Rules Conditions
As explained in the previous chapter, Security Policies are a set of rules that are evaluated at runtime to answer simple questions and return an "Allow" or "Deny" response.
Comparators
Conditions are evaluated against various metadata (see next sections) using one of the following comparator:
Comparator | Description | Value Example |
---|---|---|
String Matches | Compares with value using a regular expression. Empty value always evaluates to false. | localhost|127.0.01 |
String does not Match | Opposite of String Matches (empty values always evaluate to true) | (?i)\.txt$ |
String equals | Strict string equality | value |
Date Period | Start/end dates in ISO8601 Format | 2018-02-01T00:00+0100/2018-04-01T00:00+0100 |
Date after | Start date in ISO8601 Format | 2018-02-01T00:00+0100 |
Office Hours | Multiple recurring periods | Monday-Friday/09:00/18:30 |
CIDR Condition | Network addresses comparisons | 192.168.0.1/16 |
Request Metadata
Every request sent to the server via Cells APIs carries a set of metadata that can be used in Conditions to restrict or authorize particular accesses.
Metadata | Description |
---|---|
Server Host | Hostname to which the user has connected. This is can be used in conjunction with cells "Sites" that allow Cells to bind on different network addresses, and grant an access depending on the Site accessed. |
HTTP Method | GET, PUT, POST, DELETE, etc. |
Request URI | If you specifically want to deny access to a certain API endpoint |
HTTP Protocol | HTTP vs. HTTPS |
User-Agent | User-Agent header sent by Http client. Can be useful to prevent connection with Cells specific tools like Cells Client or Cells Sync, or with a specific Browser. |
Content-Type | Content-Type header of the incoming request. Can be used to disable sync client access by excluding "application/json+grpc" requests. |
Cookies String | Cookie header sent by browser |
Time | Server time when request is performed. |
Nodes Metadata
Many Cells REST API requests carry information about a specific "node", which is a file or folder, located in one of the authorized workspace. This node may or may not exist at the time of the request.
Typically, an upload request will "PUT" an object to "/workspace/path/to/file.ext" that does not exist yet. On the other hand, a listing or stat request will generally point to an existing file that can expose its own advanced metadata.
Metadata | Description |
---|---|
Basename | The basename of the node is the last segment of its path (e.g. file.ext) |
Full Path | Full path of the node inside the datasources global tree (.e.g pydiods1/path/to/file.ext) |
Node Type | Whether it's a file (LEAF) or folder (COLLECTION). |
Extension | Extension attached to file name |
Filesize | Size in bytes, either from existing file, or from the Content-Length header for upload queries. |
Modification Time | Timestamp of the last modification date for an existing file. |
Custom Metadata... | Any other metadata that can be generated by Cells or by users (see below). |
Using Custom Metadata
can be typically used to evaluate a condition against user-defined tags. For example, you can define a policy that hides any file tagged with a specific value (like "confidential"), or on the opposite only show files that are tagged with a specific value (like "scanned-for-viruses")