Morio Settings: access
Optional
The access settings are optional. Without them, Morio will fall back to the default policy.
The access settings configure access control in Morio.
Specifically, they let you define a policy that controls who has access to what inside Morio.
The access settings only apply to HTTP-based access to Morio.
Access to Morio’s Kafka API is always authenticated by .
access.[rule_id]
Optional
The entire access key is optional, as are the rules under it.
Each key under access creates an access policy rule with the given rule_id. Rules are evaluated top to bottom and the first matching rule wins, so the order in which you list them matters.
access.[rule_id].then
Mandatory
If you defined a rule, you must include the then action, and its value must be either allow or deny.
The then action holds the action to take when the rule matches. It is a string that is one of:
- allow: Allow access when the rule matches
- deny: Deny access when the rule matches
```yaml
access:
  example:
    when: # See below
    then: allow
```
access.[rule_id].when
The when block in a rule holds conditions. The following conditions are supported:
| Field | Matches Against | Type | Description |
|---|---|---|---|
| url | Request URL path | String/Pattern/Operator | The URL path being accessed |
| method | HTTP method | String/Pattern/Operator | GET, POST, PUT, DELETE, etc. |
| role | User's role | String/Pattern/Operator | The user's current role |
| user | Username | String/Pattern/Operator | The authenticated username |
| provider | Auth provider | String/Pattern/Operator | Authentication provider name |
| label | User labels | String/Pattern/Operator | Matches if the user has ANY matching label |
access.[rule_id].when.[condition]
Refer to the Conditions below for details on how to write conditions in your rules.
Conditions
Valid values
method
Common HTTP methods (case-sensitive):
- GET
- POST
- PUT
- DELETE
- PATCH
- HEAD
- OPTIONS
- CONNECT
- TRACE
then
- allow: Grant access
- deny: Deny access
role
The various Morio roles:
- user
- manager
- operator
- engineer
- root
provider
Depends on the configured authentication providers:
local, apikey, mrt, myOidcProvider, etc.
label
Format: <provider-type>/<provider-name>/<attribute-type>/<attribute-value>
Examples:
- oidc/sso/group/engineering
- oidc/sso/email/user@example.com
- ldap/corporate/ou/IT
url
Any URL path string. Examples:
- /api/metrics
- /api/logs/production/app.log
- /health
Simple String Match
```yaml
method: GET
```
Exact string comparison.
Pattern Object
Match using patterns with one of:
| Pattern Type | Syntax | Example | Description |
|---|---|---|---|
| is | is: <string> | is: GET | Exact match |
| is_not | is_not: <string> | is_not: guest | Does not match exactly |
| glob | glob: <pattern> | glob: "/clients/*/details" | Glob pattern |
| glob_not | glob_not: <pattern> | glob_not: "/clients/*/details" | Does not match glob pattern |
| regex | regex: <pattern> | regex: "^/api/v[0-9]+" | Regular expression |
| regex_not | regex_not: <pattern> | regex_not: "^/test" | Does not match regex |
Only one pattern type is allowed per object.
Logical Operators
Combine multiple conditions with operators:
| Operator | Logic | Syntax | Description |
|---|---|---|---|
| or | ANY match | or: [<conditions>] | Matches if ANY condition is true |
| and | ALL match | and: [<conditions>] | Matches if ALL conditions are true |
| or_not | NOT ANY | or_not: [<conditions>] | Matches if NONE of the conditions is true (the negation of or) |
| and_not | NOT ALL | and_not: [<conditions>] | Matches unless ALL conditions are true (the negation of and); a value that satisfies only some of the conditions still matches |
Operators accept either:
- An array of strings: or: [GET, POST]
- An array of pattern objects: or: [{is: GET}, {is: POST}]
- A single string: or: GET
- A single pattern object: or: {is: GET}
Syntax Examples
Simple String Match
```yaml
url: /api/metrics
method: GET
role: engineer
```
Pattern Match
Exact match:
```yaml
url:
  is: /api/metrics
```
Glob match:
```yaml
url:
  glob: "/api/metrics/*"
```
Regular expression match:
```yaml
url:
  regex: "^/api/(logs|metrics)"
```
Negation
```yaml
role:
  is_not: guest
url:
  glob_not: "/admin/*"
label:
  regex_not: "^restricted-"
```
OR Operator
```yaml
method:
  or:
    - is: GET
    - is: POST
url:
  or:
    - glob: "/api/logs/*"
    - glob: "/api/metrics/*"
    - is: /health
```
AND Operator
```yaml
label:
  and:
    - is: "oidc/sso/group/engineering"
    - is: "oidc/sso/status/active"
```
OR_NOT Operator
```yaml
role:
  or_not:
    - is: admin
    - is: root
```
AND_NOT Operator
```yaml
label:
  and_not:
    - is: "oidc/sso/group/restricted"
    - is: "oidc/sso/status/suspended"
```
Because and_not is the negation of and, this condition is true unless the user carries both labels: a user who has only oidc/sso/group/restricted still matches. To exclude users who carry either label, use or_not instead.
Mixed Operators and Patterns
```yaml
url:
  or:
    - is: /health
    - glob: "/api/metrics/*"
    - regex: "^/api/v[0-9]+/status$"
method:
  or_not:
    - is: DELETE
    - is: PUT
```
Evaluation Rules
- Rules are evaluated in order (top to bottom)
- First match wins: evaluation stops at the first matching rule
- Top-level conditions use AND: all specified when fields must match
- Omitted conditions match anything: only specify what you need to check
- Labels use array matching: the user must have at least one matching label
- No match = fallback to RBAC: if no rule matches, role-based access control applies
Because the first match wins, a broad allow rule placed above a deny rule shadows it. Put deny rules for sensitive paths or users (for example suspended accounts) above any broad allow rules.
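The following is an added example, not Morio's own code: an offline evaluator that mirrors the condition syntax from the Conditions and Syntax Examples sections and the Evaluation Rules above (string and pattern-object conditions, the or/and/or_not/and_not operators, top-level AND across when fields, ANY-matching over the user's label list, top-to-bottom first-match-wins evaluation, and RBAC fallback), so a policy can be sanity-checked before it is deployed. Rules are plain Python dicts that mirror the YAML (key order is preserved); the sample policy and requests are constructed for the example, and one point the page leaves open is filled in as a stated assumption: a negated pattern over a list of labels holds only if no label matches.

```python
"""Offline evaluator for the access rule syntax documented on this page.

Added illustration, not Morio's code. Rules are dicts mirroring the YAML; the
field names (url, method, role, user, provider, label) are the page's own.
"""
import fnmatch
import re

# Positive pattern types; the *_not variants are derived by negation below.
PATTERNS = {
    "is": lambda value, arg: value == arg,
    "glob": lambda value, arg: fnmatch.fnmatchcase(value, arg),
    "regex": lambda value, arg: re.search(arg, value) is not None,
}

# Logical operators over the list of sub-condition results.
OPERATORS = {
    "or": any,
    "and": all,
    "or_not": lambda results: not any(results),   # none of them match
    "and_not": lambda results: not all(results),  # not all of them match
}


def as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def match_condition(cond, values):
    """Evaluate one condition against a field's value(s).

    A scalar field arrives as a one-element list; `label` is the full list, so a
    positive pattern holds if ANY value matches (as the page documents).
    Assumption not stated on the page: a negated pattern over a list holds only
    if NO value matches, so regex_not "^restricted-" rejects a user carrying any
    restricted label instead of passing them because another label differs.
    """
    if isinstance(cond, str):  # bare string: exact comparison
        return any(v == cond for v in values)
    (key, arg), = cond.items()  # exactly one key per pattern/operator object
    if key in OPERATORS:
        results = [match_condition(sub, values) for sub in as_list(arg)]
        return OPERATORS[key](results)
    negate = key.endswith("_not")
    base = key[:-4] if negate else key
    if base not in PATTERNS:
        raise ValueError(f"unknown condition key: {key}")
    hit = any(PATTERNS[base](v, arg) for v in values)
    return not hit if negate else hit


def decide(policy, request):
    """Return (rule_id, action) for the first matching rule, or (None, "rbac")
    when no rule matches and role-based access control applies."""
    for rule_id, rule in policy.items():
        when = rule.get("when", {})
        # Omitted fields match anything; every specified field must match (AND).
        if all(match_condition(cond, as_list(request.get(field, [])))
               for field, cond in when.items()):
            return rule_id, rule["then"]
    return None, "rbac"


def reordered(policy, order):
    """The same rules in a different order, to show that ordering changes decisions."""
    return {rule_id: policy[rule_id] for rule_id in order}


# Constructed sample policy (dict form of the YAML syntax on this page).
POLICY = {
    "health": {"when": {"url": "/health", "method": "GET"}, "then": "allow"},
    "deny-suspended": {"when": {"label": {"glob": "oidc/sso/status/suspended"}},
                       "then": "deny"},
    "engineers-read-metrics": {
        "when": {"role": {"or": ["engineer", "operator"]},
                 "url": {"glob": "/api/metrics/*"},
                 "method": {"or_not": [{"is": "DELETE"}, {"is": "PUT"}]}},
        "then": "allow"},
    "deny-admin-api": {"when": {"url": {"glob": "/admin/*"}}, "then": "deny"},
}

# Constructed sample requests (hypothetical user "alice" via provider "sso").
SUSPENDED = {"url": "/api/metrics/cpu", "method": "GET", "role": "engineer",
             "user": "alice", "provider": "sso",
             "label": ["oidc/sso/group/engineering", "oidc/sso/status/suspended"]}
ACTIVE = dict(SUSPENDED, label=["oidc/sso/group/engineering", "oidc/sso/status/active"])
ACTIVE_DELETE = dict(ACTIVE, method="DELETE")

if __name__ == "__main__":
    for name, req in [("suspended", SUSPENDED), ("active", ACTIVE), ("delete", ACTIVE_DELETE)]:
        print(name, decide(POLICY, req))
    # Moving the broad allow above the deny lets the suspended user through.
    shadowed = reordered(POLICY, ["health", "engineers-read-metrics",
                                  "deny-suspended", "deny-admin-api"])
    print("shadowed", decide(shadowed, SUSPENDED))
```

Running the script shows the suspended engineer denied by deny-suspended, the active engineer allowed, a DELETE on the metrics path falling through to RBAC, and the same suspended engineer allowed once the broad allow is moved above the deny, which is the ordering pitfall to check for when reviewing a policy.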