Policies and Rules

This topic explains Tanzu Data Hub policies and rules, and how to create them.

Overview

Policies are applied to identities in order to restrict how they can use service instances deployed by Tanzu Data Hub. A policy controls access to the data product by using the permissions understood by the selected data product, and can hold one or more of the permissions that the data product understands.

Different policy types include:

  • Service Policies: An allow list of rules, each one of which grants a specific permission for using a particular service instance.
    • For example, a MySQL policy can let identities monitor and read from a MySQL database instance, but not perform other operations such as configure it or write to it.
    • Tanzu Data Hub identifies service policy types by their service, for example RabbitMQ or MySQL type policies.
  • Network Policies: A CIDR range that traffic to the service instance can originate from, and the destination ports that it can be sent to.
    • For example, a policy can let identities only target the TCP and Metrics ports of a MySQL instance, not the Manager port. Please note that it works only when source IP is preserved by customer infrastructure.

Service Policy Rules: The rules in a service policy are specific to a service instance.

  • Rule content depends on how the service organizes its permissions; different database services configure permissions in different ways.
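The network policy described above is a simple allow list: a request is permitted only if its source address falls inside the allowed CIDR and its destination port is one of the selected ports. The following Python is an added example, not Tanzu Data Hub code; the port numbers, CIDR and policy name are constructed for illustration, and the second function models the caveat that the check only works when the customer infrastructure preserves the client source IP (behind a NAT or load balancer the policy evaluates the proxy's address instead).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkPolicy:
    """Allowed source CIDR plus allowed destination ports, as on the page."""
    name: str
    allowed_cidr: str
    allowed_ports: frozenset

    def allows(self, source_ip: str, dest_port: int) -> bool:
        """Permit only if the source lies in the CIDR AND the port is listed; deny otherwise."""
        net = ipaddress.ip_network(self.allowed_cidr, strict=False)
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False  # unparsable source address: deny by default
        if addr.version != net.version:
            return False  # IPv4 policy never matches an IPv6 source, and vice versa
        return addr in net and dest_port in self.allowed_ports


# Constructed (hypothetical) port assignment for a MySQL instance; not taken from the docs.
MYSQL_PORTS = {"tcp": 3306, "metrics": 9104, "manager": 8443}

# Constructed policy mirroring the page's example: TCP and Metrics ports allowed, Manager port not.
APP_SUBNET_POLICY = NetworkPolicy(
    name="app-subnet-to-mysql",
    allowed_cidr="10.20.0.0/16",
    allowed_ports=frozenset({MYSQL_PORTS["tcp"], MYSQL_PORTS["metrics"]}),
)


def evaluate(policy: NetworkPolicy, source_ip: str, dest_port: int) -> bool:
    """Evaluate one connection attempt against a network policy."""
    return policy.allows(source_ip, dest_port)


def evaluate_behind_proxy(policy: NetworkPolicy, client_ip: str, proxy_ip: str,
                          dest_port: int, source_preserved: bool) -> bool:
    """When the infrastructure does not preserve the source IP (e.g. SNAT on a load balancer),
    the policy only ever sees the proxy address, so a CIDR written for the clients cannot match."""
    observed_source = client_ip if source_preserved else proxy_ip
    return policy.allows(observed_source, dest_port)


if __name__ == "__main__":
    print(evaluate(APP_SUBNET_POLICY, "10.20.5.7", MYSQL_PORTS["tcp"]))      # True
    print(evaluate(APP_SUBNET_POLICY, "10.20.5.7", MYSQL_PORTS["manager"]))  # False
    print(evaluate_behind_proxy(APP_SUBNET_POLICY, "10.20.5.7", "172.16.0.2",
                                MYSQL_PORTS["tcp"], source_preserved=False))  # False
```

The proxy case is the one to verify when a network policy appears not to work: confirm what source address actually reaches the service instance before widening the CIDR, since widening it to the proxy's address would admit every client that traverses that proxy.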

Create a Policy

Creating a Network Policy

To create a network policy:

  1. Select Policies and click Create a Policy at upper-right.

  2. Enter a name for the policy and select the policy type as Network Policy.

  3. Enter the Allowed CIDR to enable traffic to the service instances, select the specific ports to allow, and click Create Policy.

Creating a Service Policy

To create a service policy:

  1. Select Policies and click Create a Policy at upper-right:

  2. Enter a name for the policy and select the policy type:

  3. Configure the policy according to the service type and add rules as required for that type. Once all the required rules are added, click Create.

Create a Rule

To create a rule for a service policy:

  1. From the Policies pane, select the policy that you want to add the rule to:

    • You cannot add rules to service policies managed by Tanzu Data Hub, which are listed with an asterisk (*). These policies are created when the data plane is created, and govern access to Tanzu Data Hub itself.
  2. From the policy details page, in the Rules section, click Add Rule.

  3. Select the service instance that the rule applies to, and click Next:

    Configure the rule based on the options shown, which depend on the database that the rule applies to. Click Next, review details, and click Finish.

Rule Example For PostgreSQL

  1. To add a rule for the PostgreSQL service, select the Service Instance, Login and Database attributes and click Next.
  2. Select the Database and the required permission and click ADD PERMISSION to add the rules.
    • You can provide additional information about schemas and tables, if any. Select Schemas from the dropdown and add permissions. Alternatively, you can use a RegEx to add the permissions as required. RegEx example: cluster:myins1/database:mydb1/table:mytable
  3. Review the details and click Finish.

Rule Example For MySQL

  1. To add a rule for the MySQL service, select the Service Instance and click Next.
  2. Select the Database and the required permission and click ADD PERMISSION to add the rules.
    • You can provide additional information about objects and tables, if any. Select Object from the dropdown, select the object type and add permissions. Alternatively, you can use a RegEx to add the permissions as required. RegEx examples: cluster:mysql1/database:mydb1/table:* and cluster:mysql1/database:mydb1/routine:*
  3. Review the details and click Finish.

Rule Example For Redis

  1. To add a rule for the Redis service, select the Service Instance and click Next.
  2. Select the required permission and click Next.
    • You can provide custom ACL rules for the selected instance.
  3. Review the details and click Finish.

Rule Example For RabbitMQ

  1. To add a rule for the RabbitMQ service, select the Service Instance and Management Permissions and click Next.
  2. Select the Exchanges/RoutingKeys or Queues and the required permission and click ADD PERMISSION to add the rules.
    • You can provide custom rules for the selected instance via a RegEx. RegEx example: cluster:rmq01/queue:queue_name
  3. Review the details and click Finish.
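The RegEx examples in the PostgreSQL, MySQL and RabbitMQ sections above all share one shape: a slash-separated path of kind:name segments, with * standing for any name. The following Python is an added example, not Tanzu Data Hub code, and the matching semantics are an assumption for illustration: each segment's kind must match exactly, the name part is matched as a whole-name glob (fnmatch), and the path lengths must agree, so a rule for table:* never covers routine:* and a rule for table:mytable never covers mytable2. The permission names attached to each rule are constructed too; only the rule paths come from the page.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow-list rule: a resource path pattern plus the permissions it grants."""
    pattern: str           # e.g. "cluster:mysql1/database:mydb1/table:*"
    permissions: frozenset


def _segments(path: str):
    """Split "cluster:x/database:y/table:z" into [("cluster","x"), ("database","y"), ("table","z")]."""
    parts = []
    for seg in path.split("/"):
        kind, sep, name = seg.partition(":")
        if not sep or not kind or not name:
            raise ValueError(f"malformed segment {seg!r} in {path!r}")
        parts.append((kind, name))
    return parts


def matches(pattern: str, resource: str) -> bool:
    """Segment-by-segment match: same depth, same kind, name matched as an anchored glob."""
    p, r = _segments(pattern), _segments(resource)
    if len(p) != len(r):
        return False  # a database-level pattern does not silently cover tables beneath it
    for (p_kind, p_name), (r_kind, r_name) in zip(p, r):
        if p_kind != r_kind:
            return False  # table:* must not match routine:anything
        if not fnmatch.fnmatchcase(r_name, p_name):
            return False  # whole-name match: "mytable" does not cover "mytable2"
    return True


def is_allowed(rules, resource: str, permission: str) -> bool:
    """Allow-list evaluation: granted only if some rule matches AND carries the permission."""
    return any(permission in rule.permissions and matches(rule.pattern, resource)
               for rule in rules)


# Constructed policy built from the RegEx examples on the page; permission names are assumed.
EXAMPLE_POLICY = (
    Rule("cluster:mysql1/database:mydb1/table:*", frozenset({"SELECT"})),
    Rule("cluster:mysql1/database:mydb1/routine:*", frozenset({"EXECUTE"})),
    Rule("cluster:myins1/database:mydb1/table:mytable", frozenset({"SELECT", "INSERT"})),
    Rule("cluster:rmq01/queue:queue_name", frozenset({"read"})),
)


if __name__ == "__main__":
    print(is_allowed(EXAMPLE_POLICY, "cluster:mysql1/database:mydb1/table:orders", "SELECT"))   # True
    print(is_allowed(EXAMPLE_POLICY, "cluster:mysql1/database:mydb1/table:orders", "INSERT"))   # False
    print(is_allowed(EXAMPLE_POLICY, "cluster:myins1/database:mydb1/table:mytable2", "SELECT")) # False
```

When reviewing a policy, the cases worth checking are the ones the code denies: a permission granted on a sibling object type, a wildcard in one database being read as covering another, and a prefix match where an exact name was intended.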