Vapora/docs/adrs/0010-cedar-authorization.html

<!DOCTYPE HTML>
<html lang="en" class="light sidebar-visible" dir="ltr">
    <head>
        <!-- Book generated using mdBook -->
        <meta charset="UTF-8">
        <title>0010: Cedar Authorization - VAPORA Platform Documentation</title>


        <!-- Custom HTML head -->

        <meta name="description" content="Comprehensive documentation for VAPORA, an intelligent development orchestration platform built entirely in Rust.">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="theme-color" content="#ffffff">

        <link rel="icon" href="../favicon.svg">
        <link rel="shortcut icon" href="../favicon.png">
        <link rel="stylesheet" href="../css/variables.css">
        <link rel="stylesheet" href="../css/general.css">
        <link rel="stylesheet" href="../css/chrome.css">
        <link rel="stylesheet" href="../css/print.css" media="print">

        <!-- Fonts -->
        <link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
        <link rel="stylesheet" href="../fonts/fonts.css">

        <!-- Highlight.js Stylesheets -->
        <link rel="stylesheet" id="highlight-css" href="../highlight.css">
        <link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
        <link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">

        <!-- Custom theme stylesheets -->


        <!-- Provide site root and default themes to javascript -->
        <script>
            const path_to_root = "../";
            const default_light_theme = "light";
            const default_dark_theme = "dark";
        </script>
        <!-- Start loading toc.js asap -->
        <script src="../toc.js"></script>
    </head>
    <body>
    <div id="mdbook-help-container">
        <div id="mdbook-help-popup">
            <h2 class="mdbook-help-title">Keyboard shortcuts</h2>
            <div>
                <p>Press <kbd>←</kbd> or <kbd>→</kbd> to navigate between chapters</p>
                <p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
                <p>Press <kbd>?</kbd> to show this help</p>
                <p>Press <kbd>Esc</kbd> to hide this help</p>
            </div>
        </div>
    </div>
    <div id="body-container">
        <!-- Work around some values being stored in localStorage wrapped in quotes -->
        <script>
            try {
                let theme = localStorage.getItem('mdbook-theme');
                let sidebar = localStorage.getItem('mdbook-sidebar');

                if (theme.startsWith('"') && theme.endsWith('"')) {
                    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
                }

                if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
                    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
                }
            } catch (e) { }
        </script>

        <!-- Set the theme before any content is loaded, prevents flash -->
        <script>
            const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
            let theme;
            try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
            if (theme === null || theme === undefined) { theme = default_theme; }
            const html = document.documentElement;
            html.classList.remove('light')
            html.classList.add(theme);
            html.classList.add("js");
        </script>

        <input type="checkbox" id="sidebar-toggle-anchor" class="hidden">

        <!-- Hide / unhide sidebar before it is displayed -->
        <script>
            let sidebar = null;
            const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
            if (document.body.clientWidth >= 1080) {
                try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
                sidebar = sidebar || 'visible';
            } else {
                sidebar = 'hidden';
            }
            sidebar_toggle.checked = sidebar === 'visible';
            html.classList.remove('sidebar-visible');
            html.classList.add("sidebar-" + sidebar);
        </script>

        <nav id="sidebar" class="sidebar" aria-label="Table of contents">
            <!-- populated by js -->
            <mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
            <noscript>
                <iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
            </noscript>
            <div id="sidebar-resize-handle" class="sidebar-resize-handle">
                <div class="sidebar-resize-indicator"></div>
            </div>
        </nav>

        <div id="page-wrapper" class="page-wrapper">

            <div class="page">
                <div id="menu-bar-hover-placeholder"></div>
                <div id="menu-bar" class="menu-bar sticky">
                    <div class="left-buttons">
                        <label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
                            <i class="fa fa-bars"></i>
                        </label>
                        <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
                            <i class="fa fa-paint-brush"></i>
                        </button>
                        <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
                            <li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
                        </ul>
                        <button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
                            <i class="fa fa-search"></i>
                        </button>
                    </div>

