iampolicy

package
v0.0.0-...-0039fe4 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Nov 26, 2024 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

// S3 API action names, i.e. the "s3:" strings that go into an ActionSet and
// are checked with Action.IsValid / ActionSet.Validate.
//
// Only AbortMultipartUploadAction is declared with the explicit type Action
// in this listing; every other name is an untyped string constant, so the
// compiler converts it to whatever string type the call site expects.
// NOTE(review): because of that, an "s3:" constant can be handed to code that
// expects an AdminAction (and an "admin:" constant to code that expects an
// Action) without a compile error. Rely on IsValid / Validate / ValidateAdmin
// to reject a misplaced action, not on the type system.
const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
	// is specified.
	// NOTE(review): a separate permission from DeleteBucketAction; presumably it
	// covers deleting a bucket that still holds objects - confirm, and grant it
	// separately from the plain delete.
	ForceDeleteBucketAction = "s3:ForceDeleteBucket"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
	GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"

	// ListBucketVersionsAction - ListBucketVersions Rest API action.
	ListBucketVersionsAction = "s3:ListBucketVersions"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListenNotificationAction - ListenNotification Rest API action.
	// This is MinIO extension.
	ListenNotificationAction = "s3:ListenNotification"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	// The string written in a policy document is "s3:PutLifecycleConfiguration",
	// which differs from the Go identifier.
	PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	// The string written in a policy document is "s3:GetLifecycleConfiguration".
	GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"

	// PutBucketNotificationAction - PutBucketNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
	DeleteObjectVersionAction = "s3:DeleteObjectVersion"

	// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
	DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"

	// GetObjectVersionAction - GetObjectVersion Rest API action.
	GetObjectVersionAction = "s3:GetObjectVersion"

	// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
	GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"

	// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
	PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"

	// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
	// A principal holding this action is exempt from governance retention on
	// those three calls, so it belongs only in policies for roles that
	// administer object lock.
	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"

	// PutObjectRetentionAction - PutObjectRetention Rest API action.
	PutObjectRetentionAction = "s3:PutObjectRetention"

	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
	GetObjectRetentionAction = "s3:GetObjectRetention"

	// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
	GetObjectLegalHoldAction = "s3:GetObjectLegalHold"

	// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
	PutObjectLegalHoldAction = "s3:PutObjectLegalHold"

	// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action
	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"

	// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action
	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"

	// GetBucketTaggingAction - GetBucketTagging Rest API action
	GetBucketTaggingAction = "s3:GetBucketTagging"

	// PutBucketTaggingAction - PutBucketTagging Rest API action
	PutBucketTaggingAction = "s3:PutBucketTagging"

	// GetObjectTaggingAction - Get Object Tags API action
	GetObjectTaggingAction = "s3:GetObjectTagging"

	// PutObjectTaggingAction - Put Object Tags API action
	PutObjectTaggingAction = "s3:PutObjectTagging"

	// DeleteObjectTaggingAction - Delete Object Tags API action
	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"

	// PutBucketEncryptionAction - PutBucketEncryption REST API action
	// The string written in a policy document is "s3:PutEncryptionConfiguration".
	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"

	// GetBucketEncryptionAction - GetBucketEncryption REST API action
	// The string written in a policy document is "s3:GetEncryptionConfiguration".
	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"

	// PutBucketVersioningAction - PutBucketVersioning REST API action
	PutBucketVersioningAction = "s3:PutBucketVersioning"

	// GetBucketVersioningAction - GetBucketVersioning REST API action
	GetBucketVersioningAction = "s3:GetBucketVersioning"
	// GetReplicationConfigurationAction  - GetReplicationConfiguration REST API action
	GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"
	// PutReplicationConfigurationAction  - PutReplicationConfiguration REST API action
	PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"

	// ReplicateObjectAction  - ReplicateObject REST API action
	ReplicateObjectAction = "s3:ReplicateObject"

	// ReplicateDeleteAction  - ReplicateDelete REST API action
	ReplicateDeleteAction = "s3:ReplicateDelete"

	// ReplicateTagsAction  - ReplicateTags REST API action
	ReplicateTagsAction = "s3:ReplicateTags"

	// GetObjectVersionForReplicationAction  - GetObjectVersionForReplication REST API action
	GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"

