guides: Update for globbed namespace rules

hashicorp · Dec 12, 2018 · 4922d8a · 4922d8a
1 parent 4e59d47
commit 4922d8a
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/website/source/guides/security/acl.html.markdown b/website/source/guides/security/acl.html.markdown
@@ -253,6 +253,36 @@ namespace "default" {
 }
 ```
 
+Namespace definitions may also include globs, that can be used to provide access to a category of namespaces, while allowing more specific privileges where required. For example, the below policy allows read access to most production namespaces, but allows write access to the `"production-api"` namespace, and rejects any access to the `"production-ppi"` namespace.
+
+```
+namespace "production-*" {
+    policy = "read"
+}
+
+namespace "production-api" {
+    policy = "write"
+}
+
+namespace "production-ppi" {
+    policy = "deny"
+}
+```
+
+Namespaces are matched to their policies first by performing a lookup on any _exact match_, before falling back to performing a glob based lookup. When looking up namespaces by glob, the matching policy with the fewest number of matched characters will be chosen. For example:
+
+```
+namespace "*-ppi" {
+    policy = "deny"
+}
+
+namespace "*" {
+    policy = "write"
+}
+```
+
+Will evaluate to deny for `production-ppi`, because it is 9 characters different from the `"*-ppi"` rule, but 13 characters different from the `"*"` rule.
+
 ### Node Rules
 
 The `node` policy controls access to the [Node API](/api/nodes.html) such as listing nodes or triggering a node drain.