Working with rules
Rules are written in the Aperture policy language, which allows you to write rules in a human-readable form. The access control system of the Triton Compute Service uses a subset of the Aperture policy language, and that subset is what we describe here.
The general form of a rule is:
CAN <actions> [IF | WHEN | WHERE] <conditions>
You can use any of IF, WHEN, or WHERE to make the condition easier to read.
The default permission for all resources is to deny access. The rules of a policy enable access.
This is what rules look like:
CAN getobject and getdirectory IF sourceip = 1.2.3.0/24 OR sourceip = 3.2.1.0/24
CAN putobject IF overwrite = false
CAN getobject IF fromjob = true
CAN putobject IF day IN (Monday, Tuesday, Wednesday, Thursday, Friday)
The actions for Manta and CloudAPI are listed in the tables below.
Manta actions
For Manta, the action part of a rule operates on Manta objects.
Directory actions
| Action | Manta API Endpoint | Notes |
|---|---|---|
| putdirectory | PutDirectory | create directories, update directory metadata |
| getdirectory | ListDirectory | list contents of directories |
| deletedirectory | DeleteDirectory | delete (empty) directories |
Object actions
| Action | Manta API Endpoint | Notes |
|---|---|---|
| putobject | PutObject, PutMetadata | create objects, overwrite objects, update object metadata |
| getobject | GetObject | read object, get archived job stats |
| deleteobject | DeleteObject | delete objects |
SnapLink actions
| Action | Manta API Endpoint | Notes |
|---|---|---|
| putlink | PutSnapLink | create snaplinks (You must also have getobject access on the source.) |
Job actions
| Action | Manta API Endpoint | Notes |
|---|---|---|
| createjob | CreateJob | create jobs |
| listjobs | ListJobs | list jobs |
| getjob | GetJob, GetJobOutput, GetJobInput, GetJobFailures, GetJobErrors | get live job status, errors, inputs, and outputs |
| managejob | AddJobInputs, EndJobInput, CancelJob | add input keys to jobs, end job input, cancel jobs |
CloudAPI actions
For CloudAPI, the action part of a rule operates on CloudAPI endpoints.
Account actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| getaccount | GetAccount | sdc-getaccount |
| updateaccount | UpdateAccount | sdc-updateaccount |
Key actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listkeys | ListKeys | sdc-listkeys |
| getkey | GetKey | sdc-getkey |
| createkey | CreateKey | sdc-createkey |
| deletekey | DeleteKey | sdc-deletekey |
User actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listusers | ListUsers | sdc-user list |
| getuser | GetUser | sdc-user get |
| createuser | CreateUser | sdc-user create |
| updateuser | UpdateUser | sdc-user update |
| changeuserpassword | ChangeUserPassword | sdc-user change-password |
| deleteuser | DeleteUser | sdc-user delete |
Role actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listroles | ListRoles | sdc-role list |
| getrole | GetRole | sdc-role get |
| createrole | CreateRole | sdc-role create |
| updaterole | UpdateRole | sdc-role update |
| deleterole | DeleteRole | sdc-role update |
Role tag actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| setroletags | SetRoleTags | sdc-chmod |
Policy actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listpolicies | ListPolicies | sdc-policy list |
| getpolicy | GetPolicy | sdc-policy get |
| createpolicy | CreatePolicy | sdc-policy create |
| updatepolicy | UpdatePolicy | sdc-policy update |
| deletepolicy | DeletePolicy | sdc-policy delete |
User SSH key actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listuserkeys | ListUserKeys | sdc-user keys |
| getuserkey | GetUserKey | sdc-user key |
| createuserkey | CreateUserKey | sdc-user upload-key |
| deleteuserkey | DeleteUserKey | sdc-user delete-key |
Data center actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listdatacenters | ListDataCenters | sdc-listdatacenters |
| getdatacenter | GetDatacenter | none |
Image actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listimages | ListImages | sdc-listimages |
| getimage | GetImage | sdc-getimage |
| deleteimage | DeleteImage | sdc-deleteimage |
| exportimage | ExportImage | sdc-exportimage |
| createimagefrommachine | CreateImageFromMachine | sdc-createimagefrommachine |
| updateimage | UpdateImage | sdc-updateimage |
Package actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listpackages | ListPackages | sdc-listpackages |
| getpackage | GetPackage | sdc-getpackage |
Machine actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listmachines | ListMachines | sdc-listmachines |
| getmachine | GetMachine | sdc-getmachine |
| createmachine | CreateMachine | sdc-createmachine |
| stopmachine | StopMachine | sdc-stopmachine |
| startmachine | StartMachine | sdc-startmachine |
| rebootmachine | RebootMachine | sdc-rebootmachine |
| resizemachine | ResizeMachine | sdc-resizemachine |
| renamemachine | RenameMachine | sdc-renamemachine |
| enablemachinefirewall | EnableMachineFirewall | sdc-enablemachinefirewall |
| disablemachinefirewall | DisableMachineFirewall | sdc-disablemachinefirewall |
| createmachinesnapshot | CreateMachineSnapshot | sdc-createmachinesnapshot |
| startmachinefromsnapshot | StartMachineFromSnapshot | sdc-startmachinefromsnapshot |
| listmachinesnapshots | ListMachineSnapshots | sdc-listmachinesnapshots |
| getmachinesnapshot | GetMachineSnapshot | sdc-getmachinesnapshot |
| deletemachinesnapshot | DeleteMachineSnapshot | sdc-deletemachinesnapshot |
| updatemachinemetadata | UpdateMachineMetadata | sdc-updatemachinemetadata |
| getmachinemetadata | GetMachineMetadata | sdc-getmachinemetadata |
| deletemachinemetadata | DeleteMachineMetadata | sdc-deletemachinemetadata |
| deleteallmachinemetadata | DeleteAllMachineMetadata | sdc-deletemachinemetadata |
| addmachinetags | AddMachineTags | sdc-addmachinetags |
| replacemachinetags | ReplaceMachineTags | sdc-replacemachinetags |
| listmachinetags | ListMachineTags | sdc-listmachinetags |
| getmachinetag | GetMachineTag | sdc-getmachinetag |
| deletemachinetag | DeleteMachineTag | sdc-deletemachinetag |
| deletemachinetags | DeleteMachineTags | sdc-deletemachinetag |
| deletemachine | DeleteMachine | sdc-deletemachine |
| machineaudit | MachineAudit | sdc-getmachineaudit |
Firewall Rule actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listfirewallrules | ListFirewallRules | sdc-listfirewallrules |
| getfirewallrule | GetFirewallRule | sdc-getfirewallrule |
| createfirewallrule | CreateFirewallRule | sdc-createfirewallrule |
| updatefirewallrule | UpdateFirewallRule | sdc-updatefirewallrule |
| enablefirewallrule | EnableFirewallRule | sdc-enablefirewallrule |
| disablefirewallrule | DisableFirewallRule | sdc-disablefirewallrule |
| deletefirewallrule | DeleteFirewallRule | sdc-deletefirewallrule |
| listmachinefirewallrules | ListMachineFirewallRules | sdc-listmachinefirewallrules |
| listfirewallrulemachines | ListFirewallRuleMachines | sdc-listfirewallrulemachines |
Network actions
| Action | CloudAPI Endpoint | Command Line Interface |
|---|---|---|
| listnetworks | ListNetworks | sdc-listnetworks |
| getnetwork | GetNetwork | sdc-getnetwork |
Conditions
You can add conditions to specify when a rule is valid. For example, you may want to limit contractor access to requests from a specific IP address.
The following operators are valid in condition expressions. Operators must be delimited with spaces.
| Operator | Description |
|---|---|
| = | equal |
| != | not equal |
| < | less than |
| > | greater than |
| <= | less than or equal |
| >= | greater than or equal |
| AND | boolean and; also used as a list separator |
| OR | boolean or |
| NOT | boolean negation |
| IN | array membership |
| (, ) | grouping |
Lists can be given in various forms:
- bob, carol, ted, alice
- bob, carol, ted and alice
- bob, carol, ted, and alice
You can use fuzzy matches and regular expressions.
ops_* matches a string beginning with ops_. Use \ to escape asterisks: Star\*Command.
Regular expressions use JavaScript syntax and are followed by ::regex. If you want to keep people from using curl, you might do something like this:
CAN getobject IF user-agent != /^curl/::regex
(Note that it's very simple to change the user agent in curl.)
General conditions
| Name | Description | Example |
|---|---|---|
| activeRoles | List of active roles. | CAN listnetworks AND getnetwork WHEN activeRoles = *ops |
| date | Date of the request. | CAN getobject IF date > "25 Dec 2014" |
| day | Day of the week the request is made. Valid values: monday, mon, m; tuesday, tue, t; wednesday, wed, w; thursday, thu, th; friday, fri, f; saturday, sat, s; sunday, sun, su | CAN createuser IF day IN (Monday, Wednesday, Friday) |
| sourceip | Source IP address of the request. | CAN listpolicies IF sourceip = 127.0.0.1 |
| time | Time of day the request was made. | CAN createrole IF time > 13:00 AND time < 21:00 |
| user-agent | User agent of the request. | CAN getobject IF user-agent != /^curl/::regex |
Time and date can be given in any format that JavaScript Date.parse() can parse. All times and dates are UTC.
IP addresses are IPv4 or IPv6. CIDR ranges are valid.
CloudAPI conditions
These conditions apply only to CloudAPI operations.
| Name | Description | Example |
|---|---|---|
| ips | List of the machine's IP addresses, when the action is machine related. | CAN deletemachine WHEN ips IN (10.17.12/24) |
| tag_tagName::string | The value of a machine tag. | CAN rebootmachine IF tag_rebootable::string != never |
Manta conditions
These conditions apply only to Manta requests.
| Name | Description | Example |
|---|---|---|
| fromjob | True if the request was made from within a Manta job. | CAN putobject IF fromjob = true |
| overwrite | True if a request is overwriting an existing object or metadata. | CAN putobject IF overwrite = false |
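The rule grammar and the condition operators described above can be exercised end to end with a small evaluator. The Python below is an added example written for this page, not Joyent's Aperture implementation: it parses a rule into its action list and a condition tree (OR, AND, NOT, IN, parentheses and the six comparison operators, with the "a, b and c" list forms), then evaluates that tree against a request described as a dict keyed by condition name. The request representation is an assumption of this example: sourceip and the members of ips are ipaddress objects, so a CIDR literal matches by network membership (Python needs a full address such as 10.17.12.0/24 rather than the 10.17.12/24 shorthand shown above); overwrite and fromjob are booleans; time is a zero-padded HH:MM string, which orders correctly as text; activeRoles and ips are lists that match when any member matches; and ::regex patterns run through Python's re module rather than a JavaScript engine. Quoted date literals such as "25 Dec 2014" are not handled. A condition that is absent from the request never matches, and because the default is deny, a request is permitted only if some rule's allows() returns True; the caller ORs over the rules of a policy.

```python
"""Toy evaluator for the Aperture rule subset on this page. Constructed example, not Joyent's
code; the request-context dict and the weekday alias table are assumptions made here."""
import ipaddress
import re

# One token per match: parens, comma, operator, /.../::regex literal, or a bare word.
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|(,)|(<=|>=|!=|=|<|>)|(/(?:[^/\\]|\\.)*/::regex)|([^\s(),]+))')
DAYS = {alias: names.split()[0] for names in (   # alias -> canonical weekday (day table above)
    'monday mon m', 'tuesday tue t', 'wednesday wed w', 'thursday thu th',
    'friday fri f', 'saturday sat s', 'sunday sun su') for alias in names.split()}

class Rule:
    """One `CAN <actions> [IF|WHEN|WHERE] <conditions>` line, parsed into a small AST."""
    def __init__(self, text):
        self.tokens = [m.group(m.lastindex) for m in TOKEN_RE.finditer(text)]
        self.pos = 0
        self._next('CAN')
        self.actions, keyword = self._values(('IF', 'WHEN', 'WHERE', None))
        self.condition = self._binary() if keyword else None   # no keyword: unconditional grant
        if self._peek() is not None:
            raise SyntaxError('unexpected %r' % self._peek())
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _next(self, want=None):         # consume one token, optionally insisting on `want`
        tok, self.pos = self._peek(), self.pos + 1
        if want is not None and tok != want:
            raise SyntaxError('expected %r, got %r' % (want, tok))
        return tok
    def _values(self, stops):           # list items up to a stop token -> (items, stop consumed)
        items = []
        while self._peek() not in stops:
            tok = self._next()
            if tok is None:
                raise SyntaxError('unterminated list')
            if tok.lower() not in ('and', ','):   # "a, b", "a and b", "a, and b" all list a and b
                items.append(tok)
        return items, self._next()
    def _binary(self, level=0):         # precedence: level 0 = OR (loosest), 1 = AND, 2 = NOT/atoms
        node = self._unary() if level == 2 else self._binary(level + 1)
        while level < 2 and self._peek() == ('OR', 'AND')[level]:
            self._next()
            node = (('or', 'and')[level], node, self._binary(level + 1))
        return node
    def _unary(self):
        tok = self._next()
        if tok == 'NOT':
            return ('not', self._unary())
        if tok == '(':
            node = self._binary()
            self._next(')')
            return node
        name, op = tok, self._next()
        if op == 'IN':
            self._next('(')
            return ('in', name, self._values((')',))[0])
        if op not in ('=', '!=', '<', '>', '<=', '>=') or self._peek() is None:
            raise SyntaxError('incomplete comparison on %r' % name)
        return ('cmp', op, name, self._next())
    def allows(self, action, ctx):      # does this rule grant `action` for the request `ctx`?
        return action in self.actions and (self.condition is None or _eval(self.condition, ctx))

def _eval(node, ctx):
    kind = node[0]
    if kind in ('or', 'and'):
        left = _eval(node[1], ctx)
        return (left or _eval(node[2], ctx)) if kind == 'or' else (left and _eval(node[2], ctx))
    if kind == 'not':
        return not _eval(node[1], ctx)
    if kind == 'in':
        return any(_match('=', node[1], ctx, v) for v in node[2])
    return _match(node[1], node[2], ctx, node[3])

def glob_to_regex(pattern):            # 'ops_*' -> 'ops_.*'; an escaped '\*' stays a literal star
    return ''.join('.*' if p == '*' else re.escape(p[1:] if p[0] == '\\' else p)
                   for p in re.findall(r'\\.|\*|[^\\*]+', pattern))

def _match(op, name, ctx, literal):
    actual = ctx.get(name)
    if actual is None:                     # condition absent from the request: never matches
        return False
    if op == '!=':
        return not _match('=', name, ctx, literal)
    if isinstance(actual, list):           # activeRoles, ips: true if any member matches
        return any(_match(op, name, {name: a}, literal) for a in actual)
    if literal.endswith('/::regex'):       # JS regex syntax is close to, not identical to, re's
        return op == '=' and re.search(literal[1:-8], str(actual)) is not None
    if isinstance(actual, bool):
        return op == '=' and actual == (literal.lower() == 'true')
    if isinstance(actual, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return op == '=' and actual in ipaddress.ip_network(literal, strict=False)
    if name == 'day':
        wanted = DAYS.get(literal.lower())
        return op == '=' and wanted is not None and wanted == DAYS.get(actual.lower())
    if op == '=':                          # other strings: fuzzy match with * wildcards
        return re.fullmatch(glob_to_regex(literal), actual) is not None
    return {'<': actual < literal, '>': actual > literal,   # plain string ordering, which is
            '<=': actual <= literal, '>=': actual >= literal}[op]   # right for zero-padded 13:00
```

With this, Rule('CAN getobject IF user-agent != /^curl/::regex').allows('getobject', {'user-agent': 'curl/7.64.1'}) is False and becomes True for any other user agent, while a request with no user-agent at all is still denied, because in this evaluator an absent condition never satisfies a comparison, negated or not. Malformed rules (trailing tokens, an unterminated IN list, a comparison with no value) raise SyntaxError at parse time rather than silently granting anything.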