	// AllActions - all API actions
	// This is the wildcard "s3:*". The Admin and ReadWrite canned policies in
	// this package pass it to NewActionSet.
	// NOTE(review): presumably Action.Match treats it as a pattern covering
	// every "s3:" name above, including ForceDeleteBucketAction,
	// BypassGovernanceRetentionAction and the bucket-policy actions - confirm
	// before attaching a policy that contains it.
	AllActions = "s3:*"
)
// Admin API action names (the "admin:" strings).
//
// None of these carries an explicit type in this listing, so all of them are
// untyped string constants; AdminAction is the string type this package
// declares for admin actions, and ActionSet.ValidateAdmin checks a set
// against them.
// NOTE(review): several identifiers differ from the string that has to be
// written in a policy document (HealthInfoAdminAction, TopLocksAdminAction,
// TraceAdminAction, AttachPolicyAdminAction); audit policies by the string
// value, not by the Go name.
const (
	// HealAdminAction - allows heal command
	HealAdminAction = "admin:Heal"

	// StorageInfoAdminAction - allow listing server info
	// NOTE(review): the wording duplicates ServerInfoAdminAction; presumably this
	// one covers storage info - confirm.
	StorageInfoAdminAction = "admin:StorageInfo"
	// PrometheusAdminAction - prometheus info action
	PrometheusAdminAction = "admin:Prometheus"
	// DataUsageInfoAdminAction - allow listing data usage info
	DataUsageInfoAdminAction = "admin:DataUsageInfo"
	// ForceUnlockAdminAction - allow force unlocking locks
	ForceUnlockAdminAction = "admin:ForceUnlock"
	// TopLocksAdminAction - allow listing top locks
	// Policy string is "admin:TopLocksInfo".
	TopLocksAdminAction = "admin:TopLocksInfo"
	// ProfilingAdminAction - allow profiling
	ProfilingAdminAction = "admin:Profiling"
	// TraceAdminAction - allow listing server trace
	// Policy string is "admin:ServerTrace".
	TraceAdminAction = "admin:ServerTrace"
	// ConsoleLogAdminAction - allow listing console logs on terminal
	ConsoleLogAdminAction = "admin:ConsoleLog"
	// KMSCreateKeyAdminAction - allow creating a new KMS master key
	KMSCreateKeyAdminAction = "admin:KMSCreateKey"
	// KMSKeyStatusAdminAction - allow getting KMS key status
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
	// ServerInfoAdminAction - allow listing server info
	ServerInfoAdminAction = "admin:ServerInfo"
	// HealthInfoAdminAction - allow obtaining cluster health information
	// Policy string is "admin:OBDInfo", not a string derived from the Go name.
	HealthInfoAdminAction = "admin:OBDInfo"
	// BandwidthMonitorAction - allow monitoring bandwidth usage
	BandwidthMonitorAction = "admin:BandwidthMonitor"

	// The next four actions change the running server itself (binary, process
	// state, configuration) rather than reading information from it.

	// ServerUpdateAdminAction - allow MinIO binary update
	ServerUpdateAdminAction = "admin:ServerUpdate"
	// ServiceRestartAdminAction - allow restart of MinIO service.
	ServiceRestartAdminAction = "admin:ServiceRestart"
	// ServiceStopAdminAction - allow stopping MinIO service.
	ServiceStopAdminAction = "admin:ServiceStop"

	// ConfigUpdateAdminAction - allow MinIO config management
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// NOTE(review): the user, service-account, group and policy actions below
	// change which principals exist and which policies apply to them. A grant
	// of any of them deserves the same scrutiny as a grant of AllAdminActions.

