First-class SQLAlchemy support for Oso Cloud
Project description
SQLAlchemy 🤝 Oso Cloud
The Oso Cloud extension for SQLAlchemy enables you to filter database queries based on your application's authorization logic.
- With Local Authorization, you don’t need all your data in one place. Let your other services own things like user roles and entitlements. We’ll stitch anything relevant into queries over your SQLAlchemy data, with no need to sync.
- Pair with other extensions like
pgvectorto build powerful, secure RAG search over private data. - First-class SQLAlchemy support for unparalleled ergonomics.
Install
pip install sqlalchemy-oso-cloud
Use
Step 1: Map SQLAlchemy Data
With the utilities in sqlalchemy_oso_cloud.orm,
bind data in your SQLAlchemy models to the Oso facts you'll use
in your authorization policy.
import sqlalchemy_oso_cloud as oso
class Document(Base, oso.Resource):
...
# maps facts like `has_relation(Document{"123"}, "organization", Organization{"acme"})`
organization_id: oso.remote_relation(remote_resource_name="Organization")
# maps facts like `has_state(Document{"123"}, "published")`
state: Mapped[str] = oso.attribute()
# maps facts like `is_public(Document{"123"})`
is_public: Mapped[bool] = oso.attribute()
class DocumentChunk(Base, oso.Resource):
...
# maps facts like `has_relation(DocumentChunk{"456"}, "document", Document{"123"})`
document: Mapped["Document"] = oso.relation()
Step 2: Write a Polar policy
Unlike SQLAlchemy models which are specific to one database, Polar is agnostic of where each piece of data comes from.
actor User {}
resource Organization {
roles = ["admin", "member"];
}
resource Document {
roles = ["author"];
permissions = ["read", "write"];
relations = {
organization: Organization
};
"read" if "author";
"read" if "admin" on "organization";
"read" if
"member" on "organization" and
has_state(resource, "published");
"read" if is_public(resource);
"write" if "author";
}
resource DocumentChunk {
permissions = ["read"];
relations = {
document: Document
};
"read" if "read" on "document";
}
Step 3: Profit
Use the .authorized method to filter based on your authorization policy.
from .models import Base, DocumentChunk
import sqlalchemy_oso_cloud
from sqlalchemy_oso_cloud import select
sqlalchemy_oso_cloud.init(Base.registry)
def authorized_rag_retrieval(user, embedding):
return select(DocumentChunk)
.order_by(DocumentChunk.embedding.l2_distance(embedding))
.authorized(user, "read")
.limit(10)
Reference
Slack
Join our Slack community where Oso users and developers hang out! It's a great place to ask questions, share feedback, and get advice.
Contributing
See the Contributing Guide
License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sqlalchemy_oso_cloud-0.1.0.tar.gz.
File metadata
- Download URL: sqlalchemy_oso_cloud-0.1.0.tar.gz
- Upload date:
- Size: 12.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ebd0fcfb3f80aa4f3717a750f147e7dd4c35ba6d4ccec6fe8bc937f0d5f49f87
|
|
| MD5 |
74556a273c8be226ceb7d625b186ecbd
|
|
| BLAKE2b-256 |
4a40d9aaf826d4eb50fa4f4ffdd22b1fa49e45796b50f997433fde8609bffa6b
|
Provenance
The following attestation bundles were made for sqlalchemy_oso_cloud-0.1.0.tar.gz:
Publisher:
publish.yml on osohq/sqlalchemy-oso-cloud
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sqlalchemy_oso_cloud-0.1.0.tar.gz -
Subject digest:
ebd0fcfb3f80aa4f3717a750f147e7dd4c35ba6d4ccec6fe8bc937f0d5f49f87 - Sigstore transparency entry: 267725313
- Sigstore integration time:
-
Permalink:
osohq/sqlalchemy-oso-cloud@cc6bd28d043a793f93dbdab231ac0c794c232515 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/osohq
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@cc6bd28d043a793f93dbdab231ac0c794c232515 -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file sqlalchemy_oso_cloud-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sqlalchemy_oso_cloud-0.1.0-py3-none-any.whl
- Upload date:
- Size: 14.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
967e3d3bb769f438b9dcdbdce7479c43eda3502a99068e6a37c477a7d5ab32ae
|
|
| MD5 |
c3484f41882cb8913e2823b0ae84af7c
|
|
| BLAKE2b-256 |
b2ca7758189e07047da6bdeb5b56445294c8fd9be31e81dff0161a49ae61c3b9
|
Provenance
The following attestation bundles were made for sqlalchemy_oso_cloud-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on osohq/sqlalchemy-oso-cloud
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sqlalchemy_oso_cloud-0.1.0-py3-none-any.whl -
Subject digest:
967e3d3bb769f438b9dcdbdce7479c43eda3502a99068e6a37c477a7d5ab32ae - Sigstore transparency entry: 267725315
- Sigstore integration time:
-
Permalink:
osohq/sqlalchemy-oso-cloud@cc6bd28d043a793f93dbdab231ac0c794c232515 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/osohq
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@cc6bd28d043a793f93dbdab231ac0c794c232515 -
Trigger Event:
workflow_dispatch
-
Statement type:
