Use the Query API to ask Oso complex questions

Typical application authorization logic answers a single question: “Can this user do this action on this resource?” Evaluating that question is hardcoded into your application and answering different questions requires writing new code. As the logic changes all these evaluation paths need to be updated.

Oso takes a different approach and lets you declaratively model your authorization logic. This policy and data can then be used to answer multiple questions.

If you have a complicated question like -- "What are all the users that can do this action on this resource?" -- you can ask that question directly using Oso’s Query endpoint.

With Query, you can write a rule to answer any question you have. You can query custom and builtin polar rules in different ways depending on the information you have and the information you want.

Oso has other builtin endpoints for many common questions. Authorize lets you ask if a user can do an action on a resource. List gets you all the resources a user can do that action on. Actions gives you all the actions a user can do on a resource. And you can query the facts you've inserted into Oso Cloud with Get.

You are not limited to these and can ask anything you want with the Query endpoint.

For a full guide on using query read the docs.

‍

Logs of Recent Authorizations

Logging in Oso Cloud is now enabled by default. Up until now, you had to string up your own logging system for debugging authorizations. Now, you can use the Logs page to see debugging information about every authorization request made by your application with 100% coverage.

Logs include all of the query inputs provided by your application as well as the results returned. Replay queries against your current policy and facts in the Explain view and see how rules in your policy contribute to the result.

With this tool, you can quickly identify why a recent request failed (or why it succeeded unexpectedly). The logs also show queries with wildcard arguments if you’re using the new Query API, along with a count of the results returned.

‍

Creating and deleting environments

Environments management is self-serve! We've had support for multiple environments for a couple of months. However, environments, up until this point, were provisioned manually by Oso engineers.

Spinning up additional environments is important for ensuring your application authorization service matches your development or continuous integration workflow. Now, you can create and delete environments when you want them (or not) with self-service environment management right in the Oso console.

‍

Edit your Policy Directly inside the Oso Cloud Dashboard

When using the dashboard to build your first Oso Cloud policy, you used to have to download the policy locally to then upload it into your Oso Cloud environment with oso-cloud policy. When you made changes to your policy, you had to use oso-cloud validate or install our VSCode extension to know if the policy was valid before uploading it.

To make it quicker and easier to get up and running with Oso Cloud, we’ve added a web-based editor so that you can view and modify your policy directly in the Oso Cloud dashboard. As shown in the screenshot below, the editor provides inline error messages as you write, just like our VSCode extension does.

‍

Read only API Keys

It's common for different parts of your application to need different levels of access to your authorization service. Some services might not need to modify any authorization-relevant data, they'll only need to perform authorize requests. You might also want to grant individuals, rather than applications, access to your authorization data for debugging and would prefer not to have to ask them to “promise to be extra careful not to mess with anything”.

Without a managed authorization service, you might need to then build this logic into your authorization itself, or rely on the security model of the system where you store your authorization-relevant data (usually a database). Both of these solutions can be painful to maintain over time.

With Oso Cloud, you can now solve this by issuing "Read-Only" API keys to apps/services/individuals. A "Read-Only" key can only be used to read facts and authorize actions, but not to write facts or update policies.

‍

Changelog (July - August)

• In the Explain UI: highlight the parts of the policy used in the current result to make it easier to trace through why a decision was returned.
• Add new declare keyword which tells the validation logic to accept facts matching that form, even though it is not currently used in the policy.
• Support inviting users to organizations (paid plans only)
• Add Google as an authentication provider.
• Return friendlier error message when we detect an unsupported policy.
• Support adding facts in the UI so you can quickly test policies in development.
• Fix fact deletion from the UI.
• Check for newer versions when calling the CLI.
• Add support for customizing the installation location of the CLI.
• Persist connections in the client SDK's to reduce the number of network round-trips when authorizing.
• Standardize client APIs around a simple data format to make it easier to use and understand how Oso uses application data.
• Increase internal sqlite connection to improve the request throughput
• Properly check HTTP status codes in the client to return better errors.
• Set content length header to fix a bug causing proxied requests to fail.
• Cache authentication information to reduce request latency.
• Fix infinite redirect bug in the UI when a user is logged out.
• Make it easier to read/parse the output of results from the CLI.
• Fix a bug in the CLI installer, ensuring upgrades will work.
• Better support unification in policies. Policies can now unify inputs, and will return an error message for cases that don't work.
• Support looking up facts based on integer literals in the policy.
• Update the list of potential facts on fact save, not receive. This fixes an issue in which sometimes facts wouldn't be used in a policy decision.

