-
Notifications
You must be signed in to change notification settings - Fork 219
/
policy.json
148 lines (148 loc) · 7 KB
/
policy.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"description": "A Policy enables developers to configure fine-grained access control for Things.",
"title": "Policy",
"properties": {
"policyId": {
"type": "string",
"description": "Unique identifier representing the Policy, has to conform to the namespaced entity ID notation (see [Ditto documentation on namespaced entity IDs](https://www.eclipse.org/ditto/basic-namespaces-and-names.html#namespaced-id)).\n\nExamples for a valid Policy ID:\n * `org.eclipse.ditto:xdk_policy_53`\n * `foo:xdk_53`\n * `org.eclipse.vorto_42:xdk_policy`"
},
"entries": {
"title": "PolicyEntries",
"type": "object",
"description": "PolicyEntries containing one PolicyEntry for each arbitrary `label` key.",
"properties": {
"additionalProperties": {
"title": "Label",
"type": "object",
"description": "Single Policy entry containing Subjects and Resources.",
"properties": {
"subjects": {
"title": "Subjects",
"type": "object",
"description": "Subjects defining who is addressed.",
"additionalProperties": {
"title": "SubjectEntry",
"type": "object",
"description": "Single (Authorization) Subject entry holding its type. The key is the actual subject identifier.",
"properties": {
"type": {
"type": "string",
"title": "SubjectType",
"description": "The type of the (Authorization) Subject. This string can take an arbitrary value and is intended for documentational purposes, e.g. in order to document when it was created or with which purpose."
},
"expiry": {
"type": "string",
"description": "The optional expiry timestamp (formatted in ISO-8601) indicates how long this subject should be considered before it is automatically deleted from the Policy.",
"format": "date-time"
},
"requestedAcks": {
"title": "RequestedAcks",
"type": "object",
"description": "Settings to enable at-least-once delivery for policy announcements.",
"properties": {
"labels": {
"type": "array",
"description": "Acknowledgement labels to request when an announcement is published.",
"items": {
"type": "string"
},
"example": ["my-connection:my-issued-acknowledgement"]
},
"timeout": {
"type": "string",
"description": "How long to wait for requested announcements before retrying publication of an announcement.",
"example": "60s"
}
}
}
},
"required": [
"type"
]
}
},
"resources": {
"title": "Resources",
"type": "object",
"description": "Resources containing one or many ResourceEntries.",
"additionalProperties": {
"title": "ResourceEntry",
"type": "object",
"description": "Single Resource entry defining permissions per effect. The keys must be in the format `type:path` with `type` being one of the following `thing`, `policy` or `message` resources. See [Policy documentation](../basic-policy.html#which-resources-can-be-controlled) for detailed information.",
"properties": {
"grant": {
"type": "array",
"items": {
"type": "string",
"description": "All subjects specified in this Policy entry are granted read/write permission on the resources specified in the path, and all subsequent paths, except they are revoked at a subsequent policy label.",
"enum": [
"READ",
"WRITE"
]
}
},
"revoke": {
"type": "array",
"items": {
"type": "string",
"description": "All subjects specified in this Policy entry are prohibited to read/write on the resources specified in the path, and all subsequent paths, except they are granted again such permission at a subsequent policy label.",
"enum": [
"READ",
"WRITE"
]
}
}
},
"required": [
"grant",
"revoke"
]
}
},
"importable": {
"title": "Importable type",
"type": "string",
"description": "Controls the import behavior of this policy entry i.e. whether this policy entry is implicitly, explicitly or never imported when referenced from another policy. (`implicit` (default): the policy entry is imported without being listed in the importing policy individually, `explicit`: the policy entry is only imported if it is listed in the importing policy, `never`: the policy entry is not imported, regardless of being listed in the importing policy. If the field is not specified, default value is `implicit`.",
"enum": ["implicit", "explicit", "never"],
"default": "implicit"
}
},
"required": [
"subjects",
"resources"
]
}
}
},
"imports": {
"title": "PolicyImports",
"type": "object",
"description": "Policy imports containing one policy import for each key. The key is the policy ID of the referenced policy.",
"properties": {
"additionalProperties": {
"title": "PolicyImport",
"type": "object",
"description": "Single policy import defining which policy entries of the referenced policy are imported.",
"properties": {
"entries" : {
"title": "ImportedEntries",
"type": "array",
"description": "The policy entries to import from the referenced policy identified by their labels. In case the field is omitted or an empty array is provided, all policy entries defined as implicit (\"importable\": \"implicit\") are imported.",
"items": {
"type": "string",
"description": "Label of a policy entry to import from the referenced policy."
},
"maxItems": 10
}
}
}
}
}
},
"required": [
"policyId",
"entries"
]
}