorizer.is_authorized(request, policies)
# The permit matches alice + read and the forbid only covers delete.
# Gate the protected operation on this value.
print(response.allowed)  # True

Core API

Entities

from cedar import Entity, EntityUid, Context

# Entity identifiers: a type name plus an id string.
uid = EntityUid("User", "alice")
uid.entity_type()  # "User"
uid.id()           # "alice"

# Entities with attributes and hierarchy.
# attrs and parents are inputs to policy decisions (a policy can test
# principal.role or group membership), so load them from an authoritative
# store rather than from caller-supplied request data.
user = Entity(
    uid=EntityUid("User", "alice"),
    attrs={"email": "alice@example.com", "role": "admin"},
    parents=[EntityUid("Group", "admins")]
)

# Context for requests.
# Values such as the client address or an "authenticated" flag should be
# established server-side; a policy that trusts them is only as strong as
# the code that sets them.
context = Context({"ip_address": "10.0.0.1", "authenticated": True})

Authorization

from cedar import Authorizer, Request, Response

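# `user` is the Entity built in the Entities example; its parents list names
# Group::"admins", so that group is defined here (with no attributes) instead
# of being left as an undefined name.
group = Entity(EntityUid("Group", "admins"), {})

# Authorizer with entity hierarchy
authorizer = Authorizer(entities=[user, group])

# Full request with context
request = Request(
    principal=EntityUid("User", "alice"),
    action=EntityUid("Action", "read"),
    resource=EntityUid("Document", "doc1"),
    context=Context({"time": "2024-01-01T00:00:00Z"})
)

# `policies` is a PolicySet such as the one from Quick Start.
response = authorizer.is_authorized(request, policies)
response.allowed    # bool
response.decision   # "Allow" or "Deny"
response.reason     # Policy IDs that contributed to decision
# In Cedar a policy whose evaluation errors is skipped rather than treated as
# a match, so a failing forbid does not block the request. Log or alert on a
# non-empty errors list instead of reading only `allowed`.
response.errors     # Any evaluation errors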

Schema Validation

Validate entities, requests, and context against a schema:

from cedar import Authorizer, Context, EntityUid, Request, Schema

# '''...''' stands in for the schema JSON text (see the Schemas section).
schema = Schema.from_json('''...''')
action = EntityUid("Action", "read")

# Validate context against schema (requires action to determine expected shape)
context = Context({"ip_address": "10.0.0.1"}, schema=schema, action=action)

# Validate request components against schema
request = Request(
    principal=EntityUid("User", "alice"),
    action=action,
    resource=EntityUid("Document", "doc1"),
    context=context,
    schema=schema
)

# Validate entities when creating the authorizer.
# `user` and `doc` are Entity objects supplied by the caller; they are not
# defined in this snippet.
authorizer = Authorizer(entities=[user, doc], schema=schema)

# Validate request components using stored schema.
# `principal` and `resource` are likewise caller-supplied values.
# NOTE(review): the page does not show how a validation failure is reported
# (exception or return value) - confirm, and treat a failure as a rejected
# request rather than continuing to is_authorized.
authorizer.validate_request(principal, action, resource, context)

Dynamic Entity Management

Add, update, or remove entities in an existing authorizer:

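# Schema is imported as well: the schema-validation part below calls
# Schema.from_json.
from cedar import Authorizer, Entity, EntityUid, Schema

authorizer = Authorizer()

# Add a new entity (fails if entity already exists)
alice = Entity(EntityUid("User", "alice"), {"role": "admin"})
authorizer.add_entity(alice)

# Upsert an entity (adds or replaces existing).
# Replacing an entity changes the attributes that later decisions are
# evaluated against (here role goes from "admin" to "user"), so restrict
# which code paths may call these mutators.
alice_updated = Entity(EntityUid("User", "alice"), {"role": "user"})
authorizer.upsert_entity(alice_updated)

# Remove an entity by UID
authorizer.remove_entity(EntityUid("User", "alice"))

# With schema validation ('''...''' stands in for the schema JSON text)
schema = Schema.from_json('''...''')
authorizer = Authorizer(schema=schema)
doc = Entity(EntityUid("Document", "doc1"), {"owner": "alice"})
authorizer.add_entity(doc)  # Validates against schema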

Policies

from cedar import Policy, PolicySet

# Single policy.
# The scope here is unconstrained, so this policy permits every principal to
# perform every action on every resource; it illustrates the API only and is
# not a policy to deploy.
policy = Policy('permit(principal, action, resource);', id="policy1")
policy.id()          # "policy1"
policy.effect()      # "Permit"
policy.annotations() # {"id": "policy1"}
policy.to_cedar()    # Formatted Cedar syntax
policy.to_json()     # JSON representation

# Policy sets.
# The @id annotation supplies the ID used for lookup below. This permit
# constrains only the action: any principal may read any resource.
policy_set = PolicySet('''
    @id("read-access")
    permit(principal, action == Action::"read", resource);
''')
policy_set.policies()      # List of Policy objects
policy_set.policy("read-access")  # Get by ID
len(policy_set)            # Number of policies

Schemas

from cedar import Schema

# From JSON. The top-level "" key is the empty (default) namespace.
schema = Schema.from_json('''{
    "": {
        "entityTypes": {"User": {}, "Document": {}},
        "actions": {
            "read": {"appliesTo": {"principalTypes": ["User"], "resourceTypes": ["Document"]}}
        }
    }
}''')

# From Cedar schema syntax. This rebinds `schema` to the same definition
# written in the other format: entity types User and Document, and a read
# action that applies to a User principal and a Document resource.
schema = Schema.from_cedarschema('''
    entity User;
    entity Document;
    action read appliesTo { principal: User, resource: Document };
''')

schema.entity_types()  # ["User", "Document"]
schema.actions()       # ["read"]
schema.principals()    # Entity types that can be principals
schema.resources()     # Entity types that can be resources

Validation

Validate policies against a schema for type checking and error detection:

from cedar import PolicySet, Schema

# Create schema and policies
schema = Schema.from_cedarschema('''
    entity User;
    entity Document;
    action read appliesTo { principal: User, resource: Document };
''')

policies = PolicySet('''
    permit(principal == User::"alice", action == Action::"read", resource);
''')

# Validate policies against schema.
# This is a static check of the policy text against the declared types and
# actions. It does not show that the policies grant only the intended access.
result = schema.validate_policyset(policies)
result.valid     # True if validation passed
result.errors    # List of ValidationError objects
result.warnings  # List of ValidationWarning objects

# ValidationError/ValidationWarning have policy_id and message attributes.
# In a deployment pipeline, stop the rollout when result.valid is False.
for error in result.errors:
    print(f"{error.policy_id}: {error.message}")

Schema Module

Pydantic models for building schemas programmatically:

from cedar.schema import CedarSchema, NamespaceDefinition, EntityType, Action, AppliesTo

# Build a schema from model objects instead of JSON text. The "" key is the
# empty namespace, as in the JSON example in the Schemas section; it declares
# one entity type (User) and one action (read) whose principal type is User.
schema = CedarSchema(root={
    "": NamespaceDefinition(
        entityTypes={"User": EntityType()},
        actions={"read": Action(appliesTo=AppliesTo(principalTypes=["User"]))}
    )
})

Lean Module (Formal Verification)

Symbolic policy analysis using cedar-lean-cli:

from cedar.lean import (
    check_equivalent,
    check_implies,
    check_disjoint,
    compare_policysets,
    analyze_policies,
)

# Check if two policies are equivalent.
# `policy1`, `policy2` and `schema` are supplied by the caller; they are not
# defined in this snippet.
result = check_equivalent(policy1, policy2, schema)
result.satisfied      # True if equivalent
result.counterexample # Example where they differ (if not equivalent)

# Compare policy sets, e.g. to review a policy change before deploying it.
# NOTE(review): "source" below presumably means the first argument
# (old_policies) - confirm before reading more/less permissive as a direction.
comparison = compare_policysets(old_policies, new_policies, schema)
comparison.is_equivalent   # True if all request signatures are equivalent
comparison.more_permissive # Request envs where source allows more
comparison.less_permissive # Request envs where source allows less

CLI

# Validate a policy against a schema (arguments: policy file, then schema file).
# Suitable as a pre-deployment check for policy changes.
cedar schema validate policy.cedar schema.json

# Run the MCP server (needs the "mcp" extra; see the MCP Server section)
cedar mcp

MCP Server

For AI coding assistants, Cedar provides an MCP server with policy tools:

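# Quote the requirement: square brackets are glob characters, and zsh aborts
# with "no matches found" when the argument is left unquoted.
pip install "cedar-python[mcp]"
# Start the MCP server that exposes the policy tools listed below.
cedar mcp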

Available tools: validate_policy, validate_policy_set, validate_schema, format_policy

License

Apache-2.0

Project details


Download files


Source Distribution

cedar_python-0.1.1.tar.gz (124.2 kB view details)

Uploaded Source

Built Distributions


cedar_python-0.1.1-cp314-cp314-win_amd64.whl (3.6 MB view details)

Uploaded CPython 3.14Windows x86-64

cedar_python-0.1.1-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2 MB view details)

Uploaded CPython 3.14manylinux: glibc 2.17+ x86-64

cedar_python-0.1.1-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.1 MB view details)

Uploaded CPython 3.14manylinux: glibc 2.17+ ARM64

cedar_python-0.1.1-cp314-cp314-macosx_11_0_arm64.whl (3.7 MB view details)

Uploaded CPython 3.14macOS 11.0+ ARM64

cedar_python-0.1.1-cp314-cp314-macosx_10_12_x86_64.whl (3.8 MB view details)

Uploaded CPython 3.14macOS 10.12+ x86-64

cedar_python-0.1.1-cp313-cp313-win_amd64.whl (3.6 MB view details)

Uploaded CPython 3.13Windows x86-64

cedar_python-0.1.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2 MB view details)

Uploaded CPython 3.13manylinux: glibc 2.17+ x86-64

cedar_python-0.1.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.1 MB view details)

Uploaded CPython 3.13manylinux: glibc 2.17+ ARM64

cedar_python-0.1.1-cp313-cp313-macosx_11_0_arm64.whl (3.7 MB view details)

Uploaded CPython 3.13macOS 11.0+ ARM64

cedar_python-0.1.1-cp313-cp313-macosx_10_12_x86_64.whl (3.8 MB view details)

Uploaded CPython 3.13macOS 10.12+ x86-64

cedar_python-0.1.1-cp312-cp312-win_amd64.whl (3.6 MB view details)

Uploaded CPython 3.12Windows x86-64

cedar_python-0.1.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (4.2 MB view details)

Uploaded CPython 3.12manylinux: glibc 2.17+ x86-64

cedar_python-0.1.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl (4.1 MB view details)

Uploaded CPython 3.12manylinux: glibc 2.17+ ARM64

cedar_python-0.1.1-cp312-cp312-macosx_11_0_arm64.whl (3.7 MB view details)

Uploaded CPython 3.12macOS 11.0+ ARM64

cedar_python-0.1.1-cp312-cp312-macosx_10_12_x86_64.whl (3.8 MB view details)

Uploaded CPython 3.12macOS 10.12+ x86-64

File details

Details for the file cedar_python-0.1.1.tar.gz.

File metadata

  • Download URL: cedar_python-0.1.1.tar.gz
  • Upload date:
  • Size: 124.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: maturin/1.11.5

File hashes

Hashes for cedar_python-0.1.1.tar.gz
Algorithm Hash digest
SHA256 2d6e0896fa49dc03c9316cf94ce2a2bd38142529dabe5c74a8d2ec5ac4a4906d
MD5 d27a92dc284d3f6ae0873daac477fa92
BLAKE2b-256 36c64672c755475c5c078c37d9d0d2026f2f9ee280e0acf43769ba6780993c9f


File details

Details for the file cedar_python-0.1.1-cp314-cp314-win_amd64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp314-cp314-win_amd64.whl
Algorithm Hash digest
SHA256 eed4b674afb0b05c2af6c06ab4bec7c5c1274d534f3ca1dd931d3328f4ea14f2
MD5 5bc3d97393751a7fccd07ccf4cd68a72
BLAKE2b-256 1616bbb90d08c469cde3f4fc6e99d58b74685a25ee3bd1038084eab0f9282986


File details

Details for the file cedar_python-0.1.1-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 9a0ec460eb8a7ce10f815c0dea6d3802cabac8da3172c30cb7db21e7436310ae
MD5 de2df694cdde403d4cbfa45446fa7263
BLAKE2b-256 283f7f4d8496f32ab68de40b06f6f96930772e4831355b566e6847ffc2e34534


File details

Details for the file cedar_python-0.1.1-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 d58f59833681f0534835c505fb74b9c09d85e047e256b387353cda2b0cf7ebbb
MD5 a370348a5d621c16c29b35100ba2fdfc
BLAKE2b-256 793a6516cb2c359911d3bb12e24dbf7b3c023a22ab9aa7b37d1f30da6f316da4


File details

Details for the file cedar_python-0.1.1-cp314-cp314-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp314-cp314-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 c8ea5beddb53bf96f27b0652147674330c7b9b3e0b199c35f717dcaa5f326709
MD5 3e4c6fa01368b2189a7046582c5eeffc
BLAKE2b-256 b9f68bacde154d8891ea3abbdad908309db80617f162d802c5b13494f3356f2b


File details

Details for the file cedar_python-0.1.1-cp314-cp314-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp314-cp314-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 c574e2f641ecb6d67b699157a6046a21cffdbd11c7ac85b1e2ac05e878c296b6
MD5 915ade49b65850a9a5e96b5cadb3471a
BLAKE2b-256 b1d2e6dda6590bef50e861b27475ccc7ba1f2be6a0566af52c3abe68efe4bc4b


File details

Details for the file cedar_python-0.1.1-cp313-cp313-win_amd64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp313-cp313-win_amd64.whl
Algorithm Hash digest
SHA256 2729d5e8c8d8a92a67e3027944373e0dae198c015379854e663fb43462370652
MD5 a54a36d49cb6c28bf723ab23c79e70a3
BLAKE2b-256 40fcc60c7fe1aa31665ce09bd44bc9c7b7cfddfe8c2a82111ae351ac36db2454


File details

Details for the file cedar_python-0.1.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 44bbc2c8406005435132567e7ff5673079b9188a517c7b895ea677a7a6108a22
MD5 67aaf0191e22736b022b4aa61d6563f9
BLAKE2b-256 7207032266a92ba55296fba89cbdaf7ff6a3cace9cf1be80f20e6093466ee138


File details

Details for the file cedar_python-0.1.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 a639d54016f75d671003ffcd7852abbab6d8fc0b8a5474d64f2edd9b351fa915
MD5 a4e7e598ef4c005fb824ba347ac63770
BLAKE2b-256 1774db2f91c59ee826f9ed215ecb0f4fbb10665295676622622362f49abe7800


File details

Details for the file cedar_python-0.1.1-cp313-cp313-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp313-cp313-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 8111bca5178ada03512e8f74d1d0d72cda307f1bb7a8e1347e6c1dd9e16cb56e
MD5 a77417226df80d2bee05a910738c93e7
BLAKE2b-256 679946be29e7d209113f021bd8009a1df8395af058b3fd38577b9af5a5b2f73c


File details

Details for the file cedar_python-0.1.1-cp313-cp313-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp313-cp313-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 5ab297489c4b3e5e4bea75315fcb0612e16ec792b11c9c01b153686318ece9ed
MD5 714259fc08a2e43ea72f4a42359be5da
BLAKE2b-256 ec153fc8325bf9193942b63a67cc63861d3409e46e3888b1d2f22782d842e423


File details

Details for the file cedar_python-0.1.1-cp312-cp312-win_amd64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp312-cp312-win_amd64.whl
Algorithm Hash digest
SHA256 6ce02868f9f56d9464638162b1f6a8f148c3144165eb75660fc74478f02f2b6c
MD5 e35f6d3e5298e7153e78ccb67020d2fe
BLAKE2b-256 cfbdcf8a805f94e9d5c6bc46e905c89ae3bd153a154ac8d96f685f89fcd0780d


File details

Details for the file cedar_python-0.1.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Algorithm Hash digest
SHA256 165aca5f4a1e81589e4f5ccae137ec29d171f0401135c26d16d194284b9549dd
MD5 e10f441ce880b77437b6e6252186a7ed
BLAKE2b-256 411e0b0d16115e7bcc9cf2dadaa725f74fdb29c8afb9d02773b449e121b5fab4


File details

Details for the file cedar_python-0.1.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl
Algorithm Hash digest
SHA256 7acebcef01551904c17baf99fc65b862a5b1e894454c5bec59ee7aed694bca5f
MD5 0fac620199b391bf1218f49730b80f8a
BLAKE2b-256 299d633e318e0bdb64691de53dbf01ebe856b2838a830d8e46211d73c7809d84


File details

Details for the file cedar_python-0.1.1-cp312-cp312-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp312-cp312-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 7ec3f122564213c8f2e7d7036509231ea54b2fa584c177622feec7aa2669e59b
MD5 046e92d3a85567f9feb648f94b895a62
BLAKE2b-256 0f4a7f427f887b74295e2d6e431a7dbdb06161d962f3dcebe237068e9d0b17d2


File details

Details for the file cedar_python-0.1.1-cp312-cp312-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for cedar_python-0.1.1-cp312-cp312-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 685af1ad6ea5772c43691c721f0d315864fc25885ed98b263e42d7a4b053bf2d
MD5 e2ef8b9952398fd5a117825b62fbf70b
BLAKE2b-256 5073fabb28160f19522e760416fdd633a5cff110090f69a00b56987d05a9a4b1

