Summary Any project that is used by more than one person will eventually need to handle permissions for each of those users. It is certainly possible to write that logic yourself, but you’ll almost certainly do it wrong at least once. Rather than waste your time fighting with bugs in your authorization code it makes sense to use a well-maintained library that has already made and fixed all of the mistakes so that you don’t have to. In this episode Sam Scott shares the Oso framework to give you a clean separation between your authorization policies and your application code. He explains how you can call a simple function to ask if something is allowed, and then manage the complex rules that match your particular needs as a separate concern. He describes the motivation for building a domain specific language based on logic programming for policy definitions, how it integrates with the host language (such as Python), and how you can start using it in your own applications today. This is a must listen even if you never use the project because it is a great exploration of all of the incidental complexity that is involved in permissions management. Announcements Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great. When you’re ready to launch your next app or want to try a project you hear about on the show, you’ll need somewhere to deploy it, so take a look at our friends over at Linode. With the launch of their managed Kubernetes platform it’s easy to get started with the next generation of deployment and scaling, powered by the battle tested Linode platform, including simple pricing, node balancers, 40Gbit networking, dedicated CPU and GPU instances, and worldwide data centers. Go to pythonpodcast.com/linode and get a $100 credit to try out a Kubernetes cluster of your own. And don’t forget to thank them for their continued support of this show! We’ve all been asked to help with an ad-hoc request for data by the sales and marketing team. Then it becomes a critical report that they need updated every week or every day. Then what do you do? Send a CSV via email? Write some Python scripts to automate it? But what about incremental sync, API quotas, error handling, and all of the other details that eat up your time? Today, there is a better way. With Census, just write SQL or plug in your dbt models and start syncing your cloud warehouse to SaaS applications like Salesforce, Marketo, Hubspot, and many more. Go to pythonpodcast.com/census today to get a free 14-day trial. Are you bored with writing scripts to move data into SaaS tools like Salesforce, Marketo, or Facebook Ads? Hightouch is the easiest way to sync data into the platforms that your business teams rely on. The data you’re looking for is already in your data warehouse and BI tools. Connect your warehouse to Hightouch, paste a SQL query, and use their visual mapper to specify how data should appear in your SaaS systems. No more scripts, just SQL. Supercharge your business teams with customer data using Hightouch for Reverse ETL today. Get started for free at pythonpodcast.com/hightouch. Your host as usual is Tobias Macey and today I’m interviewing Sam Scott about Oso, an open source library for managing authorization in your applications Interview Introductions How did you get introduced to Python? Can you start by describing what Oso is and the story behind it? What was missing from the ecosystem of authorization libraries/frameworks that motivated you to create a new one? What are some of the most common mistakes that you see developers make when implementing authorization logic? At a high level, what is the process of using Oso to add access control policies to a piece of software? What is the motivation for using a DSL for defining policies as opposed to writing those definitions in pure Python? How have you approached the design of the policy language, particularly deciding what constraints to impose? What other policy frameworks or dialects have you drawn inspiration from? How is the Oso framework implemented? How have the goals and design of Oso changed or evolved since you first began working on it? What are some useful design patterns for integrating Oso into an application? How does the type of application (e.g. web app vs. system daemon, etc.) affect the ways that Oso is used? Given that Oso supports multiple language runtimes, what is involved in defining and enforcing policies that span multiple processes? (e.g. Python backend and Javascript frontend, Python microservice communicating with Go microservice, etc.) What are some of the common mistakes or areas of confusion for users who are getting started with Oso and Polar? What are some of the capabilities of Oso that are often overlooked or misunderstood? I noticed that you’re backed by some venture firms. What is your current product vision and how does that relate to your current open source goals? What are some of the most interesting, innovative, or unexpected ways that you have seen Oso used? What are some of the most interesting, unexpected, or challenging lessons that you have learned while working on and with oso? When is Oso the wrong choice? What do you have planned for the future of the project? Keep In Touch LinkedIn samscott89 on GitHub @samososos on Twitter Picks Tobias Chaos Walking Sam Hades video game Closing Announcements Thank you for listening! Don’t forget to check out our other show, the Data Engineering Podcast for the latest on modern data management. Visit the site to subscribe to the show, sign up for the mailing list, and read the show notes. If you’ve learned something or tried out a project from the show then tell us about it! Email hosts@podcastinit.com) with your story. To help other people find the show please leave a review on iTunes and tell your friends and co-workers Join the community in the new Zulip chat workspace at pythonpodcast.com/chat Links Oso Oso Authorization Academy Number Theory Sage Math RBAC == Role-Based Access Control ABAC == Attribute-Based Access Control Polar Policy Language Prolog Logic Programming Open Policy Agent AWS IAM XACML Google Zanzibar Rust Web Assembly (Wasm) OAuth Scopes The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA