API Guide - Policies--Policy-Spec-Syntax

Policy Metadata

type Metadata struct {
	ID          string `json:"id"`
	Name        string `json:"name"`
	Description string `json:"description"`
}

Policy Spec

type Spec struct {
	Options   `json:"options"`
	Access    []Access `json:"access"`
	Exception `json:"exception"`
}

type Options

Options defines general parameters that apply to all access groups.

type Options struct {
	// DisableTLSClientAuthentication=true prevents the service from asking 
	// for a client TLS cert.
	DisableTLSClientAuthentication bool `json:"disable_tls_client_authentication"`
	// L7Protocol specifies the application-level protocol: "http", "kafka", 
	// or empty string.
	// If L7Protocol is not empty, then all Access rules must have L7Access
	// entries.
	L7Protocol string `json:"l7_protocol"`
}

type Access

Access describes the access rights for a set of roles.

type Access struct {
	// Roles is a list of roles that all have the access rights given by Rules.
	Roles []string `json:"roles"`
	// Rules lists the access rights given to principals/subjects that have 
	// any of the corresponding Roles.
	Rules `json:"rules"`
}

type Exception

Exception describes exceptional cases that bypass regular policy enforcement.

type Exception struct {
	// SrcAddr is a list of CIDRs describing source addresses that do not 
	// need to use TLS to gain access.
	SrcAddr []string `json:"src_addr"`
	// [Deprecated] TLSSrcAddr is a list of CIDRs describing source addresses 
	// that must use TLS but must not be asked to supply a client certificate 
	// in the TLS handshake.
	TLSSrcAddr []string `json:"tls_src_addr"`
}

type Rules

Rules lists a set of access rights, along with any required conditions that must be satisfied for the access rights to be enabled.

type Rules struct {
	Comment    string     `json:"_comment,omitempty"`
	L7Access   []L7Access `json:"l7_access"`
	Conditions `json:"conditions"`
}

type L7Access

L7Access specifies a set of access rights to application level (OSI Layer-7) resources.

type L7Access struct {
	// Resources are a list of application level resources.
	// Each resource can have wildcard prefix or suffix, or both.
	// A resource can be prefixed with "!", meaning DENY.
	// Any DENY rule overrides any other rule that would allow the access.
	Resources []string `json:"resources"`
	// Actions are a list of application-level actions: "READ", "WRITE", 
	// "CREATE", "UPDATE", "*".
	Actions []string `json:"actions"`
	// [Deprecated] accept either action or actions, for backward compatibility.
	Action []string `json:"action"`
}

type Conditions

Conditions specifies conditions that must be satisfied in order for access rights to be enabled.

type Conditions struct {
	// StartTime, if not empty, specifes the start time in 
	// RFC3339 format (https://tools.ietf.org/html/rfc3339).
	StartTime string `json:"start_time,omitempty"`
	// EndTime, if not empty, specifes the end time in 
	// RFC3339 format (https://tools.ietf.org/html/rfc3339).
	EndTime string `json:"end_time,omitempty"`
	// TrustLevel specifies the minimum trust level of the access 
	// ("Low", "Medium", "High").
	TrustLevel string `json:"trust_level,omitempty"`
}

Last modified: May 20, 2020