KSS policies are built from rules and rule sets. A KSS policy is defined by a rule tree encoded in YAML (see example here). The rule tree is split into sections by request type. Each request type section contains one or more rule sets (the outer list), which define the approval behavior for that request type. If any one of the rule sets evaluates to true, the request is approved (i.e., the rule sets are OR-ed).
Rules
Rules are simple conditions that evaluate to either true or false. Rules are the basic building blocks of policies.
The KSS includes several default rule plugins (full documentation here).
MetaRule (meta-rule)
The basic rule for approving requests based on the file name or file path.
ProfileThrottleRule (per-profile-throttle-rule)
The basic rule for applying per-profile limits on the number of approvals.
ProfileIdRule (profile-id-rule)
The basic rule for an exact match on profile ids.
TimeRangeRule
The basic rule for conditioning approval on a time range.
Rule Sets
A rule set consists of one rule or a series of rules. For a rule set to evaluate to true, every rule within it must also evaluate to true (the rules are AND-ed). The type of each rule is selected by its "rule" parameter; any additional arguments are specific to the rule being used.
For a given request type, rule sets are evaluated in the order specified in the policy. Most organizations will want to place a more permissive rule set ahead of a more restrictive one, so that requests the permissive set approves are handled before the stricter sets are consulted.
Default Auto-Approval Behavior
When they are not listed in the KSS policy, the following request types are approved automatically and without restriction. As soon as one of these request types appears in the policy, the policy alone defines its behavior and the automatic approval no longer applies:
create_profile
create_location
Incompatible Request / Rule Combinations
The following request types cannot be combined with the rules listed beneath them:
create_profile
  profile-id-rule
  per-profile-throttle-rule
  meta-rule
create_location
  meta-rule
search
  meta-rule
Changing KSS Policies
KSS policies are changed by editing the keyserver.yml file. This applies in both non-cluster and cluster mode; in cluster mode the file can be edited on any instance.
The changes are loaded with the following command:
atakama keyserver policy --load [PATH]
The following command writes the currently active rule set to a file:
atakama keyserver policy --dump [PATH]
In KSS cluster environments, a policy loaded on one instance is written to the shared database and distributed to all other instances.
Quota Management
To view the profiles that are currently being throttled by any rule, use the following command:
atakama keyserver quota list
Throttling data can be cleared with the following command:
atakama keyserver quota clear
This resets all throttling data to zero for every profile, whether or not the profile had reached its quota. A user can be given a higher quota by adding a rule set specific to that user to the policy (e.g., a rule set combining per-profile-throttle-rule and profile-id-rule), placed ahead of the general rule set in line with the ordering guidance above.
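The following is an added illustration of the policy semantics described on this page (rule sets OR-ed in policy order, rules AND-ed within a set, default auto-approval for create_profile and create_location, the incompatible request/rule combinations, and the per-user quota override built from per-profile-throttle-rule plus profile-id-rule). It is example code written for this page, not Atakama's implementation. The rule argument names (profile_ids, paths, limit), the "decrypt" request type, and the scope of the throttle counter (one counter per request type and profile) are assumptions; TimeRangeRule is omitted because its rule name and arguments are not given here. The policy is a Python dict that mirrors the YAML rule tree layout: request type, then a list of rule sets, then a list of rules.

```python
# Toy evaluator for the KSS policy semantics described on this page.
# Example code, not Atakama's implementation. Assumptions: the rule argument
# names (profile_ids, paths, limit), the "decrypt" request type, and a throttle
# counter scoped per (request type, profile id).
from collections import defaultdict

# Request types approved without restriction when absent from the policy (from the page).
DEFAULT_AUTO_APPROVE = {"create_profile", "create_location"}

# Request type -> rules the page lists as not applicable to it.
INCOMPATIBLE = {
    "create_profile": {"profile-id-rule", "per-profile-throttle-rule", "meta-rule"},
    "create_location": {"meta-rule"},
    "search": {"meta-rule"},
}
KNOWN_RULES = {"profile-id-rule", "meta-rule", "per-profile-throttle-rule"}


class PolicyError(ValueError):
    pass


def validate_policy(policy):
    """Return a list of problems: unknown rules and incompatible request/rule combinations."""
    problems = []
    for request_type, rule_sets in policy.items():
        for rule_set in rule_sets:
            for rule in rule_set:
                kind = rule.get("rule")
                if kind not in KNOWN_RULES:
                    problems.append(f"unknown rule {kind!r} under {request_type}")
                elif kind in INCOMPATIBLE.get(request_type, set()):
                    problems.append(f"{kind} is not applicable to {request_type}")
    return problems


class Evaluator:
    def __init__(self, policy):
        problems = validate_policy(policy)
        if problems:
            raise PolicyError("; ".join(problems))
        self.policy = policy
        self.counts = defaultdict(int)  # (request type, profile id) -> approvals granted (assumed scope)

    def _rule_true(self, rule, req):
        kind = rule["rule"]
        if kind == "profile-id-rule":  # exact match on profile id
            return req["profile_id"] in rule["profile_ids"]
        if kind == "meta-rule":  # match on file name or path (prefix match assumed)
            return any(req["path"].startswith(prefix) for prefix in rule["paths"])
        if kind == "per-profile-throttle-rule":  # per-profile limit on approvals
            return self.counts[(req["type"], req["profile_id"])] < rule["limit"]
        raise PolicyError(f"unknown rule {kind}")

    def evaluate(self, req):
        """Return True if the request is approved."""
        rule_sets = self.policy.get(req["type"])
        if rule_sets is None:  # type absent from the policy: only the defaults are auto-approved
            return req["type"] in DEFAULT_AUTO_APPROVE
        for rule_set in rule_sets:  # rule sets are OR-ed and tried in policy order
            if all(self._rule_true(rule, req) for rule in rule_set):  # rules are AND-ed
                if any(rule["rule"] == "per-profile-throttle-rule" for rule in rule_set):
                    self.counts[(req["type"], req["profile_id"])] += 1  # charge the quota on approval
                return True
        return False

    def quota_list(self):
        """Profiles with a non-zero throttle count (models `quota list`)."""
        return {key: n for key, n in self.counts.items() if n}

    def quota_clear(self):
        """Reset all throttling data to zero, at quota or not (models `quota clear`)."""
        self.counts.clear()


# Constructed policy: alice gets a higher decrypt quota through her own rule set, placed ahead of
# the general rule set. create_location is listed, so it is no longer auto-approved; create_profile
# is absent, so it still is.
POLICY = {
    "decrypt": [
        [{"rule": "profile-id-rule", "profile_ids": ["alice"]},
         {"rule": "per-profile-throttle-rule", "limit": 5}],
        [{"rule": "meta-rule", "paths": ["/shared/"]},
         {"rule": "per-profile-throttle-rule", "limit": 2}],
    ],
    "create_location": [[{"rule": "profile-id-rule", "profile_ids": ["admin"]}]],
}


def run_scenario():
    """Drive the constructed policy with sample requests and return the decisions."""
    ev = Evaluator(POLICY)

    def decrypt(who, path):
        return ev.evaluate({"type": "decrypt", "profile_id": who, "path": path})

    results = {
        "bob_shared": [decrypt("bob", "/shared/a.txt") for _ in range(3)],  # 2 approved, 3rd throttled
        "bob_private": decrypt("bob", "/private/a.txt"),  # no rule set matches: denied
        "alice_private": [decrypt("alice", "/private/b.txt") for _ in range(6)],  # 5 approved, 6th throttled
        "create_profile": ev.evaluate({"type": "create_profile", "profile_id": "bob"}),  # default auto-approval
        "create_location_admin": ev.evaluate({"type": "create_location", "profile_id": "admin"}),
        "create_location_bob": ev.evaluate({"type": "create_location", "profile_id": "bob"}),
        "quota_before_clear": ev.quota_list(),
    }
    ev.quota_clear()
    results["bob_after_clear"] = decrypt("bob", "/shared/a.txt")  # counter reset, approved again
    return results
```

The scenario shows the two behaviours worth checking before deploying a policy: listing create_location in the policy switches off its default approval for everyone the rule sets do not cover, and a user-specific throttle set only raises that user's quota when it appears as its own rule set rather than as an extra rule inside the general one.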