from Hacker News

Cedar: A New Policy Language

by cjg on 1/20/23, 6:25 AM with 3 comments

  • by rendaw on 1/20/23, 12:08 PM

    IAM policies are yet another example of something that started as a "simple" declarative specification, then people realized it wasn't actually simple and started tacking on poorly thought out language constructs until it became a new awful embedded Turing-complete language.

    Rather than make a new language, they should have made a WASM or eBPF API and just let people use the full power of whatever language they want.

    > Cedar is written in Rust, which makes it run in milliseconds

    This statement is so weird. Milliseconds isn't particularly fast, and does that mean it runs in that time span regardless of complexity?

  • by vlmutolo on 1/20/23, 2:34 PM

    I like the Datalog-based policy language used in Biscuits.

    https://www.biscuitsec.org/

  • by Taikonerd on 1/20/23, 2:24 PM

    So, "like IAM but generalized to all cloud providers"?

    My worry is that there will be statements that only make sense with one cloud provider -- like, you're running on Google Cloud, and you want to make some declaration that only makes sense in Google Cloud. But I guess Cedar wouldn't allow that?

    It's like SQL libraries: the ones that are supposed to be database-agnostic usually have some escape hatch to say "I need to call this Postgres-specific function."