‍

Quickstart & Next Steps

If you'd like to try out any of these new features get started here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.

‍New Explain Tool

When you make an authorize request, Oso Cloud tells you if a user can do a certain action on a resource. You get back a true or a false. But what do you do if you don't get the answer you were expecting? It can be hard to debug problems with the policy which is why we've added a new tool to the dashboard.

With the explain tool, you can see exactly why a query succeeded or failed. When a query is evaluated, the policy looks for the existence of certain facts. These could be has_role facts or has_permission facts or any other facts your policy uses. You can also see all the different possible sets of facts that would mean the user is allowed to do the action and which of those were actually found. It's a powerful debugging tool that we have used a lot ourselves and we know that it will help you too.

To get access to the explain tool, get started with Oso Cloud.

‍

Context Facts

We’ve heard from a lot of folks that authorization sometimes depends on information that is hard to migrate into the Oso Cloud data store. For example:

• Deep resource hierarchies: you may wish to grant permissions for items that belong to an entity in your app, such as read access for issues in a repository if you’re building an app like GitHub. You may want to be able to make authorization decisions about such items while keeping your own database as the source of truth about these sorts of relationships between entities.
• Claims from a user token: your users may get certain roles or permissions based on their authentication token (such as a JWT).
• Request-specific context: if you want to protect resources based on IP addresses, or time of day, or other ephemeral request properties.

To address this feedback, we’ve added a new feature to Oso Cloud called “context facts”. Now whenever you ask Oso Cloud an authorization question, you can include contextual information for us to take into consideration when answering the question. Context Facts are available in the CLI and all client libraries: Go, Node, Python, Ruby.

‍

Tutorial: GitCloud Sample App

To help users understand how to add authorization using Oso Cloud in a real world app composed of multiple services, we created GitCloud, a GitHub/GitLab-like sample application.

For a tutorial on how GitCloud leverages Oso Cloud, see our latest doc on securing a real world app using Oso Cloud. It covers the three main pieces involved in adding authorization: enforcement, modeling, and data management.

‍

‍Updated Policy Examples

Last, but not least, we've taken a fresh coat of paint to our example policies featured in Modeling Building Blocks and the Policy Builder.

We've expanded the sections covering the "Building Blocks" themselves to give a more conceptual overview of common policy structures. For example, we've described what we mean by Actors and Resources, how to use Roles in a policy, what a Resource Hierarchy is, and how to use generic Attributes.

All of these are reflected in the latest policy builder, making it even easier to get a full policy for your use case, with best practices built-in, in a matter of minutes!

‍

Changelog (May - July)

• Add validation that checks whether an inserted fact is valid, based on whether the current policy references it. This prevents incorrect facts from being inserted into the database.
• Improve the performance of the batch authorize_resources endpoint by constructing a single query for all resources.
• Fix a problem where a backlog of pending analytics events would gradually consume more resources and cause a performance degradation.
• Add overlay facts implementations to all clients (see above).
• Add types to the Node.js client SDK.
• Reorganize the Polar Syntax documentation for easier discoverability.
• Add a simple client-server versioning scheme.
• Improved performance for most policies by 2x, and recursive policies by up to 500x.

‍

Quickstart & Next Steps

If you'd like to try out any of these new features get started here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.

‍Docs: How Oso Cloud Works

We get a lot of questions about how Oso Cloud works, what you can do with it, and how it helps you organize authorization data and logic. To answer these, we put our ideas down in a new doc called How Oso Cloud Works.

Give it a read and get acquainted with our new managed product:

• Where does Oso Cloud fit into your infrastructure?
• What types of questions can your applications ask Oso Cloud?
• How does Oso Cloud store data about resources in your applications?
• How does Oso Cloud use permissions and resource data to make access decisions?
• How should your applications insert and update data in Oso Cloud?

‍

New Facts-Based Approach and APIs

While roles and relationships cover a wide range of authorization use cases, many companies have additional requirements involving some form of attributes. We’ve made it possible to represent attribute-based authorization so now Oso Cloud covers all commonly-seen authorization models:

• Custom Roles: allow users to dynamically create and grant custom permissions to roles.
• Default Roles: let users choose a default role for all members of their organization to inherit.
• Public Resources: grant everyone read access to a resource that has been marked as public.
• User Statuses: grant permissions only to users who are marked as active.
• Toggles: conditionally grant permissions to roles based on a resource attribute

‍

‍

The Policy Builder has examples of how to use these patterns in your Oso Cloud policies.

