Ruby Client API

First, install the oso-cloud gem from RubyGems:

Before going through this guide, make sure you follow the Oso Cloud Quickstart to get your Oso API Key properly set in your environment.

Instantiating an Oso Cloud Client

The Oso Cloud client provides an OsoCloud::Oso class that takes your Oso Cloud URL and API key:

Specifying an Oso Fallback host

If you have deployed Oso Fallback nodes to your infrastructure, you may specify the host when instantiating the Oso Cloud client.

Passing application entities into the client

Under the hood, Oso Cloud represents an entity in your application as a combination of a type and an ID, which together uniquely identify the entity. The Ruby client represents these entities using the OsoCloud::Value class, a struct with both type and id properties. For example:

You will pass objects like these into nearly every function call you make to the Ruby client.

Centralized Authorization Data API

Oso Cloud clients provide an API to manage authorization data stored directly in Oso Cloud.

Add fact: oso.tell(name, *args)

Adds a fact named name with the provided arguments. Example:

oso.tell(
  "has_role",
  OsoCloud::Value.new(type: "User", id: "bob"),
  "owner",
  OsoCloud::Value.new(type: "Organization", id: "acme")
)

Add many facts: oso.bulk_tell([*[name, *args]])

Adds many facts at once. Example:

Delete fact: oso.delete(name, *args)

Deletes a fact. Does not throw an error if the fact is not found. Example:

Delete many facts: oso.bulk_delete([*[name, *args]])

Deletes many facts at once. Does not throw an error when some of the facts are not found. Example:

Transactionally delete and add facts: oso.bulk(delete: [*facts], tell: [*facts])

Deletes and adds many facts in one atomic transaction. The deletions are performed before the additions. nil can be used as a wildcard in facts in delete. Does not throw an error when the facts to delete are not found or when the facts to add already exist. Example:

Note the wildcard in the delete section; using this, all has_role facts linking User:bob and Repo:anvils will be deleted.

List facts: oso.get(name, *args)

Lists facts that are stored in Oso Cloud. Can be used to check the existence of a particular fact, or used to fetch all facts that have a particular argument:

Check API

Context facts

The Check AP lets you provide context facts with each request. When Oso Cloud performs a check, it considers the request's context facts in addition to any other centralized authorization data. Context facts are only used in the API call in which they're provided-- they do not persist across requests.

For more details, see Context Facts.

Check a permission: oso.authorize(actor, action, resource)

Determines whether or not an action is allowed, based on a combination of authorization data and policy logic. Example:

You may provide an array of context facts as an optional fourth argument to this method. Example:

Check authorized resources: oso.authorize_resources(actor, action, resources)

Returns a subset of resources on which an actor can perform a particular action. Ordering and duplicates, if any exist, are preserved.

Example:

You may provide an array of context facts as an optional fourth argument to this method. Example:

List authorized resources: oso.list(actor, action, resource_type)

Fetches a list of resource ids on which an actor can perform a particular action. Example:

You may provide an array of context facts as an optional fourth argument to this method. Example:

List authorized actions: oso.actions(actor, resource)

Fetches a list of actions which an actor can perform on a particular resource. Example:

You may provide an array of context facts as an optional third argument to this method. Example:

Query for anything: oso.query(rule)

Query Oso Cloud for any predicate and any combination of concrete and wildcard arguments. Unlike oso.get, which only lists facts you've added, you can use oso.query to list derived information about any rule in your policy. Example:

Learn more about how to query Oso Cloud.

Local Check API

The local check API lets you perform authorization using data that's distributed across Oso Cloud and your own database.

After creating your Local Authorization configuration, provide the path to the YAML file that specifies how to resolve facts in your database.

For more information, see Local Authorization.

List authorized resources with local data: oso.list_local(actor, action, resource_type, column)

Fetches a filter that can be applied to a database query to return just the resources on which an actor can perform an action. Example with Ruby on Rails:

You may use the Active Record query interface (opens in a new tab) to combine this authorization filter with other things such as ordering and pagination.

Check a permission with local data: oso.authorize_local(actor, action, resource)

Fetches a query that can be run against your database to determine whether an actor can perform an action on a resource. Example with Ruby on Rails:

List authorized actions with local data: oso.actions_local(actor, resource)

Fetches a query that can be run against your database to fetch the actions an actor can perform on a resource. Example with Ruby on Rails:

Policy API

Update the active policy: oso.policy(policy)

Updates the policy in Oso Cloud. The string passed into this method should be written in Polar. Example:

This command will run any tests defined in your policy. If one or more of these tests fail, your policy will not be updated.

Get policy metadata: oso.get_policy_metadata

Returns metadata about the currently active policy. Example:

See the Policy Metadata guide for more information on use cases.

Talk to an Oso engineer

If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, schedule a 1x1 with an Oso engineer. We're happy to help.

Get started with Oso Cloud →