oso 0.12.4

Other bugs & improvements

  • Fixed bug with dot lookups in the head of a rule ( #933).
  • Fixed some memory leaks in the go library ( #944).

sqlalchemy-oso 0.8.0


The Oso Roles for SQLAlchemy feature, previously published as sqlalchemy-oso-preview, is no longer in preview and included as part of the sqlalchemy-oso package.

Breaking changes


This release contains breaking changes. Be sure to follow migration steps before upgrading.

Roles Package name changes

The new roles feature that was previously published in sqlalchemy-oso-preview as sqlalchemy_oso.roles2 has been renamed to sqlalchemy_oso.roles. The old roles feature that was previously sqlalchemy_oso.roles has been moved to sqlalchemy_oso.roles_old and has been deprecated. Any code written against the old roles feature should still work by updating the python import to alias it.

import sqlalchemy_oso.roles_old as roles

Roles configuration changes

We’ve made some updates to the syntax of the resource predicate, used to configure resources & roles for sqlalchemy-oso. The goal of these changes is to improve the readability of the configuration and make the roles features more intuitive to use.

Rename “perms” -> “permissions” in resource roles configuration

The roles parameter of the resource previously included a field called perms to specify the role permissions. We have renamed this field to permissions for clarity.

Add namespaces to role names

Previously, we required role names to be globally unique. Now, role names will be internally namespaced, removing the globally unique requirement. Like permissions, the role namespace is the resource name specified in the resource predicate. Roles names must be unique within a single resource namespace. Roles associated with other resources must be referenced using the namespace. Roles within the same resource can be referenced without the namespace.

Below is an example resource predicate that reflects the above changes.

    resource(_type: Organization, "org", actions, roles) if
        actions = ["invite", "list_repos"] and
        roles = {
            member: {
                # `perms` renamed to `permissions`
                permissions: ["invite"]
            owner: {
                permissions: ["list_repos"],
                # Roles from a different resource are now referenced by namespace
                implies: ["member", "repo:reader"]

Other bugs & improvements

  • Calling sqlalchemy_oso.SQLAlchemyOso.enable_roles() more than once will now raise an error. There’s no need to call the method multiple times.

  • Using a global SQLAlchemy declarative base class would previously result in some issues when reusing the same base class across multiple sqlalchemy_oso.SQLAlchemyOso instances, e.g., when running multiple tests that construct new SQLAlchemyOso instances but reuse the same global declarative base class. The issues are now fixed by ignoring internal models when verifying that all models descending from the given base class have primary keys of the same type. For more on that requirement, see the version 0.0.4 changelog.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.