Policy on Policy Examples

Policies belong to policy documents (also known as realmdocs). A policy document contains rules on any number of realms.

Policy on the policy::/ realm permits a user to read or update existing policy documents. Note that a user can read or update the policy contained in a policy document only if that user has policy permission to read or update every realm named in that document. (See the policy authoring examples below.)

Policy on the policydoc::/ realm provides create, read, update and delete (CRUD) permissions on policy documents themselves.

Policy permissions

The following policy defines the permissions available for resources in the policy::/ realm:

policy::/ {
  if (permit == all) {
    permit read, update
  }
}

Policydoc permissions

The following policy defines the permissions available for resources in the policydoc::/ realm:

policydoc::/ {
  if (permit == all) {
    permit create, read, update, delete
  }
}

Policy read example

The following policy lets users read all policy documents in the system (the rule carries no condition, so it applies to every user):

on policy::/ {
  { permit read }
}

Policy authoring example

The following policy blocks give "tom" the ability to author policy for all resource types in the /prod namespace, whereas "bob" (matched by his full name, bob@gmail.com) can only write policy for jobs and packages in the /dev namespace:

policy::/prod {
  if (auth_server@apcera.me->name == "tom") {
    permit update
  }
}

policy::/dev {
  if (auth_server@apcera.me->name == "bob@gmail.com" && ResType == "job"){
    permit update
  }
  if (auth_server@apcera.me->name == "bob@gmail.com" && ResType == "package"){
    permit update
  }
}

To constrain policy permissions to certain resource types, add a condition to the rule that checks ResType. The following block lets each user author policy for the listed resource types, but only within the sandbox namespace that matches the user's own name:

policy::/sandbox/[name] {
  if (auth_server@apcera.me->name==[name] && ResType == "gateway") {
    permit update
  }

  if (auth_server@apcera.me->name==[name] && ResType == "job") {
    permit update
  }

  if (auth_server@apcera.me->name==[name] && ResType == "package") {
    permit update
  }
  
  if (auth_server@apcera.me->name==[name] && ResType == "provider") {
    permit update
  }

  if (auth_server@apcera.me->name==[name] && ResType == "sempiperule") {
    permit update
  }

  if (auth_server@apcera.me->name==[name] && ResType == "service") {
    permit update
  }

  if (auth_server@apcera.me->name==[name] && ResType == "stagpipe") {
    permit update
  }
}
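As an added example (not code from this page or from Apcera), the following Python models the check described in the note above and exercised by the tom/bob and sandbox examples: a user may update a policy document only if that user's policy::/ grants cover every realm in the document, and a grant conditioned on ResType covers only realms of that type. It assumes, because the page does not state it, that a grant on policy::/prod also applies to sub-namespaces such as /prod/web, and that a realm block's ResType is the realm type written before "::". The grants, the document texts and the helper names (PolicyGrant, missing_permissions, covers) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a realm block header such as `job::/dev/web {`; the optional
# leading `on` keyword appears in one of the page's own examples.
REALM_HEADER = re.compile(r"^\s*(?:on\s+)?([a-z]+)::(/[^\s{]*)\s*\{", re.M)


@dataclass(frozen=True)
class PolicyGrant:
    """One rule on the policy::/ realm, reduced to what it grants (hypothetical model).

    namespace  the path in policy::/<namespace>
    perms      the permitted operations (read, update)
    res_types  ResType values the rule is conditioned on; None means any type
    """
    principal: str
    namespace: str
    perms: frozenset
    res_types: Optional[frozenset] = None


def covers(granted_ns: str, realm_path: str) -> bool:
    """Assumption: policy on /prod also applies to /prod/web and deeper."""
    if granted_ns == "/":
        return True
    return realm_path == granted_ns or realm_path.startswith(granted_ns + "/")


def realms_in(doc_text: str) -> List[tuple]:
    """Return (resource type, path) for every realm block in a policy document."""
    return [(m.group(1), m.group(2)) for m in REALM_HEADER.finditer(doc_text)]


def missing_permissions(principal: str, grants: List[PolicyGrant],
                        doc_text: str, perm: str = "update") -> List[str]:
    """Realms in doc_text on which `principal` lacks `perm` via policy::/.

    An empty list means the user may perform `perm` on the whole document,
    which is the page's rule: every realm in the document must be covered.
    """
    missing = []
    for res_type, path in realms_in(doc_text):
        allowed = any(
            g.principal == principal
            and perm in g.perms
            and covers(g.namespace, path)
            and (g.res_types is None or res_type in g.res_types)
            for g in grants
        )
        if not allowed:
            missing.append(f"{res_type}::{path}")
    return missing


# Constructed grants mirroring the tom/bob authoring example on this page.
GRANTS = [
    PolicyGrant("tom", "/prod", frozenset({"update"})),
    PolicyGrant("bob@gmail.com", "/dev", frozenset({"update"}), frozenset({"job"})),
    PolicyGrant("bob@gmail.com", "/dev", frozenset({"update"}), frozenset({"package"})),
]

# Constructed policy documents that a user might try to update.
DEV_DOC = """
job::/dev/web {
  { permit read }
}
package::/dev/web {
  { permit read }
}
"""
PROD_DOC = """
job::/prod/api {
  { permit read }
}
"""
MIXED_DOC = """
job::/dev/web {
  { permit read }
}
service::/dev/db {
  { permit read }
}
"""

if __name__ == "__main__":
    for who, doc in [("bob@gmail.com", DEV_DOC), ("bob@gmail.com", PROD_DOC),
                     ("bob@gmail.com", MIXED_DOC), ("tom", PROD_DOC), ("tom", DEV_DOC)]:
        gap = missing_permissions(who, GRANTS, doc)
        print(who, "may update" if not gap else f"denied, no update on {gap}")
```

Running the module shows bob allowed on DEV_DOC but denied on MIXED_DOC because of the service::/dev/db block, and tom allowed on PROD_DOC but denied on DEV_DOC; the deciding design point is that one uncovered realm in a document denies the whole update, which is why a single broad rule with no ResType condition (as in tom's grant) is far more permissive than the list of per-type rules in the sandbox example.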

Policy document creation example

The following example shows policydoc::/ realm permissions in use: it grants "student" read and update permission on the policy document named user-policy-student. To let the user create or delete that document as well, add create or delete to the permit list.

policydoc::/::user-policy-student {
  if (auth_server@apcera.me->name == "student") {
    permit read, update
  }
}