iampolicy

package
v0.0.0-...-b4abad3 Latest Latest
Published: Sep 13, 2019 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation


Constants

const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	//
	// NOTE(review): this is the only constant in the block with an explicit
	// type. The constants below have no type expression and so are untyped
	// string constants (a const block only repeats the previous type when the
	// expression is omitted too). They still convert implicitly where an
	// Action is expected, but `x := CreateBucketAction` yields a string.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	PutBucketLifecycleAction = "s3:PutBucketLifecycle"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	GetBucketLifecycleAction = "s3:GetBucketLifecycle"

	// PutBucketNotificationAction - PutBucketNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// AllActions - all API actions. This is the "s3:*" wildcard: a statement
	// granting it covers every action listed above, including the bucket
	// policy and bucket deletion actions, so it belongs only in policies
	// meant to confer full access (see ReadWrite).
	AllActions = "s3:*"
)
// Policy claim constants - keys under which a policy is carried as a claim.
const (
	// PolicyName - claim key for the policy name.
	PolicyName        = "policy"
	// SessionPolicyName - claim key for a session policy.
	SessionPolicyName = "sessionPolicy"
)

Policy claim constants

// DefaultVersion - default policy version as per AWS S3 specification.
const DefaultVersion = "2012-10-17"

DefaultVersion - default policy version as per AWS S3 specification.

// ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.
// Presumably the prefix that serialized Resource values are expected to
// carry; how it is enforced is not shown on this page.
const ResourceARNPrefix = "arn:aws:s3:::"

ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.

Variables

// ReadOnly - read only. A single Allow statement granting
// GetBucketLocationAction and GetObjectAction on every resource
// (NewResource("*", "")). ListBucketAction is not part of this literal, so
// bucket listing is not granted by this policy; no Conditions are set.
var ReadOnly = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			SID:       policy.ID(""),
			Effect:    policy.Allow,
			Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
			Resources: NewResourceSet(NewResource("*", "")),
		},
	},
}

ReadOnly - read only.

// ReadWrite - provides full access to all buckets and all objects. A single
// Allow statement granting AllActions ("s3:*") on every resource
// (NewResource("*", "")) with no Conditions, i.e. unrestricted access within
// this policy model, including bucket policy and bucket deletion actions.
// Attach only where full access is intended.
var ReadWrite = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			SID:       policy.ID(""),
			Effect:    policy.Allow,
			Actions:   NewActionSet(AllActions),
			Resources: NewResourceSet(NewResource("*", "")),
		},
	},
}

ReadWrite - provides full access to all buckets and all objects.

// WriteOnly - provides write access. A single Allow statement granting
// PutObjectAction on every resource (NewResource("*", "")) with no
// Conditions. Only PutObject is listed here; the multipart actions
// (AbortMultipartUploadAction, ListBucketMultipartUploadsAction,
// ListMultipartUploadPartsAction) and DeleteObjectAction are not included.
var WriteOnly = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			SID:       policy.ID(""),
			Effect:    policy.Allow,
			Actions:   NewActionSet(PutObjectAction),
			Resources: NewResourceSet(NewResource("*", "")),
		},
	},
}

WriteOnly - provides write access.

Functions

This section is empty.

Types

type Action

// Action - policy action, e.g. "s3:GetObject" or the "s3:*" wildcard.
type Action string

Action - policy action. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about the available actions.

func (Action) IsValid

func (action Action) IsValid() bool

IsValid - checks if action is valid or not.

func (Action) MarshalJSON

func (action Action) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Action to JSON data.

func (Action) Match

func (action Action) Match(a Action) bool

Match - matches the given action against this action pattern.

func (*Action) UnmarshalJSON

func (action *Action) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Action.

type ActionSet

// ActionSet - set of actions, keyed by Action with an empty struct value.
type ActionSet map[Action]struct{}

ActionSet - set of actions.

func NewActionSet

func NewActionSet(actions ...Action) ActionSet

NewActionSet - creates new action set.

func (ActionSet) Add

func (actionSet ActionSet) Add(action Action)

Add - add action to the set.

func (ActionSet) Intersection

func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet

Intersection - returns actions available in both ActionSet.

func (ActionSet) MarshalJSON

func (actionSet ActionSet) MarshalJSON() ([]byte, error)

MarshalJSON - encodes ActionSet to JSON data.

func (ActionSet) Match

func (actionSet ActionSet) Match(action Action) bool

Match - matches the given action against any of the action patterns in the action set.

func (ActionSet) String

func (actionSet ActionSet) String() string

func (ActionSet) ToSlice

func (actionSet ActionSet) ToSlice() []Action

ToSlice - returns slice of actions from the action set.

func (*ActionSet) UnmarshalJSON

func (actionSet *ActionSet) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to ActionSet.

type Args

// Args - arguments passed to a policy to check whether the request is allowed.
type Args struct {
	// AccountName - account making the request.
	AccountName     string                 `json:"account"`
	// Action - the action being evaluated.
	Action          Action                 `json:"action"`
	// BucketName - target bucket.
	BucketName      string                 `json:"bucket"`
	// ConditionValues - condition key -> values; presumably evaluated against
	// Statement.Conditions — confirm in the IsAllowed implementation.
	ConditionValues map[string][]string    `json:"conditions"`
	// IsOwner - whether the requester is the owner. NOTE(review): this is
	// supplied by the caller; its effect on evaluation is not shown here.
	IsOwner         bool                   `json:"owner"`
	// ObjectName - target object key.
	ObjectName      string                 `json:"object"`
	// Claims - arbitrary claims, presumably keyed by the policy claim
	// constants (PolicyName, SessionPolicyName). Callers are expected to have
	// verified their origin before populating this map — confirm upstream.
	Claims          map[string]interface{} `json:"claims"`
}

