We’re excited to announce that Oso Sync is generally available!
Authorization requires two things: logic and data. Authorization services use your application data to determine whether a user is allowed to perform a given action. With Oso Cloud, you can maintain a copy of that data in Oso Cloud or leave it in your application databases- but most people store at least some of their authorization data in Oso Cloud.
When you have the same data in two different places, drift is a fact of life. At some point, something will happen that makes some of the data inconsistent. A latency spike causes an asynchronous update to fail. A DBA manually updates data in one source but not the other. You need a way to detect when that happens so you can act on it before it causes problems in your application. Enter Oso Sync!
Oso Sync compares the data in your application database to the data in Oso Cloud and reports any differences between the two. It can optionally update Oso Cloud to bring it back in sync with the current state of your application database. It natively supports PostgreSQL and MongoDB. You can also load facts from a CSV if your application uses a different database engine.
How it works
You invoke Oso Sync by calling the oso-cloud reconcile CLI command. The command takes two arguments:
- The path to a configuration file
--perform-updates(optional)
The configuration file tells Oso Sync how to generate facts from your application database. For example, you could generate has_relation facts that associate repositories with organizations from PostgreSQL with a configuration like this:
version: 1
source: postgres
facts:
has_relation(Repository:_, String:parent, Organization:_):
db: app_db
query: |-
select repository.public_id, organization.public_id
from repository
join organization
on organization.id = repository.organization_id
dbs:
app_db:
connection_string: postgresql://oso:oso@somerds.instance.aws.com:5432/foo
By default, Oso Sync will only generate a report of the changes it would make. Set the --perform-updates flag to tell Oso Sync to apply those changes.
You can find comprehensive documentation for Oso Sync on our docs site.
Know that you’re in sync
Authorization is on your application’s critical path, so it’s important to be sure that your authorization data is up-to-date. If you change a person’s role in your application and that change doesn’t get to Oso Cloud, you could prevent someone from accessing something they need — or worse, give them access to something they shouldn’t have.
Sometimes, the hardest part of remediating drift is just knowing when it happens. You can run Oso Sync on a schedule to identify any drift between your production database and Oso Cloud. This lets you automatically detect inconsistencies that may be introduced. You can then use Oso Sync to update that data whenever it makes sense for you.
We’re always thinking about how to simplify authorization. Oso Sync lets you make sure your data stays up-to-date, so you can spend less time thinking about drift and more time building your application. To learn more about how to use Oso Sync, check out the docs or reach out to us on Slack.