eclipse-ditto
diff --git a/‎README.md
+1 b/‎README.md
+1
diff --git a/‎documentation/src/main/resources/_posts/2018-05-02-connecting-ditto-hono.md
+4-4 b/‎documentation/src/main/resources/_posts/2018-05-02-connecting-ditto-hono.md
+4-4
diff --git a/‎documentation/src/main/resources/jsonschema/connection.json
+83-18 b/‎documentation/src/main/resources/jsonschema/connection.json
+83-18
diff --git a/‎documentation/src/main/resources/pages/ditto/basic-connections.md
+77-8 b/‎documentation/src/main/resources/pages/ditto/basic-connections.md
+77-8
diff --git a/‎documentation/src/main/resources/pages/ditto/connectivity-manage-connections.md
+30 b/‎documentation/src/main/resources/pages/ditto/connectivity-manage-connections.md
+30
diff --git a/‎documentation/src/main/resources/pages/ditto/connectivity-protocol-bindings-amqp091.md
+17-8 b/‎documentation/src/main/resources/pages/ditto/connectivity-protocol-bindings-amqp091.md
+17-8
@@ -8,6 +8,7 @@
 [![Build Status](https://travis-ci.org/eclipse/ditto.svg?branch=master)](https://travis-ci.org/eclipse/ditto)
 [![Maven Central](https://img.shields.io/maven-metadata/v/http/central.maven.org/maven2/org/eclipse/ditto/ditto/maven-metadata.xml.svg)](http://search.maven.org/#search|ga|1|org.eclipse.ditto)
 [![License](https://img.shields.io/badge/License-EPL%202.0-green.svg)](https://opensource.org/licenses/EPL-2.0)
+[![Lines of code](https://img.shields.io/badge/dynamic/xml.svg?label=Lines%20of%20code&url=https%3A%2F%2Fwww.openhub.net%2Fprojects%2Feclipse-ditto.xml%3Fapi_key%3D11ac3aa12a364fd87b461559a7eedcc53e18fb5a4cf1e43e02cb7a615f1f3d4f&query=%2Fresponse%2Fresult%2Fproject%2Fanalysis%2Ftotal_code_lines&colorB=lightgrey)](https://www.openhub.net/p/eclipse-ditto)
 
 [Eclipse Ditto](https://eclipse.org/ditto/) is the open-source project of Eclipse IoT that provides a ready-to-use functionality to manage the state of Digital Twins. It provides access to them and mediates between the physical world and this digital representation.
 
 
@@ -202,13 +202,13 @@ $ curl -X POST -i -u devops:devopsPw1! -H 'Content-Type: application/json' -d '{
             "connectionType": "amqp-10",
             "connectionStatus": "open",
             "uri": "amqp://consumer@HONO:[email protected]:15672",
-            "authorizationContext": ["nginx:demo5"],
             "failoverEnabled": true,
             "sources": [{
                 "addresses": [
                     "telemetry/org.eclipse.ditto",
                     "event/org.eclipse.ditto"
-                ]
+                ],
+                "authorizationContext": ["nginx:demo5"]
             }]
         }
     }
@@ -345,13 +345,13 @@ $ curl -X POST -i -u devops:devopsPw1! -H 'Content-Type: application/json' -d '{
             "connectionType": "amqp-10",
             "connectionStatus": "open",
             "uri": "amqp://consumer@HONO:[email protected]:15672",
-            "authorizationContext": ["nginx:demo5"],
             "failoverEnabled": true,
             "sources": [{
                 "addresses": [
                     "telemetry/org.eclipse.ditto",
                     "event/org.eclipse.ditto"
-                ]
+                ],
+                "authorizationContext": ["nginx:demo5"],
             }],
             "mappingContext": {
                 "mappingEngine": "JavaScript",
 
