Documentation ¶
Index ¶
- Constants
- Variables
- func Errorf(format string, a ...interface{}) error
- func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool)
- func GetValuesFromClaims(claims map[string]interface{}, claimName string) (set.StringSet, bool)
- type Action
- type ActionConditionKeyMap
- type ActionSet
- func (actionSet ActionSet) Add(action Action)
- func (actionSet ActionSet) Clone() ActionSet
- func (actionSet ActionSet) Contains(action Action) bool
- func (actionSet ActionSet) Equals(sactionSet ActionSet) bool
- func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet
- func (actionSet ActionSet) IsEmpty() bool
- func (actionSet ActionSet) MarshalJSON() ([]byte, error)
- func (actionSet ActionSet) Match(action Action) bool
- func (actionSet ActionSet) String() string
- func (actionSet ActionSet) ToAdminSlice() []AdminAction
- func (actionSet ActionSet) ToKMSSlice() (actions []KMSAction)
- func (actionSet ActionSet) ToSTSSlice() []STSAction
- func (actionSet ActionSet) ToSlice() []Action
- func (actionSet *ActionSet) UnmarshalJSON(data []byte) error
- func (actionSet ActionSet) Validate() error
- func (actionSet ActionSet) ValidateAdmin() error
- func (actionSet ActionSet) ValidateKMS() error
- func (actionSet ActionSet) ValidateSTS() error
- type AdminAction
- type Args
- type BPStatement
- type BucketPolicy
- func (policy *BucketPolicy) Equals(p BucketPolicy) bool
- func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool
- func (policy BucketPolicy) IsEmpty() bool
- func (policy BucketPolicy) MarshalJSON() ([]byte, error)
- func (policy *BucketPolicy) UnmarshalJSON(data []byte) error
- func (policy BucketPolicy) Validate(bucketName string) error
- type BucketPolicyArgs
- type Effect
- type Error
- type ID
- type KMSAction
- type Policy
- func (iamp *Policy) Equals(p Policy) bool
- func (iamp Policy) IsAllowed(args Args) bool
- func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet
- func (iamp Policy) IsEmpty() bool
- func (iamp Policy) MatchResource(resource string) bool
- func (iamp *Policy) UnmarshalJSON(data []byte) error
- func (iamp Policy) Validate() error
- type Principal
- func (p Principal) Clone() Principal
- func (p Principal) Equals(pp Principal) bool
- func (p Principal) Intersection(principal Principal) set.StringSet
- func (p Principal) IsValid() bool
- func (p Principal) MarshalJSON() ([]byte, error)
- func (p Principal) Match(principal string) bool
- func (p *Principal) UnmarshalJSON(data []byte) error
- type Resource
- func (r Resource) IsValid() bool
- func (r Resource) MarshalJSON() ([]byte, error)
- func (r Resource) Match(resource string, conditionValues map[string][]string) bool
- func (r Resource) MatchResource(resource string) bool
- func (r Resource) String() string
- func (r *Resource) UnmarshalJSON(data []byte) error
- func (r Resource) Validate() error
- func (r Resource) ValidateBucket(bucketName string) error
- type ResourceSet
- func (resourceSet ResourceSet) Add(resource Resource)
- func (resourceSet ResourceSet) BucketResourceExists() bool
- func (resourceSet ResourceSet) Clone() ResourceSet
- func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
- func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
- func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
- func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
- func (resourceSet ResourceSet) MatchResource(resource string) bool
- func (resourceSet ResourceSet) ObjectResourceExists() bool
- func (resourceSet ResourceSet) String() string
- func (resourceSet ResourceSet) ToSlice() []Resource
- func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
- func (resourceSet ResourceSet) Validate() error
- func (resourceSet ResourceSet) ValidateBucket(bucketName string) error
- type STSAction
- type Statement
Constants ¶
// S3 policy actions.
//
// Only AbortMultipartUploadAction carries an explicit type; every other
// constant in this block is an untyped string constant (Go does not repeat
// the type when an explicit value is given), so they convert to Action at
// the point of use (e.g. in NewActionSet) rather than being Action-typed
// themselves. The values are the strings that appear in the "Action" field
// of a policy statement.
const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
	// is specified. Distinct from DeleteBucketAction: a grant of DeleteBucket alone
	// does not cover the forced variant, and vice versa.
	ForceDeleteBucketAction = "s3:ForceDeleteBucket"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// GetObjectAttributesAction - GetObjectVersionAttributes Rest API action.
	GetObjectAttributesAction = "s3:GetObjectAttributes"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
	GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"

	// ListBucketVersionsAction - ListBucketVersions Rest API action.
	ListBucketVersionsAction = "s3:ListBucketVersions"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListenNotificationAction - ListenNotification Rest API action.
	// This is MinIO extension.
	ListenNotificationAction = "s3:ListenNotification"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"

