{"id":13457921,"url":"https://github.com/k9securityio/cedar-py","last_synced_at":"2026-04-23T02:00:52.295Z","repository":{"id":178220586,"uuid":"657702830","full_name":"k9securityio/cedar-py","owner":"k9securityio","description":"Python bindings for the Cedar Policy project.","archived":false,"fork":false,"pushed_at":"2026-04-22T16:30:28.000Z","size":350,"stargazers_count":51,"open_issues_count":4,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-22T18:27:33.145Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/k9securityio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-06-23T16:36:53.000Z","updated_at":"2026-04-22T16:23:28.000Z","dependencies_parsed_at":"2024-12-24T18:38:47.796Z","dependency_job_id":null,"html_url":"https://github.com/k9securityio/cedar-py","commit_stats":null,"previous_names":["k9securityio/cedar-py"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/k9securityio/cedar-py","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k9securityio%2Fcedar-py","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k9securityio%2Fcedar-py/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k9securityio%2Fcedar-py/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k9securityio%2Fcedar-py/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/k9securityio","download_url":"https://codeload.github.com/k9securityio/cedar-py/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/k9securityio%2Fcedar-py/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32162611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-22T17:06:48.269Z","status":"online","status_checked_at":"2026-04-23T02:00:06.710Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T09:00:39.695Z","updated_at":"2026-04-23T02:00:52.287Z","avatar_url":"https://github.com/k9securityio.png","language":"Python","readme":"# Cedar Python\n![CI (main)](https://github.com/k9securityio/cedar-py/actions/workflows/CI.yml/badge.svg?branch=main)\n\u0026nbsp;[![PyPI version](https://badge.fury.io/py/cedarpy.svg)](https://badge.fury.io/py/cedarpy)\n\n`cedarpy` helps you use the (Rust) [Cedar Policy](https://github.com/cedar-policy/cedar/tree/main) library from Python. You can use `cedarpy` to:\n* check whether a request is authorized by the [Cedar Policy](https://www.cedarpolicy.com) engine\n* validate policies against a schema\n* format policies\n\n`cedarpy` releases correspond to the following Cedar Policy engine versions:\n\u003ctable\u003e\n\u003cthead\u003e\u003ctr\u003e\u003cth\u003eCedar Policy (engine) release\u003c/th\u003e\u003cth\u003ecedarpy release\u003c/th\u003e\u003cth\u003ecedarpy branch\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n\u003ctbody\u003e\n    \u003ctr\u003e\u003ctd\u003ev4.8.2\u003c/td\u003e\u003ctd\u003ev4.8.1\u003c/td\u003e\u003ctd\u003emain\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\u003ctd\u003ev4.7.2\u003c/td\u003e\u003ctd\u003ev4.7.1\u003c/td\u003e\u003ctd\u003erelease/4.7.x\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\u003ctd\u003ev4.1.0\u003c/td\u003e\u003ctd\u003ev4.1.0\u003c/td\u003e\u003ctd\u003erelease/4.1.x\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\u003ctd\u003ev2.2.0\u003c/td\u003e\u003ctd\u003ev0.4.1\u003c/td\u003e\u003ctd\u003erelease/2.2.x\u003c/td\u003e\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\nBeginning with v4.1.0, `cedarpy`'s version number indicates the Cedar Policy engine major and minor version that it is based on. `cedarpy` increases the patch number when releasing backwards-compatible changes and bug fixes. So the `cedarpy` and Cedar Engine patch versions can and will diverge. Select the `cedarpy` version that provides the [Cedar Policy](https://www.cedarpolicy.com/en) language and engine features you need. \n\n`cedarpy` packages are available for the following platforms:\n\u003ctable\u003e\n\u003cthead\u003e\u003ctr\u003e\u003cth\u003eOperating System\u003c/th\u003e\u003cth\u003eProcessor Architectures\u003c/th\u003e\u003cth\u003ePython\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\n\u003ctbody\u003e\n    \u003ctr\u003e\u003ctd\u003eLinux\u003c/td\u003e\u003ctd\u003ex86_64, aarch64\u003c/td\u003e\u003ctd\u003e3.9 - 3.14\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\u003ctd\u003eMac\u003c/td\u003e\u003ctd\u003ex86_64, aarch64\u003c/td\u003e\u003ctd\u003e3.11 - 3.14\u003c/td\u003e\u003c/tr\u003e\n    \u003ctr\u003e\u003ctd\u003eWindows\u003c/td\u003e\u003ctd\u003ex86_64\u003c/td\u003e\u003ctd\u003e3.9 - 3.14\u003c/td\u003e\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\n\nNote: This project is _not_ officially supported by AWS or the Cedar Policy team.\n\n## Using the library\nReleases of [`cedarpy`](https://pypi.org/project/cedarpy/) are available on PyPi.  You can install the latest release with:\n```shell\npip install cedarpy\n```\n\n(See the Developing section for how to use artifacts you've built locally.)\n\n### Authorizing access with Cedar policies in Python\nNow you can use the library to authorize access with Cedar from your Python project using the `is_authorized` function.  