Reference Guides

Polar Language Reference Reference guides for the Polar policy language.

Framework Integrations Oso does not provide any Java framework integrations yet. Let us know which ones we should integrate with below.

Developer Tools Oso offers several developer tools to make it easier to write and understand policies.

Glossary Oso is an authorization system: its purpose is to allow you to selectively control access to certain application resources. In this document, we’ll explore the basic concepts that Oso uses to help you accomplish this goal. Actors Actors are the subjects of authorization queries. Actors will often be application end-users, but could also represent service users, API clients, or other internal systems. They may be represented by simple strings such as usernames or email addresses, or by a structured identity token like a JWT. Actions Actions are the verbs of authorization queries. They distinguish between different kinds of queries for a given resource by indicating what the actor is attempting to do. For a web application, the action might be an HTTP request method like GET or POST. Resources Resources are the objects of authorization queries. They represent the application components that we wish to protect. They might be designated by a URI or other string, or may be an application type. Queries In Oso, an authorization query takes the form: May actor perform action on resource? Queries are made using the Oso library. Policies Oso evaluates queries using authorization logic contained in policies. Policies are written as code in a declarative policy language called Polar. Polar is designed to provide a simple but expressive syntax for authorization logic. For more information on Polar, see the language documentation, and for examples of different kinds of policies you can express with it, see the Policy Examples section. Policies are stored in Polar files (extension .polar), which are loaded into the authorization engine using the Oso Libraries. Once loaded, policies can be used to evaluate authorization queries. Policies are made up of rules. Each rule defines a statement that is either true or false. In Oso, one such rule is distinguished, and used to drive the authorization decision: the allow rule. Allow Rules A basic allow rule has the form: allow(actor, action, resource); We could read this as: actor may perform action on resource Oso answers an authorization query by matching the supplied actor, action, and resource arguments with the parameters of allow rules specified in the policy. For instance, let’s imagine we are using Oso to write an authorization system for an airport. We’ll start with a very simple policy: suppose that passengers Alice and Bob are allowed to board any flight. One simple way to write such a policy in Polar would be: allow("alice", "board", "flight"); allow("bob", "board", "flight"); Now an authorization query where actor is the string "bob", action is the string "board", and resource is the string "flight" would be evaluated as follows: the first rule would fail to match (since "bob" != "alice"), but the second matches all three arguments with the rule parameters, so the authorization query completes successfully, and access is granted. Now, what happens if an actor named "charlie" tries to board a flight? In that case, no matching rules will be found, so the authorization query fails and access is denied. Thus we see that policies are “deny by default”. `. -- Summary In Oso, authorization begins with a query, which is evaluated against a policy written in the Polar language. Policies are made up of rules, and allow rules are used to grant access from the oso.is_allowed() method. For more detailed examples of Oso in action, check out our authorization model guides.

jQuery v3.6.1 jQuery License jQuery v 3.6.1 Copyright OpenJS Foundation and other contributors, https://openjsf.org/ Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ****************************************** The jQuery JavaScript Library v3.6.1 also includes Sizzle.js Sizzle.js includes the following license: Copyright JS Foundation and other contributors, https://js.foundation/ This software consists of voluntary contributions made by many individuals. For exact contribution history, see the revision history available at https://github.com/jquery/sizzle The following license applies to all parts of this software except as documented below: ==== Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ==== All files located in the node_modules and external directories are externally maintained libraries used by this software which have their own licenses; we recommend you read them, as their terms may differ from the terms above. *********************