The Hexa Policy-Mapper Project provides administrative tools and development libraries for provisioning and mapping various policy systems into a common policy format known as IDQL. With Policy Mapper and IDQL, you can manage all your access policies consistently across software providers and cloud systems. The project includes a number of prebuilt integrations (we call them providers) as well as guidance on how to build your own providers.
This project provides:
- a GoLang SDK which can be used in open source and commercial implementations to leverage this community library.
- a Hexa CLI command line tool which can be used to provision policies to web accessible policy systems.
- a GoLang interface (policyprovider.Provider) enabling the development of new policy provisioning providers.
Tip: Policy-Orchestrator is available as a sample web server implementation that uses Policy-Mapper.
Note: This project is currently under initial development and documentation may be out of date.
Policy Mapper supports the following capabilities:
Syntactical Mapping: Policy formats that have a parsable format or language, and can be represented as a "tuple" (subject, action, resource, conditions, scope), are considered "syntactical". Policy-Mapper can map these formats to and from the IDQL JSON format. Examples include IDQL, Cedar and GCP Bind, among others. Syntactical Mapping support is provided for:
* Google Bind Policy and Google Conditional Expression Language (CEL)
* AWS Verified Permissions and Cedar policy language including support for CEL
RBAC API Mapping: Some systems do not have a policy language of their own but expose role- or group-based access control settings through an API.
Policy Provisioning: Policy Mapper combines a set of Providers that call APIs to retrieve and map access policy, and to set policy.
Policy Validation: IDQL Policies may be validated against a Policy Information Model, which specifies entities (subjects, resources), their schema, and how actions may be applied by subject entities against resource entities.
Policy Entity Syntax: New policy syntax is available that may be used in conjunction with Policy Validation. This is also useful when mapping to and from the Cedar Policy Language.
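To make the "syntactical mapping" idea concrete, here is an added example (not code from the Policy-Mapper project) that maps a Google-style bind policy to a simplified (subject, action, resource) tuple and back. The `Tuple` type and the sample input are assumptions for illustration only; the real IDQL schema and the project's providers are richer than this.

```go
package main

import "encoding/json"

// Binding and BindPolicy follow the shape of a Google IAM binding policy.
type Binding struct {
	Role    string   `json:"role"`
	Members []string `json:"members"`
}
type BindPolicy struct {
	Bindings []Binding `json:"bindings"`
}

// Tuple is an assumed, simplified policy tuple; it is not the real IDQL schema.
type Tuple struct {
	Subjects []string `json:"subjects"`
	Action   string   `json:"action"`
	Resource string   `json:"resource"`
}

// BindToTuples maps each binding to one tuple scoped to resource.
// A binding with no members grants nothing and is dropped.
func BindToTuples(bindJSON []byte, resource string) ([]Tuple, error) {
	var bp BindPolicy
	if err := json.Unmarshal(bindJSON, &bp); err != nil {
		return nil, err
	}
	var out []Tuple
	for _, b := range bp.Bindings {
		if len(b.Members) > 0 {
			out = append(out, Tuple{Subjects: b.Members, Action: b.Role, Resource: resource})
		}
	}
	return out, nil
}

// TuplesToBind reverses the mapping. Tuples sharing an action merge into one
// binding, so a round trip normalises the policy rather than preserving it byte for byte.
func TuplesToBind(tuples []Tuple) BindPolicy {
	var bp BindPolicy
	idx := map[string]int{} // action -> index into bp.Bindings
	for _, t := range tuples {
		i, ok := idx[t.Action]
		if !ok {
			i, idx[t.Action] = len(bp.Bindings), len(bp.Bindings)
			bp.Bindings = append(bp.Bindings, Binding{Role: t.Action})
		}
		bp.Bindings[i].Members = append(bp.Bindings[i].Members, t.Subjects...)
	}
	return bp
}

// SampleBind is a constructed example input, not a policy taken from the project.
const SampleBind = `{"bindings":[{"role":"roles/iap.httpsResourceAccessor","members":["user:alice@example.com","group:dev@example.com"]},{"role":"roles/viewer","members":[]}]}`
```

Because the reverse mapping merges bindings, compare policies after mapping both sides to tuples rather than comparing raw JSON.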
Provisioning support is provided for:
- Google Policy for IAP Secured Resources (Application Engine and Compute Engine)
- Amazon Verified Permissions
- Open Policy Agent (OPA) with extensions to support IDQL, and an OPA extension plugin to support ABAC policy (conditions) processing
- Provisioning to RBAC-based policy systems, including (to be ported from hexa-org/policy-orchestrator):
  - Amazon
  - Microsoft Azure
Install go 1.21, then clone and build the project as follows:

```shell
git clone https://github.com/hexa-org/policy-mapper.git
cd policy-mapper
sh ./build.sh
```
To test the Hexa SDK and/or develop using scripts, use the Hexa CLI tool. To run the Hexa CLI, simply type `hexa` at the command line once installed.
Note: Hexa CLI currently does not support filenames with spaces. Valid example: `add gcp --file=my_key.json`
To start using the Hexa Mapper SDK in your GoLang project, run the following get command:

```shell
go get github.com/hexa-org/policy-mapper
```

For more details on how to map or provision policy in either console (shell) form or GoLang, see the Developer documentation.
Each provider in the providers directory structure has its own README.md that describes the provider and its capabilities and limitations.
Provider | Folder | Description | Type | Support |
---|---|---|---|---|
AWS AVP | providers/aws/avpProvider | Mapping to/from Cedar Policy language with Get/Set/Reconcile using AVP API | Syntactic Map | SDK,Console |
AWS API Gateway | providers/aws/awsapigwProvider | Support for the Amazon API Gateway (experimental) | RBAC | SDK,Console |
AWS Cognito | providers/aws/cognitoProvider | Virtual policy support using Cognito Userpools and Groups | RBAC | SDK,Console |
Azure Provider | providers/azure/azureProvider | Support for Azure Application Role Policy | RBAC | SDK,Console |
Google Cloud IAP Provider | providers/googlecloud/iapProvider | Mapping to/from Google Bind policy and IAP support for Google App Engine and GKE | Syntactic Map | SDK,Console |
Open Policy Agent | providers/openpolicyagent | Integrates with Hexa Policy-OPA and interprets IDQL directly with conditions clause support | IDQL Interpreter | SDK,Console |