Project

cedar_policy

0.01
There's a lot of open issues
cedar_policyelct9620/cedar-policy-rbHomepageDocumentationSource CodeBug TrackerWiki
Ruby bindings for Cedar policy evaluation engine.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
30,260
Stars
8
Forks
4
Watchers
1
 Releases
Current version
0.7.0
Total releases
68
First release
2024-08-13
Latest release
2026-02-26
 Issues
Open Issues
2
Closed Issues
4
Total Issues
6
Issue Closure Rate
66%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
8
Merged Pull Requests
76
Pull Request Acceptance Rate
90%
 Development
Primary Language
Ruby
Licenses
Apache-2.0
Average date of last 50 commits
2025-11-16
Reverse Dependencies
0

 Dependencies
 Project Readme

Cedar Policy

Ruby bindings for Cedar policy evaluation engine.

Installation

Install the gem and add to the application's Gemfile by executing:

$ bundle add cedar_policy

If bundler is not being used to manage dependencies, install the gem by executing:

$ gem install cedar_policy

Usage

Warning

This gem is still under development and the API may change in the future.

PolicySet

Define a policy by Cedar Language:

policy = <<~POLICY
          permit(
            principal == AdminUser::"1",
            action == Action::"view",
            resource
          );
        POLICY
policy_set = CedarPolicy::PolicySet.new(policy)

Currently, the single policy is not supported.

Request

Prepare the Entity's ID via EntityUid or an object with #to_hash method which returns a hash with :type and :id keys.

principal = CedarPolicy::EntityUid.new("AdminUser", "1") # or { type: "AdminUser", id: "1" }
action = CedarPolicy::EntityUid.new("Action", "view")
resource = CedarPolicy::EntityUid.new("Image", "1")

The Context object is used to store the request context. Use Context or an object with #to_hash method which returns a hash.

ctx = CedarPolicy::Context.new({ ip: "127.0.0.1" }) # or { ip: "127.0.0.1" }

The Context object can initialize without any arguments as an empty context.

Create a Request object with the principal, action, resource, and context.

request = CedarPolicy::Request.new(principal, action, resource, ctx)

Entities

Define the entities with related this request. It should be an array of Entity objects which have #to_hash method returns a hash with :uid,:attrs, and :parents keys.

entities = CedarPolicy::Entities.new([
    CedarPolicy::Entity.new(
        CedarPolicy::EntityUid.new("User", "1"),
        { role: "admin" },
        [] # Parents' EntityUid
    ),
    {
        uid: { type: "Image", id: "1" },
        attrs: {},
        parents: []
    }
])

Authorizer

Create an Authorizer object and authorize the request with the policy set and entities.

authorizer = CedarPolicy::Authorizer.new

If boolean result is enough, use #authorized? method.

authorizer.authorized?(request, policy_set, entities) # => true

If you want to get the decision object, use #authorize method.

response = authorizer.authorize(request, policy_set, entities)
response.decision # => CedarPolicy::Decision::ALLOW

The diagnostics is not supported yet in the response.

Roadmap

  • Add DSL to improve developer experience
  • Add batch authorization support
  • Diagnostics return with response
  • Validator support
  • Schema support

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/elct9620/cedar-policy-rb.

License

The gem is available as open source under the terms of the Apache-2.0 License.