Managing Policy
Creating a Namespace
- Go
- Java
- Javascript
package main
import (
"context"
"log"
"github.com/opentdf/platform/protocol/go/policy/namespaces"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// Create Namespace
namespace := &namespaces.CreateNamespaceRequest{
Name: "opentdf.io",
}
_, err = client.Namespaces.CreateNamespace(context.Background(), namespace)
if err != nil {
log.Fatal(err)
}
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.namespaces.CreateNamespaceRequest;
import io.opentdf.platform.policy.namespaces.CreateNamespaceResponse;
import io.opentdf.platform.sdk.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
import java.util.Objects;
public class CreateNamespace {
private static final Logger logger = LogManager.getLogger(CreateNamespace.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
String namespaceName = "opentdf.io";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
CreateNamespaceRequest createNamespaceRequest =
CreateNamespaceRequest.newBuilder().setName(namespaceName).build();
CreateNamespaceResponse createNamespaceResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.namespaces()
.createNamespaceBlocking(createNamespaceRequest, Collections.emptyMap())
.execute());
logger.info(
"Successfully created namespace with ID: {}",
createNamespaceResponse.getNamespace().getId());
} catch (Exception e) {
if (Objects.equals(e.getMessage(), "resource unique field violation")) {
logger.error("Namespace '{}' already exists", namespaceName, e);
} else {
logger.error("Failed to create namespace", e);
}
}
}
}
List Namespaces
- Go
- Java
- Javascript
package main
import (
"context"
"log"
"github.com/opentdf/platform/protocol/go/policy/namespaces"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// List All Namespaces
namespaces, err := client.Namespaces.ListNamespaces(context.Background(), &namespaces.ListNamespacesRequest{})
if err != nil {
log.Fatal(err)
}
for _, namespace := range namespaces.GetNamespaces() {
log.Printf("Namespace: %s\n", namespace.GetName())
}
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.Namespace;
import io.opentdf.platform.policy.namespaces.ListNamespacesRequest;
import io.opentdf.platform.policy.namespaces.ListNamespacesResponse;
import io.opentdf.platform.sdk.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
public class ListNamespaces {
private static final Logger logger = LogManager.getLogger(ListNamespaces.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
ListNamespacesRequest request = ListNamespacesRequest.newBuilder().build();
ListNamespacesResponse listNamespacesResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.namespaces()
.listNamespacesBlocking(request, Collections.emptyMap())
.execute());
List<Namespace> namespaces = listNamespacesResponse.getNamespacesList();
logger.info(
"Successfully retrieved namespaces: [{}]",
namespaces.stream().map(Namespace::getFqn).collect(Collectors.joining(", ")));
} catch (Exception e) {
logger.error("Failed to list namespaces", e);
}
}
}
Create Attribute
- Go
- Java
- Javascript
package main
import (
"context"
"crypto/rand"
"log"
"github.com/opentdf/platform/protocol/go/policy"
"github.com/opentdf/platform/protocol/go/policy/attributes"
"github.com/opentdf/platform/protocol/go/policy/namespaces"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// List namespaces to get a namespace ID
listResponse, err := client.Namespaces.ListNamespaces(context.Background(), &namespaces.ListNamespacesRequest{})
if err != nil {
log.Fatalf("failed to list namespaces: %s", err)
}
if len(listResponse.GetNamespaces()) == 0 {
log.Fatal("no namespaces found")
}
namespaceID := listResponse.GetNamespaces()[0].GetId()
// Create a new attribute
attrRequest := &attributes.CreateAttributeRequest{
NamespaceId: namespaceID,
Name: "role" + "-" + rand.Text()[:4],
Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF,
Values: []string{"admin", "developer", "guest"},
}
attribute, err := client.Attributes.CreateAttribute(context.Background(), attrRequest)
if err != nil {
log.Fatal(err)
}
log.Printf("Created attribute: %s with ID: %s in namespace: %s\n", attribute.GetAttribute().Name, attribute.GetAttribute().GetId(), namespaceID)
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.AttributeRuleTypeEnum;
import io.opentdf.platform.policy.Namespace;
import io.opentdf.platform.policy.attributes.CreateAttributeRequest;
import io.opentdf.platform.policy.attributes.CreateAttributeResponse;