	// PutBucketNotificationAction - PutObjectNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
	DeleteObjectVersionAction = "s3:DeleteObjectVersion"

	// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
	DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"

	// GetObjectVersionAction - GetObjectVersionAction Rest API action.
	GetObjectVersionAction = "s3:GetObjectVersion"

	// GetObjectVersionAttributesAction - GetObjectVersionAttributes Rest API action.
	GetObjectVersionAttributesAction = "s3:GetObjectVersionAttributes"

	// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
	GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"

	// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
	PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"

	// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
	// This is the permission that lets a caller override an object-lock retention period;
	// grant it separately from the Put/Delete actions it modifies.
	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"

	// PutObjectRetentionAction - PutObjectRetention Rest API action.
	PutObjectRetentionAction = "s3:PutObjectRetention"

	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
	GetObjectRetentionAction = "s3:GetObjectRetention"

	// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
	GetObjectLegalHoldAction = "s3:GetObjectLegalHold"

	// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
	PutObjectLegalHoldAction = "s3:PutObjectLegalHold"

	// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action.
	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"

	// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action.
	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"

	// GetBucketTaggingAction - GetBucketTagging Rest API action.
	GetBucketTaggingAction = "s3:GetBucketTagging"

	// PutBucketTaggingAction - PutBucketTagging Rest API action.
	PutBucketTaggingAction = "s3:PutBucketTagging"

	// GetObjectTaggingAction - Get Object Tags API action.
	GetObjectTaggingAction = "s3:GetObjectTagging"

	// PutObjectTaggingAction - Put Object Tags API action.
	PutObjectTaggingAction = "s3:PutObjectTagging"

	// DeleteObjectTaggingAction - Delete Object Tags API action.
	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"

	// PutBucketEncryptionAction - PutBucketEncryption REST API action.
	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"

	// GetBucketEncryptionAction - GetBucketEncryption REST API action.
	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"

	// PutBucketVersioningAction - PutBucketVersioning REST API action.
	PutBucketVersioningAction = "s3:PutBucketVersioning"

	// GetBucketVersioningAction - GetBucketVersioning REST API action.
	GetBucketVersioningAction = "s3:GetBucketVersioning"

	// GetReplicationConfigurationAction - GetReplicationConfiguration REST API action.
	GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"

	// PutReplicationConfigurationAction - PutReplicationConfiguration REST API action.
	PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"

	// ReplicateObjectAction - ReplicateObject REST API action.
	ReplicateObjectAction = "s3:ReplicateObject"

	// ReplicateDeleteAction - ReplicateDelete REST API action.
	ReplicateDeleteAction = "s3:ReplicateDelete"

	// ReplicateTagsAction - ReplicateTags REST API action.
	ReplicateTagsAction = "s3:ReplicateTags"

	// GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action.
	GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"

	// RestoreObjectAction - RestoreObject REST API action.
	RestoreObjectAction = "s3:RestoreObject"

	// ResetBucketReplicationStateAction - MinIO extension API ResetBucketReplicationState to reset replication state
	// on a bucket.
	ResetBucketReplicationStateAction = "s3:ResetBucketReplicationState"

	// PutObjectFanOutAction - PutObject like API action but allows PostUpload() fan-out.
	PutObjectFanOutAction = "s3:PutObjectFanOut"

	// AllActions - all API actions. Wildcard covering every "s3:" action above;
	// combined with a "*" resource (as in the "readwrite" entry of DefaultPolicies)
	// it is the broadest S3 grant this package can express.
	AllActions = "s3:*"
)
// Admin policy actions ("admin:" namespace).
//
// All constants in this block are untyped string constants; they are
// converted to AdminAction / Action where they are used. Several of them
// are, by their own description, cluster-administration level (config
// update, IAM import/export, service-account and user management, raw
// backend data download): a grant of AllAdminActions covers every one of
// them, which is what the "consoleAdmin" entry of DefaultPolicies does.
const (
	// HealAdminAction - allows heal command.
	HealAdminAction = "admin:Heal"

	// DecommissionAdminAction - allows decomissioning of pools.
	DecommissionAdminAction = "admin:Decommission"

	// RebalanceAdminAction - allows rebalancing of pools.
	RebalanceAdminAction = "admin:Rebalance"

	// StorageInfoAdminAction - allow listing server info.
	StorageInfoAdminAction = "admin:StorageInfo"

	// PrometheusAdminAction - prometheus info action.
	PrometheusAdminAction = "admin:Prometheus"

	// DataUsageInfoAdminAction - allow listing data usage info.
	DataUsageInfoAdminAction = "admin:DataUsageInfo"

