Support for using wildcard in place of feature name in policies #708

Open
thjaeckle opened this issue Jun 25, 2020 · 1 comment
Labels
community-interest Issues which were explicitly asked for by the Ditto community.

Comments

@thjaeckle
Member

thjaeckle commented Jun 25, 2020

As an enhancement of #696 it should be possible to define in a policy that all features of a single thing are addressed in the resources section of the policy.
Therefore it should not be required to write all feature names in the policy as sharing policies for many things would also be very limited by this approach.

  • using the wildcard * as part of this story is only supported as replacement for the feature name
  • it shall be possible to use the wildcard for the following resource types:
  • the

Example policy:

{
    "policyId": "org.eclipse.ditto:policy-1",
    "entries": {
      "owner": {
        "subjects": {
          "nginx:ditto": {
            "type": "nginx basic auth user"
          }
        },
        "resources": {
          "thing:/features/*/properties": {
            "grant": ["READ"],
            "revoke": []
          },
          "thing:/features/*/desiredProperties": {
            "grant": ["READ","WRITE"],
            "revoke": []
          },
          "message:/features/*/inbox": {
            "grant": ["WRITE"],
            "revoke": []
          },
          "message:/features/*/outbox": {
            "grant": ["READ"],
            "revoke": []
          },
          "policy:/": {
            "grant": ["READ", "WRITE"],
            "revoke": []
          }
        }
      },
      "device": {
        "subjects": {
          "pre-authenticated:hono": {
            "type": "connection to Hono"
          }
        },
        "resources": {
          "thing:/features/*/properties": {
            "grant": ["READ","WRITE"],
            "revoke": []
          },
          "thing:/features/*/desiredProperties": {
            "grant": ["READ"],
            "revoke": []
          },
          "message:/features/*/inbox": {
            "grant": ["READ"],
            "revoke": []
          },
          "message:/features/*/outbox": {
            "grant": ["WRITE"],
            "revoke": []
          }
        }
      },
      "all_features_reader": {
        "subjects": {
          "nginx:some-users": {
            "type": "a group of users"
          }
        },
        "resources": {
          "thing:/features/*": {
            "grant": ["READ"],
            "revoke": []
          }
        }
      }
    }
  }
@thjaeckle thjaeckle added the community-interest Issues which were explicitly asked for by the Ditto community. label Jun 25, 2020
@thjaeckle
Member Author

I am getting interested in this again - would be very useful for e.g. defining "end user" "WRITE" permission to all "desiredProperties", but only "READ" to all "properties".
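
A sketch of how the wildcard proposed in this issue could be evaluated, added here as an example; it is not part of the issue and not Eclipse Ditto code. The function names, the feature name `lamp`, and the matching rules (an entry covers its path and all sub-paths, revoke wins over grant) are assumptions made for the illustration.

```python
# Added illustration, not Eclipse Ditto code. Assumptions: "*" is valid only as the
# feature-name segment, an entry covers its path and all sub-paths, revoke beats grant.

def split_resource(key):
    """'thing:/features/lamp/properties' -> ('thing', ['features', 'lamp', 'properties'])."""
    rtype, _, path = key.partition(":")
    return rtype, [seg for seg in path.split("/") if seg]

def parse_pattern(key):
    """Split a policy resource key, rejecting '*' anywhere but the feature name."""
    rtype, segs = split_resource(key)
    for i, seg in enumerate(segs):
        if "*" in seg and not (seg == "*" and i == 1 and segs[0] == "features"):
            raise ValueError(f"wildcard only allowed as feature name: {key!r}")
    return rtype, segs

def covers(pattern_key, resource_key):
    """True if the pattern addresses the concrete resource or one of its ancestors."""
    p_type, p_segs = parse_pattern(pattern_key)
    r_type, r_segs = split_resource(resource_key)
    if p_type != r_type or len(r_segs) < len(p_segs):
        return False
    # '*' stands for exactly one non-empty segment, never for several.
    return all(p in ("*", r) for p, r in zip(p_segs, r_segs))

def effective_permissions(policy, subject, resource_key):
    """Union of grants minus revokes over all entries that list the subject."""
    granted, revoked = set(), set()
    for entry in policy["entries"].values():
        if subject not in entry.get("subjects", {}):
            continue
        for pattern, perms in entry.get("resources", {}).items():
            if covers(pattern, resource_key):
                granted.update(perms.get("grant", []))
                revoked.update(perms.get("revoke", []))
    return granted - revoked

# Trimmed from the "owner" entry of the example policy in the issue.
POLICY = {"entries": {"owner": {
    "subjects": {"nginx:ditto": {"type": "nginx basic auth user"}},
    "resources": {
        "thing:/features/*/properties": {"grant": ["READ"], "revoke": []},
        "thing:/features/*/desiredProperties": {"grant": ["READ", "WRITE"], "revoke": []},
        "message:/features/*/inbox": {"grant": ["WRITE"], "revoke": []},
    },
}}}

if __name__ == "__main__":
    for res in ("thing:/features/lamp/properties/on", "thing:/features/lamp/definition"):
        print(res, sorted(effective_permissions(POLICY, "nginx:ditto", res)))
```

Rejecting `*` outside the feature-name position at parse time keeps a mistyped key such as `thing:/attributes/*` from silently widening access.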
