A policy is a set of rules that applies to a given target and defines how the rules are combined. A rule in a policy only applies if the target of the policy applies as well as the target of the rule.
For example, the following ACL fragment shows a policy that controls the access to the broker:
1. <policy rule-combination="permit-overrides">
2.     <resource type="broker" />
3.     <rule effect="deny"/>
4.     <rule effect="permit">
5.         <subject name="Alice" />
6.         <subject name="Bob" />
7.     </rule>
8. </policy>
Line 1 defines a policy where individual rules are combined using permit-overrides; that is, if multiple rules apply, then a "permit" overrides any "deny".
Line 2 specifies that the target of this policy is the resource type broker. Thus, rules within this policy are only evaluated if the resource type is broker.
The rule on line 3 has no target and therefore denies all requests within this policy. This effectively sets the default behavior for the broker: no one can connect to or administer the broker unless another rule explicitly allows it (thanks to the permit-overrides rule-combination that was specified in line 1).
Lines 4 through 7 form a permissive rule that, according to the combination algorithm of the policy, overrides the deny rule on line 3 when matched.
Lines 5 and 6 define the target for the rule; it applies if the client is either Alice
Lines 7 and 8 are the closing tags for their respective elements.
This simple example shows the structure of a single policy. A micro broker ACL document may contain multiple policies and also defines how multiple policies are combined together using a policy-combination setting in a similar way to rules being combined within a policy.
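To make the evaluation order concrete, here is a small added evaluator (example code, not part of the micro broker or of this documentation) that parses the policy fragment above and applies the target-matching and permit-overrides rules as the text describes. It assumes that a rule or policy with no target elements of a given kind (subject, resource) matches any value of that kind, and that several subject elements in one target are alternatives; only the permit-overrides algorithm from this page is implemented.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy from the text, with the closing tags on lines 7 and 8.
ACL_XML = """
<policy rule-combination="permit-overrides">
  <resource type="broker" />
  <rule effect="deny"/>
  <rule effect="permit">
    <subject name="Alice" />
    <subject name="Bob" />
  </rule>
</policy>
"""


def target_matches(elem, subject, resource_type):
    """A target applies when the request matches at least one listed subject
    and at least one listed resource; an absent kind places no constraint."""
    subjects = [s.get("name") for s in elem.findall("subject")]
    resources = [r.get("type") for r in elem.findall("resource")]
    subject_ok = not subjects or subject in subjects
    resource_ok = not resources or resource_type in resources
    return subject_ok and resource_ok


def combine(effects, algorithm):
    """Combine the effects of all applicable rules (assumed semantics: no
    applicable rule at all yields 'not-applicable')."""
    if not effects:
        return "not-applicable"
    if algorithm == "permit-overrides":
        return "permit" if "permit" in effects else "deny"
    raise ValueError(f"unsupported rule-combination: {algorithm}")


def evaluate_policy(policy, subject, resource_type):
    """A rule is only evaluated if the policy target applies as well as the rule target."""
    if not target_matches(policy, subject, resource_type):
        return "not-applicable"
    effects = [r.get("effect") for r in policy.findall("rule")
               if target_matches(r, subject, resource_type)]
    return combine(effects, policy.get("rule-combination"))


def decide(acl_xml, subject, resource_type):
    return evaluate_policy(ET.fromstring(acl_xml.strip()), subject, resource_type)
```

Running decide(ACL_XML, "Carol", "broker") shows the default deny from line 3 in effect, while Alice or Bob obtain permit through the overriding rule.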