	// ForceUnlockAdminAction - allow force unlocking locks.
	ForceUnlockAdminAction = "admin:ForceUnlock"

	// TopLocksAdminAction - allow listing top locks.
	TopLocksAdminAction = "admin:TopLocksInfo"

	// ProfilingAdminAction - allow profiling.
	ProfilingAdminAction = "admin:Profiling"

	// TraceAdminAction - allow listing server trace.
	TraceAdminAction = "admin:ServerTrace"

	// ConsoleLogAdminAction - allow listing console logs on terminal.
	ConsoleLogAdminAction = "admin:ConsoleLog"

	// KMSCreateKeyAdminAction - allow creating a new KMS master key.
	KMSCreateKeyAdminAction = "admin:KMSCreateKey"

	// KMSKeyStatusAdminAction - allow getting KMS key status.
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"

	// ServerInfoAdminAction - allow listing server info.
	ServerInfoAdminAction = "admin:ServerInfo"

	// HealthInfoAdminAction - allow obtaining cluster health information.
	// Note the value keeps the historical "OBDInfo" name.
	HealthInfoAdminAction = "admin:OBDInfo"

	// BandwidthMonitorAction - allow monitoring bandwidth usage.
	BandwidthMonitorAction = "admin:BandwidthMonitor"

	// InspectDataAction - allows downloading raw files from backend.
	// This exposes stored data directly, independent of any S3-level grant.
	InspectDataAction = "admin:InspectData"

	// ServerUpdateAdminAction - allow MinIO binary update.
	ServerUpdateAdminAction = "admin:ServerUpdate"

	// ServiceRestartAdminAction - allow restart of MinIO service.
	ServiceRestartAdminAction = "admin:ServiceRestart"

	// ServiceStopAdminAction - allow stopping MinIO service.
	ServiceStopAdminAction = "admin:ServiceStop"

	// ServiceFreezeAdminAction - allow freeze/unfreeze MinIO service.
	ServiceFreezeAdminAction = "admin:ServiceFreeze"

	// ConfigUpdateAdminAction - allow MinIO config management.
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// CreateUserAdminAction - allow creating MinIO user.
	CreateUserAdminAction = "admin:CreateUser"

	// DeleteUserAdminAction - allow deleting MinIO user.
	DeleteUserAdminAction = "admin:DeleteUser"

	// ListUsersAdminAction - allow list users permission.
	ListUsersAdminAction = "admin:ListUsers"

	// EnableUserAdminAction - allow enable user permission.
	EnableUserAdminAction = "admin:EnableUser"

	// DisableUserAdminAction - allow disable user permission.
	DisableUserAdminAction = "admin:DisableUser"

	// GetUserAdminAction - allows GET permission on user info.
	GetUserAdminAction = "admin:GetUser"

	// SiteReplicationAddAction - allow adding clusters for site-level replication.
	SiteReplicationAddAction = "admin:SiteReplicationAdd"

	// SiteReplicationDisableAction - allow disabling a cluster from replication.
	SiteReplicationDisableAction = "admin:SiteReplicationDisable"

	// SiteReplicationRemoveAction - allow removing a cluster from replication.
	SiteReplicationRemoveAction = "admin:SiteReplicationRemove"

	// SiteReplicationResyncAction - allow resyncing cluster data to another site.
	SiteReplicationResyncAction = "admin:SiteReplicationResync"

	// SiteReplicationInfoAction - allow getting site replication info.
	SiteReplicationInfoAction = "admin:SiteReplicationInfo"

	// SiteReplicationOperationAction - allow performing site replication
	// create/update/delete operations to peers.
	SiteReplicationOperationAction = "admin:SiteReplicationOperation"

	// CreateServiceAccountAdminAction - allow create a service account for a user.
	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"

	// UpdateServiceAccountAdminAction - allow updating a service account.
	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"

	// RemoveServiceAccountAdminAction - allow removing a service account.
	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"

	// ListServiceAccountsAdminAction - allow listing service accounts.
	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"

	// ListTemporaryAccountsAdminAction - allow listing of temporary accounts.
	ListTemporaryAccountsAdminAction = "admin:ListTemporaryAccounts"

	// AddUserToGroupAdminAction - allow adding user to group permission.
	AddUserToGroupAdminAction = "admin:AddUserToGroup"

	// RemoveUserFromGroupAdminAction - allow removing user from group permission.
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"

	// GetGroupAdminAction - allow getting group info.
	GetGroupAdminAction = "admin:GetGroup"

	// ListGroupsAdminAction - allow list groups permission.
	ListGroupsAdminAction = "admin:ListGroups"

	// EnableGroupAdminAction - allow enable group permission.
	EnableGroupAdminAction = "admin:EnableGroup"