	// CreateUserAdminAction - allow creating MinIO user
	CreateUserAdminAction = "admin:CreateUser"
	// DeleteUserAdminAction - allow deleting MinIO user
	DeleteUserAdminAction = "admin:DeleteUser"
	// ListUsersAdminAction - allow list users permission
	ListUsersAdminAction = "admin:ListUsers"
	// EnableUserAdminAction - allow enable user permission
	EnableUserAdminAction = "admin:EnableUser"
	// DisableUserAdminAction - allow disable user permission
	DisableUserAdminAction = "admin:DisableUser"
	// GetUserAdminAction - allows GET permission on user info
	GetUserAdminAction = "admin:GetUser"

	// CreateServiceAccountAdminAction - allow create a service account for a user
	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"
	// UpdateServiceAccountAdminAction - allow updating a service account
	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"
	// RemoveServiceAccountAdminAction - allow removing a service account
	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"
	// ListServiceAccountsAdminAction - allow listing service accounts
	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"

	// AddUserToGroupAdminAction - allow adding user to group permission
	AddUserToGroupAdminAction = "admin:AddUserToGroup"
	// RemoveUserFromGroupAdminAction - allow removing user from group permission
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
	// GetGroupAdminAction - allow getting group info
	GetGroupAdminAction = "admin:GetGroup"
	// ListGroupsAdminAction - allow list groups permission
	ListGroupsAdminAction = "admin:ListGroups"
	// EnableGroupAdminAction - allow enable group permission
	EnableGroupAdminAction = "admin:EnableGroup"
	// DisableGroupAdminAction - allow disable group permission
	DisableGroupAdminAction = "admin:DisableGroup"

	// CreatePolicyAdminAction - allow create policy permission
	CreatePolicyAdminAction = "admin:CreatePolicy"
	// DeletePolicyAdminAction - allow delete policy permission
	DeletePolicyAdminAction = "admin:DeletePolicy"
	// GetPolicyAdminAction - allow get policy permission
	GetPolicyAdminAction = "admin:GetPolicy"
	// AttachPolicyAdminAction - allows attaching a policy to a user/group
	// Policy string is "admin:AttachUserOrGroupPolicy".
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
	// ListUserPoliciesAdminAction - allows listing user policies
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// SetBucketQuotaAdminAction - allow setting bucket quota
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"
	// GetBucketQuotaAdminAction - allow getting bucket quota
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"

	// SetBucketTargetAction - allow setting bucket target
	SetBucketTargetAction = "admin:SetBucketTarget"
	// GetBucketTargetAction - allow getting bucket targets
	GetBucketTargetAction = "admin:GetBucketTarget"

	// AllAdminActions - provides all admin permissions
	// This is the wildcard "admin:*"; the first statement of the Admin canned
	// policy passes it to NewActionSet.
	AllAdminActions = "admin:*"
)
// Policy claim constants.
// NOTE(review): presumably these are the values passed as policyClaimName to
// GetPoliciesFromClaims and Args.GetPolicies - confirm against callers.
// Both of those take an already-decoded claims map and no key or token, so
// signature verification has to happen before the map is built.
const (
	// PolicyName is the claim name "policy".
	PolicyName        = "policy"
	// SessionPolicyName is the claim name "sessionPolicy".
	SessionPolicyName = "sessionPolicy"
)

Policy claim constants

// DefaultVersion is the policy version string. The canned policies Admin,
// ReadOnly, ReadWrite and WriteOnly all set Policy.Version to it.
const DefaultVersion = "2012-10-17"

DefaultVersion - default policy version as per AWS S3 specification.

// ResourceARNPrefix is the ARN prefix for S3 resources.
// NOTE(review): presumably the prefix expected on each entry of a
// statement's Resource element when a policy is parsed or encoded - confirm
// in Resource's JSON methods.
const ResourceARNPrefix = "arn:aws:s3:::"

ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.

Variables

// Admin is the canned all-access policy: two Allow statements, both with an
// empty SID.
//
// It is an exported var, and ActionSet and ResourceSet are map types, so any
// code that imports this package can change what Admin grants for the whole
// process. Work on a copy (for example via Statement.Clone) rather than
// editing this value in place.
var Admin = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			// Statement 1: AllAdminActions ("admin:*"). NewResourceSet() is
			// called with no resources, so the resource set is empty.
			SID:        policy.ID(""),
			Effect:     policy.Allow,
			Actions:    NewActionSet(AllAdminActions),
			Resources:  NewResourceSet(),
			Conditions: condition.NewFunctions(),
		},
		{
			// Statement 2: AllActions ("s3:*") on NewResource("*", "").
			// NOTE(review): presumably "*" as bucket name with an empty key
			// matches every bucket and object - confirm in Resource.Match.
			SID:        policy.ID(""),
			Effect:     policy.Allow,
			Actions:    NewActionSet(AllActions),
			Resources:  NewResourceSet(NewResource("*", "")),
			Conditions: condition.NewFunctions(),
		},
	},
}

Admin - provides admin all-access canned policy

AdminDiagnostics - provides admin diagnostics access.