Args - arguments passed to a policy to check whether the request is allowed.

type Opa

type Opa struct {
	// contains filtered or unexported fields
}

Opa - implements opa policy agent calls.

func NewOpa

func NewOpa(args OpaArgs) *Opa

NewOpa - initializes opa policy engine connector.

func (*Opa) IsAllowed

func (o *Opa) IsAllowed(args Args) (bool, error)

IsAllowed - checks whether the given policy args are allowed to continue with the REST API call.

type OpaArgs

// OpaArgs - OPA general purpose policy engine configuration.
type OpaArgs struct {
	// URL - OPA endpoint.
	URL         *xnet.URL             `json:"url"`
	// AuthToken - token presumably presented to the OPA endpoint. It is part
	// of this struct's JSON form (tag "authToken"), so anything that logs or
	// persists a serialized OpaArgs exposes it; treat it as a secret.
	AuthToken   string                `json:"authToken"`
	// Transport - HTTP transport used for OPA calls; excluded from JSON.
	Transport   http.RoundTripper     `json:"-"`
	// CloseRespFn - hook presumably used to close OPA response bodies;
	// excluded from JSON.
	CloseRespFn func(r io.ReadCloser) `json:"-"`
}

OpaArgs - OPA general purpose policy engine configuration.

func (*OpaArgs) UnmarshalJSON

func (a *OpaArgs) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data.

func (*OpaArgs) Validate

func (a *OpaArgs) Validate() error

Validate - validate opa configuration params.

type Policy

// Policy - IAM policy: an optional ID, a version string and the statements
// the policy consists of.
type Policy struct {
	ID         policy.ID `json:"ID,omitempty"`
	// Version has no json tag, so encoding/json uses the field name "Version".
	Version    string
	Statements []Statement `json:"Statement"`
}

Policy - IAM policy.

func ParseConfig

func ParseConfig(reader io.Reader) (*Policy, error)

ParseConfig - parses the data in the given reader into a Policy.

func (Policy) IsAllowed

func (iamp Policy) IsAllowed(args Args) bool

IsAllowed - checks whether the given policy args are allowed to continue with the Rest API call.

func (Policy) IsEmpty

func (iamp Policy) IsEmpty() bool

IsEmpty - returns whether policy is empty or not.

func (Policy) MarshalJSON

func (iamp Policy) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Policy to JSON data.

func (*Policy) UnmarshalJSON

func (iamp *Policy) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Policy.

func (Policy) Validate

func (iamp Policy) Validate() error

Validate - validates whether all statements are for the given bucket.

type Resource

// Resource - resource in policy statement.
type Resource struct {
	// BucketName - bucket the resource refers to.
	BucketName string
	// Pattern - object pattern; presumably derived from the keyName passed to
	// NewResource — confirm.
	Pattern    string
}

Resource - resource in policy statement.

func NewResource

func NewResource(bucketName, keyName string) Resource

NewResource - creates new resource.

func (Resource) IsValid

func (r Resource) IsValid() bool

IsValid - checks whether Resource is valid or not.

func (Resource) MarshalJSON

func (r Resource) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Resource to JSON data.

func (Resource) Match

func (r Resource) Match(resource string, conditionValues map[string][]string) bool

Match - matches object name with resource pattern.

func (Resource) String

func (r Resource) String() string

func (*Resource) UnmarshalJSON

func (r *Resource) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Resource.

func (Resource) Validate

func (r Resource) Validate() error

Validate - validates whether the Resource is for the given bucket.

type ResourceSet

// ResourceSet - set of resources in policy statement, keyed by Resource.
type ResourceSet map[Resource]struct{}

ResourceSet - set of resources in policy statement.

func NewResourceSet

func NewResourceSet(resources ...Resource) ResourceSet

NewResourceSet - creates new resource set.

func (ResourceSet) Add

func (resourceSet ResourceSet) Add(resource Resource)

Add - adds resource to resource set.

func (ResourceSet) Intersection

func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet

Intersection - returns resources available in both ResourceSet.

func (ResourceSet) MarshalJSON

func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)

MarshalJSON - encodes ResourceSet to JSON data.

func (ResourceSet) Match

func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool

Match - matches the object name against any of the resource patterns in the resource set.

func (ResourceSet) String

func (resourceSet ResourceSet) String() string

func (*ResourceSet) UnmarshalJSON

func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to ResourceSet.

func (ResourceSet) Validate

func (resourceSet ResourceSet) Validate() error

Validate - validates ResourceSet.

type Statement

// Statement - iam policy statement: an effect applied to a set of actions on
// a set of resources, optionally gated by conditions.
type Statement struct {
	SID        policy.ID           `json:"Sid,omitempty"`
	Effect     policy.Effect       `json:"Effect"`
	Actions    ActionSet           `json:"Action"`
	Resources  ResourceSet         `json:"Resource"`
	// Conditions is omitted from JSON when empty; an absent "Condition" key
	// therefore means the statement applies unconditionally.
	Conditions condition.Functions `json:"Condition,omitempty"`
}

Statement - iam policy statement.

func NewStatement

func NewStatement(effect policy.Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement

NewStatement - creates new statement.

func (Statement) IsAllowed

func (statement Statement) IsAllowed(args Args) bool

IsAllowed - checks whether the given policy args are allowed to continue with the Rest API call.

func (Statement) MarshalJSON

func (statement Statement) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Statement to JSON data.

func (*Statement) UnmarshalJSON

func (statement *Statement) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Statement.

func (Statement) Validate

func (statement Statement) Validate() error

Validate - validates whether the Statement is for the given bucket.