	// DisableGroupAdminAction - allow disable group permission.
	DisableGroupAdminAction = "admin:DisableGroup"

	// CreatePolicyAdminAction - allow create policy permission.
	CreatePolicyAdminAction = "admin:CreatePolicy"

	// DeletePolicyAdminAction - allow delete policy permission.
	DeletePolicyAdminAction = "admin:DeletePolicy"

	// GetPolicyAdminAction - allow get policy permission.
	GetPolicyAdminAction = "admin:GetPolicy"

	// AttachPolicyAdminAction - allows attaching a policy to a user/group.
	// Note the value ("AttachUserOrGroupPolicy") differs from the Go name.
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"

	// UpdatePolicyAssociationAction - allows to add/remove policy association
	// on a user or group.
	UpdatePolicyAssociationAction = "admin:UpdatePolicyAssociation"

	// ListUserPoliciesAdminAction - allows listing user policies.
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// SetBucketQuotaAdminAction - allow setting bucket quota.
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"

	// GetBucketQuotaAdminAction - allow getting bucket quota.
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"

	// SetBucketTargetAction - allow setting bucket target.
	SetBucketTargetAction = "admin:SetBucketTarget"

	// GetBucketTargetAction - allow getting bucket targets.
	GetBucketTargetAction = "admin:GetBucketTarget"

	// ReplicationDiff - allow computing the unreplicated objects in a bucket.
	ReplicationDiff = "admin:ReplicationDiff"

	// ImportBucketMetadataAction - allow importing bucket metadata.
	ImportBucketMetadataAction = "admin:ImportBucketMetadata"

	// ExportBucketMetadataAction - allow exporting bucket metadata.
	ExportBucketMetadataAction = "admin:ExportBucketMetadata"

	// SetTierAction - allow adding/editing a remote tier.
	SetTierAction = "admin:SetTier"

	// ListTierAction - allow listing remote tiers.
	ListTierAction = "admin:ListTier"

	// ExportIAMAction - allow exporting of all IAM info.
	ExportIAMAction = "admin:ExportIAM"

	// ImportIAMAction - allow importing IAM info to MinIO.
	ImportIAMAction = "admin:ImportIAM"

	// ListBatchJobsAction - allow listing current active jobs.
	ListBatchJobsAction = "admin:ListBatchJobs"

	// DescribeBatchJobAction - allow getting batch job YAML.
	DescribeBatchJobAction = "admin:DescribeBatchJob"

	// StartBatchJobAction - allow submitting a batch job.
	StartBatchJobAction = "admin:StartBatchJob"

	// CancelBatchJobAction - allow canceling a batch job.
	CancelBatchJobAction = "admin:CancelBatchJob"

	// AllAdminActions - provides all admin permissions (wildcard over the
	// "admin:" namespace).
	AllAdminActions = "admin:*"
)
// Policy claim constants - names of the claims under which policies are
// carried in a token (presumably the claim names passed as policyClaimName
// to GetPoliciesFromClaims; the caller side is not shown here).
const (
	// PolicyName - claim holding the name(s) of the policies to apply.
	PolicyName = "policy"
	// SessionPolicyName - claim holding an inline session policy.
	SessionPolicyName = "sessionPolicy"
)
Policy claim constants
// KMS policy actions ("kms:" namespace). All are untyped string constants,
// converted to KMSAction / Action where used.
const (
	// KMSCreateKeyAction - allow creating a new KMS master key.
	KMSCreateKeyAction = "kms:CreateKey"

	// KMSDeleteKeyAction - allow deleting a KMS master key.
	KMSDeleteKeyAction = "kms:DeleteKey"

	// KMSListKeysAction - allow getting list of KMS keys.
	KMSListKeysAction = "kms:ListKeys"

	// KMSImportKeyAction - allow importing KMS key.
	KMSImportKeyAction = "kms:ImportKey"

	// KMSDescribePolicyAction - allow getting KMS policy.
	KMSDescribePolicyAction = "kms:DescribePolicy"

	// KMSAssignPolicyAction - allow assigning an identity to a KMS policy.
	KMSAssignPolicyAction = "kms:AssignPolicy"

	// KMSDeletePolicyAction - allow deleting a policy.
	KMSDeletePolicyAction = "kms:DeletePolicy"

	// KMSSetPolicyAction - allow creating or updating a policy.
	KMSSetPolicyAction = "kms:SetPolicy"

	// KMSGetPolicyAction - allow getting a policy.
	KMSGetPolicyAction = "kms:GetPolicy"

	// KMSListPoliciesAction - allow getting list of KMS policies.
	KMSListPoliciesAction = "kms:ListPolicies"