                    <h1 class="menu-title">VAPORA Platform Documentation</h1>

                    <div class="right-buttons">
                        <a href="../print.html" title="Print this book" aria-label="Print this book">
                            <i id="print-button" class="fa fa-print"></i>
                        </a>
                        <a href="https://github.com/vapora-platform/vapora" title="Git repository" aria-label="Git repository">
                            <i id="git-repository-button" class="fa fa-github"></i>
                        </a>
                        <a href="https://github.com/vapora-platform/vapora/edit/main/docs/src/../adrs/0010-cedar-authorization.md" title="Suggest an edit" aria-label="Suggest an edit">
                            <i id="git-edit-button" class="fa fa-edit"></i>
                        </a>

                    </div>
                </div>

                <div id="search-wrapper" class="hidden">
                    <form id="searchbar-outer" class="searchbar-outer">
                        <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
                    </form>
                    <div id="searchresults-outer" class="searchresults-outer hidden">
                        <div id="searchresults-header" class="searchresults-header"></div>
                        <ul id="searchresults">
                        </ul>
                    </div>
                </div>

                <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
                <script>
                    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
                    document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
                    Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
                        link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
                    });
                </script>

                <div id="content" class="content">
                    <main>
                        <h1 id="adr-010-cedar-policy-engine-para-authorization"><a class="header" href="#adr-010-cedar-policy-engine-para-authorization">ADR-010: Cedar Policy Engine para Authorization</a></h1>
<p><strong>Status</strong>: Accepted | Implemented
<strong>Date</strong>: 2024-11-01
<strong>Deciders</strong>: Security Architecture Team
<strong>Technical Story</strong>: Implementing declarative RBAC with audit-friendly policies</p>
<hr />
<h2 id="decision"><a class="header" href="#decision">Decision</a></h2>
<p>Usar <strong>Cedar policy engine</strong> para autorización declarativa (no custom RBAC, no Casbin).</p>
<hr />
<h2 id="rationale"><a class="header" href="#rationale">Rationale</a></h2>
<ol>
<li><strong>Declarative Policies</strong>: Separar políticas de autorización de lógica de código</li>
<li><strong>Auditable</strong>: Políticas versionables en Git, fácil de revisar</li>
<li><strong>AWS Proven</strong>: Usado internamente en AWS, production-proven</li>
<li><strong>Type Safe</strong>: Schemas para resources y principals</li>
<li><strong>No Vendor Lock-in</strong>: Open source, portable</li>
</ol>
<hr />
<h2 id="alternatives-considered"><a class="header" href="#alternatives-considered">Alternatives Considered</a></h2>
<h3 id="-custom-rbac-implementation"><a class="header" href="#-custom-rbac-implementation">❌ Custom RBAC Implementation</a></h3>
<ul>
<li><strong>Pros</strong>: Full control</li>
<li><strong>Cons</strong>: Mantenimiento pesada, fácil de introducir vulnerabilidades</li>
</ul>
<h3 id="-casbin-policy-engine"><a class="header" href="#-casbin-policy-engine">❌ Casbin (Policy Engine)</a></h3>
<ul>
<li><strong>Pros</strong>: Flexible</li>
<li><strong>Cons</strong>: Menos maduro en Rust ecosystem que Cedar</li>
</ul>
<h3 id="-cedar-chosen"><a class="header" href="#-cedar-chosen">✅ Cedar (CHOSEN)</a></h3>
<ul>
<li>Declarative, auditable, production-proven, AWS-backed</li>
</ul>
<hr />
<h2 id="trade-offs"><a class="header" href="#trade-offs">Trade-offs</a></h2>
<p><strong>Pros</strong>:</p>
<ul>
<li>✅ Declarative policies separate from code</li>
<li>✅ Easy to audit and version control</li>
<li>✅ Type-safe schema validation</li>
<li>✅ AWS production-proven</li>
<li>✅ Support for complex hierarchies (teams, orgs)</li>
</ul>
<p><strong>Cons</strong>:</p>
<ul>
<li>⚠️ Learning curve (new policy language)</li>
<li>⚠️ Policies must be pre-compiled for performance</li>
<li>⚠️ Smaller community than Casbin</li>
</ul>
<hr />
<h2 id="implementation"><a class="header" href="#implementation">Implementation</a></h2>
<p><strong>Policy Definition</strong>:</p>
<pre><code class="language-cedar">// policies/authorization.cedar