@@ -42,22 +42,6 @@
         "amqps://user:password@localhost:5671"
       ]
     },
-    "authorizationContext": {
-      "$id": "/properties/authorizationContext",
-      "type": "array",
-      "title": "The authorization context",
-      "description": "The authorization context defines all authorization subjects associated with this connection",
-      "uniqueItems": true,
-      "items": {
-        "$id": "/properties/authorizationContext/items",
-        "type": "string",
-        "title": "Authorization Subject",
-        "description": "An authorization subject associated with this connection",
-        "examples": [
-          "myAuthorizationSubject"
-        ]
-      }
-    },
     "sources": {
       "$id": "/properties/sources",
       "type": "array",
@@ -68,7 +52,46 @@
         "$id": "/properties/sources/items",
         "type": "object",
         "title": "Source",
-        "description": "A subscription source subscribed by this connection"
+        "description": "A subscription source subscribed by this connection",
+        "properties": {
+          "addresses": {
+            "$id": "/properties/sources/properties/addresses",
+            "type": "array",
+            "uniqueItems": true,
+            "title": "Array of source addresses",
+            "description": "The source addresses this connection consumes messages from.",
+            "items": {
+              "$id": "/properties/sources/items/addresses/items",
+              "type": "string",
+              "title": "Source address",
+              "description": "A source address to consume messages from."
+            }
+          },
+          "consumerCount": {
+            "$id": "/properties/sources/items/properties/consumerCount",
+            "type": "integer",
+            "title": "Consumer count",
+            "description": "The number of consumers that should be attached to each source address.",
+            "default": 1
+          },
+          "authorizationContext": {
+            "$id": "/properties/sources/items/properties/authorizationContext",
+            "type": "array",
+            "title": "The authorisation context",
+            "description": "The authorization context defines all authorization subjects associated for this source. ",
+            "uniqueItems": true,
+            "items": {
+              "$id": "/properties/authorizationContext/items",
+              "type": "string",
+              "title": "Authorization Subject",
+              "description": "An authorization subject associated with this source. You can either use a fixed subject or use a placeholder that resolves header values from incoming messages. For example to use the `device_id` header in the subject, you can specify the placeholder `{{ header:device_id }}` which is then replaced by Ditto when a message from this source is processed. By using a placeholder you can access any header value: `{{ header:<any-header-name> }}`.",
+              "examples": [
+                "ditto:myAuthorizationSubject",
+                "device:{{ header:device-id }}"
+              ]
+            }
+          }
+        }
       }
     },
     "targets": {
@@ -81,7 +104,49 @@
         "$id": "/properties/targets/items",
         "type": "object",
         "title": "Target",
-        "description": "A publish target served by this connection"
+        "description": "A publish target served by this connection",
+        "properties": {
+          "address": {
+            "$id": "/properties/targets/properties/address",
+            "type": "string",
+            "title": "Target address",
+            "description": "The target address where events, commands and messages are published to.  The following placeholders are allowed within the target address:\n * Thing ID: `{{ thing:id }}`\n * Thing Namespace: `{{ thing:namespace }}`\n * Thing Name: `{{ thing:name }}` (the part of the ID without the namespace)"
+          },
+          "topics": {
+            "$id": "/properties/targets/items/properties/topics",
+            "type": "array",
+            "title": "Topics",
+            "description": "The topics to which this target is registered for.",
+            "uniqueItems": true,
+            "items": {
+              "type": "string",
+              "enum": [
+                "_/_/things/twin/events",
+                "_/_/things/live/commands",
+                "_/_/things/live/events",
+                "_/_/things/live/messages"
+              ],
+              "title": "Subscribed topics.",
+              "description": "Contains the type of messages that are delivered to this target. You can receive\n * Thing events: `_/_/things/twin/events` (notification about twin change) \n * Live events: `_/_/things/live/events`\n * Live commands: `_/_/things/live/commands`\n * Live messages: `_/_/things/live/messages`"
+            }
+          },
+          "authorizationContext": {
+            "$id": "/properties/targets/items/properties/authorizationContext",
+            "type": "array",
+            "title": "The authorisation context",
+            "description": "The authorization context defines all authorization subjects associated for this target. ",
+            "uniqueItems": true,
+            "items": {
+              "$id": "/properties/authorizationContext/items",
+              "type": "string",
+              "title": "Authorization Subject",
+              "description": "An authorization subject associated with this target.",
+              "examples": [
+                "ditto:myAuthorizationSubject"
+              ]
+            }
+          }
+        }
       }
     },
     "clientCount": {
 
@@ -5,17 +5,20 @@ tags: [connectivity]
 permalink: basic-connections.html
 ---
 
+## Connection model
+
   {%
-    include note.html content="To get started with connections right away, consolidate the [Manage connections](connectivity-manage-connections.html) 
-                               page. "
+    include note.html content="To get started with connections right away, consult the [Manage connections]
+    (connectivity-manage-connections.html) page. "
   %}
 
 You can integrate your Ditto instance with external messaging services such as 
 [Eclipse Hono](https://eclipse.org/hono/) or a [RabbitMQ](https://www.rabbitmq.com/) broker via custom "connections". 
 