	// KMSDescribeIdentityAction - allow getting KMS identity.
	KMSDescribeIdentityAction = "kms:DescribeIdentity"

	// KMSDescribeSelfIdentityAction - allow getting self KMS identity.
	KMSDescribeSelfIdentityAction = "kms:DescribeSelfIdentity"

	// KMSDeleteIdentityAction - allow deleting a KMS identity.
	KMSDeleteIdentityAction = "kms:DeleteIdentity"

	// KMSListIdentitiesAction - allow getting list of KMS identities.
	KMSListIdentitiesAction = "kms:ListIdentities"

	// KMSKeyStatusAction - allow getting KMS key status.
	KMSKeyStatusAction = "kms:KeyStatus"

	// KMSStatusAction - allow getting KMS status.
	KMSStatusAction = "kms:Status"

	// KMSAPIAction - allow getting a list of supported API endpoints.
	KMSAPIAction = "kms:API"

	// KMSMetricsAction - allow getting server metrics in the Prometheus exposition format.
	KMSMetricsAction = "kms:Metrics"

	// KMSVersionAction - allow getting version information.
	KMSVersionAction = "kms:Version"

	// KMSAuditLogAction - subscribes to the audit log.
	KMSAuditLogAction = "kms:AuditLog"

	// KMSErrorLogAction - subscribes to the error log.
	KMSErrorLogAction = "kms:ErrorLog"

	// AllKMSActions - provides all KMS permissions (wildcard over the
	// "kms:" namespace).
	AllKMSActions = "kms:*"
)
// STS policy actions. Both are untyped string constants.
const (
	// AssumeRoleWithWebIdentityAction - STS action for AssumeRoleWithWebIdentity call.
	AssumeRoleWithWebIdentityAction = "sts:AssumeRoleWithWebIdentity"