// Allow owners full access to projects
permit(
    principal,
    action,
    resource
)
when {
    principal.role == "owner"
};

// Allow members to create tasks
permit(
    principal in [User],
    action == Action::"create_task",
    resource in [Project]
)
when {
    principal.team_id == resource.team_id &amp;&amp;
    principal.role in ["owner", "member"]
};

// Deny editing completed tasks
forbid(
    principal,
    action == Action::"update_task",
    resource in [Task]
)
when {
    resource.status == "done"
};

// Allow viewing with viewer role
permit(
    principal,
    action == Action::"read",
    resource
)
when {
    principal.role == "viewer"
};
</code></pre>
<p><strong>Authorization Check in Backend</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// crates/vapora-backend/src/api/projects.rs
use cedar_policy::{Authorizer, Request, Entity, Entities};

async fn get_project(
    State(app_state): State&lt;AppState&gt;,
    Path(project_id): Path&lt;String&gt;,
) -&gt; Result&lt;Json&lt;Project&gt;, ApiError&gt; {
    let user = get_current_user()?;

    // Create authorization request
    let request = Request::new(
        user.into_entity(),
        action("read"),
        resource("project", &amp;project_id),
        None,
    )?;

    // Load policies and entities
    let policies = app_state.cedar_policies();
    let entities = app_state.cedar_entities();

    // Authorize
    let authorizer = Authorizer::new();
    let response = authorizer.is_authorized(&amp;request, &amp;policies, &amp;entities)?;

    match response.decision {
        Decision::Allow =&gt; {
            let project = app_state
                .project_service
                .get_project(&amp;user.tenant_id, &amp;project_id)
                .await?;
            Ok(Json(project))
        }
        Decision::Deny =&gt; Err(ApiError::Forbidden),
    }
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Entity Schema</strong>:</p>
<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]
</span><span class="boring">fn main() {
</span>// crates/vapora-backend/src/auth/entities.rs
pub struct User {
    pub id: String,
    pub role: UserRole,
    pub tenant_id: String,
}

pub struct Project {
    pub id: String,
    pub tenant_id: String,
    pub status: ProjectStatus,
}

// Convert to Cedar entities
impl From&lt;User&gt; for cedar_policy::Entity {
    fn from(user: User) -&gt; Self {
        // Serialized to Cedar format
    }
}
<span class="boring">}</span></code></pre></pre>
<p><strong>Key Files</strong>:</p>
<ul>
<li><code>/crates/vapora-backend/src/auth/</code> (Cedar integration)</li>
<li><code>/crates/vapora-backend/src/api/</code> (authorization checks)</li>
<li><code>/policies/authorization.cedar</code> (policy definitions)</li>
</ul>
<hr />
<h2 id="verification"><a class="header" href="#verification">Verification</a></h2>
<pre><code class="language-bash"># Validate policy syntax
cedar validate --schema schemas/schema.json --policies policies/authorization.cedar

# Test authorization decision
cedar evaluate \
  --schema schemas/schema.json \
  --policies policies/authorization.cedar \
  --entities entities.json \
  --request '{"principal": "User:alice", "action": "Action::read", "resource": "Project:123"}'

