FRN Specification¶
A FlexGalaxy Resource Name (FRN) is the universal, hierarchical resource identifier used across all DotID services. It is modelled on AWS ARNs.
Canonical Format¶
frn:{account-id}:{service}:{resource-path}
Four colon-delimited segments:
Position |
Segment |
Allowed Characters |
Example |
|---|---|---|---|
0 |
prefix |
Literal |
|
1 |
account-id |
|
|
2 |
service |
|
|
3 |
resource-path |
|
|
Full example:
frn:acc-xxxxxxxxxxxx:devices:device/42
Wildcards¶
Wildcards are supported in policy resource patterns (not in request FRNs).
Segments 1–2 (account-id, service)¶
* matches any single value in that position.
frn:*:devices:device/42
─── match any account-id
Segment 3 (resource-path)¶
*matches exactly one path component.**matches zero or more path components (glob-style).
frn:*:devices:device/* ← matches device/42, device/abc
frn:*:devices:device/** ← matches device/, device/42, device/a/b
frn:*:devices:** ← matches any resource path
Matching Rules¶
Matching is performed by FrnMatcher.matches(pattern, target):
Segments 1–2 are compared individually. A pattern segment of
"*"matches any target value; otherwise the comparison is an exact string match.Segment 3 (resource-path) is split on
/and matched component by component:*matches exactly one component.**matches zero or more remaining components (greedy).Any other value requires an exact match.
Examples¶
Pattern |
Target |
Result |
|---|---|---|
|
|
MATCH |
|
|
NO MATCH |
|
|
MATCH |
|
|
MATCH |
|
|
MATCH |
|
|
NO MATCH |
Validation¶
A string is a valid FRN if and only if:
It is not null or blank.
It splits into exactly 4 colon-delimited parts.
Part 0 is the literal string
frn.Parts 1–2 are each non-empty and match
^[a-zA-Z0-9_.*-]+$.Part 3 is non-empty and matches
^[a-zA-Z0-9_./*-]+$.