To support such a wide variety of ways to think about authorization, we switched from storingroles and relations to storing more general facts. Read more about facts in How Oso Cloud Works.

In moving to this more general facts-based approach, we will soon be removing the /roles and /relations endpoints in the Oso Cloud HTTP API in favor of the more general /facts endpoint. We recommend updating to the latest versions of the Oso Cloud CLI and client libraries to prepare for this change.

‍

Support for Multiple Environments

We’ve exposed an interface for managing multiple versions of your Oso Cloud policy and data to allow for better development and testing workflows. Just as you might have both a staging and production database, now you can have a staging and production authorization engine.

Each environment in Oso Cloud uses a different API key, which you can access (and reset!) from the web interface. This means that your application code doesn’t need to know what environment it’s accessing, you can just treat your API keys the same way you treat other configuration values that vary across deployments (such as your database handles).

‍

‍

Additionally, backups can be accessed across environments, which makes it possible to copy data from one environment to another. This can make maintaining dev/prod parity much easier. You can read more here.

‍

Changelog (April - May)

• Released the Oso Cloud SDK for Ruby.
• Updated the dashboard to provide an overview of the current state of your Oso Cloud instance. This page now includes a summary of the data stored, and log of recent authorizations. If you haven’t yet tried out Oso Cloud, the dashboard will give you some simple ways to get started.
• Improved the query evaluation logic so that allowed decisions will often shortcut evaluation and return faster decisions.
• Built a load testing harness, and used this to measure best and worst case latency and throughput. We’ll share the results of this soon.
• Added a bulk deletion API so that bulk operations can be handled in a single network request.
• Added read/write APIs for the fact-based approach (see above), which also permit passing in wildcard parameters to fetch multiple facts.
• API documentation autogenerated from our OpenAPI schema to make it easier for anyone developing against the Oso Cloud API directly.
• Added a bulk authorization API authorize_resources so that applications can save the network latency of making multiple round-trips when they know ahead of time the set of resources that need to be authorized.
• Standardized errors across all endpoints to return a JSON object with an error message field to make it easier to handle errors consistently in the client.

‍

Quickstart & Next Steps

Our team is happy to help you get started with Oso Cloud. If you'd like to try out any of these new features get started here and read the docs here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.

‍

Oso Cloud is now in public beta. You can use your GitHub login to get access to the Oso Cloud Sandbox, a test environment that supports all the latest features. We’re frequently rolling out new features to the Sandbox, like our recent web and command line interfaces and client library updates (currently in Python, Go, and Node.js). Go to the Oso Cloud Sandbox to get your API key, and run through our quickstart guide to get started. For production access, reach out.

‍

Policy Builder

Many developers start by trying to understand what authorization model they have. All they’ve heard of is “roles” or “attributes.” Oso Cloud’s new Policy Builder gives you more structure than that by giving names to common patterns, like “org charts,” and showing you how to model those patterns in Oso. The Policy Builder is a tool that helps you try out different models that might apply to you and model them using Oso:

‍

Note: for more detailed documentation on these patterns, you can also read our Authorization Building Blocks guide.

‍

Guide: Add Oso Cloud to your App

Before adopting Oso Cloud, you’ll want to get a feel for what the process of adding it to your app looks like. That’s what this guide on adding Oso Cloud to your app is for — it shows you how to use the Oso Cloud client libraries (Python/Node/Go) to perform authorization checks in your app. The guide walks you through updating authorization data and enforcing authorization decisions in the language of your choice.

‍

To get started adding Oso Cloud to your app, read the guide.

‍

Oso Cloud Dashboard

We’ve built a new dashboard for Oso Cloud! It now summarizes the data you’ve added (e.g., roles and relations) and also logs for recent authorization requests to your Oso Cloud instance.

‍

Oso Cloud Audit Logs for Authorization Requests

We recently spoke with an Oso user who said: “Authorization systems are so tricky – they never tell you when they’re working.”

Not anymore :)

Now you can see that Oso Cloud is authorizing (or denying) requests in real time. The Logs page contains all recent authorization logs for authorize and list requests to your Oso Cloud instance. (For the Sandbox, we persist the last 512 logs for you. There’s no limit for production.)