# Run authorization tests
cargo test -p vapora-backend test_cedar_authorization

# Test edge cases
cargo test -p vapora-backend test_forbidden_access
cargo test -p vapora-backend test_hierarchical_permissions
</code></pre>
<p><strong>Expected Output</strong>:</p>
<ul>
<li>Policies validate without syntax errors</li>
<li>Owners have full access</li>
<li>Members can create tasks in their team</li>
<li>Viewers can only read</li>
<li>Completed tasks cannot be edited</li>
<li>All tests pass</li>
</ul>
<hr />
<h2 id="consequences"><a class="header" href="#consequences">Consequences</a></h2>
<h3 id="authorization-model"><a class="header" href="#authorization-model">Authorization Model</a></h3>
<ul>
<li>Three roles: Owner, Member, Viewer</li>
<li>Hierarchical teams (can nest permissions)</li>
<li>Resource-scoped access (per project, per task)</li>
<li>Audit trail of policy decisions</li>
</ul>
<h3 id="policy-management"><a class="header" href="#policy-management">Policy Management</a></h3>
<ul>
<li>Policies versioned in Git</li>
<li>Policy changes require code review</li>
<li>Centralized policy repository</li>
<li>No runtime policy compilation (pre-compiled)</li>
</ul>
<h3 id="performance"><a class="header" href="#performance">Performance</a></h3>
<ul>
<li>Policy evaluation cached (policies don't change often)</li>
<li>Entity resolution cached per request</li>
<li>Negligible latency overhead (&lt;1ms)</li>
</ul>
<h3 id="scaling"><a class="header" href="#scaling">Scaling</a></h3>
<ul>
<li>Policies apply across all services</li>
<li>Cedar policies portable to other services</li>
<li>Centralized policy management</li>
</ul>
<hr />
<h2 id="references"><a class="header" href="#references">References</a></h2>
<ul>
<li><a href="https://docs.cedarpolicy.com/">Cedar Policy Language Documentation</a></li>
<li><a href="https://github.com/aws/cedar">Cedar GitHub Repository</a></li>
<li><code>/policies/authorization.cedar</code> (policy definitions)</li>
<li><code>/crates/vapora-backend/src/auth/</code> (integration code)</li>
</ul>
<hr />
<p><strong>Related ADRs</strong>: ADR-009 (Istio), ADR-025 (Multi-Tenancy)</p>

                    </main>

                    <nav class="nav-wrapper" aria-label="Page navigation">
                        <!-- Mobile navigation buttons -->
                            <a rel="prev" href="../../adrs/0009-istio-service-mesh.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                                <i class="fa fa-angle-left"></i>
                            </a>

                            <a rel="next prefetch" href="../../adrs/0011-secretumvault.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                                <i class="fa fa-angle-right"></i>
                            </a>

                        <div style="clear: both"></div>
                    </nav>
                </div>
            </div>

            <nav class="nav-wide-wrapper" aria-label="Page navigation">
                    <a rel="prev" href="../../adrs/0009-istio-service-mesh.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                        <i class="fa fa-angle-left"></i>
                    </a>

                    <a rel="next prefetch" href="../../adrs/0011-secretumvault.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                        <i class="fa fa-angle-right"></i>
                    </a>
            </nav>

        </div>


        <script>
            window.playground_copyable = true;
        </script>


        <script src="../elasticlunr.min.js"></script>
        <script src="../mark.min.js"></script>
        <script src="../searcher.js"></script>

        <script src="../clipboard.min.js"></script>
        <script src="../highlight.js"></script>
        <script src="../book.js"></script>

        <!-- Custom JS scripts -->


    </div>
    </body>
</html>
chore: extend doc: adr, tutorials, operations, etc 2026-01-12 03:32:47 +00:00			`<!DOCTYPE HTML>`
			`<html lang="en" class="light sidebar-visible" dir="ltr">`
			`<head>`
			`<!-- Book generated using mdBook -->`
			`<meta charset="UTF-8">`
			`<title>0010: Cedar Authorization - VAPORA Platform Documentation</title>`


			`<!-- Custom HTML head -->`

			`<meta name="description" content="Comprehensive documentation for VAPORA, an intelligent development orchestration platform built entirely in Rust.">`
			`<meta name="viewport" content="width=device-width, initial-scale=1">`
			`<meta name="theme-color" content="#ffffff">`

			`<link rel="icon" href="../favicon.svg">`
			`<link rel="shortcut icon" href="../favicon.png">`
			`<link rel="stylesheet" href="../css/variables.css">`
			`<link rel="stylesheet" href="../css/general.css">`
			`<link rel="stylesheet" href="../css/chrome.css">`
			`<link rel="stylesheet" href="../css/print.css" media="print">`

			`<!-- Fonts -->`
			`<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">`
			`<link rel="stylesheet" href="../fonts/fonts.css">`

			`<!-- Highlight.js Stylesheets -->`
			`<link rel="stylesheet" id="highlight-css" href="../highlight.css">`
			`<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">`
			`<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">`

			`<!-- Custom theme stylesheets -->`


			`<!-- Provide site root and default themes to javascript -->`
			`<script>`
			`const path_to_root = "../";`
			`const default_light_theme = "light";`
			`const default_dark_theme = "dark";`
			`</script>`
			`<!-- Start loading toc.js asap -->`
			`<script src="../toc.js"></script>`
			`</head>`
			`<body>`
			`<div id="mdbook-help-container">`
			`<div id="mdbook-help-popup">`
			`<h2 class="mdbook-help-title">Keyboard shortcuts</h2>`
			`<div>`
			`<p>Press <kbd>←</kbd> or <kbd>→</kbd> to navigate between chapters</p>`
			`<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>`
			`<p>Press <kbd>?</kbd> to show this help</p>`
			`<p>Press <kbd>Esc</kbd> to hide this help</p>`
			`</div>`
			`</div>`
			`</div>`
			`<div id="body-container">`
			`<!-- Work around some values being stored in localStorage wrapped in quotes -->`
			`<script>`
			`try {`
			`let theme = localStorage.getItem('mdbook-theme');`
			`let sidebar = localStorage.getItem('mdbook-sidebar');`

			`if (theme.startsWith('"') && theme.endsWith('"')) {`
			`localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));`
			`}`

			`if (sidebar.startsWith('"') && sidebar.endsWith('"')) {`
			`localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));`
			`}`
			`} catch (e) { }`
			`</script>`

			`<!-- Set the theme before any content is loaded, prevents flash -->`
			`<script>`
			`const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;`
			`let theme;`
			`try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }`
			`if (theme === null \|\| theme === undefined) { theme = default_theme; }`
			`const html = document.documentElement;`
			`html.classList.remove('light')`
			`html.classList.add(theme);`
			`html.classList.add("js");`
			`</script>`

			`<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">`

			`<!-- Hide / unhide sidebar before it is displayed -->`
			`<script>`
			`let sidebar = null;`
			`const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");`
			`if (document.body.clientWidth >= 1080) {`
			`try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }`
			`sidebar = sidebar \|\| 'visible';`
			`} else {`
			`sidebar = 'hidden';`
			`}`
			`sidebar_toggle.checked = sidebar === 'visible';`
			`html.classList.remove('sidebar-visible');`
			`html.classList.add("sidebar-" + sidebar);`
			`</script>`

			`<nav id="sidebar" class="sidebar" aria-label="Table of contents">`
			`<!-- populated by js -->`
			`<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>`
			`<noscript>`
			`<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>`
			`</noscript>`
			`<div id="sidebar-resize-handle" class="sidebar-resize-handle">`
			`<div class="sidebar-resize-indicator"></div>`
			`</div>`
			`</nav>`

			`<div id="page-wrapper" class="page-wrapper">`

			`<div class="page">`
			`<div id="menu-bar-hover-placeholder"></div>`
			`<div id="menu-bar" class="menu-bar sticky">`
			`<div class="left-buttons">`
			`<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">`
			`<i class="fa fa-bars"></i>`
			`</label>`
			`<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">`
			`<i class="fa fa-paint-brush"></i>`
			`</button>`
			`<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">`
			`<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>`
			`<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>`
			`<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>`
			`<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>`
			`<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>`
			`<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>`
			`</ul>`
			<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
			`<i class="fa fa-search"></i>`
			`</button>`
			`</div>`

			`<h1 class="menu-title">VAPORA Platform Documentation</h1>`

			`<div class="right-buttons">`
			`<a href="../print.html" title="Print this book" aria-label="Print this book">`
			`<i id="print-button" class="fa fa-print"></i>`
			`</a>`
			`<a href="https://github.com/vapora-platform/vapora" title="Git repository" aria-label="Git repository">`
			`<i id="git-repository-button" class="fa fa-github"></i>`
			`</a>`
			`<a href="https://github.com/vapora-platform/vapora/edit/main/docs/src/../adrs/0010-cedar-authorization.md" title="Suggest an edit" aria-label="Suggest an edit">`
			`<i id="git-edit-button" class="fa fa-edit"></i>`
			`</a>`

