Job Scheduling Policy Examples

This section provides policy examples for controlling the job deployment target.

Available permissions for job resources

The job::/ realm supports the following claim types.

job::/ {
  {
    schedulingTag.hard <IM-tag>
    schedulingTag.soft <IM-tag>    
    schedulingTag.<hard or soft> "~<IM-tag>"
  }
}

Policy example 1

The following policy grants all allowable permissions to users who belong to LDAP group, teamX on jobs in the /dev/projectX namespace. All jobs in the /dev/projectX is hard tagged to "eu-west-1".

Notice that the antecedent claim is omitted on the second rule; therefore, the rule, schedulingTag.hard eu-west-1 will always apply to jobs in /dev/projectX namespace.

job::/dev/projectX {
  if (user->group == "teamX") {
    permit all
  }

  { schedulingTag.hard eu-west-1 }
}

Policy example 2

The following example uses Policy Variables to define the job realms (fqn) and its corresponding IM tags (tag).

<continuum-policy description="systemDataTableDeploymentTag">

on variables::/ {
  system policy variable {
    DeploymentTag (fqn, tag) {
      {"job::/dev/projectA", "us-west-1"}
      {"job::/dev/projectB", "us-central1"}
      {"job::/dev/projectC", "ap-southeast-2"}
      {"job::/dev/projectD", "eu-central-1"}
    }
  }
}

The following policy iterates through the DeploymentTag policy variable, and sets the job scheduling tag accordingly.

on job::/ {
    if(query->target fqnMatch PV->DeploymentTag.fqn) {
        schedulingTag.hard PV->DeploymentTag.tag
    }
}

For example, jobs in /dev/projectA namespace are hard tag to us-west-1.