Service Policy Examples

This section provides policy examples for service creation and binding.

Service permissions

The following policy establishes permissions for service resources:

service::/ {
  if (permit == "all") {
    permit create, read, update, delete
    permit bind
  }
}

Service policy example 1

Policy on services is a two-way handshake. Both the service and the job must permit the binding.

For example:

service::/sandbox/tom {
    if (job fqnMatch "job::/sandbox/tom") {
        permit bind
    }
}

job::/sandbox/tom {
    if (service fqnMatch "service::/sandbox/tom") {
        permit bind
    }
}
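
The handshake in example 1, modelled in Python as an added example (this is not Apcera's policy engine or code from this documentation). It assumes that fqnMatch matches a realm and its descendants by whole path segments; the function names and the sample job and service FQNs are constructed for illustration.

```python
"""Simplified model of the two-way bind handshake (illustration only)."""

def split_fqn(fqn):
    """'job::/sandbox/tom/web' -> ('job', ['sandbox', 'tom', 'web'])."""
    rtype, _, path = fqn.partition("::")
    return rtype, [p for p in path.split("/") if p]

def in_realm(fqn, realm):
    """True if fqn is the realm itself or a descendant of it.

    Assumption: matching is per path segment, so /sandbox/tomcat is NOT
    inside /sandbox/tom (a plain string prefix test would get this wrong).
    """
    ftype, fpath = split_fqn(fqn)
    rtype, rpath = split_fqn(realm)
    return ftype == rtype and fpath[:len(rpath)] == rpath

# Constructed policy mirroring example 1:
# (realm the block applies to, peer pattern that earns "permit bind")
POLICY = [
    ("service::/sandbox/tom", "job::/sandbox/tom"),
    ("job::/sandbox/tom", "service::/sandbox/tom"),
]

def side_permits(policy, resource, peer):
    """Does any block covering `resource` issue 'permit bind' for `peer`?"""
    return any(in_realm(resource, realm) and in_realm(peer, pattern)
               for realm, pattern in policy)

def can_bind(policy, job, service):
    """Binding succeeds only if the job side and the service side both permit it."""
    job_ok = side_permits(policy, job, service)
    svc_ok = side_permits(policy, service, job)
    return job_ok and svc_ok, {"job_permits": job_ok, "service_permits": svc_ok}

if __name__ == "__main__":
    job, svc = "job::/sandbox/tom/web", "service::/sandbox/tom/db"  # constructed FQNs
    print("both blocks      :", can_bind(POLICY, job, svc))
    # Only the service block present: the job side never permits, so bind is denied.
    print("service block only:", can_bind(POLICY[:1], job, svc))
    # Sibling realm with a similar name must not inherit tom's permission.
    print("tomcat job       :", can_bind(POLICY, "job::/sandbox/tomcat/web", svc))
```

The per-side result shows which half of the handshake is missing when a bind is denied.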

Service policy example 2

The following policy block gives the user tom full control over the service::/sandbox/tom realm and all descendant realms.

service::/sandbox/tom {
  if (auth_server@apcera.me->name == "tom") {
    permit all
  }
  if (permit == "all") {
    permit create, read, update, delete
    permit bind
  }
  if (permit == "all" && job fqnMatch "job::/sandbox/tom") {
    permit bind
  }
}

The last rule indicates that jobs in the realm job::/sandbox/tom can bind to services in the service::/sandbox/tom realm.