Service Policy Examples
This section provides policy examples for service creation and binding.
Service permissions
The following policy establishes permissions for service resources:
service::/ {
  if (permit == all) {
    permit create, read, update, delete
    permit bind
  }
}
Service policy example 1
Policy on services is a two-way handshake. Both the service and the job must permit the binding.
For example:
service::/sandbox/tom {
  if (job fqnMatch "job::/sandbox/tom") {
    permit bind
  }
}
job::/sandbox/tom {
  if (service fqnMatch "service::/sandbox/tom") {
    permit bind
  }
}
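The handshake above can be modelled to check which side of a binding is missing its permit. This Python example is added here and is not Apcera code or part of the original documentation. It assumes that a realm rule covers the named realm and its descendants and that fqnMatch matches the given realm or anything beneath it; the function names and the sample FQNs are constructed for illustration.

```python
# Simplified model of the two-way bind handshake (not Apcera's policy engine).
# Assumption: a realm rule applies to the named realm and its descendants, and
# fqnMatch is treated as a match on that realm or anything beneath it.

def in_realm(fqn, realm):
    """True if fqn is the realm itself or a descendant of it."""
    rtype, _, rpath = realm.partition("::")
    ftype, _, fpath = fqn.partition("::")
    if rtype != ftype:
        return False
    rpath = rpath.rstrip("/")
    # Compare on a path boundary so /sandbox/tommy is not inside /sandbox/tom.
    return fpath == rpath or fpath.startswith(rpath + "/")

# Constructed policy mirroring the two blocks above:
# (realm the rule lives in, pattern the peer must match for "permit bind").
POLICY = [
    ("service::/sandbox/tom", "job::/sandbox/tom"),
    ("job::/sandbox/tom", "service::/sandbox/tom"),
]

def side_permits(policy, resource, peer):
    """Does any rule in the resource's realm permit bind with this peer?"""
    return any(in_realm(resource, realm) and in_realm(peer, pattern)
               for realm, pattern in policy)

def missing_permits(policy, job, service):
    """List the sides ("service", "job") that do not permit the binding."""
    missing = []
    if not side_permits(policy, service, job):
        missing.append("service")
    if not side_permits(policy, job, service):
        missing.append("job")
    return missing

def can_bind(policy, job, service):
    """The binding is allowed only when both sides permit it."""
    return not missing_permits(policy, job, service)

if __name__ == "__main__":
    print(can_bind(POLICY, "job::/sandbox/tom/app", "service::/sandbox/tom/db"))
    # With only the service-side rule present, the job side blocks the bind.
    print(missing_permits(POLICY[:1], "job::/sandbox/tom/app", "service::/sandbox/tom/db"))
```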
Service policy example 2
The following policy block gives tom all controls on the service::/sandbox/tom realm and all descendant realms.
service::/sandbox/tom {
  if (auth_server@apcera.me->name == "tom") {
    permit all
  }
  if (permit == "all") {
    permit create, read, update, delete
    permit bind
  }
  if (permit == "all" && job fqnMatch "job::/sandbox/tom") {
    permit bind
  }
}
The last rule indicates that jobs in the realm job::/sandbox/tom can bind to services in the service::/sandbox/tom realm.