Control Center - Cedar Policy Engine
A comprehensive Cedar policy engine implementation with advanced security features, compliance checking, and anomaly detection.
Source:
provisioning/platform/control-center/
Key Features
Cedar Policy Engine
- Policy Evaluation: High-performance policy evaluation with context injection
- Versioning: Complete policy versioning with rollback capabilities
- Templates: Configuration-driven policy templates with variable substitution
- Validation: Comprehensive policy validation with syntax and semantic checking
Security & Authentication
- JWT Authentication: Secure token-based authentication
- Multi-Factor Authentication: MFA support for sensitive operations
- Role-Based Access Control: Flexible RBAC with policy integration
- Session Management: Secure session handling with timeouts
Compliance Framework
- SOC2 Type II: Complete SOC2 compliance validation
- HIPAA: Healthcare data protection compliance
- Audit Trail: Comprehensive audit logging and reporting
- Impact Analysis: Policy change impact assessment
Anomaly Detection
- Statistical Analysis: Multiple statistical methods (Z-Score, IQR, Isolation Forest)
- Real-time Detection: Continuous monitoring of policy evaluations
- Alert Management: Configurable alerting through multiple channels
- Baseline Learning: Adaptive baseline calculation for improved accuracy
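As an added example (not code from the control-center repository), the following Rust program shows how the Z-Score and IQR methods listed above can be run against policy-evaluation metrics: a baseline window is learned first, then a live window is scored against it using the 2.5 detection threshold that the configuration section sets. The metric (denied evaluations per minute for one principal), every sample value, and the type and function names are constructed for this illustration.

```rust
// Added example, not part of the control-center code base. Baseline-driven
// anomaly detection over policy-evaluation metrics with the Z-score and IQR
// methods the README lists. All sample series below are constructed.

/// Summary statistics learned from a baseline window of observations.
#[derive(Debug, Clone, PartialEq)]
pub struct Baseline {
    pub mean: f64,
    pub std_dev: f64,
    pub q1: f64,
    pub q3: f64,
}

/// A flagged observation, the method that flagged it and its score.
#[derive(Debug, Clone, PartialEq)]
pub struct Anomaly {
    pub index: usize,
    pub value: f64,
    pub method: &'static str,
    pub score: f64,
}

/// Linearly interpolated percentile on an already sorted slice.
fn percentile(sorted: &[f64], p: f64) -> f64 {
    let rank = p * (sorted.len() - 1) as f64;
    let lo = rank.floor() as usize;
    let hi = rank.ceil() as usize;
    sorted[lo] + (sorted[hi] - sorted[lo]) * (rank - lo as f64)
}

/// Learn a baseline (mean, population std-dev, quartiles) from a window of values.
/// Returns None for fewer than two samples, since no spread can be estimated.
pub fn learn_baseline(window: &[f64]) -> Option<Baseline> {
    if window.len() < 2 {
        return None;
    }
    let n = window.len() as f64;
    let mean = window.iter().sum::<f64>() / n;
    let var = window.iter().map(|v| (v - mean).powi(2)).sum::<f64>() / n;
    let mut sorted = window.to_vec();
    sorted.sort_by(|a, b| a.partial_cmp(b).unwrap());
    Some(Baseline { mean, std_dev: var.sqrt(), q1: percentile(&sorted, 0.25), q3: percentile(&sorted, 0.75) })
}

/// Z-score check: |(x - mean) / std_dev| > threshold. A zero-spread baseline treats
/// any deviation from the mean as anomalous, which also avoids a division by zero.
pub fn zscore_anomalies(b: &Baseline, samples: &[f64], threshold: f64) -> Vec<Anomaly> {
    samples.iter().enumerate().filter_map(|(i, &v)| {
        let z = if b.std_dev == 0.0 {
            if v == b.mean { 0.0 } else { f64::INFINITY }
        } else {
            (v - b.mean) / b.std_dev
        };
        (z.abs() > threshold).then(|| Anomaly { index: i, value: v, method: "zscore", score: z })
    }).collect()
}

/// IQR check (Tukey fences): flag values outside [Q1 - k*IQR, Q3 + k*IQR]; k = 1.5 is the usual choice.
/// The score is the distance beyond the violated fence.
pub fn iqr_anomalies(b: &Baseline, samples: &[f64], k: f64) -> Vec<Anomaly> {
    let iqr = b.q3 - b.q1;
    let (lo, hi) = (b.q1 - k * iqr, b.q3 + k * iqr);
    samples.iter().enumerate().filter_map(|(i, &v)| {
        let score = if v < lo { lo - v } else { v - hi };
        (v < lo || v > hi).then(|| Anomaly { index: i, value: v, method: "iqr", score })
    }).collect()
}

/// Runs both detectors on constructed data and returns their findings.
pub fn demo() -> (Vec<Anomaly>, Vec<Anomaly>) {
    // Constructed baseline: denied evaluations per minute for one principal during a quiet period.
    let baseline_window = [2.0, 3.0, 2.0, 4.0, 3.0, 2.0, 3.0, 3.0, 2.0, 4.0];
    // Constructed live window: one burst of denials, the kind of signal that deserves an alert.
    let live = [3.0, 2.0, 30.0, 4.0];
    let b = learn_baseline(&baseline_window).expect("baseline needs at least two samples");
    (zscore_anomalies(&b, &live, 2.5), iqr_anomalies(&b, &live, 1.5))
}

fn main() {
    let (z, q) = demo();
    println!("z-score findings: {:?}", z);
    println!("iqr findings:     {:?}", q);
}
```

On the constructed data both detectors agree on the single burst (value 30 at index 2), while the ordinary value 4 stays under both the 2.5 sigma line and the upper Tukey fence of 4.5. Relearning the baseline on a sliding window of recent, non-flagged samples is what the "Baseline Learning" bullet refers to; flagged samples should be excluded from that window so a sustained attack cannot raise the baseline and silence itself.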
Storage & Persistence
- SurrealDB Integration: High-performance graph database backend
- Policy Storage: Versioned policy storage with metadata
- Metrics Storage: Policy evaluation metrics and analytics
- Compliance Records: Complete compliance audit trails
Quick Start
Installation
cd provisioning/platform/control-center
cargo build --release
Configuration
Copy and edit the configuration:
cp config.toml.example config.toml
Configuration example:
[database]
url = "surreal://localhost:8000"
username = "root"
password = "your-password"
[auth]
jwt_secret = "your-super-secret-key"
require_mfa = true
[compliance.soc2]
enabled = true
[anomaly]
enabled = true
detection_threshold = 2.5
Start Server
./target/release/control-center server --port 8080
Test Policy Evaluation
curl -X POST http://localhost:8080/policies/evaluate \
-H "Content-Type: application/json" \
-d '{
"principal": {"id": "user123", "roles": ["Developer"]},
"action": {"id": "access"},
"resource": {"id": "sensitive-db", "classification": "confidential"},
"context": {"mfa_enabled": true, "location": "US"}
}'
Policy Examples
Multi-Factor Authentication Policy
permit(
  principal,
  action == Action::"access",
  resource
) when {
  resource has classification &&
  // Cedar's `in` tests entity-hierarchy membership; set membership for strings uses contains()
  ["sensitive", "confidential"].contains(resource.classification) &&
  principal has mfa_enabled &&
  principal.mfa_enabled == true
};
Production Approval Policy
permit(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete"],
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  principal has approval &&
  // guard the nested attribute too, otherwise a missing field makes evaluation error out
  principal.approval has approved_by &&
  ["ProductionAdmin", "SRE"].contains(principal.approval.approved_by)
};
Geographic Restrictions
permit(
  principal,
  action,
  resource
) when {
  context has geo &&
  context.geo has country &&
  ["US", "CA", "GB", "DE"].contains(context.geo.country)
};
// Cedar combines permit policies with OR, so on its own this policy permits every
// action on every resource for in-region requests; combine it with forbid policies
// (or narrow its scope) so that geography is a restriction rather than a grant.
CLI Commands
Policy Management
# Validate policies
control-center policy validate policies/
# Test policy with test data
control-center policy test policies/mfa.cedar tests/data/mfa_test.json
# Analyze policy impact
control-center policy impact policies/new_policy.cedar
Compliance Checking
# Check SOC2 compliance
control-center compliance soc2
# Check HIPAA compliance
control-center compliance hipaa
# Generate compliance report
control-center compliance report --format html
API Endpoints
Policy Evaluation
- POST /policies/evaluate - Evaluate policy decision
- GET /policies - List all policies
- POST /policies - Create new policy
- PUT /policies/{id} - Update policy
- DELETE /policies/{id} - Delete policy
Policy Versions
- GET /policies/{id}/versions - List policy versions
- GET /policies/{id}/versions/{version} - Get specific version
- POST /policies/{id}/rollback/{version} - Rollback to version
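The versioning and rollback endpoints above can be backed by an append-only store. The following Rust sketch is an added example, not the project's src/storage/ code: it assumes that a rollback copies the target version's text into a new version rather than deleting newer ones, so the audit trail is never rewritten. PolicyStore, StoreError and the sample policy texts are hypothetical.

```rust
// Added example, not the control-center storage layer. An append-only, versioned
// policy store with rollback semantics. Assumption: rollback appends a new version
// whose text copies the target, so history is preserved for audit.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct PolicyVersion {
    pub version: u32,
    pub text: String,
    pub author: String,
    pub note: String,
}

#[derive(Debug, Default)]
pub struct PolicyStore {
    // policy id -> every version ever stored, oldest first
    versions: HashMap<String, Vec<PolicyVersion>>,
}

#[derive(Debug, PartialEq)]
pub enum StoreError {
    UnknownPolicy(String),
    UnknownVersion { id: String, version: u32 },
}

impl PolicyStore {
    pub fn new() -> Self {
        Self::default()
    }

    /// PUT /policies/{id}: append a new version; versions are 1-based and only ever grow.
    pub fn put(&mut self, id: &str, text: &str, author: &str, note: &str) -> u32 {
        let history = self.versions.entry(id.to_string()).or_default();
        let version = history.len() as u32 + 1;
        history.push(PolicyVersion {
            version,
            text: text.to_string(),
            author: author.to_string(),
            note: note.to_string(),
        });
        version
    }

    /// GET /policies/{id}: the active policy, i.e. the newest version.
    pub fn current(&self, id: &str) -> Result<&PolicyVersion, StoreError> {
        self.versions
            .get(id)
            .and_then(|h| h.last())
            .ok_or_else(|| StoreError::UnknownPolicy(id.to_string()))
    }

    /// GET /policies/{id}/versions
    pub fn list_versions(&self, id: &str) -> Result<&[PolicyVersion], StoreError> {
        self.versions
            .get(id)
            .map(|h| h.as_slice())
            .ok_or_else(|| StoreError::UnknownPolicy(id.to_string()))
    }

    /// GET /policies/{id}/versions/{version}
    pub fn get_version(&self, id: &str, version: u32) -> Result<&PolicyVersion, StoreError> {
        let history = self.versions.get(id).ok_or_else(|| StoreError::UnknownPolicy(id.to_string()))?;
        history
            .iter()
            .find(|v| v.version == version)
            .ok_or(StoreError::UnknownVersion { id: id.to_string(), version })
    }

    /// POST /policies/{id}/rollback/{version}: restore an older text as a *new* version,
    /// recording who rolled back and to what, instead of deleting the intermediate versions.
    pub fn rollback(&mut self, id: &str, version: u32, author: &str) -> Result<u32, StoreError> {
        let text = self.get_version(id, version)?.text.clone();
        let note = format!("rollback to version {version}");
        Ok(self.put(id, &text, author, &note))
    }
}

/// Constructed scenario: a strict policy, an over-permissive edit, then a rollback.
/// Returns (new version number, active text, total versions kept).
pub fn demo() -> Result<(u32, String, usize), StoreError> {
    let mut store = PolicyStore::new();
    store.put("mfa", "permit(principal, action, resource) when { principal.mfa_enabled == true };", "alice", "initial");
    store.put("mfa", "permit(principal, action, resource);", "bob", "relaxed while debugging");
    let v = store.rollback("mfa", 1, "alice")?;
    let active = store.current("mfa")?.text.clone();
    Ok((v, active, store.list_versions("mfa")?.len()))
}

fn main() {
    match demo() {
        Ok((v, text, n)) => println!("rolled back as version {v}; active policy: {text}; {n} versions retained"),
        Err(e) => eprintln!("store error: {e:?}"),
    }
}
```

Keeping the over-permissive version 2 in the history is deliberate: the audit trail and impact analysis both need to show that it existed, who wrote it, and when it was reverted.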
Compliance
- GET /compliance/soc2 - SOC2 compliance check
- GET /compliance/hipaa - HIPAA compliance check
- GET /compliance/report - Generate compliance report
Anomaly Detection
- GET /anomalies - List detected anomalies
- GET /anomalies/{id} - Get anomaly details
- POST /anomalies/detect - Trigger anomaly detection
Architecture
Core Components
- Policy Engine (src/policies/engine.rs)
  - Cedar policy evaluation
  - Context injection
  - Caching and optimization
- Storage Layer (src/storage/)
  - SurrealDB integration
  - Policy versioning
  - Metrics storage
- Compliance Framework (src/compliance/)
  - SOC2 checker
  - HIPAA validator
  - Report generation
- Anomaly Detection (src/anomaly/)
  - Statistical analysis
  - Real-time monitoring
  - Alert management
- Authentication (src/auth.rs)
  - JWT token management
  - Password hashing
  - Session handling
Configuration-Driven Design
The system follows PAP (Project Architecture Principles) with:
- No hardcoded values: All behavior controlled via configuration
- Dynamic loading: Policies and rules loaded from configuration
- Template-based: Policy generation through templates
- Environment-aware: Different configs for dev/test/prod
Deployment
Docker
FROM rust:1.75 as builder
WORKDIR /app
COPY . .
RUN cargo build --release
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates
COPY --from=builder /app/target/release/control-center /usr/local/bin/
EXPOSE 8080
CMD ["control-center", "server"]
Kubernetes
apiVersion: apps/v1
kind: Deployment
metadata:
  name: control-center
spec:
  replicas: 3
  # selector and matching pod labels are required by apps/v1 Deployments
  selector:
    matchLabels:
      app: control-center
  template:
    metadata:
      labels:
        app: control-center
    spec:
      containers:
        - name: control-center
          image: control-center:latest
          ports:
            - containerPort: 8080
          env:
            - name: DATABASE_URL
              value: "surreal://surrealdb:8000"
Related Documentation
- Architecture: Cedar Authorization
- User Guide: Authentication Layer