The authorization policy file is the single source of truth for the software-defined vehicle (SDV) communication stack's authorization configuration of an SDV Service Bundle.
The authorization policy file contains the list of permissions for the corresponding Service Bundle, specifying which operations that bundle is allowed to perform.
Proto schema
The authorization policy file encodes this information in textproto format.
The proto schema for the authorization policy is as follows:
message AuthzPolicy {
  // Optional. List of permissions to publish Data Tunnel publications.
  repeated Publisher publisher = 4;

  // Optional. List of permissions to discover and subscribe to Data Tunnel
  // publications.
  repeated Subscriber subscriber = 5;

  // Optional. List of permissions to serve an RPC server.
  repeated Server server = 6;

  // Optional. List of permissions to discover and call methods of an RPC
  // server.
  repeated Client client = 7;

  // Optional. Allow blanket "read" permission.
  //
  // Gives permission to discover and call all methods of all RPC servers,
  // as well as discover and subscribe to all publications.
  //
  // WARNING: This flag grants elevated permissions and should be used with a
  // good reason and for privileged agents only (e.g. Telemetry).
  bool allow_read_all = 8;
}

// Defines a permission to publish Data Tunnel publications.
message Publisher {
  // Required. Publication's protobuf message name.
  string message = 1;

  // Topic(s) to which this permission allows to publish to.
  //
  // Setting this field or setting 'allow_all_topics == true' is required.
  repeated string topic = 2;

  // Flag indicates that Service Bundle is allowed to register publication
  // of the 'message' type with any 'topic'
  //
  // Should only be set to 'true' if the 'topic' field is not set.
  bool allow_all_topics = 3;
}

// Defines a permission to discover and subscribe to Data Tunnel publications.
message Subscriber {
  // Required. Publication's protobuf message name.
  string message = 1;

  // Topic(s) to which this permission allows to subscribe to.
  //
  // Setting this field or setting 'allow_all_topics == true' is required.
  repeated string topic = 2;

  // Flag indicates that Service Bundle is allowed to discover and subscribe to
  // all publications of the 'message' type.
  //
  // Should only be set to 'true' if the 'topic' field is not set.
  bool allow_all_topics = 3;
}

// Defines a permission to serve an RPC server.
message Server {
  // Required. Server's protobuf service name.
  string service = 1;

  // Channel(s) which this permission allows to register.
  //
  // Setting this field or setting 'allow_all_channels == true' is required.
  repeated string channel = 2;

  // Flag indicates that Service Bundle is allowed to register RPC servers
  // of the 'service' type with any 'channel'
  //
  // Should only be set to 'true' if the 'channel' field is not set.
  bool allow_all_channels = 3;
}

// Defines a permission to discover and call methods of an RPC server.
message Client {
  // Required. Server's protobuf service name.
  string service = 1;

  // Channel(s) which this permission allows to discover and call methods on.
  //
  // Setting this field or setting 'allow_all_channels == true' is required.
  repeated string channel = 2;

  // Flag indicates that Service Bundle is allowed to discover and call all RPC
  // servers of the 'service' type.
  //
  // Should only be set to 'true' if the 'channel' field is not set.
  bool allow_all_channels = 3;
}
Example
# Allows this SB to register publication of TireStatus type with "left_tire" topic only.
publisher {
  message: "com.sdv.TireStatus"
  topic: "left_tire"
}

# Allows this SB to subscribe to publication of TireStatus type with "left_tire" topic only.
subscriber {
  message: "com.sdv.TireStatus"
  topic: "left_tire"
}

# Allows this SB to implement and serve UserPreferencesManager service on any channel.
server {
  service: "com.sdv.UserPreferencesManager"
  allow_all_channels: true
}

# Allows this SB to discover and call UserPreferencesManager service on any channel.
client {
  service: "com.sdv.UserPreferencesManager"
  allow_all_channels: true
}
Privileged read-all example
# Blanket read permission for privileged agents (e.g. Telemetry).
allow_read_all: true
Authorization decisions
The system can make the following authorization decisions:
- Allowed
  - The principal's AuthzPolicy contains the required permission rule.
- Explicitly denied
  - The principal's AuthzPolicy or the VM's AuthzPolicy does not contain the required permission rule. The system returns a clear error message indicating which permission is missing.
- Implicitly denied
  - A system error or invalid data, such as a missing policy file, an unresolvable name, or a missing unit definition.
Decision logic example
When a Service Bundle attempts to call com.sdv.UserPreferencesManager on the channel default, the following steps occur:
- The communication stack checks whether the Service Bundle's AuthzPolicy has the client permission. If that permission is missing, the system explicitly denies the request, indicating that the principal lacks the permission.
- For cross-VM communication over the mesh, the system checks the host VM's permissions during the Service Discovery (SD) mesh information exchange, not only at the time of the access attempt. The communication stack checks the host VM's VmAuthzPolicy to determine whether the VM may interact with the service.
- If both the principal's policy and the VM-level policy allow the interaction, the request is allowed. Otherwise, the request is explicitly denied, indicating that the VM lacks the permission.
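The textproto format and the three-way decision above, worked through as an added example that is not part of the SDV project's code: a small parser for the subset of textproto used by AuthzPolicy, plus an `authorize` function that returns allowed, explicitly denied or implicitly denied. The operation names (`publish`, `subscribe`, `serve`, `call`) and the assumption that a VM policy shares the AuthzPolicy shape are this example's own.

```python
import re
EXAMPLE_POLICY = """# Constructed sample: the page's example policy in compact textproto.
publisher { message: "com.sdv.TireStatus" topic: "left_tire" }
subscriber { message: "com.sdv.TireStatus" topic: "left_tire" }
server { service: "com.sdv.UserPreferencesManager" allow_all_channels: true }
client { service: "com.sdv.UserPreferencesManager" allow_all_channels: true }"""

def parse_textproto(text):
    """Parse the AuthzPolicy subset of textproto: nested messages, strings, bools."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    toks = iter(re.findall(r'"[^"]*"|[{}]|[^\s{}:]+:?', text))
    def block():
        msg = {}
        for tok in toks:
            if tok == "}":
                return msg
            if tok.endswith(":"):                      # scalar field: name: value
                val = next(toks)
                val = val[1:-1] if val.startswith('"') else val == "true"
            elif next(toks) == "{":                    # message field: name { ... }
                val = block()
            else:
                raise ValueError(f"expected '{{' after {tok}")
            msg.setdefault(tok.rstrip(":"), []).append(val)  # every field kept as a list
        return msg
    return block()

ALLOWED, EXPLICIT_DENY, IMPLICIT_DENY = "ALLOWED", "EXPLICITLY_DENIED", "IMPLICITLY_DENIED"
# operation (assumed names) -> (rule list, name field, scope field, allow-all flag) per the schema
_KINDS = {"publish": ("publisher", "message", "topic", "allow_all_topics"),
          "subscribe": ("subscriber", "message", "topic", "allow_all_topics"),
          "serve": ("server", "service", "channel", "allow_all_channels"),
          "call": ("client", "service", "channel", "allow_all_channels")}

def _permits(policy, kind, name, scope):
    rules, name_f, scope_f, all_f = _KINDS[kind]
    if kind in ("subscribe", "call") and policy.get("allow_read_all", [False])[-1]:
        return True                                    # blanket read permission
    return any(rule.get(name_f) == [name] and (rule.get(all_f, [False])[-1] or scope in rule.get(scope_f, []))
               for rule in policy.get(rules, []))

def authorize(sb_policy, kind, name, scope, vm_policy=None):
    """Decide one request. vm_policy (assumed to share this shape) is consulted for cross-VM traffic."""
    if sb_policy is None or kind not in _KINDS:
        return IMPLICIT_DENY                           # missing policy file or unresolvable name
    if not _permits(sb_policy, kind, name, scope):
        return EXPLICIT_DENY                           # principal lacks the permission rule
    if vm_policy is not None and not _permits(vm_policy, kind, name, scope):
        return EXPLICIT_DENY                           # VM lacks the permission rule
    return ALLOWED
```

Parsing `allow_read_all: true` on its own yields a policy that passes every subscribe and call check but still has no publish or serve rights, which is the asymmetry the schema's WARNING comment describes.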
For more information about the policies enforced between VMs, see VM-level permissions.