Add your description here
Project description
RAJA
Resource Authorization JWT Authority - Compile Cedar policies into JWT tokens for deterministic authorization.
What is RAJA?
RAJA compiles Cedar authorization policies into JWT tokens with explicit scopes. This means:
- Authorization decisions are deterministic (same token + request = same result)
- Tokens are transparent (you can see exactly what permissions are granted)
- Enforcement is fast (simple scope checking, no policy evaluation)
Quick Start
Installation
git clone https://github.com/quiltdata/raja.git
cd raja
uv sync
Deploy to AWS (Control Plane)
# Deploy infrastructure
./poe deploy
# Load Cedar policies
python scripts/load_policies.py
# Compile policies to scopes
export RAJA_API_URL="https://your-api.execute-api.us-east-1.amazonaws.com/prod"
python scripts/invoke_compiler.py
Control Plane UI
After deployment, open the API Gateway URL in your browser. The root path (/) renders a
simple admin UI with live data from /principals, /policies, and /audit.
How It Works
Cedar Policies → Compiler → JWT Scopes → Library Enforcement
- Write Cedar policies that define who can do what
- Compiler converts policies into scope strings (e.g.,
Document:doc123:read) - Token Service issues JWTs containing these scopes
- Applications validate tokens and check scopes locally
API Endpoints
When deployed to AWS, RAJA provides:
POST /compile - Compile Cedar policies into scopes
{}
→ {"message": "Policies compiled successfully", "policies_compiled": 3}
POST /token - Issue a JWT token
{"principal": "alice"}
→ {"token": "eyJ...", "scopes": ["S3Object:analytics-data/*:s3:GetObject", "S3Bucket:analytics-data:s3:ListBucket"]}
GET /principals - List principals and their scopes
→ {"principals": [{"principal": "alice", "scopes": [...]}]}
**GET /policies** - List Cedar policies
```json
→ {"policies": [{"policyId": "..."}]}
GET /audit - View audit log entries
Query params:
principal=<principal>
action=<action>
resource=<resource>
start_time=<epoch-seconds>
end_time=<epoch-seconds>
limit=<1-200>
next_token=<pagination-token>
Response fields include: timestamp, principal, action, resource, decision,
policy_store_id, request_id.
Local Development
Use the Python library standalone (no AWS required):
from raja import AuthRequest, create_token, enforce
# Create token with S3 scopes
token = create_token(
subject="alice",
scopes=[
"S3Object:analytics-data/*:s3:GetObject",
"S3Bucket:analytics-data:s3:ListBucket"
],
secret="your-secret"
)
# Check authorization for S3 GetObject
decision = enforce(
token_str=token,
request=AuthRequest(
resource_type="S3Object",
resource_id="analytics-data/reports/2024.csv",
action="s3:GetObject"
),
secret="your-secret"
)
print(decision.allowed) # True
Run Tests
./poe test-unit # Unit tests (no AWS)
./poe test # All tests
./poe check # Format, lint, typecheck
Demo RAJEE Envoy S3 Proxy
To demonstrate RAJEE's Envoy proxy correctly routing S3 operations:
./poe demo
This runs verbose integration tests showing:
- S3 operations (PUT, GET, DELETE, LIST) proxied through Envoy
- Host header rewriting (Envoy endpoint → s3.amazonaws.com)
- Multiple S3 API operations (GetObject, ListObjects, GetObjectAttributes, versioning)
- Timing metrics for each operation
- Complete request/response verification
Scope Format
Scopes follow the pattern: {ResourceType}:{ResourceId}:{Action}
Examples:
S3Object:analytics-data/reports/2024.csv:s3:GetObject- Read specific S3 objectS3Object:analytics-data/*:s3:GetObject- Read all objects in bucketS3Bucket:analytics-data:s3:ListBucket- List bucket contents*:*:*- Full admin access
Project Structure
raja/
├── src/raja/ # Core Python library
├── lambda_handlers/ # AWS Lambda handlers
├── infra/ # CDK infrastructure
├── policies/ # Sample Cedar policies
└── tests/ # Test suite
Documentation
- CLAUDE.md - Developer guide and architecture
- specs/ - Design specifications
- Module READMEs - See CLAUDE.md files in subdirectories
Contributing
See CLAUDE.md for development guidelines.
License
Apache License 2.0 - See LICENSE for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file raja-0.4.3.tar.gz.
File metadata
- Download URL: raja-0.4.3.tar.gz
- Upload date:
- Size: 28.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5f95f686a3354995453e157fb848060c5b493c6e24cc7de3af0a2e713b7ac943
|
|
| MD5 |
78c6838d8155c62e54f9a1a4d2908a09
|
|
| BLAKE2b-256 |
c55599c62f1aa913ffdfc9d4e7ef284c4a7708b688c9d766aa02f1e89fe12283
|
Provenance
The following attestation bundles were made for raja-0.4.3.tar.gz:
Publisher:
release.yml on quiltdata/raja
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
raja-0.4.3.tar.gz -
Subject digest:
5f95f686a3354995453e157fb848060c5b493c6e24cc7de3af0a2e713b7ac943 - Sigstore transparency entry: 832490383
- Sigstore integration time:
-
Permalink:
quiltdata/raja@5a5bd6b59d50ad5bc30c9f211be614187be28ebd -
Branch / Tag:
refs/tags/v0.4.3 - Owner: https://github.com/quiltdata
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@5a5bd6b59d50ad5bc30c9f211be614187be28ebd -
Trigger Event:
push
-
Statement type:
File details
Details for the file raja-0.4.3-py3-none-any.whl.
File metadata
- Download URL: raja-0.4.3-py3-none-any.whl
- Upload date:
- Size: 36.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4594515fb0b879bafea150a533c735ddb42519aeb06b1f31c791c6ffe4996888
|
|
| MD5 |
1760be81866fe28a9182f8a18c807fc2
|
|
| BLAKE2b-256 |
6c6dd3376c20d03ecd51f9af901101eabebe66f41dd2bb9cd63a64b34afa6182
|
Provenance
The following attestation bundles were made for raja-0.4.3-py3-none-any.whl:
Publisher:
release.yml on quiltdata/raja
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
raja-0.4.3-py3-none-any.whl -
Subject digest:
4594515fb0b879bafea150a533c735ddb42519aeb06b1f31c791c6ffe4996888 - Sigstore transparency entry: 832490391
- Sigstore integration time:
-
Permalink:
quiltdata/raja@5a5bd6b59d50ad5bc30c9f211be614187be28ebd -
Branch / Tag:
refs/tags/v0.4.3 - Owner: https://github.com/quiltdata
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@5a5bd6b59d50ad5bc30c9f211be614187be28ebd -
Trigger Event:
push
-
Statement type:
