
Access Policy Engine (APE)

The access policy engine is a component that checks whether a request may be executed on a resource according to the established rule chains.

Every request executed in the system has a set of properties:

  • Who sent the request (the actor)
  • What action the request is going to perform
  • Properties of the actor (groups, presence of MFA, etc.)
  • The resource on which the request will be executed (container, object, etc.)
  • The namespace in which the request will be executed
  • etc.

In addition, there are chains of rules that describe which criteria a request must satisfy to be allowed or denied. Different rule chains belong to (and accordingly take effect in) different scopes.

There are four groups of scopes rule chains can belong to:

  • Namespace
  • Group
  • User
  • Container

So before a request is performed, APE fetches the appropriate rule chains and checks whether the request matches the rules in those chains, in order to decide whether to allow or deny it.

Chain

APE chain definition can be found here.

Example

If a request is made by "user1" (who belongs to "namespace1" and "group1") and is going to do something in "container1", APE will fetch every rule chain that corresponds to

  • "namespace1" namespace
  • "group1" group
  • "user1" user
  • "container1" container

APE request flow overview

In this example only two rules are checked (for the "container1" and "user1" scopes), because there are no other applicable chains for "namespace1" and "group1".

The request in the example is allowed because rule2 allows it (rule1 would deny the request only if it had been made by user2).

Note

APE chains can be fetched from several places. The two main ones are:

  • the 'policy' contract
  • local overrides on the storage node itself

A request is denied if at least one chain denies it. The priority of rules within a chain is controlled by the chain's MatchType field (see the APE Chain section).
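The following Python model, added here as an illustration and not taken from the APE implementation or the FrostFS project, walks through the example above (user1 acting on container1 with chains in the container and user scopes) and the rule in this note: a request is denied as soon as any chain denies it, and MatchType decides which rule wins inside a single chain. The MatchType names DenyPriority and FirstMatch, the action names GetObject and PutObject, the chain ids, and the behaviour when no rule matches at all (the engine reports "no rule found" instead of a verdict) are assumptions made for the example, not values from this page.

```python
"""Toy model of APE chain evaluation (illustrative, not the FrostFS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    ALLOW = "Allow"
    DENY = "AccessDenied"


class MatchType(Enum):
    # Assumed semantics: DenyPriority lets any matching deny rule win,
    # FirstMatch uses the first matching rule in chain order.
    DENY_PRIORITY = "DenyPriority"
    FIRST_MATCH = "FirstMatch"


@dataclass(frozen=True)
class Request:
    actor: str
    action: str
    resource: str
    namespace: str
    groups: frozenset = frozenset()
    mfa: bool = False


@dataclass
class Rule:
    status: Status
    actions: set
    resources: set
    # Extra condition on request properties (actor, MFA, ...); default matches all.
    condition: Callable[[Request], bool] = lambda req: True

    def matches(self, req: Request) -> bool:
        return (req.action in self.actions
                and req.resource in self.resources
                and self.condition(req))


@dataclass
class Chain:
    chain_id: str
    match_type: MatchType
    rules: list

    def evaluate(self, req: Request) -> Optional[Status]:
        """Verdict of this chain, or None when no rule in it matches."""
        matched = [rule.status for rule in self.rules if rule.matches(req)]
        if not matched:
            return None
        if self.match_type is MatchType.FIRST_MATCH:
            return matched[0]
        return Status.DENY if Status.DENY in matched else Status.ALLOW


class PolicyEngine:
    """Collects chains from the four scopes and combines their verdicts."""

    def __init__(self, chains: dict):
        # Key (scope, target name) -> list of chains, e.g. ("container", "container1").
        self.chains = chains

    def targets(self, req: Request) -> list:
        return ([("namespace", req.namespace)]
                + [("group", g) for g in sorted(req.groups)]
                + [("user", req.actor), ("container", req.resource)])

    def check(self, req: Request) -> tuple:
        """(verdict, ids of the chains that produced it); verdict is DENY if any
        chain denies, ALLOW if some chain allows and none denies, else None."""
        verdicts = [(c.chain_id, c.evaluate(req))
                    for target in self.targets(req)
                    for c in self.chains.get(target, [])]
        denies = [cid for cid, s in verdicts if s is Status.DENY]
        if denies:
            return Status.DENY, denies
        allows = [cid for cid, s in verdicts if s is Status.ALLOW]
        return (Status.ALLOW, allows) if allows else (None, [])


# Constructed chains mirroring the page's example: rule1 in the container1
# scope denies user2, rule2 in the user1 scope allows user1.
EXAMPLE_CHAINS = {
    ("container", "container1"): [Chain("chain-container1", MatchType.DENY_PRIORITY, [
        Rule(Status.DENY, {"GetObject"}, {"container1"}, lambda r: r.actor == "user2")])],
    ("user", "user1"): [Chain("chain-user1", MatchType.DENY_PRIORITY, [
        Rule(Status.ALLOW, {"GetObject"}, {"container1"})])],
}


def run_example() -> dict:
    engine = PolicyEngine(EXAMPLE_CHAINS)
    user1 = Request("user1", "GetObject", "container1", "namespace1", frozenset({"group1"}))
    user2 = Request("user2", "GetObject", "container1", "namespace1", frozenset({"group1"}))
    # One chain holding an allow and a deny rule that both match the same
    # request: only the MatchType decides which rule wins.
    both = [Rule(Status.ALLOW, {"PutObject"}, {"container1"}),
            Rule(Status.DENY, {"PutObject"}, {"container1"})]
    put = Request("user1", "PutObject", "container1", "namespace1")
    return {
        "user1": engine.check(user1),          # (ALLOW, ["chain-user1"])
        "user2": engine.check(user2),          # (DENY, ["chain-container1"])
        "first_match": Chain("c", MatchType.FIRST_MATCH, both).evaluate(put),
        "deny_priority": Chain("c", MatchType.DENY_PRIORITY, both).evaluate(put),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

The engine looks up chains for all four scopes on every request, so the scope a chain is stored under only decides when it is consulted, not how strong its verdict is: a single deny from any scope is final, and allow verdicts are combined only when nothing denies.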