Common Web Console Tasks

This page describes how to perform common management tasks with the web console.

Creating Jobs

You can create the following types of jobs in the web console:

Creating a job from a Docker image

By default, Docker images are assumed to be available on the public Docker hub. You can also specify the URL of a private Docker registry and authentication credentials to access it. If the Docker image requires a volume for persistence, you can optionally specify an NFS provider to use to create the volume.

To create a job from a Docker image:

  1. Select Launch > Docker Image from the left navigation.

    You can also click Launch Docker Image on the main Apps view.

  2. In the Launch Docker Image form, click one of the suggested public Docker images, or enter the repository and name of the desired Docker image (for example, apcerademos/nats-ping).

  3. In the App from Docker Image form, enter a name for the application (or use the generated name), select a namespace, and select whether you want the app to start immediately upon creation.

  4. Configure advanced options for app creation:

    • Registry URL, Username and Password – If the Docker image you want to use is hosted on a private registry, provide the registry URL and authentication credentials.
    • Volume Provider FQN – If the Docker image you are deploying to the system specifies or requires a persisted volume, you can bind the Docker job to an NFS provider and get native volume support. By default, the job is configured to ignore Docker volumes (see Using Docker persistence for details).
    • Specify RAM, Disk, CPU, Network (floor), and Netmax (ceiling) resources to allocate to your application.
  5. Click Submit. A dialog displays the progress of downloading the Docker image layers and creating the application.

    When complete, the web console displays the details page for the newly created job.

Deploying a multi-resource manifest

You can upload a multi-resource manifest using the web console. A multi-resource manifest lets you create and configure multiple jobs in a single operation. Also see the Creating Apps from Docker Images tutorial and video on the Apcera Developer site.

To deploy a multi-resource manifest:

  1. Select Launch > Manifest from the left navigation.

  2. Drag and drop your manifest file on the Upload Manifest form, or click Browse to locate it.

  3. Click Upload.

    A dialog shows the progress of the manifest upload and app creation process.

Creating a capsule

You can use the web console to create a capsule from an OS package, such as Ubuntu. Also see the Using Capsules to Quickly Create Custom Computing Environments tutorial.

To create a capsule running Ubuntu:

  1. Select Launch > Capsule from the left navigation.

    You can also click Create Capsule on the main Capsules view.

  2. Click Ubuntu 14.04 to create a capsule running that OS, or select a package.

  3. In the Create New Capsule form, enter a name for the capsule and select a namespace. Optionally, enable the Allow Egress option so you can install custom packages into the capsule manually with apt-get or other means.

  4. To customize job resources, click Show Advanced and enter custom values for RAM, Disk, CPU, Network (floor), and Netmax (ceiling).
  5. Click Submit to create the capsule.

    If you allowed egress on the capsule when you created it, you can now SSH into the capsule using APC, for example:

       apc capsule connect myubuntu
       root@ip-169-254-0-7:/root#
    

Managing Jobs

You can manage jobs using the web console, including starting and stopping jobs, adding routes to jobs, and binding jobs to services. The following lists common job management tasks you can perform with the web console.

Listing jobs

The Jobs section of the left navigation menu contains menu items to list All jobs, list only Apps, or list only Capsules.

You can sort the job table by clicking a row heading, filter the list to only show jobs in a particular namespace, and filter the list by entering a search term.

  • To view details about a job, click its name in the list.
  • To delete a job, hover your mouse over the job's table row and click the x that appears in the right margin.
  • To filter the list of jobs, use the namespace navigator or filter on table data.

Viewing job details

Clicking a job name opens the job's details view. The Summary tab displays summary information about the job such as its name, fully-qualified name (FQN), status and job health information, and job resource usage.

The Info box displays the following general information about the job:

  • Job Type – The job type (for example, app, capsule, or stager).
  • FQN – The job's fully-qualified name.
  • Created by – Principal name of the user who created the job.
  • Allow SSH – Controls whether SSH access to job instances is allowed (see Controlling SSH access).
  • Allow Egress – Controls whether job instances have outbound network access (see Controlling network access).
  • Restart Mode – Restart behavior for instances: Always restart, Never restart, or only restart On Failure.
  • Labels – Create, edit or delete labels assigned to the job (see Managing job labels).

The Status box displays status and health information for the job's instances:

  • State - The job's current state.
  • Status - Possible values are OK or Warning.
  • Running Instances - The number of instances currently running the job.
  • Expected Instances - The number of expected instances (see Adding or removing job instances).
  • Health Score - The ratio of running job instances to requested instances. A ratio of less than zero puts the job in a warning status.
  • Flapping - A job is considered to be in a flapping state if it has failed three times in 5 minutes.

The Resources box displays the total resources (CPU, disk, RAM, and network) being used by the job, and the average usage per job instance.

  • Usage/Avg. Usage - Current usage by the job and its average usage per instance.
  • Reservation - Amount of resource allocated to the job and to each job instance.
  • Quota - The resource quotas assigned to the job and each job instance.

Starting, stopping, and deleting jobs

A job's details view contains controls to start, stop and delete jobs.

  • Click Start to start a stopped job.
  • Click Stop or Restart to stop or restart a started job.

When stopping or restarting a job, you are asked to confirm your action.

To delete a job, click Delete and then click Yes in the confirmation dialog to complete the action, or click No to cancel.

Adding and removing instances

You can increase or decrease the number of instances of a job you would like to run.

To change the number of instances running a job:

  1. On the Summary tab of the job details view, click the edit control next to the Expected Instances field.
  2. Enter the number of instances you would like to run:

  3. Press enter or click the check mark to save your changes, or click the X to cancel the change.

Updating the number of requested job instances temporarily puts the job into a warning state until the number of running instances equals the number of requested instances.

Managing job labels

The Labels section on the job details Summary tab lets you create, edit and delete job labels.

To create a job label:

  1. On the Summary tab of the job details view, click the + button in the Labels section.
  2. Enter the label name and value into the form and click Submit.

To edit a label's name or value:

  1. Click the job label's name or value to edit.
  2. Type the new name or value and press enter, or click the check mark to save changes.

To delete a label:

  • Hover your mouse over the label and click the X that appears.

Controlling SSH access

To allow SSH access to job instances, check the Allow SSH checkbox; to disallow SSH, uncheck the checkbox. You must restart the job for the change to take effect.

Controlling network egress

By default, job instances cannot make outbound network connections. To allow all outbound network connections, check the Allow Egress checkbox, or uncheck the option to disable network egress. You must restart the job for the change to take effect.

View a job's environment information

To view information about a job's runtime environment, click the Environment tab on the job's details view.

The Info section contains the following information:

  • Process – Name of process used to run job.
  • Staging Pipeline – The staging pipeline used to deploy the job workload.
  • Start Command – The command used to start the job.
  • Start Timeout – The number of seconds to wait for the start command to complete. Click the field to edit its value.
  • Stop Command – The command used to stop the job.
  • Stop Timeout – The number of seconds to wait for the stop command to complete. As with Start Timeout, click the field to edit its value.

Viewing a job's environment variables

The Environment Variables section lists the environment variables assigned to the job (Environment section) and an aggregated list of environment variables assigned to the job's required packages (Package Environment).

Click a package environment variable value to open the Package details for the package to which the environment variable is assigned.

Listing packages used by a job

To see what packages are being used by a job, click the Environment tab on the job details view. The Packages section lists the packages being used, their namespaces, and sizes.

For example, in the following screenshot the job being shown consists of three packages: the application package (myblog), an Nginx package (nginx-1.6.0-apc1), and an Ubuntu package (ubuntu-14.04). Click a package name to open its details view.

Listing and deleting job instances

The Instances section of the job details Environment tab lists the job instances currently running, each instance's state, the instance manager managing the instance, the data center where the instance is running, and the instance's uptime.

To delete an instance, hover your mouse over the instance's table row and click the X that appears in the right margin. The system will attempt to start a new instance automatically, according to the number of requested job instances (see Adding and removing job instances).

To view details about an instance manager running a given instance, click the instance manager's name to open its details view.

Viewing job resources

The Resources tab on the job details view displays graphs of CPU, RAM, disk, and network resource usage for the selected time period. For each resource type a graph displays the current usage (purple line), reserved resource amount (gray line), and 90% of the reserved resource (dashed gray line). Use the drop-down menu to change the time period for which resource usage is graphed.

You can create and delete job links on the Connections tab of the job details view. Note that the source job must be stopped before you can add a job link to a target job.

To create a job link:

  1. Click the Connections tab on the source job's details view.
  2. In the Job Links section click Add Link.

    Note: A job must be stopped before you can add a job link.

  3. In the Target Job field, select or enter the fully-qualified name of the job to link to.
  4. Enter a name for the job link in the Name field. This determines the name of the environment variable set on the source job instance.
  5. Select the port on the target job to link to from the Port pop-up menu.
  6. (Optional) In the Bound IP field, enter the IP address that the source job should use to connect to the target job.
  7. (Optional) In the Bound Port field, enter the port that the source job should use to connect to the target job.
  8. Click Submit to create the job link.

To delete a job link:

  • Hover your mouse over the job link to delete and click the X that appears in the right margin.

Manage service bindings

You can create and delete a job's service bindings on the Connections tab of the job details view.

To create a service binding:

  1. Click the Connections tab on the source job's details view.
  2. In the Service Bindings section click Add Service Binding.
  3. Select the service to bind to from the Services pop-up menu.
  4. Enter a name for the binding in the Name field. This determines the name of the environment variable set on the source job instance.
  5. In the Parameters section enter any parameter names/values expected by the service (optional). Click the add + button to create new parameters.
  6. Click Submit to create the binding.

To delete a service binding:

  • Hover your mouse over the service binding to delete and click the X that appears in the right margin.

Manage routes and ports

You can use the web console to manage ports exposed on a job, as well as manage job routes.

To expose a port on a job:

  1. Click the Connections tab on the job's details view.
  2. In the Ports page section, click Add Port.
  3. In the Number field, enter the port number to expose.
  4. To include the port in system health checks, check the Include In Health Check option.
  5. Click Submit to expose the port.

To delete a port:

  • Hover your mouse over the port to delete, then click the X that appears in the right margin.

To create a route:

  1. Click the Connections tab on the job's details view.
  2. In the Routes section, click Add Route.
  3. In the Endpoint field enter the desired HTTP route (for example, "foo.bar.apcera-platform.io").
  4. In the Weight field enter the proportion of traffic delivered to this route, normalized across all apps sharing the route.
  5. From the Port menu, select an exposed port where the route will be mapped to. Select 0 to have a port selected automatically and exposed to the container in the PORT environment variable.
  6. Click Submit.

To open a route's URL in a web browser:

  • Click the icon next to the route URL.

To delete a route:

  • Hover your mouse over the route to delete, then click the X that appears in the right margin.

Joining a job to a network

You can use the web console to manage a job's membership in a virtual network. Note that a job can only be joined to a single network at a time.

To join a job to a network:

  1. Click the Connections tab on the job's details view.
  2. In the Networks section, click Join Network. If you don't see this button it means that the job is already joined to a network. If you want to join the job to another network, you must first remove it from the current network (see below).
  3. In the Join Network form, select the FQN of the network to join.
  4. Click Submit.
  5. A confirmation dialog lets you know that the job must be restarted to join the network. Click Yes to confirm or No to cancel.

To remove a job from a network:

  • Hover your mouse over the joined network, then click the X that appears in the right margin.

You can also create networks using the web console.

Managing scheduling tags and job affinities

You can use the web console to manage job scheduling tags and job affinities. Job scheduling tags let you specify whether a job with a given tag should run (or should not run) on a particular instance manager with the same tag. Job affinity lets you specify if a job should run (or should not run) on the same instance manager as a target job.

A scheduling tag or job affinity can "attract" a job to a matching IM, or "repel" a job from a matching IM. In addition, scheduling tags and job affinities can be "hard" or "soft". A hard affinity or scheduling tag means only instance managers running the target job, or with a matching scheduling tag, can run (or can't run) the job. In contrast, a soft affinity or scheduling tag means that Apcera will make a best effort to run (or not run) the job on the matched IM, but the job will be able to run on other instance managers if none satisfying this criterion are available, or those that do are sufficiently loaded.

To create an affinity with another job:

  1. Click the Scheduling tab on the job's details view.
  2. In the Job Affinity section, click Add Tag.
  3. In the New Affinity Tag form, select the affinity requirement, soft or hard, and the affinity type, attract or repel.
  4. In the Target Job FQN field, enter or select the FQN of the target job.
  5. Click Submit. You will need to restart the job for the affinity to take effect.

To add a scheduling tag to a job:

  1. Click the Scheduling tab on the job's details view.
  2. In the Target field enter the tag to associate with the job.
  3. In the Instance Manager Scheduling section, click Add Tag.
  4. In the Add New Tag form, select the scheduling requirement type, soft or hard, and the scheduling affinity type, attract or repel.
  5. Click Submit. You will need to restart the job for the scheduling tag to take effect.
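
The hard/soft and attract/repel rules described above can be modelled as a filter followed by a ranking. The following is an added example, not Apcera's scheduler code: the Rule and InstanceManager classes, the candidates function, and the sample cluster are hypothetical, and instance manager load is ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A scheduling tag or job affinity attached to the job being placed."""
    kind: str      # "tag": compared with IM scheduling tags; "affinity": compared with jobs on the IM
    target: str    # tag name, or FQN of the target job
    hard: bool     # True = hard requirement, False = soft (best effort)
    attract: bool  # True = attract, False = repel


@dataclass(frozen=True)
class InstanceManager:
    name: str
    tags: frozenset = frozenset()
    jobs: frozenset = frozenset()  # FQNs of jobs already running on this IM


def matches(rule, im):
    """True if the IM carries the rule's tag or runs the rule's target job."""
    return rule.target in (im.tags if rule.kind == "tag" else im.jobs)


def satisfied(rule, im):
    """Attract rules want a match; repel rules want no match."""
    return matches(rule, im) == rule.attract


def candidates(rules, ims):
    """Return IM names that may run the job, most preferred first.

    Hard rules filter: an IM that violates any hard rule is excluded.
    Soft rules rank: IMs satisfying more soft rules come first, but the
    others remain as fallbacks. An empty list means the hard rules leave
    no instance manager that can run the job.
    """
    eligible = [im for im in ims
                if all(satisfied(r, im) for r in rules if r.hard)]

    def soft_score(im):
        return sum(satisfied(r, im) for r in rules if not r.hard)

    # sorted() is stable, so ties keep the cluster's original order.
    return [im.name for im in sorted(eligible, key=soft_score, reverse=True)]


# Constructed sample cluster (names, tags and FQNs are made up).
IMS = [
    InstanceManager("im-a", frozenset({"ssd"}), frozenset({"job::/sandbox/demo::db"})),
    InstanceManager("im-b", frozenset({"ssd", "gpu"})),
    InstanceManager("im-c", frozenset(), frozenset({"job::/sandbox/demo::cache"})),
]

if __name__ == "__main__":
    # Must run on an "ssd" IM; prefers not to share an IM with the db job.
    print(candidates([Rule("tag", "ssd", True, True),
                      Rule("affinity", "job::/sandbox/demo::db", False, False)], IMS))
    # Hard attract to a tag no IM carries: nothing is eligible.
    print(candidates([Rule("tag", "fpga", True, True)], IMS))
    # The same tag as a soft attract: every IM remains a fallback.
    print(candidates([Rule("tag", "fpga", False, True)], IMS))
```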

Tailing job logs

To tail a job's logs, click Logs on the job's details view. By default, new log items are streamed to the console as they are created. Click Pause Stream to stop log tailing. Use the drop-down to change the number of log lines displayed.

View policy that applies to a job

The Policy tab on the job details view lists each policy document that contains policy that applies to the current job and the job's parent namespaces, and the relevant policy from each document.

Click a policy document from the list to open it for editing in the policy editor.

View job audit logs

The Audit tab on the job details view displays auditable events that were recorded for the job.

Managing Packages

You can use the web console to list packages on the cluster and view details about a package. You can create, edit and delete environment variables on a package.

List available packages

To view available packages, click Packages in the navigation. The Packages tab displays the packages in the currently selected namespace, including each package's name, namespace, state, and size in MB. Click a package name to open its details view.

View policy on packages

The Policy tab on the Packages view lists policy documents that define policy for all packages. To open a policy document in the policy editor, click its name.

View package audit logs

The Package tab on the main packages view displays auditable events for all packages.

View package details

A package's details view displays the following information for the package:

  • Basic information including the package's fully-qualified name (FQN), UUID, user who created the package, and date the package was created and last updated.
  • An editable list of environment variables assigned to the package. See Editing package environment variables.
  • A list of dependencies that the package provides and a list of packages that it requires.
  • A list of jobs that use the package.

Managing package environment variables

You can create, edit, and delete a package's environment variables in the Web Console. A package's environment variables are inherited by any jobs that use the package.

To add a new environment variable:

  1. Click Add Environment Variable in the Environment Variables section.
  2. Enter the environment variable name and value in the form that appears.
  3. Click Submit to add the environment variable.

To edit a package's environment variables:

  1. Click the environment variable's value to enter edit mode.
  2. Enter the new value for the environment variable.
  3. Press the Enter key to save your changes, or click the check box in the edit mode overlay. To cancel the changes, click the X in the edit mode overlay, or click away from the input field.

To delete a package environment variable:

  1. Hover your mouse over an environment variable.
  2. Click the X that appears in the right margin to delete the variable.

Managing Providers

You can manage the providers in your cluster using the web console.

List available providers

To view a list of providers on your cluster, click Providers in the left-hand navigation. The Providers tab lists each provider's name, namespace, service type, and description. To view details for a provider, click its name.

View provider details

The Info section of the provider details view shows the provider's Name, Namespace, Type, and Description. If the provider is running as a job within the cluster (rather than an external service), the Backing Job field displays the name of the backing job and provides a link to the job's details view.

The Services using this provider section lists any services that use the provider. For example, the following screenshot shows that the selected provider (mysql) is being used by three services. Click a service name to open its details page.

Registering and deleting providers

You can use the web console to register new providers and delete existing providers.

To register a provider:

  1. Click Providers in the left navigation.
  2. Click Create Provider to open the Add a Provider form.
  3. In the Name field enter a name for the provider.
  4. In the Namespace field type or select the namespace where the provider will be created.
  5. In the Type field enter or select a type.
  6. In the URL field, enter the provider's administrative connection information (for example, postgres://admin:password@example.com:5432).
  7. If the provider is an internal job on the Apcera cluster, do the following:
    • In the Backing Job FQN field select the appropriate backing job.
    • In the Backing Job Port field enter the port to use to connect to the backing job.
  8. Optionally, enter a description.
  9. Click Submit.

To delete a provider:

  • Hover your mouse over the list of available providers, and click the X that appears in the right margin.

View policy that applies to a provider

The Policy tab on a provider's details view lists all policy documents that apply to the provider's FQN and the provider's parent namespaces.

Click a policy document from the list to open it for editing in the policy editor.

View provider audit logs

The Audit tab on the policy details view displays auditable events that were recorded for the provider.

Managing Services

You can use the web console to manage your cluster's services. You can list services, create and delete services, view policy on services, and view audit log entries related to services.

List available services

To view a list of services on your cluster, click Services in the left-hand navigation, then click the Services List tab. The list includes each service's name, namespace, type, provider (if it uses a provider), and description. To view details for a service, click its name.

View service details

To view details for a service, click its name in the main service list. The Service Info section displays the service's FQN, UUID, type, and provider (if it uses a provider).

The Bound Apps section lists the applications that are bound to the service. Click the name of a bound app to open its job details view. To bind the service to another job, click Add Binding to open the Add New Binding form. Specify the FQN of the job to bind to, the binding name, and optionally any parameters expected by the service binding.

Creating and deleting services

You can create and delete services from the web console.

To create a service:

  1. On the services list view, click Create Service.
  2. Enter the service's name in the Name field.
  3. Enter or select the service's namespace in the Namespace field.
  4. From the Type menu, select the service type.
  5. Select a provider from the Provider menu.
  6. Optionally, provide a description of the service.
  7. Click Submit.

To delete a service:

  • Open the service's details page and click Delete.

Managing Gateways

You can use the web console to manage your cluster's service gateways. You can list available service gateways, promote an existing job to a service gateway, and view policy on service gateways.

List service gateways

To view a list of service gateways on your cluster click Gateways in the left-hand navigation. The Gateway tab lists the following information for each service type:

  • Status – Service gateway's status.
  • Service Type – String that identifies the type of service the service gateway provides.
  • Namespace – Service gateway's namespace.
  • Services – Number of services provisioned by the service gateway.
  • Providers – Number of providers registered with the service gateway.
  • Instances – Number of expected instances of the service gateway versus the number actually running.

View gateway details

To view details for a service gateway, click its name in the list of service gateways.

  • The Info section displays the gateway's FQN, UUID, and principal name of the user who created the gateway. Click the gateway's FQN to view details for the service gateway job.
  • The Providers section lists the providers registered with the service gateway. Click a provider name to view its details. The Services column lists the number of services provisioned on the provider.
  • The Services section lists the services provisioned by the service gateway. Click a service name to view its details. The Provider column lists the name of the provider upon which the service is provisioned.

Promoting a job to a service gateway

You can promote a job that implements the Service Gateway API to a provider.

To promote a job to a service gateway:

  1. Click Gateways in the left navigation.
  2. Click Promote Job to Gateway.
  3. Select the FQN of the job to promote from the Job to Promote combo box.

  4. In the Gateway Type field enter the service type that the gateway will handle.
  5. Click Submit.

Managing Clusters

The web console's Cluster view lets you view cluster statistics such as resource usage, the number of instance managers, started jobs, and total instances running on the cluster. You can also list the data centers the cluster is running on.

View cluster statistics and resource usage

The Info section on the cluster view displays the number of instance managers, started jobs, and running instances on the cluster.

The Data Centers box lists the data centers that the cluster is operating in, and the number of instance managers running in each data center. The purple Instances bar represents the ratio of the number of instances running in the data center to the total number of instances running in the cluster.

The Resources section displays the cluster's RAM and disk usage. Capacity (gray line) indicates the total amount of RAM or disk space available to the cluster. Reservation (purple line) indicates the amount of RAM and disk reserved by jobs running on the cluster. The dotted gray line indicates 90% of capacity.

List instance managers

To view a list of instance managers on the cluster, click the Instance Managers tab on the Clusters view. The list includes each instance manager's name, the data center it's running in, the number of instances it's managing, its uptime, and any scheduling tags attached to the instance manager.

Click an instance manager name to open its details view.

View instance manager details

Selecting an instance manager (IM) opens its details view, which displays basic information about the IM including its uptime, number of instances, and resource usage stats and graphs. To view instances running on the instance manager, click the Instances tab.

List instances running on an instance manager

To view a list of instances managed by a given instance manager, click the Instances tab on the instance manager details view. Each list item includes the instance's associated job, job namespace, and resource usage. Click the Job Name field to open the details view for the instance's associated job.

Managing Routes

You can use the web console to view all routes defined on a cluster, view jobs assigned to a route, and add/delete jobs from a route.

List all routes

To view a list of all routes defined on the cluster, click Routes in the left navigation. Each list item displays the route type (HTTP or TCP), the route's endpoint, a list of jobs that use the route, and the number of requests-per-second and errors-per-second reported by the Apcera system router on that route.

  • To list jobs on a route, click the route endpoint.
  • To open the route's endpoint in a new browser window, click the icon to the right of the route endpoint.

You can add and remove job routes on the job details page.

List jobs on a route

To list jobs that use a route, click the route endpoint on the main list of routes. For example, the following screenshot shows two jobs assigned to the selected route, continuum-guide and website3.

Managing Networks

You can use the web console to manage your cluster's networks. You can list available networks, create and delete networks, and add or remove jobs from a network.

List networks

To list existing networks on a cluster, click the Networks menu in the left navigation. The list includes each network's name, namespace, assigned subnet, and number of jobs that have joined the network.

View network details

The network Details tab displays the FQN, subnet, netmask, and IP range for jobs in the network. It also lists the jobs that belong to the network and the IPv4 address assigned to each job.

You can join jobs to a network or remove them from it in the network details view. You can also do this from the Connections tab of the job details view.

To join a job to the network:

  1. Click Add Job on the network details view.
  2. Enter the target job's FQN and click Submit. You must restart the job to add the job to the network. Click Yes to confirm job restart.

To remove a job from a network:

  • Hover your mouse over the job you want to remove, then click the X in the right margin.

Create and delete networks

You can create and delete networks in the web console.

To create a network:

  1. Click Network in the left navigation.
  2. Click Create Network.
  3. In the Name field enter the network name.
  4. In the Namespace field enter or select the namespace where the network should be created.
  5. Optionally, enter a description.
  6. Click Submit.

To delete a network:

  1. Click Network in the left navigation.
  2. Hover your mouse over the network to delete, then click the X in the right margin.

Viewing Audit Logs

The Audit Log view displays all changes to the system made through a user-accessible endpoint (for example, APC, Web Console, or direct API call). The main Audit view (accessible by clicking Audit in the left navigation) displays all audit log items and event types (job.create or package.update for example). Each log item contains the following fields:

| Field | Description |
| --- | --- |
| Date/time | Time when the action was initiated (server UTC time). |
| Event Type | A string representation of the event type consisting of the resource type and action (for example, job.update or package.delete). See Audit log event types for a full list of event types. |
| User | Principal name of user who initiated the action. |
| Resource Type | Type of resource affected by the action. |
| Namespace | Namespace of the affected resource. |
| Local Name | Local name of the affected resource. |

You can filter your queries by the FQN (resource type, namespace, and local name) of the audited item, by event type, and by date range. You can also paginate through query results. For example, the following uses APC to query for job.update audit log items generated on October 11, 2016 for the job::/sandbox/admin::mycap resource:

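The same filter applied offline to constructed records, as an added example (not Apcera's code or export format). The dict layout, function names, user name and newest-first ordering are assumptions; it shows how the FQN splits into the three fields and why a one-day query is best expressed as a half-open range in UTC.

```python
from datetime import datetime, timedelta, timezone

def parse_fqn(fqn):
    """Split 'job::/sandbox/admin::mycap' into (resource type, namespace, local name)."""
    parts = fqn.split("::")
    if len(parts) != 3 or not all(parts) or not parts[1].startswith("/"):
        raise ValueError(f"not a full FQN: {fqn!r}")
    return tuple(parts)

def parse_utc(stamp):
    """Audit timestamps are server UTC time; keep them timezone-aware."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def utc_day(year, month, day):
    """Half-open [start, end) range covering one calendar day in UTC."""
    start = datetime(year, month, day, tzinfo=timezone.utc)
    return start, start + timedelta(days=1)

def make_item(stamp, event, fqn, user="admin"):
    rtype, namespace, name = parse_fqn(fqn)
    return {"time": stamp, "event": event, "user": user,
            "type": rtype, "namespace": namespace, "name": name}

# Constructed records for illustration only (layout and user name are assumptions).
SAMPLE_ITEMS = [make_item(*row) for row in [
    ("2016-10-10T23:59:59Z", "job.update", "job::/sandbox/admin::mycap"),
    ("2016-10-11T00:00:00Z", "job.update", "job::/sandbox/admin::mycap"),
    ("2016-10-11T09:15:00Z", "job.update", "job::/sandbox/admin::mycap"),
    ("2016-10-11T09:20:00Z", "job.update", "job::/sandbox/admin::app2"),
    ("2016-10-11T12:00:00Z", "package.update", "package::/sandbox/admin::mycap"),
    ("2016-10-11T23:59:59Z", "job.update", "job::/sandbox/admin::mycap"),
    ("2016-10-12T00:00:00Z", "job.update", "job::/sandbox/admin::mycap"),
]]

def query(items, fqn=None, event_type=None, start=None, end=None, page=1, per_page=2):
    """Return (one page of matching items, total matches), newest first."""
    want = parse_fqn(fqn) if fqn else None
    hits = [it for it in items
            if (not want or (it["type"], it["namespace"], it["name"]) == want)
            and (not event_type or it["event"] == event_type)
            and (not start or parse_utc(it["time"]) >= start)
            and (not end or parse_utc(it["time"]) < end)]  # end is exclusive
    hits.sort(key=lambda it: parse_utc(it["time"]), reverse=True)
    first = (page - 1) * per_page
    return hits[first:first + per_page], len(hits)

if __name__ == "__main__":
    rows, total = query(SAMPLE_ITEMS, "job::/sandbox/admin::mycap", "job.update", *utc_day(2016, 10, 11))
    print(total, [r["time"] for r in rows])
```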

Each auditable resource (job, network and so forth) has its own Audit tab that only shows log items for that resource. For instance, the following shows the Audit tab for the job named app2. In this case, the resource type, namespace and local name fields are not shown.


Viewing audit log payloads

In addition to the standard audit log item fields (Date and Event Type, for example), some audit log items have a payload field that provides further information about the log item. To view an item's payload details, click the item in the Audit view. The following shows the details for an audit log item that was generated when SSH access was removed from the corresponding job (for example, by running apc job update nats-client --remove-ssh).


The Changes field indicates which properties were removed from the job object's JSON representation and which properties were updated, including the old and new values. Deleted properties and old values are displayed in red text; new properties and new values are displayed in green text. The following details show new properties that were added to a job for which network egress was enabled (with apc app update nats-client --allow-egress, for example).


Managing Policy

The Policy view lists all policy documents in your cluster. You can create and edit policy documents using the policy editor or upload policy files from your local system. The Data Tables tab lets you easily view and manage the rows of data defined by a policy variable document.

To read or update a policy document, a user must have permissions to read (or update) each realm declared in the policy document (see Policy on Policy Examples).

List policy documents

The list of policy documents displays each policy document's name, version number, timestamp for when the policy document was last updated, and name of the user who made the last update. Click a policy document's name in the list to open the policy in the editor.

Click the Realms tab to view policy on specific realms. Click Audit to view an audit log of changes to policy documents.

Policy document list

Viewing policy on realms

The web console lets you view policy defined on any combination of resource type and namespace. Policy is displayed for the currently selected namespace and all parent namespaces.

To view policy on a realm and namespace:

  1. On the main Policy view, click Resource Types.
  2. Select the resource type and namespace to view policy for.

    Each policy document that contains policy for the selected resource type and namespace (and parent namespaces) is listed, along with the relevant policy defined in each document. Click a document name to open it for editing (see Managing policy documents).

    Policy document list

Creating and editing policy documents

You can use the Web Console's built-in policy editor to create or edit policy documents, or upload documents from your local system. The policy editor validates that the policy you enter follows policy syntax rules and reports any syntax errors.

To create a new policy document using the policy editor:

  1. Click Create in the Policy view.
  2. Enter a name for the new document. The name may contain only letters, numbers, underscores, and hyphens.
  3. Enter policy rules in the editor and click Apply Changes. The editor reports any syntax validation errors in the document.

    Policy editor

To upload a new policy document from your local file system:

  1. Click Upload, locate the policy document to upload and click Open.
  2. Enter a valid name for the policy document or use the default name taken from the file name. Valid names contain only letters, numbers, underscores, and hyphens.
  3. Click Apply to validate and upload the new policy document. If the document is invalid the console displays an error.

To edit a policy document:

  1. Click the policy to edit on the main Policy view.
  2. Click Edit policy to open the policy document in edit mode.
  3. Make desired changes to the document, then click Apply Changes. If the policy syntax is invalid the console displays an error.

To delete a policy document:

  1. Click the policy document to delete on the main Policy view.
  2. Click Delete then click the confirmation button.

Managing Policy Data Tables

The Data Tables view presents a policy variable's data rows in a filterable, tabular format. Policy variables allow you to separate policy rules from the data those rules operate on. See Administering Policy Variables and Data Tables for more information.