‍

Changelog (Mar - April)

• Default allow rule so most policies can skip the boilerplate
• Documentation for building blocks and patterns
• Support for multiple tenants in a single Oso instance for use in the sandbox
• Enable using the “in” operator in policies when the right-hand side is a list of strings
• Dashboard page to show CLI usage and for retrieving API credentials
• API for monitoring recent requests
• Stats API to get a summary of data stored in Oso Cloud
• Prevent infinitely recursive rules from timing out by adding a limit — recursive rules will currently work up to a maximum of 128.
• Rolling backups of data stored in Oso Cloud to S3
• API for creating and restoring specific snapshots
• Internal data model changes to make it possible to store more kinds of data, and support more authorization models — watch this space!
• Add CLI option --fail-on-deny to the authorize command, so the CLI can be used in scripting workflows
• CLI command to see recent requests as JSON
• OpenAPI schema and UI explorer for use in language without an existing Oso SDK
• Additional reference documentation
• Modified API token format to support secret scanning measures
• Guide for adding Oso to an application
• Fixed a bug causing internal server errors before validating the policy
• Consolidated validation logic between the CLI and Oso cloud so that policies that validate correctly in the CLI will work in the cloud
• Integrated an OpenAPI fuzzer to find any other error cases that aren’t currently handled

‍

Quickstart & Next Steps

Oso Cloud is in public beta. You can get started here, and read the docs here. If you’d like to ask questions about how to set up Oso Cloud or authorization more generally, set up a 1x1 with our engineering team.

‍

Here’s the latest on Oso Cloud:

Visualize Your Authorization Model

One of the hardest problems in authorization is modeling. Should you represent this as a role or a relationship? How do you represent what’s going on in your app as authorization logic? To help you understand your model better, we’re experimenting with a model visualizer.

Today, the visualizer takes your Oso policy and displays it as a graph. For instance, this is what our GitClub application looks in the visualizer:

The visualizer currently supports resource blocks, which is how you model role-based access control (RBAC) in Oso. If you want to see what the visualizer would look like for your model, set up a 1x1 with the engineer who built it.

‍

Oso Cloud Docs

Oso Cloud docs are live.

For an Introduction to Oso Cloud, Quickstart, and API docs go to: https://cloud-docs.osohq.com/.

‍

Changelog (Feb-Mar)

• APIs and CLI commands for introspecting data stored in Oso
• CLI command to fetch latest policy
• Support for global roles, e.g. global superadmins
• Data validation against policy spec
• Custom Polar predicates
• Stats endpoint to view metrics for data stored by Oso
• Support for complex compositions of relationships
• Token-based authentication
• Oso Cloud clients for Go, Node, Python & Ruby
• Support for multiple environments
• CLI binary distributed via CDN

‍

Quickstart & Next Steps

Oso Cloud is in closed beta, but we have docs available here. If you’d like to learn more about Oso Cloud or try it out, set up a 1x1 with our engineering team.

‍

‍

We’ve been thinking about Oso Cloud for 2+ years. Here’s a preview while it’s in closed beta.

‍

What is Oso Cloud

Oso Cloud is a fully-managed authorization service. You use it to provide fine-grained access to resources in your app, to define deep permission hierarchies, and to share access control logic between services in your backend.

As with the open source Oso library, you write policies in our declarative authorization language, Polar, to describe who is allowed to do what in your app, e.g., an admin role at an organization always grants users write access to resources that the organization owns. Oso can then efficiently use those policies to make authorization decisions.

‍

But in contrast to the library, Oso Cloud lives separately from your applications, and stores its own data:

‍

An Oso Cloud server exposes three APIs:

1. The write API, which updates authorization data (or keeps it in sync with your application).
2. The check API, which makes authorization decisions.
3. And the policy API, which updates your policy code.

We provide client libraries to integrate Oso Cloud with your application, as well as a CLI for development and testing.

‍

Changelog (Nov-Feb)

• Add bulk load endpoints for role & relation data
• Add delete & read endpoints for data management
• Implement CLI frontend
• Deploy Oso service to cloud for early users
• Add policy validation for supported features
• Run server in watch mode, reload when policy changes
• Integrate new polar-core into service
• Add tracing
• Error on unsupported policies
• Expose CLI for adding/deleting roles/relations
• Make unsupported Polar features (in policy) parse-time errors

‍

Quickstart & Next Steps

Oso Cloud is in closed beta, but we have a preview Quickstart Guide available here. If you’d like to learn more about Oso Cloud or try it out, set up a 1x1 with our engineering team.

‍

‍