Support ns root policy#2367

Open
hu-ahmed wants to merge 4 commits into eclipse-ditto:master from beyonnex-io:support-ns-root-policy

Conversation

hu-ahmed (Contributor) commented Mar 10, 2026

Resolves: #1638

Summary

This PR adds support for namespace root policies in Ditto policy enforcement, including wildcard-based namespace mappings.

A namespace can be mapped to one or more root policy IDs. During enforcer creation, Ditto transparently merges entries from those root policies into policies of that namespace.

What changed

  • Added namespace-root merge support in policy enforcer resolution.
  • Added config abstraction:
    • NamespacePoliciesConfig
    • DefaultNamespacePoliciesConfig
  • Added support for namespace policy patterns:
    • exact namespace: org.example.devices
    • prefix wildcard: org.example.devices.*
    • catch-all: *
  • Added deterministic precedence for overlapping patterns:
    • exact namespace
    • more specific prefix wildcard
    • broader prefix wildcard
    • catch-all *
  • Wired namespace policy resolution into:
    • cache loader path
    • create-policy enforcement path (PolicyEnforcerActor)
  • Extended cache invalidation:
    • when a namespace root policy changes, cached policies in covered namespaces are invalidated
  • Added canonical base config file:
    • internal/utils/config/.../ditto-namespace-policies.conf
    • included via ditto-service-base.conf
  • Updated Helm templates and values to service-scoped config:
    • policies.config.namespacePolicies
    • things.config.namespacePolicies
  • Updated chart docs accordingly.
  • Added config validation for unsupported wildcard syntax at startup.

Behavior / rules

  • Only entries with importable = "implicit" are merged.
  • Entries with importable = "explicit" or importable = "never" are not merged.
  • Local policy entries win on label conflicts.
  • If multiple namespace root policies match, they are applied in deterministic precedence order:
    1. exact namespace
    2. more specific wildcard prefix
    3. broader wildcard prefix
    4. *
  • If a configured root policy is missing or deleted, entries are skipped and an error is logged.
  • Stored policy JSON is not modified; merging happens only at enforcer-build time.
  • Unsupported namespace policy patterns are rejected at config load time.

Supported config syntax

  • org.example.devices
  • org.example.devices.*
  • *

Unsupported examples:

  • org.*.devices
  • foo*
  • **

Example config

policies:
  config:
    namespacePolicies:
      org.example.devices:
        - org.example:tenant-root-exact
      org.example.devices.*:
        - org.example:tenant-root-devices
      org.example.*:
        - org.example:tenant-root-general

things:
  config:
    namespacePolicies:
      org.example.devices:
        - org.example:tenant-root-exact
      org.example.devices.*:
        - org.example:tenant-root-devices
      org.example.*:
        - org.example:tenant-root-general
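The pattern precedence and merge rules described above, modelled as an added Python example (not Ditto's own code). It assumes that a prefix wildcard such as org.example.devices.* covers sub-namespaces only, not org.example.devices itself, and represents policies as plain dicts keyed by entry label.

```python
from typing import Dict, List

# Constructed model of the PR's namespace-root-policy rules; not Ditto's implementation.
# Assumption: a prefix wildcard "a.b.*" covers sub-namespaces "a.b.<x>", not "a.b" itself.

def validate_pattern(pattern: str) -> str:
    """Accept an exact namespace, "prefix.*" or "*"; reject anything else at config load."""
    if pattern == "*" or "*" not in pattern:
        return pattern
    prefix = pattern[:-2]
    if pattern.endswith(".*") and prefix and "*" not in prefix:
        return pattern
    raise ValueError(f"unsupported namespace policy pattern: {pattern!r}")

def pattern_matches(pattern: str, namespace: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return namespace.startswith(pattern[:-1])  # keeps the trailing ".", so sub-namespaces only
    return namespace == pattern

def precedence(pattern: str):
    """Sort key: exact < longer prefix wildcard < shorter prefix wildcard < catch-all."""
    if pattern == "*":
        return (2, 0)
    if pattern.endswith(".*"):
        return (1, -len(pattern))
    return (0, 0)

def resolve_root_policy_ids(config: Dict[str, List[str]], namespace: str) -> List[str]:
    """Return the root policy IDs applying to namespace, in deterministic precedence order."""
    for p in config:
        validate_pattern(p)
    matched = sorted((p for p in config if pattern_matches(p, namespace)), key=precedence)
    return [pid for p in matched for pid in config[p]]

def merge_entries(local_entries, root_policies, root_policy_ids, errors):
    """Merge the implicit entries of each root policy into a copy of the local entries."""
    merged = dict(local_entries)  # the stored policy JSON itself is left untouched
    for pid in root_policy_ids:
        root = root_policies.get(pid)
        if root is None:
            errors.append(f"namespace root policy {pid} not found; entries skipped")
            continue
        for label, entry in root.items():
            if entry.get("importable") != "implicit":
                continue  # "explicit" and "never" entries are not merged
            merged.setdefault(label, entry)  # local entry wins on label conflict
    return merged
```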

@hu-ahmed hu-ahmed force-pushed the support-ns-root-policy branch from 56f5a83 to ef43dd8 Compare March 10, 2026 14:27
Development

Successfully merging this pull request may close these issues.

Configure certain policies to be always imported by all policies of a namespace