			`</div>`
			`</div>`

			`<div id="search-wrapper" class="hidden">`
			`<form id="searchbar-outer" class="searchbar-outer">`
			`<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">`
			`</form>`
			`<div id="searchresults-outer" class="searchresults-outer hidden">`
			`<div id="searchresults-header" class="searchresults-header"></div>`
			`<ul id="searchresults">`
			`</ul>`
			`</div>`
			`</div>`

			`<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->`
			`<script>`
			`document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');`
			`document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');`
			`Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {`
			`link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);`
			`});`
			`</script>`

			`<div id="content" class="content">`
			`<main>`
			`<h1 id="adr-010-cedar-policy-engine-para-authorization"><a class="header" href="#adr-010-cedar-policy-engine-para-authorization">ADR-010: Cedar Policy Engine para Authorization</a></h1>`
			`<p><strong>Status</strong>: Accepted \| Implemented`
			`<strong>Date</strong>: 2024-11-01`
			`<strong>Deciders</strong>: Security Architecture Team`
			`<strong>Technical Story</strong>: Implementing declarative RBAC with audit-friendly policies</p>`
			`<hr />`
			`<h2 id="decision"><a class="header" href="#decision">Decision</a></h2>`
			`<p>Usar <strong>Cedar policy engine</strong> para autorización declarativa (no custom RBAC, no Casbin).</p>`
			`<hr />`
			`<h2 id="rationale"><a class="header" href="#rationale">Rationale</a></h2>`
			`<ol>`
			`<li><strong>Declarative Policies</strong>: Separar políticas de autorización de lógica de código</li>`
			`<li><strong>Auditable</strong>: Políticas versionables en Git, fácil de revisar</li>`
			`<li><strong>AWS Proven</strong>: Usado internamente en AWS, production-proven</li>`
			`<li><strong>Type Safe</strong>: Schemas para resources y principals</li>`
			`<li><strong>No Vendor Lock-in</strong>: Open source, portable</li>`
			`</ol>`
			`<hr />`
			`<h2 id="alternatives-considered"><a class="header" href="#alternatives-considered">Alternatives Considered</a></h2>`
			`<h3 id="-custom-rbac-implementation"><a class="header" href="#-custom-rbac-implementation">❌ Custom RBAC Implementation</a></h3>`
			`<ul>`
			`<li><strong>Pros</strong>: Full control</li>`
			`<li><strong>Cons</strong>: Mantenimiento pesada, fácil de introducir vulnerabilidades</li>`
			`</ul>`
			`<h3 id="-casbin-policy-engine"><a class="header" href="#-casbin-policy-engine">❌ Casbin (Policy Engine)</a></h3>`
			`<ul>`
			`<li><strong>Pros</strong>: Flexible</li>`
			`<li><strong>Cons</strong>: Menos maduro en Rust ecosystem que Cedar</li>`
			`</ul>`
			`<h3 id="-cedar-chosen"><a class="header" href="#-cedar-chosen">✅ Cedar (CHOSEN)</a></h3>`
			`<ul>`
			`<li>Declarative, auditable, production-proven, AWS-backed</li>`
			`</ul>`
			`<hr />`
			`<h2 id="trade-offs"><a class="header" href="#trade-offs">Trade-offs</a></h2>`
			`<p><strong>Pros</strong>:</p>`
			`<ul>`
			`<li>✅ Declarative policies separate from code</li>`
			`<li>✅ Easy to audit and version control</li>`
			`<li>✅ Type-safe schema validation</li>`
			`<li>✅ AWS production-proven</li>`
			`<li>✅ Support for complex hierarchies (teams, orgs)</li>`
			`</ul>`
			`<p><strong>Cons</strong>:</p>`
			`<ul>`
			`<li>⚠️ Learning curve (new policy language)</li>`
			`<li>⚠️ Policies must be pre-compiled for performance</li>`
			`<li>⚠️ Smaller community than Casbin</li>`
			`</ul>`
			`<hr />`
			`<h2 id="implementation"><a class="header" href="#implementation">Implementation</a></h2>`
			`<p><strong>Policy Definition</strong>:</p>`
			`<pre><code class="language-cedar">// policies/authorization.cedar`

