#
# This example demonstrates intersections. An intersection is a logical-AND of
# roles or osets. An intersection succeeds if the principal is in the
# intersection of the sets defined by the roles.
#
# The policy set by Acme is that a character must be both a preferred customer
# and a WarnerBrothers character to buy rockets. Each of those attributes is
# specified by a role.
#
# This example defines 4 principals, Acme, WarnerBrothers, Coyote and Batman.
# Credential 1 defines the policy requiring both roles to get the buy_rockets
# role. Credential 2 gives the Coyote a preferred_customer role. Credential 3
# gives Batman the preferred_customer role and Credential 4 recognizes the
# Coyote as a Warner Brothers character.
#
# In order to buy rockets from Acme, you must be BOTH a preferred customer
# AND a WarnerBros character. In this example, the following query will be
# successful:
#
#   Acme.buy_rockets <-?- Coyote
#
# The following query will fail (because Batman does not have the
# attribute WarnerBros.character):
#
#   Acme.buy_rockets <-?- Batman
#
# acme_rockets_intersection_rt0

# Credential 1
#[keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer & [keyid:WarnerBros].role:character

# Credential 2
#[keyid:Acme].role:preferred_customer <- [keyid:Coyote]

# Credential 3
#[keyid:Acme].role:preferred_customer <- [keyid:Batman]

# Credential 4
#[keyid:WarnerBros].role:character <- [keyid:Coyote]
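
# Added example, not part of the original file and not the ABAC library's own
# code: a small evaluator that computes role membership for the four
# credentials above as a least fixed point and answers both queries. It handles
# only direct membership and intersections (no linking roles), and it assumes
# role names match exactly, so Credential 1 names the same character role that
# Credential 4 grants. The helper names parse_term, parse_credential, members
# and query are hypothetical.

```python
import re

# Added illustration (not libabac code): the file's four credentials, uncommented.
CREDENTIALS = [
    "[keyid:Acme].role:buy_rockets <- [keyid:Acme].role:preferred_customer"
    " & [keyid:WarnerBros].role:character",
    "[keyid:Acme].role:preferred_customer <- [keyid:Coyote]",
    "[keyid:Acme].role:preferred_customer <- [keyid:Batman]",
    "[keyid:WarnerBros].role:character <- [keyid:Coyote]",
]

TERM = re.compile(r"\[keyid:(\w+)\](?:\.role:(\w+))?$")

def parse_term(text):
    """Return ('principal', name) or ('role', (issuer, role_name))."""
    m = TERM.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable term: {text!r}")
    issuer, role = m.groups()
    return ("role", (issuer, role)) if role else ("principal", issuer)

def parse_credential(line):
    head, tail = line.split("<-")
    kind, role = parse_term(head)
    if kind != "role":
        raise ValueError("the head of a credential must be a role")
    return role, [parse_term(t) for t in tail.split("&")]

def members(credentials):
    """Map each role to its principals; '&' intersects the body terms' sets."""
    rules = [parse_credential(c) for c in credentials]
    held, changed = {}, True
    while changed:  # repeat until no rule adds a new member
        changed = False
        for head, body in rules:
            sets = [{v} if k == "principal" else held.get(v, set()) for k, v in body]
            new = set.intersection(*sets) - held.get(head, set())
            if new:
                held.setdefault(head, set()).update(new)
                changed = True
    return held

def query(credentials, role, principal):
    """Answer 'role <-?- principal' using the same term syntax as the file."""
    return parse_term(principal)[1] in members(credentials).get(parse_term(role)[1], set())

if __name__ == "__main__":
    for who in ("Coyote", "Batman"):
        print(who, query(CREDENTIALS, "[keyid:Acme].role:buy_rockets", f"[keyid:{who}]"))
```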