Powered by Redocly

Subtenant Policy

Defines an authorization policy.

Polices are used to authorize requests to the REST API, authorize requests to internal APIs, and to give system wide capabilities to tenants.

Policies are defined per-tenant. A tenant can assign its policies to its subtenants and to its users and approles.

A user or approle is allowed to do everything that its assigned policies allow, and that the tenant it belongs to is allowed to do.

A tenant that has a parent tenant with the same role is allowed to do everything that its assigned policies allow, and that its parent tenant is allowed to do.

A tenant without a parent tenant with the same role (i.e., the top site-provider, or top application-owner), is allowed to do everything that its assigned policies allow, and that its role is allowed to do.

Hence, the top site-provider can do anything, and a top application-owner without any assigned policies is allowed to do anything an application-owner can do.

Create a new policy

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

object

Policy that is applied for requests to the REST API.

Policies are checked in a non-defined order. If any policy results in an 'allow' operation then the operation is allowed.

For a given policy the most specific policy rule is applied, ie if a path prefix has an 'allow' rule but a longer path specifies 'reject', then the result will be 'reject'.

allow-all (object) or specific (object)

A set of system wide capabilities.

When multiple policies are assigned, they are checked in the order they are defined. If the first policy defines a capability, its action is returned. Otherwise, the next policy is checked, and so on. If the capability isn't defined in any policy, the request is rejected.

object
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

post/v1/config/tenants/{tenant-name}/policy/policies
Request samples 
name: user
rest-api:
  rules:
    - path: /**
      description: Allow access to everything.
      operations:
        all: allow
    - path: /v1/*/strongbox/identity/**
      description: Prevent user from modifying own or others credentials.
      operations:
        all: reject
    - path: /v1/*/policy/policies/**
      description: Prevent user from modifying policy rules.
      operations:
        create: reject
        read: allow
        update: reject
        delete: reject
        execute: reject
    - path: /v1/*/strongbox/token/create-root
      description: Prevent user from creating root token
      operations:
        all: reject
    - path: /v1/*/strongbox/token/disable
      description: Prevent user from disabling others tokens.
      operations:
        all: reject
    - path: /v1/*/strongbox/transit-keys/infra/**
      description: Prevent access to infra transit keys.
      operations:
        all: reject
capabilities:
  all: allow
volga:
  topics:
    - name: "*"
      operations:
        create: reject
        delete: reject
        produce: reject
        consume: allow
  infras:
    - name: "*"
      operations:
        produce: reject
        consume: allow

Retrieve the configuration of all policies

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/tenants/{tenant-name}/policy/policies
Response samples 
- name: user
  rest-api:
    rules:
      - path: /**
        description: Allow access to everything.
        operations:
          all: allow
      - path: /v1/*/strongbox/identity/**
        description: Prevent user from modifying own or others credentials.
        operations:
          all: reject
      - path: /v1/*/policy/policies/**
        description: Prevent user from modifying policy rules.
        operations:
          create: reject
          read: allow
          update: reject
          delete: reject
          execute: reject
      - path: /v1/*/strongbox/token/create-root
        description: Prevent user from creating root token
        operations:
          all: reject
      - path: /v1/*/strongbox/token/disable
        description: Prevent user from disabling others tokens.
        operations:
          all: reject
      - path: /v1/*/strongbox/transit-keys/infra/**
        description: Prevent access to infra transit keys.
        operations:
          all: reject
  capabilities:
    all: allow
  volga:
    topics:
      - name: "*"
        operations:
          create: reject
          delete: reject
          produce: reject
          consume: allow
    infras:
      - name: "*"
        operations:
          produce: reject
          consume: allow

Update a policy

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

policy-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

object

Policy that is applied for requests to the REST API.

Policies are checked in a non-defined order. If any policy results in an 'allow' operation then the operation is allowed.

For a given policy the most specific policy rule is applied, ie if a path prefix has an 'allow' rule but a longer path specifies 'reject', then the result will be 'reject'.

allow-all (object) or specific (object)

A set of system wide capabilities.