			`// Allow owners full access to projects`
			`permit(`
			`principal,`
			`action,`
			`resource`
			`)`
			`when {`
			`principal.role == "owner"`
			`};`

			`// Allow members to create tasks`
			`permit(`
			`principal in [User],`
			`action == Action::"create_task",`
			`resource in [Project]`
			`)`
			`when {`
			`principal.team_id == resource.team_id &&`
			`principal.role in ["owner", "member"]`
			`};`

			`// Deny editing completed tasks`
			`forbid(`
			`principal,`
			`action == Action::"update_task",`
			`resource in [Task]`
			`)`
			`when {`
			`resource.status == "done"`
			`};`

			`// Allow viewing with viewer role`
			`permit(`
			`principal,`
			`action == Action::"read",`
			`resource`
			`)`
			`when {`
			`principal.role == "viewer"`
			`};`
			`</code></pre>`
			`<p><strong>Authorization Check in Backend</strong>:</p>`
			`<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]`
			`</span><span class="boring">fn main() {`
			`</span>// crates/vapora-backend/src/api/projects.rs`
			`use cedar_policy::{Authorizer, Request, Entity, Entities};`

			`async fn get_project(`
			`State(app_state): State<AppState>,`
			`Path(project_id): Path<String>,`
			`) -> Result<Json<Project>, ApiError> {`
			`let user = get_current_user()?;`

			`// Create authorization request`
			`let request = Request::new(`
			`user.into_entity(),`
			`action("read"),`
			`resource("project", &project_id),`
			`None,`
			`)?;`

			`// Load policies and entities`
			`let policies = app_state.cedar_policies();`
			`let entities = app_state.cedar_entities();`

			`// Authorize`
			`let authorizer = Authorizer::new();`
			`let response = authorizer.is_authorized(&request, &policies, &entities)?;`

			`match response.decision {`
			`Decision::Allow => {`
			`let project = app_state`
			`.project_service`
			`.get_project(&user.tenant_id, &project_id)`
			`.await?;`
			`Ok(Json(project))`
			`}`
			`Decision::Deny => Err(ApiError::Forbidden),`
			`}`
			`}`
			`<span class="boring">}</span></code></pre></pre>`
			`<p><strong>Entity Schema</strong>:</p>`
			`<pre><pre class="playground"><code class="language-rust"><span class="boring">#![allow(unused)]`
			`</span><span class="boring">fn main() {`
			`</span>// crates/vapora-backend/src/auth/entities.rs`
			`pub struct User {`
			`pub id: String,`
			`pub role: UserRole,`
			`pub tenant_id: String,`
			`}`

			`pub struct Project {`
			`pub id: String,`
			`pub tenant_id: String,`
			`pub status: ProjectStatus,`
			`}`

			`// Convert to Cedar entities`
			`impl From<User> for cedar_policy::Entity {`
			`fn from(user: User) -> Self {`
			`// Serialized to Cedar format`
			`}`
			`}`
			`<span class="boring">}</span></code></pre></pre>`
			`<p><strong>Key Files</strong>:</p>`
			`<ul>`
			`<li><code>/crates/vapora-backend/src/auth/</code> (Cedar integration)</li>`
			`<li><code>/crates/vapora-backend/src/api/</code> (authorization checks)</li>`
			`<li><code>/policies/authorization.cedar</code> (policy definitions)</li>`
			`</ul>`
			`<hr />`
			`<h2 id="verification"><a class="header" href="#verification">Verification</a></h2>`
			`<pre><code class="language-bash"># Validate policy syntax`
			`cedar validate --schema schemas/schema.json --policies policies/authorization.cedar`

			`# Test authorization decision`
			`cedar evaluate \`
			`--schema schemas/schema.json \`
			`--policies policies/authorization.cedar \`
			`--entities entities.json \`
			`--request '{"principal": "User:alice", "action": "Action::read", "resource": "Project:123"}'`

			`# Run authorization tests`
			`cargo test -p vapora-backend test_cedar_authorization`

