Episode 045: 09‐05‐2024 Intro to the Cedarling - GluuFederation/identerati-office-hours GitHub Wiki
Title: Intro to the Cedarling
- Host: Mike Schwartz, Founder/CEO Gluu
- Co-Host: Kevin Kampman, Senior Consulting Analyst, TechVision Research
Description
Cedar is a policy language invented by Amazon. It is used by AWS Verified Permissions, Amazon's Authz-as-a-Service offering. Gluu is working on a new product at the Janssen Project called the "Cedarling", which leverages the Cedar policy syntax and Amazon's open source Cedar Rust engine. The Cedarling can run anywhere: as a local agent in the browser, embedded in a mobile application, or as a cloud service. It needs no data of its own because it trusts the JWT tokens that the application supplies as input to the request. Beyond policy evaluation, the Cedarling agent has two other capabilities: JWT validation and audit logging. In this episode, Mike will present Gluu's current progress on the Cedarling and show a demo of the Cedarling in action!
Homework
- Emina Torlak, AWS re:Invent presentation: "The Science behind the Cedar Policy Engine Design" (23 min video)
Extra Credit:
Takeaways
- Cedar is performant, expressive, analyzable, and has ergonomic syntax (e.g. human readable policies). Amazon's Cedar Rust engine is small enough to embed in a browser-based application (via WASM) or a mobile app.
- The Cedarling helps developers secure applications where the identity data is sent via JWTs. The Cedarling never makes a database or network request to evaluate a policy. Application policies are loaded once, either locally or from the web.
- The Cedarling is built in Rust, with bindings available for WASM, Android, iOS, and Python. The key advantage of Rust is that all core logic lives in the one Rust code base, so there is no delta in functionality between the different Cedarling distributions.
- The Cedarling can perform JWT signature validation and other esoteric OAuth hygiene, like checking the status of a JWT. The Cedarling also creates a "Decision Log" entry for every authorization request.
- Enterprise features: if every browser and mobile application has a Cedarling component running, enterprises need a way to centralize log collection and reporting. Gluu's commercial offering will provide some of these reports, which enable organizations to identify attackers and mitigate a security compromise.
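The flow these takeaways describe (trust only a locally validated JWT, evaluate policy with no network or database call, log every decision) as an added example; this is not the Cedarling's or Gluu's code. It assumes HS256 with a shared key for the signature check and uses Python predicates as stand-ins for Cedar policies, keeping Cedar's forbid-overrides-permit semantics.

```python
# Added illustration, not Gluu's Cedarling code: an embedded authorizer that trusts only a
# locally verified JWT, evaluates in-memory rules and records a decision log. Assumptions:
# HS256 with a shared key (the Cedarling verifies issuer signatures); Python predicates
# stand in for Cedar policies (this is not Cedar syntax).
import base64, hashlib, hmac, json, time

SHARED_KEY = b"demo-key-constructed-for-this-example"   # constructed sample secret
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build a sample HS256 JWT so the example runs offline (the IdP does this in reality)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"
def validate_jwt(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Algorithm, signature and expiry are checked locally; no network or database call."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":   # reject 'none' etc.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# (effect, predicate over principal claims, action, resource). Cedar semantics: any matching
# forbid wins; otherwise allow only if at least one permit matches.
POLICIES = [
    ("permit", lambda p, a, r: "admin" in p.get("roles", []) and r.get("type") == "Report"),
    ("permit", lambda p, a, r: a == "view" and r.get("owner") == p["sub"]),
    ("forbid", lambda p, a, r: a == "delete" and r.get("locked", False)),
]
DECISION_LOG = []   # one record per authorization request, like the Cedarling's Decision Log
def authorize(token: str, action: str, resource: dict, now=None) -> bool:
    try:
        principal = validate_jwt(token, now=now)
    except ValueError as err:   # an untrusted token never reaches policy evaluation
        DECISION_LOG.append({"decision": "DENY", "reason": f"jwt: {err}", "action": action})
        return False
    hits = [i for i, (_, f) in enumerate(POLICIES) if f(principal, action, resource)]
    forbids = [i for i in hits if POLICIES[i][0] == "forbid"]
    allowed = not forbids and bool(hits)
    DECISION_LOG.append({"decision": "ALLOW" if allowed else "DENY", "principal": principal["sub"],
                         "action": action, "resource": resource.get("id"), "policies": hits})
    return allowed
```

Every denial, including one caused by a tampered or expired token, still produces a log record, which is what makes centralized collection of these logs useful for spotting abuse.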