Creating new identities to the Reflect example

So happy I got the Reflect example working… and am taking another leap forward by now focusing on the http exercise.

In the Reflect example, the following service policies were created…

ziti edge create service-policy allbind Bind --service-roles "#all" --identity-roles "#all"

ziti edge create service-policy alldial Dial --service-roles "#all" --identity-roles "#all"

I am not 100% sure what they do… and will look back through some of the videos…

However… my question is more to do with what happens when I create new identities.

For example, to run the http exercise… I am going to run the following commands

ziti edge create identity user httpClient -o httpClient.jwt
ziti edge create identity user httpServer -o httpServer.jwt
ziti edge create service http-exercise
ziti edge enroll httpClient.jwt
ziti edge enroll httpServer.jwt

… so I am not sure if more policies need to be created for this to work…

Also… I am not that familiar with golang… and assume the following command is required to run the server

go run simple-server.go -i httpServer.json

To check if this is working… my goal is to install the httpClient.json identity into my mobile ziti app… and then navigate to the name of the machine… on my mobile

Does this make sense? I feel like I am missing something but not sure.

These two commands are not what I'd recommend "in general" but what this is saying is:

Any identity is authorized to 'bind' any service

ziti edge create service-policy allbind Bind --service-roles "#all" --identity-roles "#all"
A service must be bound 'somehow'. When using an SDK you specifically instruct the code that it wants to act like a server basically... This code will start a listener up and it will accept connections and reply to them. That's what a 'bind' means... So this command means the 'server' identity is authorized to listen for incoming connections. (and fwiw this will make one of those terminators for you)

Any identity is authorized to 'dial' any service

ziti edge create service-policy alldial Dial --service-roles "#all" --identity-roles "#all"
Your "client" code will need to "dial" some service - this is saying any identity can dial any service. So this code allows the 'client' sdk to dial the 'server' sdk.

How I generally do it

Refer to my zssh cheatsheet. You can see what I normally do there:

ziti edge create service-policy zsshSvc-binding Bind --service-roles @zsshSvc --identity-roles #zsshSvcServerEndpoints
ziti edge create service-policy zsshSvc-dialing Dial --service-roles @zsshSvc --identity-roles #zsshSvcClientEndpoints

It also shows you an example of how I use attributes for authorization for the endpoints (the #) vs direct association (the @) of the service. This is a far more specific use of service-policies... And much more in line with what I expect most people would do in real projects.


Next...

Well - if you've made the two policies shown then it won't be a problem. ALL your identities could host or dial any/every service. So just by making the identities you'll be fine. Do check the zssh cheatsheet mentioned above - it might shed more light on the matter.


Next

This is how golang "compiles and runs" the program of choice. So yeah that will start the "main" function in simple-server.go.


Lastly:

This depends greatly on 'how' you run everything... And which simple-server you are running. There's one in examples and one I was working on in exercises. I'd recommend starting with the exercise one since it literally shows you the before and after for both the client and the server. Are you starting with this one?

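As an added example (not code from the thread or from OpenZiti), a small Python model of how the `#all`, `#attribute` and `@name` selectors in the policies above resolve, and why the scoped zssh-style policies are tighter than the two `#all` ones; it assumes the default AnyOf policy semantic, and the `httpServerEndpoints` / `httpClientEndpoints` attribute names are assumptions, not part of the exercise.

```python
# Added example (not from the thread or OpenZiti): how service-policy role
# selectors resolve, assuming the default 'AnyOf' semantic (any one selector
# matching is enough). '#all' matches everything, '#attr' matches entities
# carrying that role attribute, '@name' matches the entity with that name.
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    attributes: set = field(default_factory=set)

@dataclass
class ServicePolicy:
    name: str
    kind: str              # "Bind" or "Dial"
    service_roles: list
    identity_roles: list

def matches(selectors, entity):
    """True if any selector picks the entity (AnyOf semantic)."""
    for sel in selectors:
        if sel == "#all":
            return True
        if sel.startswith("#") and sel[1:] in entity.attributes:
            return True
        if sel.startswith("@") and sel[1:] == entity.name:
            return True
    return False

def allowed(policies, identity, service, kind):
    """Whether identity may Bind/Dial the service under the given policies."""
    return any(p.kind == kind and matches(p.service_roles, service)
               and matches(p.identity_roles, identity) for p in policies)

# Constructed sample: the http exercise identities and service from the thread,
# with role attributes (assumed names) so policies can be scoped like the zssh ones.
http_client = Entity("httpClient", {"httpClientEndpoints"})
http_server = Entity("httpServer", {"httpServerEndpoints"})
http_service = Entity("http-exercise")

all_policies = [ServicePolicy("allbind", "Bind", ["#all"], ["#all"]),
                ServicePolicy("alldial", "Dial", ["#all"], ["#all"])]
scoped_policies = [
    ServicePolicy("http-binding", "Bind", ["@http-exercise"], ["#httpServerEndpoints"]),
    ServicePolicy("http-dialing", "Dial", ["@http-exercise"], ["#httpClientEndpoints"])]

if __name__ == "__main__":
    for name, pols in (("#all policies", all_policies), ("scoped policies", scoped_policies)):
        print(name, "httpClient may Bind:", allowed(pols, http_client, http_service, "Bind"),
              "httpServer may Dial:", allowed(pols, http_server, http_service, "Dial"))
```

Under the `#all` pair every identity can both bind and dial every service; under the scoped pair only `httpServer` can bind and only `httpClient` can dial `http-exercise`.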

thx… I am going to delete those “#all” services… and replace them with individualised ones :slight_smile:

super tip.