			`# Test edge cases`
			`cargo test -p vapora-backend test_forbidden_access`
			`cargo test -p vapora-backend test_hierarchical_permissions`
			`</code></pre>`
			`<p><strong>Expected Output</strong>:</p>`
			`<ul>`
			`<li>Policies validate without syntax errors</li>`
			`<li>Owners have full access</li>`
			`<li>Members can create tasks in their team</li>`
			`<li>Viewers can only read</li>`
			`<li>Completed tasks cannot be edited</li>`
			`<li>All tests pass</li>`
			`</ul>`
			`<hr />`
			`<h2 id="consequences"><a class="header" href="#consequences">Consequences</a></h2>`
			`<h3 id="authorization-model"><a class="header" href="#authorization-model">Authorization Model</a></h3>`
			`<ul>`
			`<li>Three roles: Owner, Member, Viewer</li>`
			`<li>Hierarchical teams (can nest permissions)</li>`
			`<li>Resource-scoped access (per project, per task)</li>`
			`<li>Audit trail of policy decisions</li>`
			`</ul>`
			`<h3 id="policy-management"><a class="header" href="#policy-management">Policy Management</a></h3>`
			`<ul>`
			`<li>Policies versioned in Git</li>`
			`<li>Policy changes require code review</li>`
			`<li>Centralized policy repository</li>`
			`<li>No runtime policy compilation (pre-compiled)</li>`
			`</ul>`
			`<h3 id="performance"><a class="header" href="#performance">Performance</a></h3>`
			`<ul>`
			`<li>Policy evaluation cached (policies don't change often)</li>`
			`<li>Entity resolution cached per request</li>`
			`<li>Negligible latency overhead (<1ms)</li>`
			`</ul>`
			`<h3 id="scaling"><a class="header" href="#scaling">Scaling</a></h3>`
			`<ul>`
			`<li>Policies apply across all services</li>`
			`<li>Cedar policies portable to other services</li>`
			`<li>Centralized policy management</li>`
			`</ul>`
			`<hr />`
			`<h2 id="references"><a class="header" href="#references">References</a></h2>`
			`<ul>`
			`<li><a href="https://docs.cedarpolicy.com/">Cedar Policy Language Documentation</a></li>`
			`<li><a href="https://github.com/aws/cedar">Cedar GitHub Repository</a></li>`
			`<li><code>/policies/authorization.cedar</code> (policy definitions)</li>`
			`<li><code>/crates/vapora-backend/src/auth/</code> (integration code)</li>`
			`</ul>`
			`<hr />`
			`<p><strong>Related ADRs</strong>: ADR-009 (Istio), ADR-025 (Multi-Tenancy)</p>`

			`</main>`

			`<nav class="nav-wrapper" aria-label="Page navigation">`
			`<!-- Mobile navigation buttons -->`
			`<a rel="prev" href="../../adrs/0009-istio-service-mesh.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">`
			`<i class="fa fa-angle-left"></i>`
			`</a>`

			`<a rel="next prefetch" href="../../adrs/0011-secretumvault.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">`
			`<i class="fa fa-angle-right"></i>`
			`</a>`

			`<div style="clear: both"></div>`
			`</nav>`
			`</div>`
			`</div>`

			`<nav class="nav-wide-wrapper" aria-label="Page navigation">`
			`<a rel="prev" href="../../adrs/0009-istio-service-mesh.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">`
			`<i class="fa fa-angle-left"></i>`
			`</a>`

			`<a rel="next prefetch" href="../../adrs/0011-secretumvault.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">`
			`<i class="fa fa-angle-right"></i>`
			`</a>`
			`</nav>`

			`</div>`




			`<script>`
			`window.playground_copyable = true;`
			`</script>`


			`<script src="../elasticlunr.min.js"></script>`
			`<script src="../mark.min.js"></script>`
			`<script src="../searcher.js"></script>`

			`<script src="../clipboard.min.js"></script>`
			`<script src="../highlight.js"></script>`
			`<script src="../book.js"></script>`

			`<!-- Custom JS scripts -->`


			`</div>`
			`</body>`
			`</html>`