Alice is member at organization-A
Alice is accountant at organization-B

ie Alice have multiple roles in multiple domains

How do I write policy such that Alice can perform account Action in organization-B but not in organization-A.

Thanks for putting such a compelling library out into the world! As something like this would quickly become part of an application's core infrastructure, the "developer preview" state is slightly concerning as subsequent releases on the way to 1.0 could result in headaches for those using the library.

I was wondering if you could share:

1. What do you perceive as being the roadmap to 1.0?
2. How drastic do you predict potential API changes to be?
3. Do you have a general timeline for a stable release?

I understand that answers to the above are conjecture, and aren't commitments to a feature-set or timeline. Thanks!

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

AWS Amplify / AppSync has some really great Authentication / Authorization mechanisms but mostly as primitives. Seems that Oso could level that up quite nicely.

Hi there

Is OSO a way of handling ABAC (attribute based access control)?

get_allowed_actions() returns a list of all actions an actor is allowed to take on a resource based on the policy. Currently, this is only implemented in the Python library.

We'd like to add this to the other language libraries:

• Node.js
• Go
• Ruby
• Java
• Rust

Hello there,

I appreciate very much this awesome tool that fits very well with the project I am working on.
I am wondering if there somewhere is planned a integration with font-end (Angular/Typescript) side to validate policies.

Can be very powerful to restrict component access based on roles for example.

Thanks a lot for a such awesome tool and keep going!

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

Summary

We want to expose a safe (i.e., sandboxed) way for end users to write custom, dynamic Polar policies.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

Hi there! It's been fun to play with oso so far. 😃

One observation: the ruby library (probably the other languages as well?) uses JSON to communicate, and running a toy example, I've triggered a case where the trace is responsible for an evaluation that otherwise was successful.

My toy code is fib:

fib(0, 1) if cut;
fib(1, 1) if cut;
fib(n, a+b) if fib(n-1, a) and fib(n-2, b);

running this with oso fib.polar, and querying fib(12, x), I get:

Traceback (most recent call last):
        15: from b/oso:29:in `<main>'
        14: from b/oso:29:in `load'
        13: from /Users/stephan/Misc/oso/languages/ruby/bin/oso:7:in `<top (required)>'
        12: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:96:in `repl'
        11: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:96:in `loop'
        10: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `block in repl'
         9: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `to_a'
         8: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `each'
         7: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `each'
         6: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/polar.rb:112:in `each'
         5: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/query.rb:115:in `block in start'
         4: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/query.rb:115:in `loop'
         3: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/query.rb:116:in `block (2 levels) in start'
         2: from /Users/stephan/Misc/oso/languages/ruby/lib/oso/polar/ffi/query.rb:60:in `next_event'
         1: from /Users/stephan/.rbenv/versions/2.5.3/lib/ruby/2.5.0/json/common.rb:156:in `parse'
/Users/stephan/.rbenv/versions/2.5.3/lib/ruby/2.5.0/json/common.rb:156:in `parse': nesting of 101 is too deep (JSON::NestingError)

I've added a puts event.to_s in lib/oso/polar/ffi/query.rb, and it looks like it's the trace that's too deeply nested. (The Result bindings are there, so the query was evaluated successfully.)

Skimming the ruby code, I'm not certain that the trace is actually used; however, I've found no way to have JSON.parse ignore a certain key.

Related question: have you considered using different formats for this? (Anything well-supported enough across languages, flatbuffers, protobuf, ...) I'd suspect that there's performance wins here... 🤔

When using ?= ... inline queries to verify that a Polar policy behaves as expected, in the event that a query fails the error message output by Oso doesn't indicate the query that failed but only says "inline query result was false". I encountered this with Oso 0.8.1 for Rust but looking at the code in the main branch it seems to be the same:

    fn check_inline_queries(&mut self) -> crate::Result<()> {
        while let Some(q) = self.inner.next_inline_query(false) {
            let query = Query::new(q, self.host.clone());
            match query.collect::<crate::Result<Vec<_>>>() {
                Ok(v) if !v.is_empty() => continue,
                Ok(_) => return lazy_error!("inline query result was false"),
                Err(e) => return lazy_error!("error in inline query: {}", e),
            }
        }
        check_messages!(self.inner);
        Ok(())
    }

Setting environment variable POLAR_LOG=1 helps a bit as you can work out the last query that was being executed, but it's not that easy as you have to look at the log statement indentation to try and work out where the start of the query execution was and thus what the root query being executed was.

When trying to assign a variable in a rule where one list item references an object property, I am running into a syntax parsing error "did not expect to find the token ']' at line X"

resource_scope(actor: Person, "read", "Person", filters) if
    filters = ["id", "=", actor.id];

The same rule works fine if assigning a dictionary instead of list:

resource_scope(actor: Person, "read", "Person", filters) if
    filters = { id: actor.id };

As a workaround, the following will parse correctly:

resource_scope(actor: Person, "read", "Person", filters) if
    field = actor.id and
    filters = ["id", "=", field];

Cut is pretty meaningless. It's hard for beginning Prolog students to understand. Let's name cut something
more meaningful

I suggest commit - "commit to this rule"

Alternatives are found, use_rule, only.

The cut-fail pattern is something we can encourage by providing !, fail as a primitive.
I suggest impossible. Alternatives give_up, abort, no.

A rule like:

allow(actor, action, resource: {attr: attr});

still matches even if the object passed in as resource does not have the attr attribute. This has to do with how the library handles undefined (it passed it back into Polar instead of treating it as a failed match).