 A connection represents a communication channel for the exchange of messages between any service and Ditto. It 
 requires a transport protocol, which is used to transmit [Ditto Protocol] messages. Ditto supports one-way and two-way
- communication over connections. This enables consumer/producer scenarios as well as fully-fledged command and response use cases. Nevertheless, those options might be limited by the used transport protocol and/or the other endpoint's 
+ communication over connections. This enables consumer/producer scenarios as well as fully-fledged command and response
+ use cases. Nevertheless, those options might be limited by the transport protocol or the other endpoint's
  capabilities.
 
 All connections are configured and supervised via Ditto's 
@@ -35,15 +38,81 @@ for custom payload formats. Currently the following connection types are support
 The `sources` and `targets` identifier format depends on the `connectionType` and has therefore `connectionType` 
 specific limitations. Those are documented with the corresponding protocol bindings.
 
-A connection is initiated by the connectivity service. This obsoletes the need for client authorization, because 
+A connection is initiated by the connectivity service. This obviates the need for client authorization, because
 Ditto becomes the client in this case. Nevertheless, to access resources within Ditto, the connection must know on 
-which instance’s behalf it is acting. This is controlled via the configured `authorizationContext`, which holds a list of 
-self-assigned authorization subjects. Before a connection can access a Ditto resource, one of its 
-`authorizationSubject`s must be referenced in the used authorization mechanism, having the needed access rights. You 
-can achieve this via [ACLs](basic-acl.html) or [Policies](basic-policy.html).
+whose behalf it is acting. This is controlled via the configured `authorisationContext`, which holds a list of
+self-assigned authorization subjects. Before a connection can access a Ditto resource, one of its
+`authorizationSubject`s must be granted the access rights by an authorization mechanism such as
+[ACLs](basic-acl.html) or [Policies](basic-policy.html).
 
 For more information on the `mappingContext` see the corresponding [Payload Mapping Documentation](connectivity-mapping.html)
 
+## Placeholders
+
+The configuration of a connection allows to use placeholders at certain places. This allows more fine grained control 
+over how messages are consumed or where they are published to. The general syntax of a placeholder is 
+`{% raw %}{{ placeholder }}{% endraw %}`. A missing placeholder results in an error which is passed back to the sender (if a _reply-to_
+ header was provided). Which placeholder values are available depends on the context where the placeholder is used. 
+
+### Placeholder for source authorization subjects
+Processing the messages received via a source using the _same fixed authorization subject_ may not be 
+suitable for every scenario. For example you want to declare fine-grained write permissions per device which would not 
+be possible with a fixed global subject. For this use case we introduced placeholder substitution for authorization subjects of 
+source addresses that are resolved when processing messages from a source. Of course this requires the sender of the 
+message to provide necessary information about the original issuer of the message. 
+
+  {%
+    include important.html content="Only use this kind of placeholder if you trust the source of the message. The value from the header is used as the **authorized subject**."
+  %}
+                                                                           
+You can access any header value of the incoming message by using a placeholder like `{% raw %}{{ header:name }}{% endraw %}`.
+
+Example:
+Assuming the messages received from the source _telemetry_ contain a `device_id` header (e.g. _sensor-123_), 
+you may configure your source's authorization subject as follows:
+```json
+   {
+      "id": "auth-subject-placeholder-example",
+      "sources": [
+        {
+          "addresses": [ "telemetry" ],
+          "authorizationContext": ["device:{% raw %}{{ header:device_id }}{% endraw %}"]
+        }
+      ]
+  }
+```
+The placeholder is then replaced by the value from the message headers and the message is forwarded and processed under the 
+subject _device:sensor-123_.
+In case the header cannot be resolved or the header contains unexpected characters an exception is thrown which is sent 
+back to the sender as an error message, if a valid _reply-to_ header was provided, otherwise the message is dropped.
+
+### Placeholder for target addresses
+Another use case for placeholders may be to publish thing events or live commands and events to a target address 
+containing Thing-specific information e.g. you can distribute Things from different namespaces to different target addresses.
+You can use the placeholders `{% raw %}{{ thing:id }}{% endraw %}`, `{% raw %}{{ thing:namespace }}{% endraw %}` and `{% raw %}{{ thing:name }}{% endraw %}` in the target address for this purpose.
+For a Thing with the ID _org.eclipse.ditto:device-123_ these placeholders are resolved as follows:
+
+| Placeholder | Description | Resolved value |
+|--------|------------|------------|
+| `thing:id`  | Full ID composed of _namespace_ + _:_ as a separator + _name_ | org.eclipse.ditto:device-123 |
+| `thing:namespace`  | Namespace (i.e. first part of an ID)  | org.eclipse.ditto |
+| `thing:name` | Name (i.e. second part of an ID ) | device-123 |
+
+
+Example:
+Sending live commands and events to a target address that contains the Things' namespace.
+```json
+   {
+      "id": "target-placeholder-example",
+      "targets": [
+        {
+          "addresses": [ "live/{% raw %}{{ thing:namespace }}{% endraw %}" ],
+          "authorizationContext": ["ditto:auth-subject"],
+          "topics": [ "_/_/things/live/events", "_/_/things/live/commands" ]
+        }
+      ]
+  }
+``` 
 