When multiple policies are assigned, they are checked in the order they are defined. If the first policy defines a capability, its action is returned. Otherwise, the next policy is checked, and so on. If the capability isn't defined in any policy, the request is rejected.

object
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/tenants/{tenant-name}/policy/policies/{policy-name}
Request samples 
name: user
rest-api:
  rules:
    - path: /**
      description: Allow access to everything.
      operations:
        all: allow
    - path: /v1/*/strongbox/identity/**
      description: Prevent user from modifying own or others credentials.
      operations:
        all: reject
    - path: /v1/*/policy/policies/**
      description: Prevent user from modifying policy rules.
      operations:
        create: reject
        read: allow
        update: reject
        delete: reject
        execute: reject
    - path: /v1/*/strongbox/token/create-root
      description: Prevent user from creating root token
      operations:
        all: reject
    - path: /v1/*/strongbox/token/disable
      description: Prevent user from disabling others tokens.
      operations:
        all: reject
    - path: /v1/*/strongbox/transit-keys/infra/**
      description: Prevent access to infra transit keys.
      operations:
        all: reject
capabilities:
  all: allow
volga:
  topics:
    - name: "*"
      operations:
        create: reject
        delete: reject
        produce: reject
        consume: allow
  infras:
    - name: "*"
      operations:
        produce: reject
        consume: allow

Delete a policy

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

policy-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/tenants/{tenant-name}/policy/policies/{policy-name}

Replace or create a new policy

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

policy-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

object

Policy that is applied for requests to the REST API.

Policies are checked in a non-defined order. If any policy results in an 'allow' operation then the operation is allowed.

For a given policy the most specific policy rule is applied, ie if a path prefix has an 'allow' rule but a longer path specifies 'reject', then the result will be 'reject'.

allow-all (object) or specific (object)

A set of system wide capabilities.

When multiple policies are assigned, they are checked in the order they are defined. If the first policy defines a capability, its action is returned. Otherwise, the next policy is checked, and so on. If the capability isn't defined in any policy, the request is rejected.

object
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/tenants/{tenant-name}/policy/policies/{policy-name}
Request samples 
name: user
rest-api:
  rules:
    - path: /**
      description: Allow access to everything.
      operations:
        all: allow
    - path: /v1/*/strongbox/identity/**
      description: Prevent user from modifying own or others credentials.
      operations:
        all: reject
    - path: /v1/*/policy/policies/**
      description: Prevent user from modifying policy rules.
      operations:
        create: reject
        read: allow
        update: reject
        delete: reject
        execute: reject
    - path: /v1/*/strongbox/token/create-root
      description: Prevent user from creating root token
      operations:
        all: reject
    - path: /v1/*/strongbox/token/disable
      description: Prevent user from disabling others tokens.
      operations:
        all: reject
    - path: /v1/*/strongbox/transit-keys/infra/**
      description: Prevent access to infra transit keys.
      operations:
        all: reject
capabilities:
  all: allow
volga:
  topics:
    - name: "*"
      operations:
        create: reject
        delete: reject
        produce: reject
        consume: allow
  infras:
    - name: "*"
      operations:
        produce: reject
        consume: allow

Retrieve the configuration of a policy

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

policy-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/tenants/{tenant-name}/policy/policies/{policy-name}
Response samples 
name: user
rest-api:
  rules:
    - path: /**
      description: Allow access to everything.
      operations:
        all: allow
    - path: /v1/*/strongbox/identity/**
      description: Prevent user from modifying own or others credentials.
      operations:
        all: reject
    - path: /v1/*/policy/policies/**
      description: Prevent user from modifying policy rules.
      operations:
        create: reject
        read: allow
        update: reject
        delete: reject
        execute: reject
    - path: /v1/*/strongbox/token/create-root
      description: Prevent user from creating root token
      operations:
        all: reject
    - path: /v1/*/strongbox/token/disable
      description: Prevent user from disabling others tokens.
      operations:
        all: reject
    - path: /v1/*/strongbox/transit-keys/infra/**
      description: Prevent access to infra transit keys.
      operations:
        all: reject
capabilities:
  all: allow
volga:
  topics:
    - name: "*"
      operations:
        create: reject
        delete: reject
        produce: reject
        consume: allow
  infras:
    - name: "*"
      operations:
        produce: reject
        consume: allow