	// AllSTSActions - select all STS actions.
	// Unlike AllActions ("s3:*"), AllAdminActions ("admin:*") and
	// AllKMSActions ("kms:*"), this wildcard has no namespace prefix; policy
	// authors should not expect "*" here to be scoped to "sts:" by the value alone.
	AllSTSActions = "*"
)
// DefaultVersion - default policy version as per AWS S3 specification.
// Used as the Version of every entry in DefaultPolicies.
const DefaultVersion = "2012-10-17"
DefaultVersion - default policy version as per AWS S3 specification.
// ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.
// Resource patterns written in policies are expected to start with this
// prefix (see Resource.Pattern).
const ResourceARNPrefix = "arn:aws:s3:::"
ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.
Variables ¶
// DefaultPolicies - list of canned policies available in MinIO.
//
// Every entry uses DefaultVersion, a single Allow effect and an empty SID.
// Scope notes for reviewers:
//   - "readwrite", "readonly" and "writeonly" are granted on the resource
//     "*", i.e. across all buckets, not per bucket.
//   - "readonly" is GetBucketLocation + GetObject only (no ListBucket).
//   - "consoleAdmin" is the union of AllAdminActions, AllKMSActions and
//     AllActions on "*"; it is the most privileged canned policy here.
//     Its admin and KMS statements carry an empty ResourceSet, as those
//     action namespaces are not bucket-scoped.
var DefaultPolicies = []struct {
	Name       string
	Definition Policy
}{
	{
		// readwrite: every s3: action on every resource.
		Name: "readwrite",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(AllActions),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		// readonly: object reads (plus bucket location) on every resource.
		Name: "readonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		// writeonly: PutObject on every resource.
		Name: "writeonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(PutObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		// diagnostics: read-only observability admin actions (profiling,
		// trace, console log, server/health info, locks, bandwidth, metrics).
		Name: "diagnostics",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(ProfilingAdminAction, TraceAdminAction,
						ConsoleLogAdminAction, ServerInfoAdminAction,
						TopLocksAdminAction, HealthInfoAdminAction,
						BandwidthMonitorAction, PrometheusAdminAction,
					),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		// consoleAdmin: all admin + all KMS + all S3 actions.
		Name: "consoleAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllAdminActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllKMSActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllActions),
					Resources:  NewResourceSet(NewResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
}
DefaultPolicies - list of canned policies available in MinIO.
// IAMActionConditionKeyMap - holds mapping of supported condition key for an action.
// Populated once at package initialisation by createActionConditionKeyMap
// (not shown on this page); as a package-level map it should be treated
// as read-only by callers.
var IAMActionConditionKeyMap = createActionConditionKeyMap()
IAMActionConditionKeyMap - holds mapping of supported condition key for an action.
Functions ¶
func Errorf ¶
Errorf - formats according to a format specifier and returns the result as a policy.Error value, which satisfies the error interface.
Types ¶
type Action ¶
// Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
// for more information about available actions. The S3 action constants
// (e.g. GetObjectAction) are the canonical values; ActionSet is keyed by it.
type Action string
Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about available actions.
func (Action) IsObjectAction ¶
IsObjectAction - returns whether the action is an object-level action or not.
type ActionConditionKeyMap ¶
ActionConditionKeyMap is an alias for the map type used here.
type ActionSet ¶
// ActionSet - set of actions, implemented as a map keyed by Action with
// zero-width values. The untyped action constants convert to Action when
// added. A nil ActionSet reads as empty but Add on it would panic, so
// construct one with NewActionSet.
type ActionSet map[Action]struct{}
ActionSet - set of actions.
func NewActionSet ¶
NewActionSet - creates new action set.
func (ActionSet) Equals ¶
Equals - checks whether given action set is equal to current action set or not.
func (ActionSet) Intersection ¶
Intersection - returns actions available in both ActionSet.
func (ActionSet) MarshalJSON ¶
MarshalJSON - encodes ActionSet to JSON data.
func (ActionSet) ToAdminSlice ¶
func (actionSet ActionSet) ToAdminSlice() []AdminAction
ToAdminSlice - returns slice of admin actions from the action set.
func (ActionSet) ToKMSSlice ¶
ToKMSSlice - returns slice of kms actions from the action set.
func (ActionSet) ToSTSSlice ¶ added in v2.0.9
ToSTSSlice - returns slice of STS actions from the action set.
func (*ActionSet) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to ActionSet.
func (ActionSet) ValidateAdmin ¶
ValidateAdmin checks if all actions are valid Admin actions
func (ActionSet) ValidateKMS ¶
ValidateKMS checks if all actions are valid KMS actions
func (ActionSet) ValidateSTS ¶ added in v2.0.9
ValidateSTS checks if all actions are valid STS actions
type AdminAction ¶
// AdminAction - admin policy action. Values are the "admin:" constants
// (HealAdminAction ... AllAdminActions); IsValid reports whether a given
// value is one of them.
type AdminAction string
AdminAction - admin policy action.
func (AdminAction) IsValid ¶
func (action AdminAction) IsValid() bool
IsValid - checks if action is valid or not.
type Args ¶
// Args - arguments to policy to check whether it is allowed.
//
// It bundles the caller identity (AccountName, Groups, Claims), the
// requested Action and its target (BucketName, ObjectName), and the
// request context values. Compare BucketPolicyArgs, which lacks Claims
// and DenyOnly.
type Args struct {
