Oso Summer 2022 Hackathon

2022 Oso Summer Hackathon

We did it again! The Oso team gathered in New York City and spent three days hacking. We take this opportunity to come together as a team, take a break from our usual zoom cubicles, and explore the Oso product on a different level than our day-to-day.

The projects we wrapped up had the team thinking deep about the Oso Cloud product, and we think you’ll find them interesting too! Here’s the lineup:

  • An in-browser editor for Polar policies in the Oso Cloud dashboard
  • A monitoring dashboard for Oso Cloud replicas
  • Data Filtering in an Oso Cloud + PostgreSQL foreign data wrappers
  • An explain tool to understand how Oso Cloud evaluates authorization queries
  • Implementing tabling in Oso Cloud’s logical engine

🏆 No Oso hackathon is complete without hard earned awards. Our awards are intended to be fun, comical and sometimes related to inside jokes. Enjoy!

1. Monacoso

Vijay Ramamurthy

🏆: The Jackhammer Award

A few weeks ago we wrapped up with our fifth hackathon at Oso HQ. For my hackathon project I added an in-browser editor for Polar policies in the Oso Cloud dashboard. I call the project “Monacoso” because it uses Monaco, the code editor that powers VS Code.

This in-browser editor also provides inline validation for your Polar policies in real time. To provide red squigglies for Polar code in your browser, we compile the Rust code that powers Polar into WebAssembly, and plug that into the Monaco editor. This technique is similar to one you may have read about in Gabe Jackson’s, Oso Engineer, blog post about how we built our VSCode Extension using Rust.

image.png

Once this feature ships, you’ll be able to author and save policies directly in the Oso Cloud dashboard, making it quicker and easier than ever to get up and running with Oso Cloud!

2. OSOSOSOSOSO

Graham “GK” Kaemmer, Mike Cen

🏆: The Architectural Metamorphosis Award

We built a monitoring dashboard for Oso Cloud replicas which are used to serve read traffic. Oso Cloud uses events to replicate facts and policy changes to servers all over the world, for both low latency and high availability.

We want to know at any moment which global replicas are online and properly processing those events, and which ones are offline or otherwise lagging behind. Having this visibility helps us keep reliability high and consistency lag low. If you’re interested in hearing more about Oso Cloud’s distributed architecture — we just released a page on our docs describing how it all works. Read about the Architecture of Oso Cloud.

Screen Shot 2022-06-10 at 5.03.55 PM.png

3. Postgroso

Patrick O’Doherty

🏆: Postgres with the Most-gres

For this hackathon I wanted to explore what it would look like to implement something like Data Filtering in an Oso Cloud world with the help of PostgreSQL foreign data wrappers.

The power of Data Filtering all about applying authorization scopes at the query level, allowing your application to deal only with authorized resources fetched from your database. Foreign Data Wrappers are a neat feature of PostgreSQL which you allow you to extend the domain of data that you can query using the SQL interface via an API. In our case I created an Oso Cloud foreign data wrapper which allows you to query for oso_authorized_resources and then join against the results to scope your results appropriately.

Here's an example where we're querying for all of the Organization objects that a user has read access to, which we can then use as a join or other filter constraint with other tables in the local database.

fdw-query-demo-1656538006.png

I took advantage of some great existing code to stitch all this together, namely the "multicorn" Python project which is a wrapper for writing Foreign Data Wrapper extensions in Python and which is used in many other projects.

While the code is still very much a proof of concept at the moment I was definitely impressed by Foreign Data Wrappers and would love to look more closely at building out a full featured extension like this. If you use PostgreSQL and would be interested in integrating Oso Cloud into your queries to apply authorization scopes do reach out - We’d love to talk.

4. Explainer

Jordan Killpack, Steve Olsen

🏆: Oso, you got some ‘splainin to do

We worked on a tool to help folks understand how Oso Cloud evaluates authorization queries. Oso Cloud is powerful, but if you get an authorization result you don't expect, it can be hard to understand why.

With our Explain tool, you can see exactly what Oso Cloud is doing when it evaluates an authorization query. For example, what facts would have to exist for User:alice to be able to read Repo:acme? If User:alice can read Repo:acme, why? If she can't, why not? These are the sorts of question our Explain tool can answer.

When Oso Cloud evaluates an authorization query, it asks the Polar engine for all the different ways that the query could be allowed, in terms of sets of interrelated facts. For example, Polar might say that User:alice can read Repo:acme if Oso Cloud can find the fact  has_permission(User:alice, "read", Repo:acme) in the facts database, or if it can find the facts has_relation(Repo:acme, "parent", an_org) and  has_role(User:alice, "reader", an_org) for some value of an_org.

Screen Shot 2022-06-30 at 1.46.20 PM (1).png

Our Explain tool shows you all these ways that an authorization query might succeed. If Oso Cloud was able to find a set of matching facts, it will show you those, too, and the values of variables like an_org.We've found this very useful, and we hope you will, too.

We're in the process of making it production-ready and plan to ship it very soon!

5. (┛ಠ_ಠ)┛彡┻━┻

Gabe Jackson, Sam Scott

🏆: Let’s table this discussion for another sprint

Closing out the Hackathon posts with a bang (specifically, the sound of a human performing a pro wrestling move through a folding table), it’s us implementing tabling in Oso Cloud’s logical engine.

In brief, tabling is a mechanism for recognizing infinite recursion while evaluating a query.When Oso Cloud evaluates a query allow(User:diana, "view", Folder:1), it queries its knowledge base of facts and logical rules to determine whether Diana is allowed to view Folder:1. Imagine a rule that a User can view a Folder if they have the "guest" role for that Folder:

resource Folder {
  permissions = ["view"];
  roles = ["guest"];

    "view" if "guest";
}

If Diana has been assigned the "guest" role on Folder:1, this rule will succeed and she’ll be allowed to view the Folder. However, imagine a second rule, that a User can view a Folder if they can view the Folder’s parent:

resource Folder {
  permissions = ["view"];
  roles = ["guest"];
  relations = { parent: Folder };

  "view" if "guest";
  "view" if "view" on "parent";
}

Now, Diana should be allowed to view Folder:1 if she’s been assigned the "guest" role on Folder:1... or on Folder:1's parent, or Folder:1's parent’s parent, and so on. Currently, when Oso Cloud tries to evaluate the allow(User:diana, "view", Folder:1) query against this policy, it’ll hit an artificial recursion limit that we’ve put in place to prevent the engine from infinitely looping. However, once we’ve rolled out the tabling work that Sam and I started during the Hackathon, Oso Cloud will be able to support recursive policies without any artificial limit.

Tabling basically works as a cache where we keep track of what queries we’ve already seen. When we encounter a query that we’ve already seen, we do some bookkeeping to note that it is recursive, and then we stop evaluating that logical path (since, if we continued, we’d end up back at the exact same point because… recursion).

We’ve seen performance improvement across the board from this. Here’s a slice of results from our benchmarking suite:

Untitled

Notice that the recursive cases are now between 50-500x faster!

We’re super excited to ship this new feature, which will both increase the types of policies we can support in Oso Cloud and drastically improve performance on policies that use recursion.

Try it for yourself! Sign up for Oso Cloud and visit the Policy Builder page to get an example policy with recursive groups or folders, and time how long authorization takes.

Hope you enjoyed reliving the hackathon projects with us! If this spiked interest in the work we do at Oso, join the Oso community Slack to connect with us and thousands of other developers. And if quarterly team hackathons sounds like something that would be fun to work on, we’re hiring!

Want us to remind you?
We'll email you before the event with a friendly reminder.

Write your first policy