Episode 074: 12‐17‐2024 Cedarling Launch - GluuFederation/identerati-office-hours GitHub Wiki
Title: Cedarling Launch
- Presenter: Mike Schwartz, Founder/CEO Gluu
- Guest Host: Mike Neuenschwander, Identity Analyst
Description
Join Gluu founder Mike Schwartz and identerati Mike Neuenschwander for an update on the Janssen Project 🔥Cedarling🔥, a new embeddable PDP powered by the Amazon open source Rust Cedar Engine.
In this episode we'll discuss:
- ⭐ Why an embedded PDP is essential--even if you don't trust the frontend
- ⭐ Why Cedar isn't just for Amazon
- ⭐ How to author Cedar Policies using Agama Lab Policy Designer
- ⭐ How to run the Cedarling as a sidecar for cloud applications
- ⭐ How to map the data in JWT tokens to Cedar entities
Homework
- Cedarling Sidecar Docs
- Agama Lab (use your GitHub id to log in)
- Cedarling Bootstrap Properties (not all implemented yet--e.g. the whole Lock Server section)
Takeaways
⚡ The Cedarling is actually a three-part solution: 1) an embeddable Rust PDP (Cedarling), 2) a policy authoring tool (Agama Lab Policy Designer), 3) enterprise tools (Lock Server). This initial MVP includes the first two items. We plan to connect the Cedarling with the Lock Server in Jan 2025.
⚡ The Cedarling MVP is a sidecar that uses OpenID AuthZen as the HTTP interface for access evaluation. AuthZen requests are basically PARC (Principal, Action, Resource, Context), except AuthZen uses "Subject" instead of "Principal". The Cedarling accepts the OpenID `id_token`, the Userinfo token, or the OAuth `access_token` for the subject--or all three. It then extracts the values and maps them to Cedar entities.
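The token-to-entity mapping described above, as an added illustration (this is not the Cedarling's own code; the `Jans::` entity type names, the choice of claims, and placing the tokens under `subject.properties` of the AuthZen request are assumptions, and the sample tokens are constructed and unsigned):

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sample_token(claims: dict) -> str:
    """Constructed sample JWT with an empty signature segment, for offline
    illustration only; a real token would be signed by the OpenID Provider."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Signature verification against the
    issuer's JWKS is out of scope here but mandatory before a PDP trusts claims."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))

def authzen_request(tokens: dict, action: str, resource: dict, context=None) -> dict:
    """AuthZen evaluation request: PARC, with 'subject' in place of Cedar's
    principal. Carrying the tokens under subject.properties is an assumption."""
    subject_id = jwt_claims(tokens["id_token"])["sub"]
    return {
        "subject": {"type": "user", "id": subject_id, "properties": tokens},
        "action": {"name": action},
        "resource": resource,
        "context": context or {},
    }

def to_cedar_entities(req: dict) -> list:
    """Map the JWTs in an AuthZen request to Cedar entity JSON. Entity type
    names and the claim-to-attribute choices are illustrative assumptions."""
    tokens = req["subject"]["properties"]
    entities, user_attrs, roles = [], {}, set()
    for kind in ("id_token", "userinfo_token", "access_token"):
        if kind not in tokens:
            continue
        claims = jwt_claims(tokens[kind])
        # One entity per token; only scalar claims are kept as attributes
        entities.append({"uid": {"type": f"Jans::{kind}", "id": claims.get("jti", kind)},
                         "attrs": {k: v for k, v in claims.items() if isinstance(v, (str, int, bool))},
                         "parents": []})
        if kind != "access_token":  # identity claims come from id_token / userinfo
            user_attrs.update({k: v for k, v in claims.items() if k in ("sub", "email", "name")})
            roles.update(claims.get("role", []))
    # The User entity is a member of each role it carries, so a policy can say
    # `principal in Jans::Role::"admin"`
    entities.append({"uid": {"type": "Jans::User", "id": user_attrs["sub"]}, "attrs": user_attrs,
                     "parents": [{"type": "Jans::Role", "id": r} for r in sorted(roles)]})
    entities.extend({"uid": {"type": "Jans::Role", "id": r}, "attrs": {}, "parents": []} for r in sorted(roles))
    return entities
```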
⚡ Agama Lab enables developers to define a Cedar schema, author policies, and publish Cedarling policy stores as a GitHub URL. Better versioning is coming--similar to the versioning in the Agama Lab Flow Designer, with a SHA256 checksum for integrity. It's important for the decision logs to record the version of the policy store used.
⚡ CBAC -- Cedar Based Access Control -- is justified because it's more than just ABAC: it also includes a policy engine written in Rust and new possibilities for automated reasoning.