# Package Policy Examples

This section provides the permissions and examples for policy on the package::/ realm and its descendants.

## Package permissions

The following policy defines all package permissions:

package::/ {
  if (permit == all) {
    permit create, read, update, delete
    permit use
  }
}

## Package resources example

The following policy block gives tom full control over all packages in the /sandbox/tom namespace. It also uses a boolean antecedent claim to indicate that any package in package::/sandbox/tom can provide packages for jobs in the /sandbox/tom namespace.

package::/sandbox/tom {
  if (auth_server@apcera.me->name == "tom") {
    permit all
  }
  if (permit == "all" && job fqnMatch "job::/sandbox/tom") {
    permit create, read, update, delete, use
  }
}

## Package resolution example

Policy is used to enforce package resolution on jobs. For example:

job::/sandbox/tom {
  if (auth_server@apcera.me->name == "tom") {
    package.allow "package::/sandbox/tom"
  }
}

See Package Resolution Policy Examples for additional examples.