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

It would be great to have an example application for Oso's new Go library. Something similar to https://github.com/osohq/oso-flask-tutorial, which we use for our "Add to your application" guide in Python. We'd like to write a similar guide based on this example Go application.

Summary

Support for exposing custom roles to end users.

Today

It's currently possible to set up a custom role system and dynamically check a user's role(s) in an oso policy.

We've sketched out an example of the above in a Django sample app.

Future

Similar to the built-in roles work available today in the SQLAlchemy integration, we want to provide an out-of-the-box solution for custom roles in all of our language and framework integrations. It will be an extension of the existing roles work in the SQLAlchemy library — likely with a new custom role API for dynamically creating and managing custom roles.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

First reported by @kvokov in bjerkio/nestjs-oso#82.

I believe this is due to setting the stripInternal compiler option to true as part of #630:

Huge thanks to @audiBookning for noticing the difference between the .d.ts files included in the 0.9.0 release vs. later releases!

It can be interesting to have it in Haskell.
For example, to integrate it with an API wrote using Yesod framework.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

I really like how this is well structured. But the backend is written in dotnet core. Are they any examples to add support for c# dotnet core?

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

With r.rb as

require 'oso'

$polar=<<POLAR
test(b) if
  b = input.foo;
POLAR

input = {"foo" => "baz"}

o = Oso.new
o.load_str($polar)
o.register_constant('input', value: input)

x = Oso::Polar::Variable.new('x')
puts o.query_rule('test', x).force

I get the following output when running the script:

$ bundle exec ruby ../osoq/r.rb
Singleton variable input is unused or undefined, see <https://docs.oso.dev/using/polar-syntax.html#variables>
002:   b = input.foo;
           ^
{"x"=>"baz"}

It seems to work alright, but the warning is wrong?

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

term is looking for a new maintainer

The author of the term crate does not have time to maintain it and is looking
for a new maintainer.

Some maintained alternatives you can potentially switch to instead, depending
on your needs:

• crossterm
• termcolor
• yansi

See advisory page for additional details.

This is an external tracking issue to:

Gauge interest from the community for this feature
Learn about what you'd want to see out of it if we worked on it.
So please:

Upvote the issue if it's important to you, and
Comment with any relevant info on your requirements use cases, etc.
Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

oso support for PHP

difference is unmaintained

The author of the difference crate is unresponsive.

Maintained alternatives:

• dissimilar

• treediff

• diffus

See advisory page for additional details.

Is there any particular reason why pypi is missing a 32 bit version for windows? I see the 64bit is there and 32 seems to be for all other OS's

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

This looks like a great library and I think adding .NET support would be really useful.

It looks quite empty right now 😄

https://www.npmjs.com/package/oso

This would address some issues we're having in our Clojurescript / Clojure Apps. Theoretically could wrap the Node/java libraries.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

Tree-sitter is a parser generator tool and an incremental parsing library. It can build a concrete syntax tree for a source file and efficiently update the syntax tree as the source file is edited.

Tree-sitter is currently used by Atom and Neovim (in 0.5).

See https://tree-sitter.github.io/tree-sitter/ for more details

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

Include a user group model in the definition of a role, so that roles can be assigned to user groups as well. Build in features for writing role-based policies over groups and relating roles from groups to the users in the group.

I known that is written in Rust... but the support for Rust is missing? Reading the documentation I can see any Rust type.

This is an external tracking issue to:

Gauge interest from the community for this feature
Learn about what you'd want to see out of it if we worked on it.
So please:

Upvote the issue if it's important to you, and
Comment with any relevant info on your requirements use cases, etc.
Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

Hi there,

thank your for an interesting library, it's very much appreciated.
I played around with sqlalchemy-oso today and encountered the following bug:

When you create a ResourceRoleModel between a generic "user" model and a resource that is not named "repository" then trying to get all the users for a specific role on a specific resource fails (e.g. oso_roles.get_resource_users_by_role(
db_session, organization, "ADMIN"
)):

sqlalchemy.exc.InvalidRequestError: Entity '<class 'app.models.organization_role.OrganizationRole'>' has no property 'repository'

In this case my resource was named "organization". The expectations was that a list of all users with the role "ADMIN" or an empty list was returned, but an exception was raised.

This is due to the fact that in the function "get_resource_users_by_role" the users query has a "filter_by" with a hardcoded "repository" property.

I can provide a pull request if this is welcome. I verified locally that you can just get the resources name and use that in the filter instead of a hardcoded value.

Let me know what you think.

All the best.

• Support for Syntax highlighting in PyCharm editor

How can I implement watcher to detect and update policy without restarting server.
load_str(polar, "role(user, role_name) if user.role = role_name;", "somefile.policy") does not saves to file.

I have background workers updating policies, assigning role to user in a organization on user creation.
I need to check newly created users policy.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

Hi,

Nearly a week ago now v0.11.0 was released according to https://www.osohq.com/post/oso-release-0-11-0 and https://github.com/osohq/oso/releases/tag/v0.11.0, yet the latest release on crates.io is https://crates.io/crates/oso/0.10.1.

Shouldn't 0.11.0 be available via crates.io?

Thanks,

Ximon

dirs is unmaintained, use dirs-next instead

The dirs crate is not maintained any more;
use dirs-next instead.

See advisory page for additional details.

We want to add support for Golang.

A TypeORM integration would include support for:

• Data filtering (see https://docs.osohq.com/python/guides/data_access.html)
• Auto-registration of TypeORM models
• Support for relevant TypeORM patterns

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

This is an external tracking issue to:

1. Gauge interest from the community for this feature
2. Learn about what you'd want to see out of it if we worked on it.

So please:

1. Upvote the issue if it's important to you, and
2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.