// ReadOnly is the canned read-only policy: one Allow statement for
// GetBucketLocationAction and GetObjectAction on NewResource("*", "").
//
// ListBucketAction and ListAllMyBucketsAction are not in the action set.
// Conditions is not set in this literal, unlike the statements in Admin.
// Exported as a var holding map-typed sets, so importers can modify it;
// treat it as read-only and copy before changing.
var ReadOnly = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			SID:       policy.ID(""),
			Effect:    policy.Allow,
			Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
			Resources: NewResourceSet(NewResource("*", "")),
		},
	},
}

ReadOnly - read only.

// ReadWrite is the canned policy with one Allow statement for AllActions
// ("s3:*") on NewResource("*", "").
//
// The action set and resource set are the same as in the second statement of
// Admin. NOTE(review): the name suggests object read and write only, but
// "s3:*" presumably also matches the bucket-policy, force-delete and
// retention-bypass actions - confirm in Action.Match before handing this
// policy to ordinary users.
// Exported as a var holding map-typed sets, so importers can modify it;
// treat it as read-only and copy before changing.
var ReadWrite = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			SID:       policy.ID(""),
			Effect:    policy.Allow,
			Actions:   NewActionSet(AllActions),
			Resources: NewResourceSet(NewResource("*", "")),
		},
	},
}

ReadWrite - provides full access to all buckets and all objects

// WriteOnly is the canned write policy: one Allow statement for
// PutObjectAction on NewResource("*", ""). No read, list or delete action
// is in the set.
// Exported as a var holding map-typed sets, so importers can modify it;
// treat it as read-only and copy before changing.
var WriteOnly = Policy{
	Version: DefaultVersion,
	Statements: []Statement{
		{
			SID:       policy.ID(""),
			Effect:    policy.Allow,
			Actions:   NewActionSet(PutObjectAction),
			Resources: NewResourceSet(NewResource("*", "")),
		},
	},
}

WriteOnly - provides write access.

Functions

func Errorf

func Errorf(format string, a ...interface{}) error

Errorf - formats according to a format specifier and returns the string as a value that satisfies error of type policy.Error

func GetPoliciesFromClaims

func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool)

GetPoliciesFromClaims returns the list of policies to be applied for this incoming request, extracting the information from input JWT claims.

Types

type Action

// Action is the string type for S3 policy actions such as "s3:GetObject".
// AdminAction has the same underlying type, so a conversion between the two
// always compiles; IsValid is what tells a known action from an unknown one.
type Action string

Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about available actions.

func (Action) IsValid

func (action Action) IsValid() bool

IsValid - checks if action is valid or not.

func (Action) Match

func (action Action) Match(a Action) bool

Match - matches action name with action pattern.

type ActionSet

// ActionSet is a set of actions, stored as a map keyed by Action.
// Being a map, an assigned or passed ActionSet shares storage with the
// original; Clone is the method this type offers for making a copy.
type ActionSet map[Action]struct{}

ActionSet - set of actions.

func NewActionSet

func NewActionSet(actions ...Action) ActionSet

NewActionSet - creates new action set.

func (ActionSet) Add

func (actionSet ActionSet) Add(action Action)

Add - add action to the set.

func (ActionSet) Clone

func (actionSet ActionSet) Clone() ActionSet

Clone clones ActionSet structure

func (ActionSet) Equals

func (actionSet ActionSet) Equals(sactionSet ActionSet) bool

Equals - checks whether given action set is equal to current action set or not.

func (ActionSet) Intersection

func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet

Intersection - returns actions available in both ActionSet.

func (ActionSet) IsEmpty

func (actionSet ActionSet) IsEmpty() bool

IsEmpty - returns if the current action set is empty

func (ActionSet) MarshalJSON

func (actionSet ActionSet) MarshalJSON() ([]byte, error)

MarshalJSON - encodes ActionSet to JSON data.

func (ActionSet) Match

func (actionSet ActionSet) Match(action Action) bool

Match - matches the given action against any one of the action patterns in the action set.