import io.opentdf.platform.policy.namespaces.GetNamespaceRequest;
import io.opentdf.platform.sdk.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
import java.util.Arrays;
import java.util.Objects;
public class CreateAttribute {
private static final Logger logger = LogManager.getLogger(CreateAttribute.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
String namespaceName = "opentdf.io";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
Namespace namespace =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.namespaces()
.getNamespaceBlocking(
GetNamespaceRequest.newBuilder()
.setFqn("https://" + namespaceName)
.build(),
Collections.emptyMap())
.execute())
.getNamespace();
CreateAttributeRequest createAttributeRequest =
CreateAttributeRequest.newBuilder()
.setNamespaceId(namespace.getId())
.setName("test-attribute")
.setRule(
AttributeRuleTypeEnum.forNumber(
AttributeRuleTypeEnum.ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF_VALUE))
.addAllValues(Arrays.asList("test1", "test2"))
.build();
CreateAttributeResponse createAttributeResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.attributes()
.createAttributeBlocking(createAttributeRequest, Collections.emptyMap())
.execute());
logger.info(
"Successfully created attribute with ID: {}",
createAttributeResponse.getAttribute().getId());
} catch (Exception e) {
if (Objects.equals(e.getMessage(), "resource not found")) {
logger.error("Namespace '{}' not found", namespaceName, e);
} else if (Objects.equals(e.getMessage(), "resource unique field violation")) {
logger.error("Attribute already exists", e);
} else {
logger.error("Failed to create attribute", e);
}
}
}
}
List Attributes
- Go
- Java
- Javascript
package main
import (
"context"
"log"
"github.com/opentdf/platform/protocol/go/policy/attributes"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// List attributes
attrs, err := client.Attributes.ListAttributes(context.Background(), &attributes.ListAttributesRequest{})
if err != nil {
log.Fatal(err)
}
for _, attr := range attrs.GetAttributes() {
log.Printf("Attribute: %s, ID: %s, ", attr.GetName(), attr.GetId())
for _, value := range attr.Values {
log.Printf("Value: %s, ID: %s", value.GetValue(), value.GetId())
}
}
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.Attribute;
import io.opentdf.platform.policy.attributes.ListAttributesRequest;
import io.opentdf.platform.policy.attributes.ListAttributesResponse;
import io.opentdf.platform.sdk.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
public class ListAttributes {
private static final Logger logger = LogManager.getLogger(ListAttributes.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
String namespaceName = "opentdf.io";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
ListAttributesRequest request =
ListAttributesRequest.newBuilder().setNamespace(namespaceName).build();
ListAttributesResponse listAttributesResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.attributes()
.listAttributesBlocking(request, Collections.emptyMap())
.execute());
List<Attribute> attributes = listAttributesResponse.getAttributesList();
logger.info(
"Successfully retrieved attributes: [{}]",
attributes.stream().map(Attribute::getFqn).collect(Collectors.joining(", ")));
} catch (Exception e) {
logger.error("Failed to list attributes", e);
}
}
}
Create Subject Condition Set
- Go
- Java
- Javascript
package main
import (
"context"
"log"
"github.com/opentdf/platform/protocol/go/policy"
"github.com/opentdf/platform/protocol/go/policy/subjectmapping"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// Create Subject Condition Set
conditionset := &subjectmapping.CreateSubjectConditionSetRequest{
SubjectConditionSet: &subjectmapping.SubjectConditionSetCreate{
SubjectSets: []*policy.SubjectSet{
{
ConditionGroups: []*policy.ConditionGroup{
{
BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
Conditions: []*policy.Condition{
{
SubjectExternalSelectorValue: ".clientId",
Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
SubjectExternalValues: []string{"opentdf"},
},
},
},
},
},
},
},
}
resp, err := client.SubjectMapping.CreateSubjectConditionSet(context.Background(), conditionset)
if err != nil {
log.Fatal(err)
}
log.Printf("Created Subject Condition Set with ID: %s\n", resp.GetSubjectConditionSet().GetId())
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.Condition;
import io.opentdf.platform.policy.ConditionBooleanTypeEnum;