 [Connectivity API]: connectivity-overview.html
 [Ditto Protocol]: protocol-overview.html
@@ -77,6 +77,36 @@ The only parameter necessary for connection retrieval is the `connectionId`:
 }
 ```
 
+### Open connection
+
+The only parameter necessary for opening a connection is the `connectionId`:
+
+```json
+{
+    "targetActorSelection": "/system/sharding/connection",
+    "headers": {},
+    "piggybackCommand": {
+        "type": "connectivity.commands:openConnection",
+        "connectionId":"<connectionID>"
+    }
+}
+```
+
+### Close connection
+
+The only parameter necessary for closing a connection is the `connectionId`:
+
+```json
+{
+    "targetActorSelection": "/system/sharding/connection",
+    "headers": {},
+    "piggybackCommand": {
+        "type": "connectivity.commands:closeConnection",
+        "connectionId":"<connectionID>"
+    }
+}
+```
+
 ### Delete connection
 
 The only parameter necessary for connection deletion is the `connectionId`:
 
@@ -27,22 +27,30 @@ Supported AMQP 0.9.1 properties which are interpreted in a specific way are:
 ### Source format
 
 An AMQP 0.9.1 connection requires the protocol configuration source object to have an `addresses` property with a list
-of queue names.
+of queue names and `authorizationContext` array that contains the authorization subjects in whose context 
+incoming messages are processed. These subjects may contain placeholders, see 
+[placeholders](basic-connections.html#placeholder-for-source-authorization-subjects) section for more information.
+
 
 ```json
 {
   "addresses": [
     "<queue_name>",
     "..."
-  ]
+  ],
+  "authorizationContext": ["ditto:inbound-auth-subject", "..."]
 }
 ```
 
 ### Target format
 
 An AMQP 0.9.1 connection requires the protocol configuration target object to have an `address` property with a combined
- value of the `exchange_name` and `routing_key`. It is continued with a list of topic strings, each representing a
- subscription of a Ditto [protocol topic](protocol-specification-topic.html).
+ value of the `exchange_name` and `routing_key`. The target address may contain placeholders, see 
+ [placeholders](basic-connections.html#placeholder-for-target-addresses) section for more information. 
+ It is continued with a list of topic strings, each representing a
+ subscription of a Ditto [protocol topic](protocol-specification-topic.html) and an array of authorization subjects. 
+ Outbound messages are published to the configured target address if one of these subjects have READ permission 
+ on the Thing that is associated with a message.
 
 
 ```json
@@ -51,7 +59,8 @@ An AMQP 0.9.1 connection requires the protocol configuration target object to ha
   "topics": [
     "_/_/things/twin/events",
     "_/_/things/live/messages"
-  ]
+  ],
+  "authorizationContext": ["ditto:outbound-auth-subject", "..."]
 }
 ```
 
@@ -76,13 +85,13 @@ Example connection configuration to create a new AMQP 0.9.1 connection (e.g. in
     "connectionType": "amqp-091",
     "connectionStatus": "open",
     "failoverEnabled": true,
-    "uri": "amqp://user:password@localhost:5672",
+    "uri": "amqp://user:password@localhost:5672/vhost",
     "sources": [
       {
         "addresses": [
           "queueName"
         ],
-        "authorizationContext": ["<<<my-subject-id-included-in-policy-or-acl>>>"]
+        "authorizationContext": ["ditto:inbound-auth-subject", "..."]
       }
     ],
     "targets": [
@@ -92,7 +101,7 @@ Example connection configuration to create a new AMQP 0.9.1 connection (e.g. in
           "_/_/things/twin/events",
           "_/_/things/live/messages"
         ],
-        "authorizationContext": ["<<<my-subject-id-included-in-policy-or-acl>>>"]
+        "authorizationContext": ["ditto:outbound-auth-subject", "..."]
       }
     ]
   }