Tags and Identity
In order to understand how Aporeto secures your system, you have to understand how it handles object identity. The identity of an object is established by a set of tags and a tag is a key-value pair that describes an attribute of an object.
Tags are consumed from different sources like the computing environment, the application, or Aporeto itself. Other tags can be added manually using the UI, the CLI, or any other REST API call. This powerful tag-based identity is used to define policies in Aporeto.
Types of Tags
Tag names are categorized and prefixed based on their origin.
|Attribute based tag: Auto-generated, based on object attributes.|
|Metadata Tag: Metadata are tags that can only be added at the creation.|
|Auth Tag: Tag derived from an auth token claim|
|User Defined: Tags defined by a user|
All policies in Aporeto know what objects they should apply to through the use of tags. However, as a single tag is obviously not enough to express complex policies, they use what we call a Tag Expression. A Tag Expression is basically a combination of various tags using
For example, you can create an expression like:
(size=big and color=blue) or (size=small and color=red) or (type=admin)
Aporeto represents this information in a two-dimensional array, where:
- The first dimension is
- The second dimension is
The above expression is then represented by:
[ ["size=big", "color=blue"], ["size=small", "color=red"], ["type=admin"], ]
The UI provides graphical controls to build these expressions easily, but it is important to understand the concept especially when you are leveraging the command-line tool,
It may be tempting to add a large number of tags, but in reality, remember the adage "less is more". In the end, adding a large number of tags may be more confusing than it is helpful.
For example, if you deploy a three-tier application, you may only need:
In turn, you can create a policy that will allow:
- allow from
app=myapp and role=frontend and env=productionto
app=myapp and role=backend and env=production
- allow from
app=myapp and role=backend and env=productionto
app=myapp and role=database and env=production