import io.opentdf.platform.policy.ConditionGroup;
import io.opentdf.platform.policy.SubjectConditionSet;
import io.opentdf.platform.policy.SubjectMappingOperatorEnum;
import io.opentdf.platform.policy.SubjectSet;
import io.opentdf.platform.policy.subjectmapping.CreateSubjectConditionSetRequest;
import io.opentdf.platform.policy.subjectmapping.CreateSubjectConditionSetResponse;
import io.opentdf.platform.policy.subjectmapping.SubjectConditionSetCreate;
import io.opentdf.platform.sdk.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
public class CreateSubjectConditionSet {
private static final Logger logger = LogManager.getLogger(CreateSubjectConditionSet.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
SubjectSet.Builder subjectSetBuilder =
SubjectSet.newBuilder()
.addConditionGroups(
ConditionGroup.newBuilder()
.setBooleanOperator(ConditionBooleanTypeEnum.CONDITION_BOOLEAN_TYPE_ENUM_AND)
.addConditions(
Condition.newBuilder()
.setSubjectExternalSelectorValue(".myfield")
.setOperator(
SubjectMappingOperatorEnum.SUBJECT_MAPPING_OPERATOR_ENUM_IN)
.addSubjectExternalValues("myvalue")));
CreateSubjectConditionSetRequest createSubjectConditionSetRequest =
CreateSubjectConditionSetRequest.newBuilder()
.setSubjectConditionSet(
SubjectConditionSetCreate.newBuilder().addSubjectSets(subjectSetBuilder))
.build();
CreateSubjectConditionSetResponse createSubjectConditionSetResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.subjectMappings()
.createSubjectConditionSetBlocking(
createSubjectConditionSetRequest, Collections.emptyMap())
.execute());
SubjectConditionSet subjectConditionSet =
createSubjectConditionSetResponse.getSubjectConditionSet();
logger.info(
"Successfully created subject condition set with ID: {}", subjectConditionSet.getId());
} catch (Exception e) {
logger.error("Failed to create subject condition set", e);
}
}
}
Create Subject Mapping
- Go
- Java
- Javascript
package main
import (
"context"
"log"
"github.com/opentdf/platform/protocol/go/policy"
"github.com/opentdf/platform/protocol/go/policy/subjectmapping"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// Create Subject Mapping
subjectMapping := &subjectmapping.CreateSubjectMappingRequest{
AttributeValueId: "224c9d29-2cd4-4a38-b6ad-5f025ca93a8c",
Actions: []*policy.Action{
{
Value: &policy.Action_Standard{
Standard: policy.Action_STANDARD_ACTION_DECRYPT,
},
},
},
ExistingSubjectConditionSetId: "890b26db-4ee4-447f-ae8a-2862d922eeef",
}
_, err = client.SubjectMapping.CreateSubjectMapping(context.Background(), subjectMapping)
if err != nil {
log.Fatal(err)
}
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.Action;
import io.opentdf.platform.policy.Attribute;
import io.opentdf.platform.policy.Condition;
import io.opentdf.platform.policy.ConditionBooleanTypeEnum;
import io.opentdf.platform.policy.ConditionGroup;
import io.opentdf.platform.policy.Namespace;
import io.opentdf.platform.policy.SubjectConditionSet;
import io.opentdf.platform.policy.SubjectMapping;
import io.opentdf.platform.policy.SubjectMappingOperatorEnum;
import io.opentdf.platform.policy.SubjectSet;
import io.opentdf.platform.policy.attributes.GetAttributeRequest;
import io.opentdf.platform.policy.namespaces.GetNamespaceRequest;
import io.opentdf.platform.policy.subjectmapping.CreateSubjectConditionSetRequest;
import io.opentdf.platform.policy.subjectmapping.CreateSubjectConditionSetResponse;
import io.opentdf.platform.policy.subjectmapping.CreateSubjectMappingRequest;
import io.opentdf.platform.policy.subjectmapping.CreateSubjectMappingResponse;
import io.opentdf.platform.policy.subjectmapping.SubjectConditionSetCreate;
import io.opentdf.platform.sdk.SDK;
import io.opentdf.platform.sdk.SDKBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
import java.util.Objects;
public class CreateSubjectMapping {
private static final Logger logger = LogManager.getLogger(CreateSubjectMapping.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
String namespaceName = "opentdf.io";
String attributeName = "test-attribute";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
Namespace namespace;
try {
namespace =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.namespaces()
.getNamespaceBlocking(
GetNamespaceRequest.newBuilder()
.setFqn("https://" + namespaceName)
.build(),
Collections.emptyMap())
.execute())
.getNamespace();
} catch (Exception e) {
if (Objects.equals(e.getMessage(), "resource not found")) {