	// AccountName - name of the requesting account.
	AccountName string `json:"account"`
	// Groups - groups the account belongs to.
	Groups []string `json:"groups"`
	// Action - the policy action being requested.
	Action Action `json:"action"`
	// BucketName - target bucket of the request.
	BucketName string `json:"bucket"`
	// ConditionValues - request context values; presumably what a
	// Statement's Conditions are evaluated against (evaluation not shown here).
	ConditionValues map[string][]string `json:"conditions"`
	// IsOwner - whether the caller owns the target resource.
	IsOwner bool `json:"owner"`
	// ObjectName - target object of the request.
	ObjectName string `json:"object"`
	// Claims - JWT claims of the caller; GetPolicies and GetRoleArn read
	// policy names and the role ARN from here.
	Claims map[string]interface{} `json:"claims"`
	// DenyOnly - only applies deny: when set, the check considers Deny
	// statements only. NOTE(review): confirm against IsAllowed, which is
	// not shown on this page.
	DenyOnly bool `json:"denyOnly"` // only applies deny
}
Args - arguments passed to a policy check to decide whether the request is allowed.
func (Args) GetPolicies ¶
GetPolicies returns the list of policies to be applied for this incoming request, extracting the information from JWT claims.
func (Args) GetRoleArn ¶
GetRoleArn returns the role ARN from JWT claims if present. Otherwise returns empty string.
type BPStatement ¶
// BPStatement - bucket policy statement.
//
// Differs from Statement in carrying a Principal and in Resources being a
// required JSON field ("Resource" without omitempty). Actions and
// NotActions are alternatives; see NewBPStatement and
// NewBPStatementWithNotAction.
type BPStatement struct {
	// SID - optional statement identifier.
	SID ID `json:"Sid,omitempty"`
	// Effect - Allow or Deny.
	Effect Effect `json:"Effect"`
	// Principal - who the statement applies to.
	Principal Principal `json:"Principal"`
	// Actions - actions the statement covers.
	Actions ActionSet `json:"Action"`
	// NotActions - actions the statement excludes (optional).
	NotActions ActionSet `json:"NotAction,omitempty"`
	// Resources - resources the statement covers.
	Resources ResourceSet `json:"Resource"`
	// Conditions - optional condition functions.
	Conditions condition.Functions `json:"Condition,omitempty"`
}
BPStatement - policy statement.
func NewBPStatement ¶
func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) BPStatement
NewBPStatement - creates new statement.
func NewBPStatementWithNotAction ¶
func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, resources ResourceSet, conditions condition.Functions) BPStatement
NewBPStatementWithNotAction - creates new statement with NotAction.
func (BPStatement) Clone ¶
func (statement BPStatement) Clone() BPStatement
Clone clones Statement structure
func (BPStatement) Equals ¶
func (statement BPStatement) Equals(st BPStatement) bool
Equals checks if two statements are equal
func (BPStatement) IsAllowed ¶
func (statement BPStatement) IsAllowed(args BucketPolicyArgs) bool
IsAllowed - checks whether the given policy args are allowed to continue with the Rest API call.
func (BPStatement) Validate ¶
func (statement BPStatement) Validate(bucketName string) error
Validate - validates whether the Statement is for the given bucket or not.
type BucketPolicy ¶
// BucketPolicy - bucket policy.
//
// Version has no json tag, so it is encoded and decoded under the field
// name "Version", which is also the key the AWS policy format uses.
type BucketPolicy struct {
	// ID - optional policy identifier.
	ID ID `json:"ID,omitempty"`
	// Version - policy language version (see DefaultVersion).
	Version string
	// Statements - the policy's statements; JSON key "Statement".
	Statements []BPStatement `json:"Statement"`
}
BucketPolicy - bucket policy.
func ParseBucketPolicyConfig ¶
func ParseBucketPolicyConfig(reader io.Reader, bucketName string) (*BucketPolicy, error)
ParseBucketPolicyConfig - parses data in the given reader to a BucketPolicy.
func (*BucketPolicy) Equals ¶
func (policy *BucketPolicy) Equals(p BucketPolicy) bool
Equals returns true if the two policies are identical
func (BucketPolicy) IsAllowed ¶
func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool
IsAllowed - checks whether the given policy args are allowed to continue with the Rest API call.
func (BucketPolicy) IsEmpty ¶
func (policy BucketPolicy) IsEmpty() bool
IsEmpty - returns whether policy is empty or not.
func (BucketPolicy) MarshalJSON ¶
func (policy BucketPolicy) MarshalJSON() ([]byte, error)
MarshalJSON - encodes BucketPolicy to JSON data.
func (*BucketPolicy) UnmarshalJSON ¶
func (policy *BucketPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to BucketPolicy.
func (BucketPolicy) Validate ¶
func (policy BucketPolicy) Validate(bucketName string) error
Validate - validates whether all statements are for the given bucket or not.
type BucketPolicyArgs ¶
// BucketPolicyArgs - arguments to bucket policy to check whether it is allowed.
// Same shape as Args minus Claims and DenyOnly.
type BucketPolicyArgs struct {
	// AccountName - name of the requesting account.
	AccountName string `json:"account"`
	// Groups - groups the account belongs to.
	Groups []string `json:"groups"`
	// Action - the policy action being requested.
	Action Action `json:"action"`
	// BucketName - target bucket of the request.
	BucketName string `json:"bucket"`
	// ConditionValues - request context values for condition evaluation.
	ConditionValues map[string][]string `json:"conditions"`
	// IsOwner - whether the caller owns the target resource.
	IsOwner bool `json:"owner"`
	// ObjectName - target object of the request.
	ObjectName string `json:"object"`
}
BucketPolicyArgs - arguments passed to a bucket policy check to decide whether the request is allowed.
type Effect ¶
// Effect - policy statement effect Allow or Deny.
type Effect string
Effect - policy statement effect Allow or Deny.
// Effect values. Only Allow is declared with the Effect type; Deny is an
// untyped string constant that converts to Effect where it is assigned.