Retrieve the state of all policies

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/tenants/{tenant-name}/policy/policies
Response samples 
- name: user
  rest-api:
    rules:
      - path: /**
        description: Allow access to everything.
        operations:
          all: allow
      - path: /v1/*/strongbox/identity/**
        description: Prevent user from modifying own or others credentials.
        operations:
          all: reject
      - path: /v1/*/policy/policies/**
        description: Prevent user from modifying policy rules.
        operations:
          create: reject
          read: allow
          update: reject
          delete: reject
          execute: reject
      - path: /v1/*/strongbox/token/create-root
        description: Prevent user from creating root token
        operations:
          all: reject
      - path: /v1/*/strongbox/token/disable
        description: Prevent user from disabling others tokens.
        operations:
          all: reject
      - path: /v1/*/strongbox/transit-keys/infra/**
        description: Prevent access to infra transit keys.
        operations:
          all: reject
  capabilities:
    all: allow
  volga:
    topics:
      - name: "*"
        operations:
          create: reject
          delete: reject
          produce: reject
          consume: allow
    infras:
      - name: "*"
        operations:
          produce: reject
          consume: allow

Retrieve the state of a policy

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

policy-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/tenants/{tenant-name}/policy/policies/{policy-name}
Response samples 
name: user
rest-api:
  rules:
    - path: /**
      description: Allow access to everything.
      operations:
        all: allow
    - path: /v1/*/strongbox/identity/**
      description: Prevent user from modifying own or others credentials.
      operations:
        all: reject
    - path: /v1/*/policy/policies/**
      description: Prevent user from modifying policy rules.
      operations:
        create: reject
        read: allow
        update: reject
        delete: reject
        execute: reject
    - path: /v1/*/strongbox/token/create-root
      description: Prevent user from creating root token
      operations:
        all: reject
    - path: /v1/*/strongbox/token/disable
      description: Prevent user from disabling others tokens.
      operations:
        all: reject
    - path: /v1/*/strongbox/transit-keys/infra/**
      description: Prevent access to infra transit keys.
      operations:
        all: reject
capabilities:
  all: allow
volga:
  topics:
    - name: "*"
      operations:
        create: reject
        delete: reject
        produce: reject
        consume: allow
  infras:
    - name: "*"
      operations:
        produce: reject
        consume: allow

Invoke the test-rest-rule operation

This action allows testing of different paths against the current set of rules in the policy. It helps answer the question 'is a given operation allowed for a given path?'

SecurityaccessToken
Request
path Parameters
tenant-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of tenant

policy-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

An arbitrary name of the policy. This name is unique within the tenant.

Request Body schema:
path
required
string <path-spec>

A '/'-separated path, where '*' matches any component, and 'pre*' matches any component that starts with 'pre', and '**' as the last component matches any descendant path.

For example, the path '/foo/*/bar/**' matches:

  • /foo/hello/bar
  • /foo/hi/bar/bax
  • /foo/hi/bar/bax/buzz

A '/'-separated REST path, starting with '/'.

Note that the path should start with the protocol version followed by 'config' or 'state'. For example, /v1/config/strongbox/authentication/userpass

operation
required
string <enumeration>
  • create
  • read
  • update
  • delete
  • execute
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/tenants/{tenant-name}/policy/policies/{policy-name}/test-rest-rule
Request samples 
path: /v1/config/strongbox/authentication/userpass
operation: update
Response samples 
action: allow
➔ Next to Subtenant Policy Log Level