logger.error("Namespace '{}' not found", namespaceName, e);
} else {
logger.error("Failed to retrieve namespace '{}'", namespaceName, e);
}
return;
}
Attribute attribute;
String attributeFqn = namespace.getFqn() + "/attr/" + attributeName;
try {
GetAttributeRequest getAttributeRequest =
GetAttributeRequest.newBuilder().setFqn(attributeFqn).build();
attribute =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.attributes()
.getAttributeBlocking(getAttributeRequest, Collections.emptyMap())
.execute())
.getAttribute();
} catch (Exception e) {
if (Objects.equals(e.getMessage(), "resource not found")) {
logger.error("Attribute '{}' not found", attributeFqn, e);
} else {
logger.error("Failed to retrieve attribute '{}'", attributeFqn, e);
}
return;
}
CreateSubjectConditionSetRequest subjectConditionSetRequest =
CreateSubjectConditionSetRequest.newBuilder()
.setSubjectConditionSet(
SubjectConditionSetCreate.newBuilder()
.addSubjectSets(
SubjectSet.newBuilder()
.addConditionGroups(
ConditionGroup.newBuilder()
.setBooleanOperator(
ConditionBooleanTypeEnum.CONDITION_BOOLEAN_TYPE_ENUM_AND)
.addConditions(
Condition.newBuilder()
.setSubjectExternalSelectorValue(".myfield")
.setOperator(
SubjectMappingOperatorEnum
.SUBJECT_MAPPING_OPERATOR_ENUM_IN)
.addSubjectExternalValues("myvalue")))))
.build();
CreateSubjectConditionSetResponse subjectConditionSetResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.subjectMappings()
.createSubjectConditionSetBlocking(
subjectConditionSetRequest, Collections.emptyMap())
.execute());
SubjectConditionSet subjectConditionSet =
subjectConditionSetResponse.getSubjectConditionSet();
CreateSubjectMappingRequest request =
CreateSubjectMappingRequest.newBuilder()
.setAttributeValueId(attribute.getValues(0).getId())
.addActions(Action.newBuilder().setName("read"))
.setExistingSubjectConditionSetId(subjectConditionSet.getId())
.build();
CreateSubjectMappingResponse resp =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.subjectMappings()
.createSubjectMappingBlocking(request, Collections.emptyMap())
.execute());
SubjectMapping subjectMapping = resp.getSubjectMapping();
logger.info("Successfully created subject mapping with ID: {}", subjectMapping.getId());
} catch (Exception e) {
logger.error("Failed to create subject mapping", e);
}
}
}
List Subject Mappings
- Go
- Java
- Javascript
package main
import (
"context"
"log"
"github.com/opentdf/platform/protocol/go/policy/subjectmapping"
"github.com/opentdf/platform/sdk"
)
func main() {
platformEndpoint := "http://localhost:8080"
// Create a new client
client, err := sdk.New(
platformEndpoint,
sdk.WithClientCredentials("opentdf", "secret", nil),
)
if err != nil {
log.Fatal(err)
}
// List Subject Mapping
subjectmappings, err := client.SubjectMapping.ListSubjectMappings(context.Background(), &subjectmapping.ListSubjectMappingsRequest{})
if err != nil {
log.Fatal(err)
}
for _, sm := range subjectmappings.GetSubjectMappings() {
log.Printf("Subject Mapping: %s", sm.GetId())
}
}
package io.opentdf.platform;
import com.connectrpc.ResponseMessageKt;
import io.opentdf.platform.policy.SubjectMapping;
import io.opentdf.platform.policy.subjectmapping.ListSubjectMappingsRequest;
import io.opentdf.platform.policy.subjectmapping.ListSubjectMappingsResponse;
import io.opentdf.platform.sdk.*;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
public class ListSubjectMappings {
private static final Logger logger = LogManager.getLogger(ListSubjectMappings.class);
public static void main(String[] args) {
String clientId = "opentdf";
String clientSecret = "secret";
String platformEndpoint = "localhost:8080";
SDKBuilder builder = new SDKBuilder();
try (SDK sdk =
builder
.platformEndpoint(platformEndpoint)
.clientSecret(clientId, clientSecret)
.useInsecurePlaintextConnection(true)
.build()) {
ListSubjectMappingsRequest listSubjectMappingsRequest =
ListSubjectMappingsRequest.newBuilder().build();
ListSubjectMappingsResponse listSubjectMappingsResponse =
ResponseMessageKt.getOrThrow(
sdk.getServices()
.subjectMappings()
.listSubjectMappingsBlocking(listSubjectMappingsRequest, Collections.emptyMap())
.execute());
List<SubjectMapping> subjectMappings = listSubjectMappingsResponse.getSubjectMappingsList();
logger.info(
"Successfully retrieved subject mappings: [{}]",
subjectMappings.stream().map(SubjectMapping::getId).collect(Collectors.joining(", ")));
} catch (Exception e) {
logger.error("Failed to list subject mappings", e);
}
}
}