Episode 122 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Cedar v. Rego v. OpenFGA

Description

Cedar's simple and intuitive syntax supports common authorization use-cases with readable policies, naturally leveraging concepts from role-based, attribute-based, and relation-based access control models. In this episode we'll discuss a paper that compares Cedar to two open-source languages, OpenFGA and Rego, and why its conclusion is that Cedar has equally or more readable policies (a subjective judgement) and objectively better performance.

Takeaways

  • ⚡ 2025 is the dawn of the "Golden Age of Automated Reasoning"! Cedar creates a bridge to analyzable security via some fancy math which implementers don't need to understand. This means Cedar enables enterprises to “prove” that their policies are secure by evaluating universal statements--even about the future, like "No S3 bucket may ever be public".

  • ⚡ Rego fell into the "Turing tar-pit"--building a Rego analyzer would be difficult, as Datalog program equivalence is undecidable. Zanzibar lacks the search flexibility needed for complex ABAC filters. Cedar was developed to address deficiencies in the respective safety and flexibility of those existing solutions.

  • ⚡ Automated reasoning scales--not just from a performance, but from a governance perspective. Enterprises can eliminate the risk of a policy delta when upgrading complex systems or databases.

  • ⚡ Schema is Cedar's superpower. Enterprises must define the properties of any entity about which there is a Cedar policy. That's a good thing...

  • ⚡ Cedar adoption by MongoDB for fine-grained authorization is perhaps the start of a trend by database vendors. A Cedar schema maps one-to-one onto a database model.
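As an added example of what the schema takeaway means in practice (constructed for this page, not taken from the episode or the paper it discusses): a Cedar schema for a hypothetical PhotoApp namespace, followed by policies in the role-based, attribute-based and relation-based styles the description mentions, and one policy that schema validation rejects before it can ever be deployed.

```cedar
// Schema (Cedar's human-readable schema syntax): every entity type a policy
// may mention, its parent types (for "in" hierarchies) and its attributes.
// "PhotoApp" and its types are constructed for this illustration.
namespace PhotoApp {
  entity UserGroup;
  entity User in [UserGroup] { department: String };
  entity Album;
  entity Photo in [Album] { owner: User, isPublic: Bool };
  action viewPhoto appliesTo {
    principal: [User],
    resource: [Photo],
    context: { mfa: Bool }
  };
}

// --- Policies (kept in a separate .cedar file in practice) ---

// RBAC-style: membership in a group type the schema declares as a parent of User.
permit(principal in PhotoApp::UserGroup::"admins",
       action == PhotoApp::Action::"viewPhoto",
       resource);

// ABAC-style: a Bool attribute the schema declares on Photo.
permit(principal, action == PhotoApp::Action::"viewPhoto", resource)
  when { resource.isPublic };

// ReBAC-style: the owner relationship is typed as a User entity in the schema,
// so the validator can check that "resource.owner == principal" compares
// entities of the same type.
permit(principal, action == PhotoApp::Action::"viewPhoto", resource)
  when { resource.owner == principal };

// Request context is schema-typed too: context.mfa is known to be a Bool.
forbid(principal, action == PhotoApp::Action::"viewPhoto", resource)
  unless { context.mfa };

// Rejected by validation against the schema above, before deployment:
//   permit(principal, action == PhotoApp::Action::"viewPhoto", resource)
//     when { resource.isPublc };
// Photo declares no attribute "isPublc", so the typo cannot silently
// become a policy that never matches.
```

The schema is what makes the analysis in the first takeaway possible: because every attribute, parent type and context field is declared up front, a policy can be type-checked and reasoned about as a whole rather than only tested on sample requests.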
