Policy Mapper defines packages for use in mapping of Identity Policy between Hexa IDQL and other formats.
hexa-org/policy-mapper
Hexa Policy Mapper Project

The Hexa Policy-Mapper Project provides administrative tools and development libraries for provisioning and mapping various policy systems into a common policy format known as IDQL. With Policy Mapper and IDQL, you can manage all your access policies consistently across software providers and cloud systems. The project includes a number of prebuilt integrations (we call them providers) as well as guidance on how to build your own providers.

This project provides:

  • a GoLang SDK which can be used in open source and commercial implementations to leverage this community library.
  • a Hexa CLI command line tool which can be used to provision policies to web accessible policy systems.
  • a GoLang interface (policyprovider.Provider) enabling the development of new policy provisioning providers.

Tip

Policy-Orchestrator is available as a sample web server implementation that uses Policy-Mapper.

Note

This project is currently under initial development and documentation may be out of date.

Supported Provider Integrations

Policy Mapper supports the following capabilities:

Syntactical Mapping : Policy formats that have a parsable format or language, and can be represented in a "tuple" (subject, action, resource, conditions, scope) are considered "syntactical". Policy-Mapper can map these formats to and from IDQL JSON format. Examples include: IDQL, Cedar, GCP Bind among others. Syntactical Mapping support is provided for:

* Google Bind Policy and Google Conditional Expression Language (CEL)
* AWS Verified Permissions and Cedar policy language including support for CEL

RBAC API Mapping : Some systems do not directly have a policy language but support role or group based access control settings through an API.

Policy Provisioning : Policy Mapper combines a set of Providers that call APIs to retrieve and map access policy, and to set policy.

Policy Validation : IDQL Policies may be validated against a Policy Information Model which specifies entities (subjects, resources), their schema, and how actions may be applied by subject entities against resource entities.

Policy Entity Syntax : New policy syntax is available that may be used in conjunction with Policy Validation. This is also useful when mapping to and from Cedar Policy Language.
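As an added illustration of the Policy Validation and entity-syntax ideas above (this is example code written for this page, not code from the policy-mapper project and not its SDK API), the standalone Go program below checks a simplified IDQL-style tuple against a constructed Policy Information Model. The JSON field names, the Type:id entity syntax and the sample model are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy is a simplified IDQL-style tuple; the field names are assumed, not the SDK's.
type Policy struct {
	Subjects []string `json:"subjects"`
	Actions  []string `json:"actions"`
	Object   string   `json:"object"`
}

// Model is a constructed Policy Information Model: resource type -> action -> allowed subject types.
type Model map[string]map[string]map[string]bool

// Validate checks each (subject, action) in p against the model entry for the object's entity
// type and returns one message per violation; nil means valid. Unmodelled types fail closed.
// Entity references are assumed to be written as Type:id (e.g. User:alice).
func Validate(m Model, p Policy) []string {
	var errs []string
	resType, _, _ := strings.Cut(p.Object, ":")
	for _, a := range p.Actions {
		allowed := m[resType][a] // nil when the resource type or action is not modelled
		if allowed == nil {
			errs = append(errs, fmt.Sprintf("action %q is not defined for %s", a, resType))
			continue
		}
		for _, s := range p.Subjects {
			if subjType, _, _ := strings.Cut(s, ":"); !allowed[subjType] {
				errs = append(errs, fmt.Sprintf("%s may not %s %s", s, a, p.Object))
			}
		}
	}
	return errs
}

func main() {
	model := Model{"Photo": {"view": {"User": true, "Group": true}, "delete": {"User": true}}}
	var p Policy // constructed sample: Group:staff may view but not delete photos
	doc := `{"subjects":["User:alice","Group:staff"],"actions":["view","delete"],"object":"Photo:vacation.jpg"}`
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		panic(err)
	}
	for _, e := range Validate(model, p) {
		fmt.Println("violation:", e)
	}
}
```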

Provisioning support is provided for:

Getting Started

Installation

Install go 1.21, clone and build the project as follows:

git clone https://github.com/hexa-org/policy-mapper.git

cd policy-mapper

sh ./build.sh

Hexa CLI Tool

To test the Hexa SDK and/or develop using scripts, use the Hexa CLI tool.

To run the Hexa CLI, simply type hexa at the command line once installed.

Note

Hexa CLI currently does not support filenames with spaces. Valid example: add gcp --file=my_key.json

Hexa Developer Documentation

To start using the Hexa Mapper SDK in your GoLang project, perform the following get command:

go get github.com/hexa-org/policy-mapper

For more details on how to map or provision policy in either console (shell) form or GoLang, see: Developer documentation.

Provider Documentation

Each provider in the providers directory structure has its own README.md that describes the provider and its capabilities and limitations.

| Provider | Folder | Description | Type | Support |
| --- | --- | --- | --- | --- |
| AWS AVP | providers/aws/avpProvider | Mapping to/from Cedar Policy language with Get/Set/Reconcile using AVP API | Syntactic Map | SDK, Console |
| AWS API Gateway | providers/aws/awsapigwProvider | Support for the Amazon API Gateway (experimental) | RBAC | SDK, Console |
| AWS Cognito | providers/aws/cognitoProvider | Virtual policy support using Cognito Userpools and Groups | RBAC | SDK, Console |
| Azure Provider | providers/azure/azureProvider | Support for Azure Application Role Policy | RBAC | SDK, Console |
| Google Cloud IAP Provider | providers/googlecloud/iapProvider | Mapping to/from Google Bind policy and IAP support for Google App Engine and GKE | Syntactic Map | SDK, Console |
| Open Policy Agent | providers/openpolicyagent | Integrates with Hexa Policy-OPA and interprets IDQL directly with conditions clause support | IDQL Interpreter | SDK, Console |