func (ActionSet) String

func (actionSet ActionSet) String() string

func (ActionSet) ToAdminSlice

func (actionSet ActionSet) ToAdminSlice() []AdminAction

ToAdminSlice - returns slice of admin actions from the action set.

func (ActionSet) ToSlice

func (actionSet ActionSet) ToSlice() []Action

ToSlice - returns slice of actions from the action set.

func (*ActionSet) UnmarshalJSON

func (actionSet *ActionSet) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to ActionSet.

func (ActionSet) Validate

func (actionSet ActionSet) Validate() error

Validate checks if all actions are valid

func (ActionSet) ValidateAdmin

func (actionSet ActionSet) ValidateAdmin() error

ValidateAdmin checks if all actions are valid Admin actions

type AdminAction

// AdminAction is the string type for admin policy actions such as
// "admin:ServerInfo". It has the same underlying type as Action.
type AdminAction string

AdminAction - admin policy action.

func (AdminAction) IsValid

func (action AdminAction) IsValid() bool

IsValid - checks if action is valid or not.

type Args

// Args carries the facts about one request that Policy.IsAllowed and
// Statement.IsAllowed evaluate.
//
// NOTE(review): every field is exported and JSON-tagged, so an Args value
// can be produced by decoding JSON. The authorization result is only as
// trustworthy as these fields: fill them from the authenticated request
// context on the server, never from client-controlled input.
type Args struct {
	// Name of the account making the request.
	AccountName     string                 `json:"account"`
	// Groups associated with the request.
	Groups          []string               `json:"groups"`
	// The action being requested.
	Action          Action                 `json:"action"`
	// Bucket the request targets.
	BucketName      string                 `json:"bucket"`
	// Condition values supplied for evaluation; same type as the
	// conditionValues parameter of Resource.Match.
	ConditionValues map[string][]string    `json:"conditions"`
	// NOTE(review): presumably marks the owner account and may bypass
	// statement evaluation - confirm in IsAllowed before setting it anywhere
	// but the server's own credential check.
	IsOwner         bool                   `json:"owner"`
	// Object the request targets.
	ObjectName      string                 `json:"object"`
	// Claims map; Args.GetPolicies is documented as extracting the policy
	// list from JWT claims.
	Claims          map[string]interface{} `json:"claims"`
	// NOTE(review): presumably restricts evaluation to Deny statements, so a
	// request with no matching Allow is no longer rejected - confirm in
	// IsAllowed and keep this false unless another check supplies the Allow.
	DenyOnly        bool                   `json:"denyOnly"` // only applies deny
}

Args - arguments to policy to check whether it is allowed

func (Args) GetPolicies

func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool)

GetPolicies returns the list of policies to be applied for this incoming request, extracting the information from JWT claims.

type Error

// Error is the error type for failures during policy parsing. It implements
// error through its Error method and exposes the wrapped error via Unwrap.
type Error struct {
	// contains filtered or unexported fields
}

Error is the generic type for any error happening during policy parsing.

func (Error) Error

func (e Error) Error() string

Error 'error' compatible method.

func (Error) Unwrap

func (e Error) Unwrap() error

Unwrap the internal error.

type Policy

// Policy is an IAM policy document: an optional ID, a version string and a
// list of statements.
type Policy struct {
	// Optional identifier; omitted from JSON when empty.
	ID         policy.ID `json:"ID,omitempty"`
	// Version string; the canned policies in this package use DefaultVersion.
	// The field has no struct tag.
	Version    string
	// Statements of the policy; the JSON key is the singular "Statement".
	Statements []Statement `json:"Statement"`
}

Policy - IAM policy.

func ParseConfig

func ParseConfig(reader io.Reader) (*Policy, error)

ParseConfig - parses data in given reader to a Policy.

func (Policy) IsAllowed

func (iamp Policy) IsAllowed(args Args) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (Policy) IsEmpty

func (iamp Policy) IsEmpty() bool

IsEmpty - returns whether policy is empty or not.

func (Policy) Merge

func (iamp Policy) Merge(input Policy) Policy

Merge merges two policy documents and drops duplicate statements, if any.

func (*Policy) UnmarshalJSON

func (iamp *Policy) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Policy.

func (Policy) Validate

func (iamp Policy) Validate() error

Validate - validates all statements are for given bucket or not.

