
#1638 add support for namespace root policies #2365

Closed
hu-ahmed wants to merge 1 commit into eclipse-ditto:master from beyonnex-io:IOT-432-support-ns-root-policy


hu-ahmed commented Mar 9, 2026

Resolves: #1638

Summary

This PR adds support for namespace root policies in Ditto policy enforcement.

A namespace can be mapped to one or more root policy IDs. During enforcer creation, Ditto transparently merges entries from those root policies into policies of that namespace.

What changed

  • Added namespace-root merge support in policy enforcer resolution.
  • Added config abstraction:
    • NamespacePoliciesConfig
    • DefaultNamespacePoliciesConfig
  • Wired namespace policy resolution into:
    • cache loader path
    • create-policy enforcement path (PolicyEnforcerActor)
  • Extended cache invalidation:
    • when a namespace root policy changes, cached policies in covered namespaces are invalidated.
  • Added canonical base config file:
    • internal/utils/config/.../ditto-namespace-policies.conf
    • included via ditto-service-base.conf
  • Updated Helm templates and values to service-scoped config (entity-creation style):
    • policies.config.namespacePolicies
    • things.config.namespacePolicies
  • Updated chart docs accordingly.

Behavior / rules

  • Only entries with importable = "implicit" are merged.
  • Entries with importable = "explicit" or importable = "never" are not merged.
  • Local policy entries win on label conflicts.
  • If a configured root policy is missing/deleted, entries are skipped and an ERROR is logged.
  • Stored policy JSON is not modified; merge happens at enforcer-build time.

Example config

policies:
  config:
    namespacePolicies:
      org.example.devices:
        - org.example:tenant-root

things:
  config:
    namespacePolicies:
      org.example.devices:
        - org.example:tenant-root

hu-ahmed force-pushed the IOT-432-support-ns-root-policy branch from f13bab1 to e785b63 (March 9, 2026 15:39)
thjaeckle added this to the 3.9.0 milestone Mar 10, 2026
hu-ahmed closed this Mar 10, 2026
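
A small Python model of the merge rules listed in the PR description, added here as an illustration; it is not Ditto's Java implementation and not code from this PR. The policy store, entry labels, subjects and the `org.example:missing-root` ID are constructed, and exact namespace matching plus "first configured root wins" between roots are assumptions the page does not state.

```python
import copy
import logging

log = logging.getLogger("namespace_policies")

# Constructed sample data; the first root ID follows the example config above.
NAMESPACE_POLICIES = {
    "org.example.devices": ["org.example:tenant-root", "org.example:missing-root"],
}
STORE = {
    "org.example:tenant-root": {
        "ADMIN": {"importable": "implicit", "subjects": ["ops:admins"]},
        "AUDIT": {"importable": "explicit", "subjects": ["ops:auditors"]},
        "BREAKGLASS": {"importable": "never", "subjects": ["ops:oncall"]},
        "OWNER": {"importable": "implicit", "subjects": ["ops:root-owner"]},
    },
    "org.example.devices:sensor-1": {
        "OWNER": {"importable": "implicit", "subjects": ["user:alice"]},
    },
}


def effective_entries(policy_id, store=STORE, ns_policies=NAMESPACE_POLICIES):
    """Entries an enforcer would be built from; the stored policy is not modified."""
    namespace = policy_id.split(":", 1)[0]  # assumption: exact namespace match
    merged = copy.deepcopy(store[policy_id])  # local entries go in first
    skipped = []
    for root_id in ns_policies.get(namespace, []):
        root = store.get(root_id)
        if root is None:
            # Missing or deleted root: skip its entries and log an ERROR.
            log.error("namespace root policy %s not found, skipping", root_id)
            skipped.append(root_id)
            continue
        for label, entry in root.items():
            if entry["importable"] == "implicit":  # "explicit"/"never" stay out
                # setdefault keeps an existing label, so local entries win.
                merged.setdefault(label, copy.deepcopy(entry))
    return merged, skipped


def covered_policy_ids(root_id, cached_ids, ns_policies=NAMESPACE_POLICIES):
    """Cached policy IDs to invalidate when the given root policy changes."""
    namespaces = {ns for ns, roots in ns_policies.items() if root_id in roots}
    return [pid for pid in cached_ids if pid.split(":", 1)[0] in namespaces]
```

For `org.example.devices:sensor-1` the effective labels are `ADMIN` and `OWNER`: `OWNER` keeps the local subject, and `AUDIT` and `BREAKGLASS` never reach the enforcer.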
Successfully merging this pull request may close these issues.

Configure certain policies to be always imported by all policies of a namespace
