Job Policy Examples
This section provides policy examples for granting users permissions on job resources.
Note the following:
- To allow linking between two jobs, there must be a
permit linkclaim on both the source job and the destination job. - To allow a job to bind to a service, there must be a
permit bindclaim on both the job and service. - To allow a job to join a virtual network, there must be a
permit joinclaim on both the job and the network resource. - See also the package resolution policy example.
- Job promotion requires permission on the job and the gateway resources.
Available permissions for job resources
The following system policy defines all permissions available for resources in the job::/ realm and its descendants.
job::/ {
if (permit == all) {
permit create, read, update, delete
permit start, stop, map, ssh, link, promote, bind
}
}
Policy example
The following policy grants all allowable permissions to the named user tom on job resources in the /sandbox/tom namespace (in other words, on resources in the job::/sandbox/tom realm).
job::/sandbox/tom {
if (auth_server@apcera.me->name == "tom") {
permit all
}
if (permit == all) {
permit create, read, update, delete
permit start, stop, promote
permit map, link, bind, ssh
}
}
The following policy grants only CRUD permissions to a named user on job resources in the sandboxed namespace. The policy identifies the user by the username that is assigned by policy on the Auth Server resource when the access token is created.
job::/sandbox/bob {
if (auth_server@apcera.me->name == "bob") {
permit create, read, update, delete
}
}