type Resource

// Resource is one resource entry of a policy statement.
// NOTE(review): NewResource takes (bucketName, keyName); presumably keyName
// ends up in Pattern - confirm. The canned policies build their resource
// with NewResource("*", "").
type Resource struct {
	// Bucket part of the resource.
	BucketName string
	// Pattern part of the resource; Resource.Match is documented as matching
	// an object name against the resource pattern.
	Pattern    string
}

Resource - resource in policy statement.

func NewResource

func NewResource(bucketName, keyName string) Resource

NewResource - creates new resource.

func (Resource) IsValid

func (r Resource) IsValid() bool

IsValid - checks whether Resource is valid or not.

func (Resource) MarshalJSON

func (r Resource) MarshalJSON() ([]byte, error)

MarshalJSON - encodes Resource to JSON data.

func (Resource) Match

func (r Resource) Match(resource string, conditionValues map[string][]string) bool

Match - matches object name with resource pattern.

func (Resource) String

func (r Resource) String() string

func (*Resource) UnmarshalJSON

func (r *Resource) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to Resource.

func (Resource) Validate

func (r Resource) Validate() error

Validate - validates Resource is for given bucket or not.

type ResourceSet

// ResourceSet is the set of resources in a policy statement, stored as a
// map keyed by Resource. Being a map, an assigned or passed ResourceSet
// shares storage with the original; Clone is the method this type offers
// for making a copy.
type ResourceSet map[Resource]struct{}

ResourceSet - set of resources in policy statement.

func NewResourceSet

func NewResourceSet(resources ...Resource) ResourceSet

NewResourceSet - creates new resource set.

func (ResourceSet) Add

func (resourceSet ResourceSet) Add(resource Resource)

Add - adds resource to resource set.

func (ResourceSet) Clone

func (resourceSet ResourceSet) Clone() ResourceSet

Clone clones ResourceSet structure

func (ResourceSet) Equals

func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool

Equals - checks whether given resource set is equal to current resource set or not.

func (ResourceSet) Intersection

func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet

Intersection - returns resources available in both ResourceSet.

func (ResourceSet) MarshalJSON

func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)

MarshalJSON - encodes ResourceSet to JSON data.

func (ResourceSet) Match

func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool

Match - matches object name with any one of the resource patterns in the resource set.

func (ResourceSet) String

func (resourceSet ResourceSet) String() string

func (ResourceSet) ToSlice

func (resourceSet ResourceSet) ToSlice() []Resource

ToSlice - returns slice of resources from the resource set.

func (*ResourceSet) UnmarshalJSON

func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error

UnmarshalJSON - decodes JSON data to ResourceSet.

func (ResourceSet) Validate

func (resourceSet ResourceSet) Validate() error

Validate - validates ResourceSet.

type Statement

// Statement is one IAM policy statement: an effect applied to a set of
// actions, a set of resources and optional condition functions.
type Statement struct {
	// Optional statement identifier; omitted from JSON when empty. The canned
	// policies in this package leave it empty.
	SID        policy.ID           `json:"Sid,omitempty"`
	// Effect of the statement; the canned policies use policy.Allow.
	Effect     policy.Effect       `json:"Effect"`
	// Actions the statement applies to; JSON key "Action".
	Actions    ActionSet           `json:"Action"`
	// Resources the statement applies to; JSON key "Resource", omitted when
	// empty. The admin statement of the Admin canned policy uses an empty set.
	Resources  ResourceSet         `json:"Resource,omitempty"`
	// Condition functions; JSON key "Condition", omitted when empty.
	Conditions condition.Functions `json:"Condition,omitempty"`
}

Statement - iam policy statement.

func NewStatement

func NewStatement(effect policy.Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement

NewStatement - creates new statement.

func (Statement) Clone

func (statement Statement) Clone() Statement

Clone clones Statement structure

func (Statement) Equals

func (statement Statement) Equals(st Statement) bool

Equals checks if two statements are equal

func (Statement) IsAllowed

func (statement Statement) IsAllowed(args Args) bool

IsAllowed - checks given policy args is allowed to continue the Rest API.

func (Statement) Validate

func (statement Statement) Validate() error

Validate - validates Statement is for given bucket or not.
