Authorize Requests

Authorize requests

The most common task users perform with Oso Cloud is authorizing actors' permissions for resources. We often refer to this as making "authorization decisions." Note that after making the authorization decision, you still need to enforce the decision.

To support authorization decisions, every Oso Cloud client has a built-in authorization API. However, which authorization API you use depends on where your authorization data is stored.

Some data stored locally

If your application database retains relevant authorization data, use the authorize_local command in your client.

For more details about...

  • Setting up and using list filtering (also known as the distributed check API), see Local Authorization
  • Code samples showing list filtering in action, see Enforce.

All data stored in Oso Cloud

If all relevant authorization data is stored in Oso Cloud, use the authorize command in your client.

These command generally require that you specify the actor, permission, and resource.

For example, to decide if the User identified as alice (the actor) can read (the permission) the Organization identified as acme (the resource), use the following command:

oso-cloud authorize User:alice read Organization:acme

For more detailed code samples, see Enforce.

Details

Internally, Oso Cloud clients convert authorize and authorize_local commands into queries using the allow predicate.

To support this, all Polar policies have a default allow rule, which you may override with a custom allow rule.

For instance, when writing a policy test, the test assertions are exactly what you would be passing in via the authorize API.


test "repo members can read their repositories" {
setup {
has_role(User{"alice"}, "member", Repository{"anvils"});
}
assert allow(User{"alice"}, "read", Repository{"anvils"});
}


@app.route("/repos/<str:repoId>")
def get_repo(repoId):
user = { "type": "User", "id": "alice"}
repo = { "type": "Repository", "id": "anvils" }
if not oso.authorize(user, "read", repo):
raise PermissionDenied

For more information, see Polar rules and facts: Default & custom allow rules.

Other resources

For more details about...