Here's an example of basic use:\n\n```python\nfrom cedarpy import is_authorized, AuthzResult, Decision\n\npolicies: str = \"//a string containing cedar policies\"\nentities: list = [  # a list of Cedar entities; can also be a json-formatted string of Cedar entities\n    {\"uid\": {\"__entity\": { \"type\" : \"User\", \"id\" : \"alice\" }}, \"attrs\": {}, \"parents\": []}\n    # ...\n]\nrequest = {\n    \"principal\": 'User::\"bob\"',\n    \"action\": 'Action::\"view\"',\n    \"resource\": 'Photo::\"1234-abcd\"',\n    \"context\": {}\n}\n\nauthz_result: AuthzResult = is_authorized(request, policies, entities)\n\n# so you can assert on the decision like:\nassert Decision.Allow == authz_result.decision\n\n# or use the 'allowed' convenience method \nassert authz_result.allowed\n\n# or even via AuthzResult's attribute subscripting support \nassert authz_result['allowed']\n\n```\nThe [`AuthzResult`](cedarpy/__init__.py) class also provides diagnostics and metrics for the access evaluation request. \n\nSee the [unit tests](tests/unit) for more examples of use and expected behavior.\n\n### Authorize a batch of requests\n\nYou can also authorize a batch of requests with the `is_authorized_batch` function.  `is_authorized_batch` accepts a list of requests to evaluate against shared policies, entities, and schema.\n\nBatch authorization is often _much_ more efficient (+10x) than processing authorization requests one by one with `is_authorized`.  This is because the most expensive part of the authorization process is transforming the policies, entities, and schema into objects that Cedar can evaluate.  See [RFC: support batch authorization requests](https://github.com/k9securityio/cedar-py/issues/13) for details.\n\nHere's an example of how to use `is_authorized_batch` and the optional request-result `correlation_id`:\n\n```python3\nbatch_id:str = randomstr()\nrequests: List[dict] = []\nfor action_name in action_names:\n    requests.append({\n        \"principal\": f'User::\"{user_id}\"',\n        \"action\": f'Action::\"{action_name}\"',\n        \"resource\": f'Resource::\"{resource_id}\"',\n        \"context\": context_keys,\n        \"correlation_id\": f\"authz_req::{batch_id}-{action_name}\"\n    })\n\n# ... resolve get policies, entities, schema ...\n\n# process authorizations in batch\nauthz_results: List[AuthzResult] = is_authorized_batch(requests=requests, policies=policies, entities=entities, schema=schema)\n\n# ... verify results came back in correct order via correlation_id ...\nfor request, result, in zip(requests, authz_results):\n    assert request.get('correlation_id') == result.correlation_id\n\n```\ncedar-py returns the list of `AuthzResult` objects in the same order as the list of requests provided in the batch.\n\nThe above example also supplies an optional `correlation_id` in the request so that you can verify results are returned in the correct order or otherwise map a request to a result.\n\n\n### Validating policies against a schema\n\nYou can use `validate_policies` to validate Cedar policies against a schema before deploying them. Validation catches common mistakes like typos in entity types, invalid actions, type mismatches, and unsafe access to optional attributes—errors that would otherwise cause policies to silently fail at runtime.\n\nThis is particularly useful in CI/CD pipelines to catch policy errors before they reach production. See the [Cedar validation documentation](https://docs.cedarpolicy.com/policies/validation.html) for details on what the validator checks.\n\nHere's an example of basic use:\n\n```python\nfrom cedarpy import validate_policies, ValidationResult\n\npolicies: str = \"// a string containing Cedar policies\"\nschema: str = \"// a Cedar schema as JSON string, Cedar schema string, or Python dict\"\n\nresult: ValidationResult = validate_policies(policies, schema)\n\n# so you can check validation passed like:\nassert result.validation_passed\n\n# or use ValidationResult in a boolean context\nassert result  # True if validation passed\n\n# and if validation fails, iterate over errors:\nfor error in result.errors:\n    print(f\"error: {error}\")\n\n```\nThe [`ValidationResult`](cedarpy/__init__.py) class provides the validation outcome and a list of `ValidationError` objects when validation fails.\n\nSee the [unit tests](tests/unit) for more examples of use and expected behavior.\n\n### Formatting Cedar policies\n\nYou can use `format_policies` to pretty-print Cedar policies according to\nconvention.\n\n```python\nfrom cedarpy import format_policies\n\npolicies: str = \"\"\"\n    permit(\n        principal,\n        action == Action::\"edit\",\n        resource\n    )\n    when {\n        resource.owner == principal\n    };\n\"\"\"\n\nprint(format_policies(policies))\n# permit (\n#   principal,\n#   action == Action::\"edit\",\n#   resource\n# )\n# when { resource.owner == principal };\n```\n\n## Developing\n\n\nYou'll need a few things to get started:\n\n* Python +3.9\n* Rust and `cargo`\n\nThis project is built on the [PyO3](https://docs.rs/pyo3/latest/pyo3/index.html) and [maturin](https://www.maturin.rs/index.html) projects.  These projects are designed to enable Python to use Rust code and vice versa.