A policy is a set of rules that applies to a given target and defines how the decisions of those rules are combined. A rule in a policy applies to a request only if both the target of the policy and the target of the rule match that request.
For example, the following ACL fragment shows a policy that controls the access to the broker:
1. <policy rule-combination="permit-overrides">
2. <resource type="broker" />
3. <rule effect="deny"/>
4. <rule effect="permit">
5. <subject name="Alice" />
6. <subject name="Bob" />
7. </rule>
8. </policy>
Line 1 defines a policy whose individual rules are combined using permit-overrides; that is, if multiple rules apply to a request, a "permit" overrides any "deny".
Line 2 specifies that the target of this policy is the resource type broker. Thus, the rules within this policy are evaluated only if the resource type of the request is broker.
The rule on line 3 has no target and therefore denies every request that reaches this policy. This denial effectively sets the default behavior for the broker: no one can connect to or administer the broker unless another rule explicitly allows it (which is possible only because of the permit-overrides rule-combination specified in line 1; under deny-overrides the rule on line 3 would veto every permit).
Lines 4 through 7 define a permit rule that, according to the combination algorithm of the policy, overrides the deny rule on line 3 whenever it matches.
Lines 5 and 6 define the target for the rule; it applies if the client is either Alice or Bob.
Lines 7 and 8 are the closing tags for the rule and policy elements respectively.
This simple example shows the structure of a single policy. A micro broker ACL document can contain multiple policies, and it also defines how the decisions of those policies are combined using a policy-combination setting, in the same way that rules are combined within a policy.
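The evaluation model described above can be made concrete with a small evaluator. The following is an added example written for this page; it is not the micro broker's own code. The first policy in the embedded document is the fragment discussed above. The <acl policy-combination="..."> root element, the second policy and the request shape (a subject name and a resource type) are assumptions made for illustration, since the page only says that an ACL document has a policy-combination setting; the deny-overrides algorithm is assumed to be the mirror image of permit-overrides.

```python
import xml.etree.ElementTree as ET

# Constructed ACL document. The first policy is the fragment discussed on this
# page. The <acl policy-combination="..."> root element and the second policy
# are assumptions made for illustration; they are not syntax taken from the
# micro broker documentation.
ACL_XML = """<acl policy-combination="deny-overrides">
  <policy rule-combination="permit-overrides">
    <resource type="broker" />
    <rule effect="deny"/>
    <rule effect="permit">
      <subject name="Alice" />
      <subject name="Bob" />
    </rule>
  </policy>
  <policy rule-combination="deny-overrides">
    <resource type="broker" />
    <rule effect="deny">
      <subject name="Bob" />
    </rule>
  </policy>
</acl>"""

NOT_APPLICABLE = "not-applicable"


def target_matches(element, request):
    """The target of a policy or rule is its direct <subject>/<resource>
    children. An empty target matches every request; otherwise the request's
    subject must be one of the listed subjects and its resource type one of
    the listed resource types (for whichever kinds are present)."""
    subjects = {s.get("name") for s in element.findall("subject")}
    resources = {r.get("type") for r in element.findall("resource")}
    if subjects and request["subject"] not in subjects:
        return False
    if resources and request["resource"] not in resources:
        return False
    return True


def combine(decisions, algorithm):
    """Combine the decisions of several rules (or policies). Elements whose
    target did not match contribute nothing; with permit-overrides a single
    permit wins, with deny-overrides a single deny wins."""
    effective = [d for d in decisions if d != NOT_APPLICABLE]
    if not effective:
        return NOT_APPLICABLE
    if algorithm == "permit-overrides":
        return "permit" if "permit" in effective else "deny"
    if algorithm == "deny-overrides":
        return "deny" if "deny" in effective else "permit"
    raise ValueError(f"unknown combination algorithm: {algorithm}")


def evaluate_policy(policy, request):
    """A rule applies only if the policy's target AND the rule's own target
    match the request. A rule without a target (line 3 of the fragment)
    matches everything the policy target lets through."""
    if not target_matches(policy, request):
        return NOT_APPLICABLE
    decisions = [
        rule.get("effect") if target_matches(rule, request) else NOT_APPLICABLE
        for rule in policy.findall("rule")
    ]
    return combine(decisions, policy.get("rule-combination"))


def evaluate(acl_xml, subject, resource):
    """Decide a request (subject, resource type) against a whole ACL document:
    each policy is evaluated, then the policy decisions are combined with the
    document's policy-combination setting."""
    root = ET.fromstring(acl_xml)
    request = {"subject": subject, "resource": resource}
    decisions = [evaluate_policy(p, request) for p in root.findall("policy")]
    return combine(decisions, root.get("policy-combination"))


if __name__ == "__main__":
    for who, what in [("Alice", "broker"), ("Bob", "broker"),
                      ("Carol", "broker"), ("Alice", "topic")]:
        print(f"{who:6} -> {what:7}: {evaluate(ACL_XML, who, what)}")
```

Running the evaluator shows the behaviour the text describes: Alice is permitted because the permit rule overrides the catch-all deny within the first policy; Carol is denied because only the catch-all deny applies to her; a request for a resource type other than broker matches no policy target at all, so no rule is even evaluated. Bob is denied despite matching the permit rule because the second policy denies him and the document-level deny-overrides setting lets that policy win. Changing the first policy's rule-combination to deny-overrides makes the rule on line 3 deny everyone, which is why the permit-overrides choice in line 1 is what turns that rule into a default rather than a veto.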
Parent topic: Configuring micro broker authorization: XPD622