const (
	// Allow - allow effect.
	Allow Effect = "Allow"
	// Deny - deny effect.
	Deny = "Deny"
)
type Error ¶
type Error struct {
// contains filtered or unexported fields
}
Error is the generic type for any error happening during policy parsing.
type Policy ¶
// Policy - IAM policy.
//
// Version has no json tag, so it is encoded and decoded under the field
// name "Version", which is also the key the AWS policy format uses.
type Policy struct {
	// ID - optional policy identifier.
	ID ID `json:"ID,omitempty"`
	// Version - policy language version (see DefaultVersion).
	Version string
	// Statements - the policy's statements; JSON key "Statement".
	Statements []Statement `json:"Statement"`
}
Policy - IAM policy.
func MergePolicies ¶
MergePolicies merges all the given policies into a single policy dropping any duplicate statements.
func ParseConfig ¶
ParseConfig - parses data in the given reader to a Policy.
func (Policy) IsAllowedActions ¶
func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet
IsAllowedActions returns all supported actions for this policy.
func (Policy) MatchResource ¶
MatchResource matches resource with match resource patterns
func (*Policy) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Policy.
type Principal ¶
Principal - policy principal.
func NewPrincipal ¶
NewPrincipal - creates new Principal.
func (Principal) Intersection ¶
Intersection - returns principals available in both Principal.
func (Principal) MarshalJSON ¶
MarshalJSON - encodes Principal to JSON data.
func (*Principal) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Principal.
type Resource ¶
// Resource - resource in policy statement.
type Resource struct {
	// Pattern - the resource pattern as written in the policy (ARN form,
	// see ResourceARNPrefix). Match and MatchResource compare object
	// names against it.
	Pattern string
}
Resource - resource in policy statement.
func (Resource) MarshalJSON ¶
MarshalJSON - encodes Resource to JSON data.
func (Resource) Match ¶
Match - matches object name with resource pattern, including specific conditionals.
func (Resource) MatchResource ¶
MatchResource matches object name with resource pattern only.
func (*Resource) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Resource.
func (Resource) ValidateBucket ¶
ValidateBucket - validates that given bucketName is matched by Resource.
type ResourceSet ¶
// ResourceSet - set of resources in policy statement, implemented as a map
// keyed by Resource (a comparable struct) with zero-width values. A nil
// ResourceSet reads as empty but Add on it would panic, so construct one
// with NewResourceSet.
type ResourceSet map[Resource]struct{}
ResourceSet - set of resources in policy statement.
func NewResourceSet ¶
func NewResourceSet(resources ...Resource) ResourceSet
NewResourceSet - creates new resource set.
func (ResourceSet) Add ¶
func (resourceSet ResourceSet) Add(resource Resource)
Add - adds resource to resource set.
func (ResourceSet) BucketResourceExists ¶
func (resourceSet ResourceSet) BucketResourceExists() bool
BucketResourceExists - checks if at least one bucket resource exists in the set.
func (ResourceSet) Clone ¶
func (resourceSet ResourceSet) Clone() ResourceSet
Clone clones ResourceSet structure
func (ResourceSet) Equals ¶
func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
Equals - checks whether given resource set is equal to current resource set or not.
func (ResourceSet) Intersection ¶
func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
Intersection - returns resources available in both ResourceSet.
func (ResourceSet) MarshalJSON ¶
func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
MarshalJSON - encodes ResourceSet to JSON data.
func (ResourceSet) Match ¶
func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
Match - matches the object name against any one of the resource patterns in the resource set.
func (ResourceSet) MatchResource ¶
func (resourceSet ResourceSet) MatchResource(resource string) bool
MatchResource matches object name with resource patterns only.
func (ResourceSet) ObjectResourceExists ¶
func (resourceSet ResourceSet) ObjectResourceExists() bool
ObjectResourceExists - checks if at least one object resource exists in the set.
func (ResourceSet) String ¶
func (resourceSet ResourceSet) String() string
func (ResourceSet) ToSlice ¶
func (resourceSet ResourceSet) ToSlice() []Resource
ToSlice - returns slice of resources from the resource set.
func (*ResourceSet) UnmarshalJSON ¶
func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to ResourceSet.
func (ResourceSet) Validate ¶
func (resourceSet ResourceSet) Validate() error
Validate - validates ResourceSet.
func (ResourceSet) ValidateBucket ¶
func (resourceSet ResourceSet) ValidateBucket(bucketName string) error
ValidateBucket - validates whether the ResourceSet is for the given bucket or not.
type Statement ¶
// Statement - iam policy statement.
//
// Differs from BPStatement in having no Principal and in Resources being
// optional in JSON ("Resource,omitempty"); the admin and KMS statements of
// DefaultPolicies rely on that by using an empty ResourceSet.
type Statement struct {
	// SID - optional statement identifier.
	SID ID `json:"Sid,omitempty"`
	// Effect - Allow or Deny.
	Effect Effect `json:"Effect"`
	// Actions - actions the statement covers.
	Actions ActionSet `json:"Action"`
	// NotActions - actions the statement excludes (optional).
	NotActions ActionSet `json:"NotAction,omitempty"`
	// Resources - resources the statement covers (optional).
	Resources ResourceSet `json:"Resource,omitempty"`
	// Conditions - optional condition functions.
	Conditions condition.Functions `json:"Condition,omitempty"`
}
Statement - iam policy statement.
func NewStatement ¶
func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement
NewStatement - creates new statement.
func NewStatementWithNotAction ¶
func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, conditions condition.Functions) Statement
NewStatementWithNotAction - creates new statement with NotAction.