\n\nThe most common development commands are in the `Makefile`\n\n### Create virtual env\n\nFirst create a Python virtual environment for this project with:\n`make venv-dev`\n\nIn addition to creating a dedicated virtual environment, this will install `cedar-py`'s dependencies.\n\nIf this works you should be able to run the following command:\n``` shell\nmaturin --help\n```\n\n## Build and run `cedar-py` tests\n\nEnsure the `cedar-py` virtual environment is active by sourcing it in your shell:\n\n```shell\nsource venv-dev/bin/activate\n```\n\nNow run:\n```shell\nmake quick\n```\n\nThe `make quick` command will build the Rust source code with `maturin` and run the project's tests with `pytest`.\n\nIf all goes well, you should see output like:\n```shell\n(venv-dev) swedish-chef:cedar-py skuenzli$ make quick\nPerforming quick build\nset -e ;\\\n\tmaturin develop ;\\\n\tpytest\n📦 Including license file \"/path/to/cedar-py/LICENSE\"\n🔗 Found pyo3 bindings\n🐍 Found CPython 3.9 at /path/to/cedar-py/venv-dev/bin/python\n📡 Using build options features from pyproject.toml\nIgnoring maturin: markers 'extra == \"dev\"' don't match your environment\nIgnoring pip-tools: markers 'extra == \"dev\"' don't match your environment\nIgnoring pytest: markers 'extra == \"dev\"' don't match your environment\n💻 Using `MACOSX_DEPLOYMENT_TARGET=11.0` for aarch64-apple-darwin by default\n   Compiling cedarpy v0.1.0 (/path/to/cedar-py)\n    Finished dev [unoptimized + debuginfo] target(s) in 3.06s\n📦 Built wheel for CPython 3.9 to /var/folders/k2/tnw8n1c54tv8nt4557pfx3440000gp/T/.tmpO6aj6c/cedarpy-0.1.0-cp39-cp39-macosx_11_0_arm64.whl\n🛠 Installed cedarpy-0.1.0\n================================================================================================ test session starts ================================================================================================\nplatform darwin -- Python 3.9.12, pytest-7.4.0, pluggy-1.2.0\nrootdir: /path/to/cedar-py\nconfigfile: pyproject.toml\ntestpaths: tests/unit\ncollected 10 items\n\ntests/unit/test_authorize.py::AuthorizeTestCase::test_authorize_basic_ALLOW PASSED                                                                                                                            [ 10%]\ntests/unit/test_authorize.py::AuthorizeTestCase::test_authorize_basic_DENY PASSED                                                                                                                             [ 20%]\n\n... snip ... # a bunch of tests passing - please write more!\ntests/unit/test_import_module.py::InvokeModuleTestFunctionTestCase::test_invoke_parse_test_policy PASSED                                                                                                      [100%]\n\n================================================================================================ 10 passed in 0.51s =================================================================================================\n```\n\n### Integration tests\nThis project supports validating correctness with official Cedar integration tests. To run those tests you'll need to retrieve the `cedar-integration-tests` data with:\n\n```shell\nmake submodules\n```\n\nThen you can run:\n```shell\nmake integration-tests\n```\n\n`cedar-py` currently passes 69 of the 74 tests defined in the `example_use_cases`, `multi`, `ip`, and `decimal` suites. The integration tests also validate policies against schemas when `shouldValidate` is set in the test definition. See [test_cedar_integration_tests.py](tests/integration/test_cedar_integration_tests.py) for details.\n\n### Using locally-built artifacts\n\nIf you used `make quick` above, then a development build of the `cedarpy` module will already be installed in the virtual environment. \n\nIf you want to use your local `cedarpy` changes in another Python environment, you'll need to build a release with:\n\n```shell\nmake release\n```\n\nThe release process will build a wheel and output it into `target/wheels/`\n\nNow you can install that file with pip, e.g.:\n```shell\npip install --force-reinstall /path/to/cedar-py/target/wheels/ccedarpy-*.whl\n```\n\n\n## Contributing\n\nThis project is in its early stages and contributions are welcome. Please check the project's GitHub [issues](https://github.com/k9securityio/cedar-py/issues) for work we've already identified.\n\nSome ways to contribute are:\n* Use the project and report experience and issues\n* Document usage and limitations\n* Enhance the library with additional functionality you need\n* Add test cases, particularly those from [`cedar-integration-tests`](https://github.com/k9securityio/cedar-py/issues/3)\n\nYou can reach people interested in this project in the `#cedar-py` channel of the [Cedar Policy Slack workspace](https://communityinviter.com/apps/cedar-policy/cedar-policy-language).\n","funding_links":[],"categories":["Language and Platform Integrations"],"sub_categories":["Unofficial"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk9securityio%2Fcedar-py","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fk9securityio%2Fcedar-py","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fk9securityio%2Fcedar-py/lists"}