Authorize requests
The most common task users perform with Oso Cloud is authorizing actors' permissions for resources. We often refer to this as making "authorization decisions." Note that after making the authorization decision, you still need to enforce the decision.
To support authorization decisions, every Oso Cloud client has a built-in authorization API. However, which authorization API you use depends on where your authorization data is stored.
All data stored in Oso Cloud
If all relevant authorization data is stored in Oso Cloud, use the authorize command in your client.
This command generally requires that you specify the actor, permission, and resource.
For example, to decide if the User identified as alice (the actor) can read (the permission) the Organization identified as acme (the resource), use the following command:
oso-cloud authorize User:alice read Organization:acme
For more detailed code samples, see Enforce.
Some data stored locally
If your application database retains relevant authorization data, use the authorize_local command in your client.
For more details about...
- Setting up and using list filtering (also known as the distributed check API), see Local Authorization
- Code samples showing list filtering in action, see Enforce.
Details
Internally, Oso Cloud clients convert authorize and authorize_local commands into queries using the allow predicate.
To support this, all Polar policies have a default allow rule, which you may override with a custom allow rule.
For instance, when writing a policy test, the test assertions are exactly what you would be passing in via the authorize API.
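test "repo members can read their repositories" {
  setup {
    has_role(User{"alice"}, "member", Repository{"anvils"});
  }

  assert allow(User{"alice"}, "read", Repository{"anvils"});
}

# `app` (Flask), `oso` (the Oso Cloud client) and PermissionDenied are defined elsewhere in the application.
@app.route("/repos/<string:repoId>")
def get_repo(repoId):
    # Same actor, permission and resource as the assertion in the policy test.
    user = {"type": "User", "id": "alice"}
    repo = {"type": "Repository", "id": "anvils"}
    if not oso.authorize(user, "read", repo):
        raise PermissionDenied
    # Authorized: continue handling the request here.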
For more information, see Polar rules and facts: Default & custom allow rules.
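The page notes that an authorization decision still has to be enforced. The sketch below is an added example, not Oso's code: it wraps an authorize call so that a False result or any client error stops the request. StubOso, enforce and this PermissionDenied class are hypothetical names, and StubOso is a constructed stand-in for the Oso Cloud client so the example runs offline.

```python
# Added example: enforcing an authorize() decision and failing closed.
# StubOso is a constructed stand-in for the Oso Cloud client; it answers from
# an in-memory set of allowed (actor, action, resource) tuples.

class PermissionDenied(Exception):
    """Hypothetical application exception: the request must not proceed."""


class StubOso:
    def __init__(self, allowed, fail=False):
        self.allowed = set(allowed)
        self.fail = fail  # simulate an unreachable authorization service

    def authorize(self, actor, action, resource):
        if self.fail:
            raise ConnectionError("authorization service unreachable")
        key = (actor["type"], actor["id"], action, resource["type"], resource["id"])
        return key in self.allowed


def enforce(oso, actor, action, resource):
    """Return normally only on an explicit allow; deny on False or on any error."""
    try:
        decision = oso.authorize(actor, action, resource)
    except Exception as exc:
        # Fail closed: an error from the client is never treated as an allow.
        raise PermissionDenied("authorization check failed") from exc
    if decision is not True:
        raise PermissionDenied(
            f"{actor['id']} may not {action} {resource['type']}:{resource['id']}")


def get_repo(oso, user_id, repo_id):
    """Handler body: actor and resource ids come from the request, not constants."""
    user = {"type": "User", "id": user_id}
    repo = {"type": "Repository", "id": repo_id}
    enforce(oso, user, "read", repo)
    return {"id": repo_id}  # only reached after an allow


if __name__ == "__main__":
    oso = StubOso({("User", "alice", "read", "Repository", "anvils")})
    print(get_repo(oso, "alice", "anvils"))
    for client, repo in ((oso, "hammers"), (StubOso([], fail=True), "anvils")):
        try:
            get_repo(client, "alice", repo)
        except PermissionDenied as err:
            print("denied:", err, "| cause:", repr(err.__cause__))
```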
Other resources
For more details about...
- Authorization enforcement, see Integrate: Enforce
- Other types of client interactions, see Querying Oso Cloud