Working with policies
Policies are lists of rules that describe access to resources. The rules are written in a human-readable language that names the action that is allowed and the context in which the rule applies.
The default policy for all objects is to deny access always. Rules are written in terms of what is allowed; anything not named by a rule stays denied. For example, the following rules say that getting a Manta object and listing a Manta directory are allowed:
CAN getobject
CAN getdirectory
All of the CLI commands involving policies are subcommands of the sdc-policy command.
$ sdc-policy help
SmartDC Account Policies
Usage:
sdc-policy [OPTIONS] COMMAND [ARGS...]
sdc-policy help COMMAND
Options:
-h, -?, --help Print help and exit.
--version Print version and exit.
-d, --debug enable debug/verbose mode (default: disabled)
-a ARG, --account=ARG account name. Environment: SDC_ACCOUNT=ARG
-A ARG, --user=ARG account sub-user login. Environment: SDC_USER=ARG
-u ARG, --url=ARG url for SmartDataCenter API. Environment: SDC_URL=ARG
-k ARG, --keyId=ARG your ssh key fingerprint. Environment: SDC_KEY_ID=ARG
Commands:
help (?) Help on a specific sub-command.
list List your Account Policies.
get Get an account Policy by id.
create Creates a new Policy for your account.
update Updates a Policy of your account.
delete Removes a Policy from your account.
Creating policies
Use sdc-policy create to create a policy. A policy must have a name and at least one rule.
$ sdc-policy create --name=read-access --rules='CAN getobject' --rules='CAN getdirectory'
{
"name": "read-access",
"id": "1ec51dfd-1197-41ef-ac7d-c90dd478ae32",
"rules": [
"CAN getobject",
"CAN getdirectory"
]
}
Getting information about policies
Use sdc-policy list to get all the policies in your account.
$ sdc-policy list
[
{
"name": "read",
"id": "3072e003-34f7-c4a5-9f73-a8808de40e26",
"rules": [
"CAN getobject"
]
},
{
"name": "list",
"id": "616b8f9b-9260-e34d-fcbf-f6dba02a6512",
"rules": [
"CAN getdirectory"
]
},
. . .
]
If you've installed json, you can use it for a quick list of all your policies' names and ids.
$ sdc-policy list | json -a name id
read 3072e003-34f7-c4a5-9f73-a8808de40e26
list 616b8f9b-9260-e34d-fcbf-f6dba02a6512
read-plus f203d7e2-56aa-cf4b-8b32-8713cfa4388d
read-access 1ec51dfd-1197-41ef-ac7d-c90dd478ae32
Use sdc-policy get to get information about a specific policy by id.
$ sdc-policy get 1ec51dfd-1197-41ef-ac7d-c90dd478ae32
{
"name": "read-access",
"id": "1ec51dfd-1197-41ef-ac7d-c90dd478ae32",
"rules": [
"CAN getdirectory",
"CAN getobject"
]
}
Changing policy information
Use sdc-policy update to change the name, description, or rules of a policy.
When you update the rules, keep in mind that the rules you specify replace all of the rules the policy had before. To add a rule, re-specify every existing rule you want to keep along with the new one; otherwise the old rules are dropped.
$ sdc-policy update --rules='CAN getobject' 1ec51dfd-1197-41ef-ac7d-c90dd478ae32
{
"name": "read-access",
"id": "1ec51dfd-1197-41ef-ac7d-c90dd478ae32",
"rules": [
"CAN getobject"
]
}
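Because update overwrites the whole rule list, a safe way to add a rule is to read the policy's current rules first and re-supply them. The script below is an added example, not part of the sdc-policy documentation or tool: it extracts the rules from the pretty-printed JSON that sdc-policy get prints (a constructed sample is embedded inline), builds an update command that keeps the existing rules and appends new ones, and shows the default-deny check from the rules section. It does not invoke sdc-policy itself; the rule name CAN putobject is assumed for illustration.

```shell
#!/bin/sh
# Added example: compose a non-destructive `sdc-policy update`.
# The policy JSON below is a constructed sample in the shape of `sdc-policy get` output.
POLICY_ID='1ec51dfd-1197-41ef-ac7d-c90dd478ae32'
CURRENT_POLICY='{
  "name": "read-access",
  "id": "1ec51dfd-1197-41ef-ac7d-c90dd478ae32",
  "rules": [
    "CAN getobject",
    "CAN getdirectory"
  ]
}'

# Print the rule strings, one per line, from pretty-printed policy JSON.
# Each rule sits on its own line as   "CAN ...",   so a sed capture suffices;
# use `json -a rules` instead if the json tool is installed.
extract_rules() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*"\(CAN [^"]*\)",\{0,1\}[[:space:]]*$/\1/p'
}

# Default deny: an action is allowed only if some CAN rule names it exactly.
# Usage: is_allowed POLICY_JSON ACTION
is_allowed() {
  extract_rules "$1" | grep -qx "CAN $2"
}

# Emit the update command with one --rules= per existing rule plus the new
# ones, deduplicated so running it twice is harmless.
# Usage: build_update_cmd POLICY_JSON POLICY_ID NEW_RULE...
build_update_cmd() {
  policy_json=$1; policy_id=$2; shift 2
  all_rules=$( { extract_rules "$policy_json"
                 for r in "$@"; do printf '%s\n' "$r"; done; } | awk '!seen[$0]++' )
  cmd="sdc-policy update"
  # Here-document keeps the loop in the current shell so $cmd survives.
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    cmd="$cmd --rules='$rule'"
  done <<EOF
$all_rules
EOF
  printf '%s %s\n' "$cmd" "$policy_id"
}

# Add an assumed write rule while keeping both existing read rules.
build_update_cmd "$CURRENT_POLICY" "$POLICY_ID" 'CAN putobject' 'CAN getobject'
```

Review the printed command before pasting it into your shell; the point is that the existing rules appear in it alongside the addition.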
Deleting policies
Use sdc-policy delete to delete a policy.
$ sdc-policy delete 092d22f3-36cd-e8db-cf8d-e39f6ad14b19