Absolutely. I think it would look a little different, but at a high level would achieve the same goals - a single place to see policies and auditing of decisions.
We've done some internal proof of concepts of this, and have discussed it with various folks, and happy to share more of this with anyone interested.
> I’d also be interested to know if you’d compared the performance of oso policy vs Rego on comparable input.
Not yet, but this a great suggestion. I would be a little worried that it would be hard to do it in an unbiased way. The two have different design choices, etc.
I’m unfamiliar with the oso architecture so this might not be how it works, but I’d be interested in particular in the performance with ‘large’ input objects (~5mb+ in JSON). They have a good page in their documentation here: https://www.openpolicyagent.org/docs/latest/policy-performan... which explains the loaded data is around 20x the input - we’ve had to work around this. Though we are using OPA for something which it’s not really designed for too...
Oso seems to support this by ‘registering’ objects in the host language, e.g. https://docs.osohq.com/using/libraries/ruby/index.html#worki... in Ruby. I like the look of this and I presume that this is how you’d rather have users build more advanced policy than extending what seems to be a pretty lightweight language (https://docs.osohq.com/using/polar-syntax.html). OPA seems to have gone the other way and has a lot of functionality in the language for common cases, e.g. x509, jwt, etc. Would I be right in assuming that the current design decision is not to add such functionality to oso?
In general, you shouldn't really need to pass in large input objects to oso - it operates over the application data.
What this means practically is either the data is processed through whatever data access layer you have (i.e. SQL, or an ORM). And there's more work we're doing here to make that experience seamless [1].
Or if you do have some large input data and you iterate over it in the policy, then the oso host library (the part in your app) will just iterate through it without sending the entire object back and forth.
> I presume that this is how you’d rather have users build more advanced policy than extending what seems to be a pretty lightweight language
Yep, that's the idea. I answered a similar question here [2]. You can call class + instance methods from Polar, so if there's anything you can't do you can add it that way. We have considered/are considering adding a standard library to provide common pieces out of the box, but it's not a limiting factor for using oso currently.
There are some side benefits though that a standard library would provide - like having a robust implementation of common operations in the Rust core.
Thanks for the prompt & detailed responses in this thread.
It’ll be interesting to see what this looks like in a polyglot stack, I think that’s where having functionality in in the policy language might be really valuable.
For the time being, it’d still be possible to build a oso based policy server which applications invoke to make consistent decisions - so there are options to achieve this in the meantime too.
Agreed! And I strongly recommend to anyone thinking about doing so to join our slack [1] and come chat with us :) We'll be happy to share our thoughts on this.
All these questions are also tempting me to go and put together a demo for this too...
We've done some internal proof of concepts of this, and have discussed it with various folks, and happy to share more of this with anyone interested.
> I’d also be interested to know if you’d compared the performance of oso policy vs Rego on comparable input.
Not yet, but this a great suggestion. I would be a little worried that it would be hard to do it in an unbiased way. The two have different design choices, etc.