Semantic Pipeline Policy Example

This section provides policy examples for writing semantic pipeline rules and disabling semantic pipeline generation.

Semantic pipeline rule permissions

The sempiperule realm supports the permissions create, read, and delete. The following policy shows what permit all expands to on that realm.

sempiperule::/ {
  if (permit == all) {
    permit create, read, delete
  }
}

Semantic pipeline rule permissions example

The following policy gives "tom" all permissions for semantic pipeline rules under /prod, whereas "bob" is granted only read and therefore cannot create or delete rules there.

sempiperule::/prod {
  if (auth_server@apcera.me->name == "tom") {
    permit all
  }

  if (auth_server@apcera.me->name == "bob") {
    permit read
  }
}

Disabling automatic semantic pipeline generation

To disable automatic semantic pipeline generation, add the sp.disable output claim type to a policy on the job::/ realm. The claim value is a supported service type (for example postgres), a service FQN, or a provider FQN. Several values can be given in one claim, separated by commas, and the claim can be repeated within the same rule.

For example:

on job::/test {
  if (auth_server@apcera.me->name == "name") {
    sp.disable postgres
    sp.disable "service::/::*","provider::/prod::MyDB"
  }
}

Note the difference between the two service FQN forms. The claim sp.disable service::/::* disables the SP for any bound service whose namespace is nil (empty) and whose localname is specified, whatever that localname is. The claim sp.disable service::/:: disables the SP for any bound service whose namespace is nil (empty), whether or not a localname is specified.
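The following Python snippet is an added illustration of the two service FQN matching rules just described; it is not Apcera's policy engine or any code from this documentation. It assumes an FQN is written type::namespace::localname with exactly two "::" separators, treats both "" and "/" as the nil (empty) namespace, and assumes the namespace must match exactly (a pattern on the root namespace does not cover sub-namespaces such as /prod). The sample claims and service FQNs are constructed for the example.

```python
"""Model of the sp.disable FQN matching rules described in the text.

Added example, not Apcera's implementation. Assumptions (labelled here and
in the lead-in): FQNs are type::namespace::localname; "" and "/" are the nil
namespace; namespaces match exactly; a localname of "*" in a claim matches
any service that has a localname, while an empty localname in a claim
matches whether or not the service has one.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FQN:
    type: str
    namespace: str
    localname: str


def parse_fqn(text: str) -> FQN:
    """Split type::namespace::localname; reject anything else."""
    parts = text.split("::")
    if len(parts) != 3:
        raise ValueError(f"expected type::namespace::localname, got {text!r}")
    return FQN(*parts)


def is_nil_namespace(ns: str) -> bool:
    # "/" is the root namespace, which the text calls nil (empty).
    return ns in ("", "/")


def sp_disabled(claim_value: str, service_fqn: str) -> bool:
    """True if a single sp.disable claim value covers the bound service."""
    pat = parse_fqn(claim_value)
    svc = parse_fqn(service_fqn)

    # The FQN type (service vs provider) must agree.
    if pat.type != svc.type:
        return False

    # Assumption: exact namespace match, with "" and "/" treated as the same nil namespace.
    if is_nil_namespace(pat.namespace):
        if not is_nil_namespace(svc.namespace):
            return False
    elif pat.namespace != svc.namespace:
        return False

    if pat.localname == "*":
        # service::/::* -> any localname, but one must be present
        return svc.localname != ""
    if pat.localname == "":
        # service::/:: -> localname present or not
        return True
    return pat.localname == svc.localname


def disabled_services(claim_values: Iterable[str], bound_services: Iterable[str]) -> List[str]:
    """Return the bound services for which any claim value disables the SP."""
    claims = list(claim_values)
    return [s for s in bound_services if any(sp_disabled(c, s) for c in claims)]


if __name__ == "__main__":
    # Constructed sample: the two claim values from the example rule above.
    claims = ["service::/::*", "provider::/prod::MyDB"]
    services = ["service::/::redis", "service::/prod::MyDB", "service::/::"]
    print(disabled_services(claims, services))
```

Run the module directly to see which of the constructed bound services the two claim values from the example disable; only service::/::redis is covered, because service::/prod::MyDB is in a different namespace and service::/:: has no localname for the "*" form to match.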