Default Policies

Apcera Platform provides several default policies that are stored in policy documents in the root / namespace of the cluster.

The following table summarizes the default policy provided in the system.

Policy Document          Description
authSettings.pol         Auth token timeout; default is 24 hours.
clusterPermissions.pol   Establishes the available consequent claim types and values (permissions) for each resource type. System-defined.
component.pol            System-defined permissions to update system jobs and packages. Reserved for internal use.
packageResolution.pol    Default settings for package resolution.
quotas.pol               Default quota limit for package size (2 GB).
rolePermissions.pol      Creates the admin role and maps all cluster permissions to it. System-defined.

The default policies marked System-defined above (clusterPermissions.pol, component.pol, and rolePermissions.pol) should not be modified; any changes to them are overwritten on cluster update. Note that the Community Edition may include additional policies not documented here.

Auth token timeout

The authSettings.pol policy document contains the policy that sets the auth token timeout for each token type; the HTTP token timeout defaults to 24 hours (86400s).

Apcera Platform release 2.2 and later

// This policy is initialized on a new cluster, but can be edited after deployment.

on auth::/oauth2/http {
    {tokenTimeout "86400s"}
}

on auth::/oauth2/nats {
    {tokenTimeout "1200s"}
}

on auth::/oauth2/apptoken {
    {tokenTimeout "1800s"}
}

Apcera Platform release 2.0 and earlier

// This policy is initialized on a new cluster, but can be edited after deployment.

on auth::/oauth2/http {
    {tokenTimeout "86400s"}
}

on auth::/oauth2/nats {
    {tokenTimeout "1200s"}
}
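The token timeouts above are the one part of the default policy set that operators are expected to edit, so they are worth checking as part of a routine configuration review. The following script is an added example, not part of the Apcera documentation or product: it extracts every tokenTimeout claim from a policy text in the form shown above and flags any realm whose timeout exceeds a limit you set, or that is missing altogether (the release 2.0 form, for instance, has no apptoken realm). The sample policy text is constructed from the blocks on this page, and the MAX_TIMEOUT limits are this example's own assumptions, not values Apcera documents.

```python
import re

# Constructed sample mirroring the release 2.2 authSettings.pol shown on this page;
# it is not a copy of a live cluster's policy file.
AUTH_SETTINGS_POL = """
// This policy is initialized on a new cluster, but can be edited after deployment.

on auth::/oauth2/http {
    {tokenTimeout "86400s"}
}

on auth::/oauth2/nats {
    {tokenTimeout "1200s"}
}

on auth::/oauth2/apptoken {
    {tokenTimeout "1800s"}
}
"""

# Assumed upper bounds per token realm, in seconds. These are this example's own
# review limits, not limits that Apcera documents or enforces.
MAX_TIMEOUT = {
    "auth::/oauth2/http": 86400,      # at most one day for HTTP sessions
    "auth::/oauth2/nats": 3600,
    "auth::/oauth2/apptoken": 3600,
}

# Matches one `on <realm> { {tokenTimeout "<n>s"} }` block as written on this page.
BLOCK_RE = re.compile(r'on\s+(\S+)\s*\{\s*\{tokenTimeout\s+"(\d+)s"\}\s*\}', re.S)


def parse_token_timeouts(policy_text):
    """Return {realm: timeout_seconds} for every tokenTimeout claim in the text.

    Comment lines (// ...) are dropped first so a commented-out block is never
    mistaken for an active one."""
    active = "\n".join(
        line for line in policy_text.splitlines()
        if not line.lstrip().startswith("//")
    )
    return {realm: int(secs) for realm, secs in BLOCK_RE.findall(active)}


def audit_token_timeouts(policy_text, limits=MAX_TIMEOUT):
    """Return (realm, configured_seconds, limit_seconds) for every realm whose
    timeout exceeds its limit; configured_seconds is None when the realm has no
    tokenTimeout claim in the policy at all."""
    configured = parse_token_timeouts(policy_text)
    findings = []
    for realm, limit in limits.items():
        if realm not in configured:
            findings.append((realm, None, limit))
        elif configured[realm] > limit:
            findings.append((realm, configured[realm], limit))
    return findings


if __name__ == "__main__":
    for realm, secs in parse_token_timeouts(AUTH_SETTINGS_POL).items():
        print(f"{realm}: {secs}s")
    for realm, got, limit in audit_token_timeouts(AUTH_SETTINGS_POL):
        print(f"FINDING {realm}: configured={got} limit={limit}")
```

Run it against the text of your own authSettings.pol (for example, the output of the policy-document read operation your tooling provides) after any change; an empty findings list means every realm is present and within the limits you chose.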

Cluster permissions

The clusterPermissions.pol policy document defines the available permissions for each resource type. See also Granting Permissions.

DO NOT EDIT THIS POLICY: It is a system-defined policy that will be overwritten on cluster update.

Apcera Platform release 2.2 and later

// DO NOT EDIT: THIS IS A SYSTEM POLICY AND IT WILL BE OVERWRITTEN BY THE APCERA PLATFORM.

// Define capabilities of permit categories defined in the DefaultPermissions Policy Variable.
on all::/ {
  if (query->target fqnMatch PV->DefaultPermissions.resource && permit == PV->DefaultPermissions.from) {
    permit PV->DefaultPermissions.to
  }
}

// Allow gateways to be used by anyone and filter gateway serviceParams.
on gateway::/apcera/service-gateways::memcache {
  { permit use }
}

on gateway::/apcera/service-gateways::mysql {
  { permit use }
  { serviceParam database }
}

on gateway::/apcera/service-gateways::nfs {
  { permit use }
}

on gateway::/apcera/service-gateways::postgres {
  { permit use }
  { serviceParam database }
}

on gateway::/apcera/service-gateways::network {
  { serviceParam ipnet, ipnets, protocol, portrange }
}

on gateway::/apcera/service-gateways::redis {
  { permit use }
  { serviceParam persistence_provider }
}

on gateway::/apcera/service-gateways::rabbitmq {
  { permit use }
  { serviceParam persistence_provider }
}

on gateway::/apcera/service-gateways::mongodb {
  { permit use }
  { serviceParam persistence_provider }
}

on gateway::/apcera/service-gateways::cloudant {
  { permit use }
  { serviceParam database }
}

on gateway::/apcera/service-gateways::ipm {
  { permit use }
  { serviceParam ip }
}

on gateway::/apcera/service-gateways::generic {
  { permit use }
}

on gateway::/apcera/service-gateways::smb {
  { permit use }
}

Apcera Platform release 2.0 and earlier

audit::/ {
  if (permit == all) {
    permit read
  }
}

cluster::/ {
  if (permit == all) {
    permit read, update
  }
}

job::/ {
  if (permit == all) {
    permit create, read, update, delete
    permit start, stop, map, ssh, link, promote, bind
  }
}

route::/ {
  if (permit == all) {
    permit map
  }
}

package::/ {
  if (permit == all) {
    permit create, read, update, delete
    permit use
  }
}

policy::/ {
  if (permit == all) {
    permit read, update
  }
}

policydoc::/ {
  if (permit == all) {
    permit create, read, update, delete
  }
}

principal::/ {
  if (permit == all) {
    permit create, read, update, delete
  }
}

provider::/ {
  if (permit == all) {
    permit create, read, update, delete
  }
}

sempiperule::/ {
  if (permit == all) {
    permit create, read, delete
  }
}

service::/ {
  if (permit == all) {
    permit create, read, update, delete
    permit bind
  }
}

gateway::/ {
  if (permit == all) {
    permit use, promote
  }
}

gateway::/apcera/service-gateways::memcache {
  { permit use }
}

gateway::/apcera/service-gateways::mysql {
  { permit use }
}

gateway::/apcera/service-gateways::nfs {
  { permit use }
}

gateway::/apcera/service-gateways::postgres {
  { permit use }
}

gateway::/apcera/service-gateways::redis {
  { permit use }
}

gateway::/apcera/service-gateways::cloudant {
  { permit use }
}

gateway::/apcera/service-gateways::ipm {
  { permit use }
}

gateway::/apcera/service-gateways::generic {
  { permit use }
}

stagpipe::/ {
  if (permit == all) {
    permit create, read, update, delete
    permit use
  }
}

Component policy

The component.pol policy document contains policy for updating system-provided jobs and packages on cluster update.

DO NOT EDIT THIS POLICY: It is a system-defined policy that will be overwritten on cluster update.

Apcera Platform release 2.2 and later

// DO NOT EDIT: THIS IS A SYSTEM POLICY AND IT WILL BE OVERWRITTEN BY THE APCERA PLATFORM.

on job::/ {
  if (auth_server@apcera.me->name == "api_server@apcera.me") { permit update }
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "staging_coordinator@apcera.me") { role admin }
}

on service::/ {
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { permit bind, read }
}

on gateway::/ {
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { permit use }
}

on package::/ {
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "staging_coordinator@apcera.me") { permit use, create }
}

on route::/ {
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { permit map }
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
}

Apcera Platform release 2.0 and earlier

job::/ {
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { permit bind }
}

service::/ {
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { permit bind }
}

gateway::/ {
  if (auth_server@apcera.me->name == "stagehand@apcera.me") { role admin }
  if (auth_server@apcera.me->name == "package_manager@apcera.me") { permit use }
}

Package resolution policy

The packageResolution.pol policy document sets the default policy for package resolution. The package.default rule claim breaks ties between dependencies. You may update this policy, but doing so is usually not necessary.

Apcera Platform release 2.2 and later

// This policy is initialized on a new cluster, but can be edited after deployment.

on job::/ {
  // For package dependency resolution.
  { package.allow "package::/apcera" }

  if (dependency equals os.linux) {
    package.default "package::/apcera/pkg/os::ubuntu-14.04-apc3"
  }
  if (dependency equals os.ubuntu) {
    package.default "package::/apcera/pkg/os::ubuntu-14.04-apc3"
  }
  if (dependency equals runtime.go) {
    package.default "package::/apcera/pkg/runtimes::go-1.6.2"
  }
  if (dependency equals runtime.ruby) {
    package.default "package::/apcera/pkg/runtimes::ruby-2.2.4"
  }
  if (dependency equals runtime.perl) {
    package.default "package::/apcera/pkg/runtimes::perl-5.22.1"
  }
  if (dependency equals runtime.java) {
    package.default "package::/apcera/pkg/runtimes::openjdk-1.8.0-u60-b23"
  }
  if (dependency equals runtime.node) {
    package.default "package::/apcera/pkg/runtimes::node-4.4.6"
  }
}

Apcera Platform release 2.0 and earlier

job::/ {
  { package.allow "package::/apcera" }

  if (dependency equals os.linux) {
    package.default "package::/apcera/pkg/os::ubuntu-14.04"
  }
  if (dependency equals os.ubuntu) {
    package.default "package::/apcera/pkg/os::ubuntu-14.04"
  }
  if (dependency equals runtime.ruby) {
    package.default "package::/apcera/pkg/runtimes::ruby-1.9.3-p547"
  }
  if (dependency equals runtime.perl) {
    package.default "package::/apcera/pkg/runtimes::perl-5.18.2"
  }
  if (dependency equals runtime.java) {
    package.default "package::/apcera/pkg/runtimes::openjdk-1.7"
  }
  if (dependency equals runtime.node) {
    package.default "package::/apcera/pkg/runtimes::node-0.10.30"
  }
}
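To make the effect of the package.allow and package.default claims concrete, here is an added example (not Apcera's code and not the platform's actual resolver) that reads a policy text in the form shown above and resolves a dependency against a constructed list of candidate packages. The resolution rules it applies are a simplified model stated as an assumption of this example: a candidate is usable only if its FQN falls under a package.allow prefix, a single usable candidate wins outright, several usable candidates are decided by that dependency's package.default, and anything else is left unresolved. The policy text is a trimmed copy of the release 2.2 document on this page, and all candidate package FQNs are constructed.

```python
import re

# Constructed sample: the release 2.2 packageResolution.pol from this page, trimmed to
# two dependencies. Not a copy of a live cluster's policy file.
PACKAGE_RESOLUTION_POL = """
on job::/ {
  // For package dependency resolution.
  { package.allow "package::/apcera" }

  if (dependency equals os.ubuntu) {
    package.default "package::/apcera/pkg/os::ubuntu-14.04-apc3"
  }
  if (dependency equals runtime.go) {
    package.default "package::/apcera/pkg/runtimes::go-1.6.2"
  }
}
"""

ALLOW_RE = re.compile(r'package\.allow\s+"([^"]+)"')
# One `if (dependency equals X) { package.default "Y" }` rule, as written on this page.
DEFAULT_RE = re.compile(
    r'if\s*\(\s*dependency\s+equals\s+(\S+?)\s*\)\s*\{\s*package\.default\s+"([^"]+)"\s*\}',
    re.S,
)


def parse_package_policy(policy_text):
    """Return (allowed_prefixes, {dependency: default_package_fqn})."""
    return ALLOW_RE.findall(policy_text), dict(DEFAULT_RE.findall(policy_text))


def is_allowed(fqn, allowed_prefixes):
    """A package is usable only if its FQN is an allowed prefix or sits below one.

    Requiring the separator '/' after the prefix keeps an allow rule for
    package::/apcera from also admitting a package under package::/apcerax."""
    return any(fqn == p or fqn.startswith(p + "/") for p in allowed_prefixes)


def resolve(dependency, candidates, policy_text):
    """Resolve `dependency` from `candidates` (package FQNs claiming to provide it).

    Simplified model assumed by this example, not Apcera's documented algorithm:
      1. drop candidates that no package.allow rule admits;
      2. one remaining candidate wins;
      3. several remaining candidates: the dependency's package.default wins if it
         is among them;
      4. otherwise resolution fails and None is returned."""
    allowed, defaults = parse_package_policy(policy_text)
    usable = [c for c in candidates if is_allowed(c, allowed)]
    if len(usable) == 1:
        return usable[0]
    default = defaults.get(dependency)
    if len(usable) > 1 and default in usable:
        return default
    return None


if __name__ == "__main__":
    # Constructed candidate list: two Ubuntu packages under the allowed prefix.
    candidates = [
        "package::/apcera/pkg/os::ubuntu-12.04",
        "package::/apcera/pkg/os::ubuntu-14.04-apc3",
    ]
    print(resolve("os.ubuntu", candidates, PACKAGE_RESOLUTION_POL))
```

The unresolved case is the one worth noticing: when a dependency has several usable providers and no package.default rule, this model refuses to guess, which is the behaviour you want from a resolver rather than a silent pick of whichever package was listed first.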

Quota policy

The quotas.pol policy document sets quota limits for particular resources; by default it limits package size to 2 GB. You may want to update this policy depending on your requirements. You can also create separate quota policies for namespaces, jobs, or instances.

quota::/ {
  { max.package.size 2GB }
}

Admin role policy

The rolePermissions.pol policy document contains policy that maps all permissions for each resource type to the admin role. A user granted membership in the admin role will have full access to resources in the cluster.

Admin role membership does not include the auth and quota resource types, since admin permissions are not applicable to them. Further, although the policy grants permissions on the root policy::/ resource, each user also needs policy granting permissions on the policy resource type itself for full access to policies.

DO NOT EDIT THIS POLICY: It is a system-defined policy that will be overwritten on cluster update.

Apcera Platform release 2.2 and later

// DO NOT EDIT: THIS IS A SYSTEM POLICY AND IT WILL BE OVERWRITTEN BY THE APCERA PLATFORM.

on all::/ {
  if (query->target fqnMatch PV->DefaultAdminRole.fqn && role == PV->DefaultAdminRole.role) {
    permit PV->DefaultAdminRole.capabilities
  }
}

Apcera Platform release 2.0 and earlier

audit::/ {
  if (role == "admin")
    { permit all }
}

cluster::/ {
  if (role == "admin")
    { permit all }
}

gateway::/ {
  if (role == "admin")
    { permit all }
}

job::/ {
  if (role == "admin")
    { permit all }
}

package::/ {
  if (role == "admin")
    { permit all }
}

policy::/ {
  if (role == "admin")
    { permit all }
}

policydoc::/ {
  if (role == "admin")
    { permit all }
}

principal::/ {
  if (role == "admin")
    { permit all }
}

provider::/ {
  if (role == "admin")
    { permit all }
}

route::/ {
  if (role == "admin")
    { permit all }
}

sempiperule::/ {
  if (role == "admin")
    { permit all }
}

service::/ {
  if (role == "admin")
    { permit all }
}

stagpipe::/ {
  if (role == "admin")
    { permit all }
}