
First-class SQLAlchemy support for Oso Cloud

Project description

SQLAlchemy 🤝 Oso Cloud

The Oso Cloud extension for SQLAlchemy enables you to filter database queries based on your application's authorization logic.

  • With Local Authorization, you don’t need all your data in one place. Let your other services own things like user roles and entitlements. We’ll stitch anything relevant into queries over your SQLAlchemy data, with no need to sync.
  • Pair with other extensions like pgvector to build powerful, secure RAG search over private data.
  • First-class SQLAlchemy support for unparalleled ergonomics.

Install

pip install sqlalchemy-oso-cloud

Use

Step 1: Map SQLAlchemy Data

With the utilities in sqlalchemy_oso_cloud.orm, bind data in your SQLAlchemy models to the Oso facts you'll use in your authorization policy.

from sqlalchemy.orm import Mapped

import sqlalchemy_oso_cloud as oso

# Base is your application's SQLAlchemy declarative base.
class Document(Base, oso.Resource):
    ...
    # TODO(iris): decide on this API
    organization: relation(remote="Organization")
    # maps facts like `has_state(Document{"123"}, "published")`
    state: Mapped[str] = oso.attribute()

class DocumentChunk(Base, oso.Resource):
    ...
    # maps facts like `has_relation(DocumentChunk{"456"}, "document", Document{"123"})`
    document: Mapped["Document"] = oso.relation()

Step 2: Write a Polar policy

Unlike SQLAlchemy models, which are specific to one database, Polar is agnostic about where each piece of data comes from.

actor User {}

resource Organization {
    roles = ["admin", "member"];
}

resource Document {
    roles = ["author"];
    permissions = ["read", "write"];
    relations = {
      organization: Organization
    };

    "read" if "author";
    "read" if "admin" on "organization";
    "read" if
        "member" on "organization" and
        has_state(resource, "published");

    "write" if "author";
}

resource DocumentChunk {
    permissions = ["read"];
    relations = {
        document: Document
    };

    "read" if "read" on "document";
}

Step 3: Profit

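from .models import Base, DocumentChunk
import sqlalchemy_oso_cloud

# Initialize the extension with the models registered on Base.
sqlalchemy_oso_cloud.init(Base.registry)

# `select` must already be in scope; its import is not part of this snippet.
def authorized_rag_retrieval(user, embedding):
    # Parentheses are required for a method chain split across lines.
    return (
        select(DocumentChunk)
        .order_by(DocumentChunk.embedding.l2_distance(embedding))
        # Keep only the chunks this user may "read" under the policy.
        .authorized(user, "read")
        .limit(10)
    )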
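
The following is an added example, not code from the Oso project, and it does not use the library. It models the Step 2 policy in plain Python over constructed facts to show why the authorization filter belongs inside the query, ahead of the limit, for retrieval. The users, documents, distances and all function names are assumptions made for illustration.

```python
# Constructed sample facts for illustration (not from the Oso documentation).
ROLES = {  # (user, role, resource)
    ("alice", "author", "doc:1"),
    ("bob", "admin", "org:acme"),
    ("carol", "member", "org:acme"),
}
DOC_ORG = {"doc:1": "org:acme", "doc:2": "org:acme", "doc:3": "org:other"}
DOC_STATE = {"doc:1": "draft", "doc:2": "published", "doc:3": "published"}
# chunk id -> (parent document, L2 distance to the query embedding)
CHUNKS = {
    "c1": ("doc:1", 0.10),
    "c2": ("doc:3", 0.20),
    "c3": ("doc:2", 0.30),
    "c4": ("doc:1", 0.40),
}


def has_role(user, role, resource):
    return (user, role, resource) in ROLES


def can_read_document(user, doc):
    org = DOC_ORG[doc]
    return (
        has_role(user, "author", doc)  # "read" if "author"
        or has_role(user, "admin", org)  # "read" if "admin" on "organization"
        or (has_role(user, "member", org) and DOC_STATE[doc] == "published")
    )


def can_read_chunk(user, chunk):
    # "read" if "read" on "document"
    return can_read_document(user, CHUNKS[chunk][0])


def ranked_chunks():
    return sorted(CHUNKS, key=lambda c: CHUNKS[c][1])


def authorized_top_k(user, k):
    """Filter, then limit: authorization is part of the query."""
    return [c for c in ranked_chunks() if can_read_chunk(user, c)][:k]


def post_filtered_top_k(user, k):
    """Limit, then filter in the application: may return fewer than k."""
    return [c for c in ranked_chunks()[:k] if can_read_chunk(user, c)]
```

For carol with k=2, filtering before the limit returns ['c3'], while limiting first returns nothing, because the two nearest chunks belong to documents she cannot read.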

Reference

Slack

Join our Slack community where Oso users and developers hang out! It's a great place to ask questions, share feedback, and get advice.

Contributing

See CONTRIBUTING.md

License

Apache 2.0

Download files

Source Distribution

sqlalchemy_oso_cloud-0.1.0b1.tar.gz (9.7 kB)

Uploaded Source

Built Distribution

sqlalchemy_oso_cloud-0.1.0b1-py3-none-any.whl (12.1 kB)

Uploaded Python 3

File details

Details for the file sqlalchemy_oso_cloud-0.1.0b1.tar.gz.

File metadata

  • Download URL: sqlalchemy_oso_cloud-0.1.0b1.tar.gz
  • Upload date:
  • Size: 9.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for sqlalchemy_oso_cloud-0.1.0b1.tar.gz
Algorithm Hash digest
SHA256 83667a77c499674cd8dc3e664d5d8b8e3334896b3e74fd806ed6b24c0021cfc6
MD5 fdd2294f8dad36f800aa9ec130ddae61
BLAKE2b-256 85f21d818b2de4b91f9c302c4fc629290b35b1355f1c10de196b3a2d3eeab26d

Provenance

The following attestation bundles were made for sqlalchemy_oso_cloud-0.1.0b1.tar.gz:

Publisher: publish.yml on osohq/sqlalchemy-oso-cloud

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sqlalchemy_oso_cloud-0.1.0b1-py3-none-any.whl.

File hashes

Hashes for sqlalchemy_oso_cloud-0.1.0b1-py3-none-any.whl
Algorithm Hash digest
SHA256 8978552f531f59d5aa821e27237d573b9685739e4509d5652ee621911288ccdb
MD5 87ad1a4eefc4a5984a5258e08197cd50
BLAKE2b-256 20c5287d4438a8426f09a484555a780239a1996f988a63a24d445f93955cd29b

Provenance

The following attestation bundles were made for sqlalchemy_oso_cloud-0.1.0b1-py3-none-any.whl:

Publisher: publish.yml on osohq/sqlalchemy-oso-cloud
