‍Docs: How Oso Cloud Works

We get a lot of questions about how Oso Cloud works, what you can do with it, and how it helps you organize authorization data and logic. To answer these, we put our ideas down in a new doc called How Oso Cloud Works.

Give it a read and get acquainted with our new managed product:

• Where does Oso Cloud fit into your infrastructure?
• What types of questions can your applications ask Oso Cloud?
• How does Oso Cloud store data about resources in your applications?
• How does Oso Cloud use permissions and resource data to make access decisions?
• How should your applications insert and update data in Oso Cloud?

‍

New Facts-Based Approach and APIs

While roles and relationships cover a wide range of authorization use cases, many companies have additional requirements involving some form of attributes. We’ve made it possible to represent attribute-based authorization so now Oso Cloud covers all commonly-seen authorization models:

• Custom Roles: allow users to dynamically create and grant custom permissions to roles.
• Default Roles: let users choose a default role for all members of their organization to inherit.
• Public Resources: grant everyone read access to a resource that has been marked as public.
• User Statuses: grant permissions only to users who are marked as active.
• Toggles: conditionally grant permissions to roles based on a resource attribute

‍

‍

The Policy Builder has examples of how to use these patterns in your Oso Cloud policies.

To support such a wide variety of ways to think about authorization, we switched from storingroles and relations to storing more general facts. Read more about facts in How Oso Cloud Works.

In moving to this more general facts-based approach, we will soon be removing the /roles and /relations endpoints in the Oso Cloud HTTP API in favor of the more general /facts endpoint. We recommend updating to the latest versions of the Oso Cloud CLI and client libraries to prepare for this change.

‍

Support for Multiple Environments

We’ve exposed an interface for managing multiple versions of your Oso Cloud policy and data to allow for better development and testing workflows. Just as you might have both a staging and production database, now you can have a staging and production authorization engine.

Each environment in Oso Cloud uses a different API key, which you can access (and reset!) from the web interface. This means that your application code doesn’t need to know what environment it’s accessing, you can just treat your API keys the same way you treat other configuration values that vary across deployments (such as your database handles).

‍

‍

Additionally, backups can be accessed across environments, which makes it possible to copy data from one environment to another. This can make maintaining dev/prod parity much easier. You can read more here.

‍

Changelog (April - May)

• Released the Oso Cloud SDK for Ruby.
• Updated the dashboard to provide an overview of the current state of your Oso Cloud instance. This page now includes a summary of the data stored, and log of recent authorizations. If you haven’t yet tried out Oso Cloud, the dashboard will give you some simple ways to get started.
• Improved the query evaluation logic so that allowed decisions will often shortcut evaluation and return faster decisions.
• Built a load testing harness, and used this to measure best and worst case latency and throughput. We’ll share the results of this soon.
• Added a bulk deletion API so that bulk operations can be handled in a single network request.
• Added read/write APIs for the fact-based approach (see above), which also permit passing in wildcard parameters to fetch multiple facts.
• API documentation autogenerated from our OpenAPI schema to make it easier for anyone developing against the Oso Cloud API directly.
• Added a bulk authorization API authorize_resources so that applications can save the network latency of making multiple round-trips when they know ahead of time the set of resources that need to be authorized.
• Standardized errors across all endpoints to return a JSON object with an error message field to make it easier to handle errors consistently in the client.

‍

Quickstart & Next Steps

Our team is happy to help you get started with Oso Cloud. If you'd like to try out any of these new features get started here and read the docs here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.

‍

Oso Cloud is now in public beta. You can use your GitHub login to get access to the Oso Cloud Sandbox, a test environment that supports all the latest features. We’re frequently rolling out new features to the Sandbox, like our recent web and command line interfaces and client library updates (currently in Python, Go, and Node.js). Go to the Oso Cloud Sandbox to get your API key, and run through our quickstart guide to get started. For production access, reach out.

‍

Policy Builder

Many developers start by trying to understand what authorization model they have. All they’ve heard of is “roles” or “attributes.” Oso Cloud’s new Policy Builder gives you more structure than that by giving names to common patterns, like “org charts,” and showing you how to model those patterns in Oso. The Policy Builder is a tool that helps you try out different models that might apply to you and model them using Oso:

‍

Note: for more detailed documentation on these patterns, you can also read our Authorization Building Blocks guide.

‍

Guide: Add Oso Cloud to your App

Before adopting Oso Cloud, you’ll want to get a feel for what the process of adding it to your app looks like. That’s what this guide on adding Oso Cloud to your app is for — it shows you how to use the Oso Cloud client libraries (Python/Node/Go) to perform authorization checks in your app. The guide walks you through updating authorization data and enforcing authorization decisions in the language of your choice.

‍

To get started adding Oso Cloud to your app, read the guide.

‍

Oso Cloud Dashboard

We’ve built a new dashboard for Oso Cloud! It now summarizes the data you’ve added (e.g., roles and relations) and also logs for recent authorization requests to your Oso Cloud instance.

‍

Oso Cloud Audit Logs for Authorization Requests

We recently spoke with an Oso user who said: “Authorization systems are so tricky – they never tell you when they’re working.”

Not anymore :)

Now you can see that Oso Cloud is authorizing (or denying) requests in real time. The Logs page contains all recent authorization logs for authorize and list requests to your Oso Cloud instance. (For the Sandbox, we persist the last 512 logs for you. There’s no limit for production.)

‍

Changelog (Mar - April)

• Default allow rule so most policies can skip the boilerplate
• Documentation for building blocks and patterns
• Support for multiple tenants in a single Oso instance for use in the sandbox
• Enable using the “in” operator in policies when the right-hand side is a list of strings
• Dashboard page to show CLI usage and for retrieving API credentials
• API for monitoring recent requests
• Stats API to get a summary of data stored in Oso Cloud
• Prevent infinitely recursive rules from timing out by adding a limit — recursive rules will currently work up to a maximum of 128.
• Rolling backups of data stored in Oso Cloud to S3
• API for creating and restoring specific snapshots
• Internal data model changes to make it possible to store more kinds of data, and support more authorization models — watch this space!
• Add CLI option --fail-on-deny to the authorize command, so the CLI can be used in scripting workflows
• CLI command to see recent requests as JSON
• OpenAPI schema and UI explorer for use in language without an existing Oso SDK
• Additional reference documentation
• Modified API token format to support secret scanning measures
• Guide for adding Oso to an application
• Fixed a bug causing internal server errors before validating the policy
• Consolidated validation logic between the CLI and Oso cloud so that policies that validate correctly in the CLI will work in the cloud
• Integrated an OpenAPI fuzzer to find any other error cases that aren’t currently handled

‍

Quickstart & Next Steps

Oso Cloud is in public beta. You can get started here, and read the docs here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.

‍

Here’s the latest on Oso Cloud:

Visualize Your Authorization Model

One of the hardest problems in authorization is modeling. Should you represent this as a role or a relationship? How do you represent what’s going on in your app as authorization logic? To help you understand your model better, we’re experimenting with a model visualizer.

Today, the visualizer takes your Oso policy and displays it as a graph. For instance, this is what our GitClub application looks in the visualizer:

The visualizer currently supports resource blocks, which is how you model role-based access control (RBAC) in Oso. If you want to see what the visualizer would look like for your model, set up a 1x1 with the engineer who built it.

‍

Oso Cloud Docs

Oso Cloud docs are live.

For an Introduction to Oso Cloud, Quickstart, and API docs go to: https://cloud-docs.osohq.com/.

‍

Changelog (Feb-Mar)

• APIs and CLI commands for introspecting data stored in Oso
• CLI command to fetch latest policy
• Support for global roles, e.g. global superadmins
• Data validation against policy spec
• Custom Polar predicates
• Stats endpoint to view metrics for data stored by Oso
• Support for complex compositions of relationships
• Token-based authentication
• Oso Cloud clients for Go, Node, Python & Ruby
• Support for multiple environments
• CLI binary distributed via CDN

‍

Quickstart & Next Steps

Oso Cloud is in closed beta, but we have docs available here. If you’d like to learn more about Oso Cloud or try it out, set up a 1x1 with our engineering team.

‍

‍

We’ve been thinking about Oso Cloud for 2+ years. Here’s a preview while it’s in closed beta.

‍

What is Oso Cloud

Oso Cloud is a fully-managed authorization service. You use it to provide fine-grained access to resources in your app, to define deep permission hierarchies, and to share access control logic between services in your backend.

As with the open source Oso library, you write policies in our declarative authorization language, Polar, to describe who is allowed to do what in your app, e.g., an admin role at an organization always grants users write access to resources that the organization owns. Oso can then efficiently use those policies to make authorization decisions.

‍

But in contrast to the library, Oso Cloud lives separately from your applications, and stores its own data:

‍

An Oso Cloud server exposes three APIs:

1. The write API, which updates authorization data (or keeps it in sync with your application).
2. The check API, which makes authorization decisions.
3. And the policy API, which updates your policy code.

We provide client libraries to integrate Oso Cloud with your application, as well as a CLI for development and testing.

‍

Changelog (Nov-Feb)

• Add bulk load endpoints for role & relation data
• Add delete & read endpoints for data management
• Implement CLI frontend
• Deploy Oso service to cloud for early users
• Add policy validation for supported features
• Run server in watch mode, reload when policy changes
• Integrate new polar-core into service
• Add tracing
• Error on unsupported policies
• Expose CLI for adding/deleting roles/relations
• Make unsupported Polar features (in policy) parse-time errors

‍

Quickstart & Next Steps

Oso Cloud is in closed beta, but we have a preview Quickstart Guide available here. If you’d like to learn more about Oso Cloud or try it out, set up a 1x1 with our engineering team.

‍

‍