Documentation ¶
Index ¶
- Constants
- Variables
- func Errorf(format string, a ...interface{}) error
- func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string) (set.StringSet, bool)
- type Action
- type ActionSet
- func (actionSet ActionSet) Add(action Action)
- func (actionSet ActionSet) Clone() ActionSet
- func (actionSet ActionSet) Equals(sactionSet ActionSet) bool
- func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet
- func (actionSet ActionSet) IsEmpty() bool
- func (actionSet ActionSet) MarshalJSON() ([]byte, error)
- func (actionSet ActionSet) Match(action Action) bool
- func (actionSet ActionSet) String() string
- func (actionSet ActionSet) ToAdminSlice() []AdminAction
- func (actionSet ActionSet) ToSlice() []Action
- func (actionSet *ActionSet) UnmarshalJSON(data []byte) error
- func (actionSet ActionSet) Validate() error
- func (actionSet ActionSet) ValidateAdmin() error
- type AdminAction
- type Args
- type Error
- type Policy
- type Resource
- type ResourceSet
- func (resourceSet ResourceSet) Add(resource Resource)
- func (resourceSet ResourceSet) Clone() ResourceSet
- func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
- func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
- func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
- func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
- func (resourceSet ResourceSet) String() string
- func (resourceSet ResourceSet) ToSlice() []Resource
- func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
- func (resourceSet ResourceSet) Validate() error
- type Statement
Constants ¶
const ( // AbortMultipartUploadAction - AbortMultipartUpload Rest API action. AbortMultipartUploadAction Action = "s3:AbortMultipartUpload" // CreateBucketAction - CreateBucket Rest API action. CreateBucketAction = "s3:CreateBucket" // DeleteBucketAction - DeleteBucket Rest API action. DeleteBucketAction = "s3:DeleteBucket" // ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag // is specified. ForceDeleteBucketAction = "s3:ForceDeleteBucket" // DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action. DeleteBucketPolicyAction = "s3:DeleteBucketPolicy" // DeleteObjectAction - DeleteObject Rest API action. DeleteObjectAction = "s3:DeleteObject" // GetBucketLocationAction - GetBucketLocation Rest API action. GetBucketLocationAction = "s3:GetBucketLocation" // GetBucketNotificationAction - GetBucketNotification Rest API action. GetBucketNotificationAction = "s3:GetBucketNotification" // GetBucketPolicyAction - GetBucketPolicy Rest API action. GetBucketPolicyAction = "s3:GetBucketPolicy" // GetObjectAction - GetObject Rest API action. GetObjectAction = "s3:GetObject" // HeadBucketAction - HeadBucket Rest API action. This action is unused in minio. HeadBucketAction = "s3:HeadBucket" // ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action. ListAllMyBucketsAction = "s3:ListAllMyBuckets" // ListBucketAction - ListBucket Rest API action. ListBucketAction = "s3:ListBucket" // GetBucketPolicyStatusAction - Retrieves the policy status for a bucket. GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus" // ListBucketVersionsAction - ListBucketVersions Rest API action. ListBucketVersionsAction = "s3:ListBucketVersions" // ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action. ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads" // ListenNotificationAction - ListenNotification Rest API action. // This is MinIO extension. ListenNotificationAction = "s3:ListenNotification" // ListenBucketNotificationAction - ListenBucketNotification Rest API action. // This is MinIO extension. ListenBucketNotificationAction = "s3:ListenBucketNotification" // ListMultipartUploadPartsAction - ListParts Rest API action. ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts" // PutBucketLifecycleAction - PutBucketLifecycle Rest API action. PutBucketLifecycleAction = "s3:PutLifecycleConfiguration" // GetBucketLifecycleAction - GetBucketLifecycle Rest API action. GetBucketLifecycleAction = "s3:GetLifecycleConfiguration" // PutBucketNotificationAction - PutObjectNotification Rest API action. PutBucketNotificationAction = "s3:PutBucketNotification" // PutBucketPolicyAction - PutBucketPolicy Rest API action. PutBucketPolicyAction = "s3:PutBucketPolicy" // PutObjectAction - PutObject Rest API action. PutObjectAction = "s3:PutObject" // DeleteObjectVersionAction - DeleteObjectVersion Rest API action. DeleteObjectVersionAction = "s3:DeleteObjectVersion" // DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action. DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging" // GetObjectVersionAction - GetObjectVersionAction Rest API action. GetObjectVersionAction = "s3:GetObjectVersion" // GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action. GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging" // PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action. PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging" // BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action. BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention" // PutObjectRetentionAction - PutObjectRetention Rest API action. PutObjectRetentionAction = "s3:PutObjectRetention" // GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action. GetObjectRetentionAction = "s3:GetObjectRetention" // GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action. GetObjectLegalHoldAction = "s3:GetObjectLegalHold" // PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action. PutObjectLegalHoldAction = "s3:PutObjectLegalHold" // GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration" // PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration" // GetBucketTaggingAction - GetBucketTagging Rest API action GetBucketTaggingAction = "s3:GetBucketTagging" // PutBucketTaggingAction - PutBucketTagging Rest API action PutBucketTaggingAction = "s3:PutBucketTagging" // GetObjectTaggingAction - Get Object Tags API action GetObjectTaggingAction = "s3:GetObjectTagging" // PutObjectTaggingAction - Put Object Tags API action PutObjectTaggingAction = "s3:PutObjectTagging" // DeleteObjectTaggingAction - Delete Object Tags API action DeleteObjectTaggingAction = "s3:DeleteObjectTagging" // PutBucketEncryptionAction - PutBucketEncryption REST API action PutBucketEncryptionAction = "s3:PutEncryptionConfiguration" // GetBucketEncryptionAction - GetBucketEncryption REST API action GetBucketEncryptionAction = "s3:GetEncryptionConfiguration" // PutBucketVersioningAction - PutBucketVersioning REST API action PutBucketVersioningAction = "s3:PutBucketVersioning" // GetBucketVersioningAction - GetBucketVersioning REST API action GetBucketVersioningAction = "s3:GetBucketVersioning" // GetReplicationConfigurationAction - GetReplicationConfiguration REST API action GetReplicationConfigurationAction = "s3:GetReplicationConfiguration" // PutReplicationConfigurationAction - PutReplicationConfiguration REST API action PutReplicationConfigurationAction = "s3:PutReplicationConfiguration" // ReplicateObjectAction - ReplicateObject REST API action ReplicateObjectAction = "s3:ReplicateObject" // ReplicateDeleteAction - ReplicateDelete REST API action ReplicateDeleteAction = "s3:ReplicateDelete" // ReplicateTagsAction - ReplicateTags REST API action ReplicateTagsAction = "s3:ReplicateTags" // GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication" // AllActions - all API actions AllActions = "s3:*" )
const ( // HealAdminAction - allows heal command HealAdminAction = "admin:Heal" // StorageInfoAdminAction - allow listing server info StorageInfoAdminAction = "admin:StorageInfo" // PrometheusAdminAction - prometheus info action PrometheusAdminAction = "admin:Prometheus" // DataUsageInfoAdminAction - allow listing data usage info DataUsageInfoAdminAction = "admin:DataUsageInfo" // ForceUnlockAdminAction - allow force unlocking locks ForceUnlockAdminAction = "admin:ForceUnlock" // TopLocksAdminAction - allow listing top locks TopLocksAdminAction = "admin:TopLocksInfo" // ProfilingAdminAction - allow profiling ProfilingAdminAction = "admin:Profiling" // TraceAdminAction - allow listing server trace TraceAdminAction = "admin:ServerTrace" // ConsoleLogAdminAction - allow listing console logs on terminal ConsoleLogAdminAction = "admin:ConsoleLog" // KMSCreateKeyAdminAction - allow creating a new KMS master key KMSCreateKeyAdminAction = "admin:KMSCreateKey" // KMSKeyStatusAdminAction - allow getting KMS key status KMSKeyStatusAdminAction = "admin:KMSKeyStatus" // ServerInfoAdminAction - allow listing server info ServerInfoAdminAction = "admin:ServerInfo" // HealthInfoAdminAction - allow obtaining cluster health information HealthInfoAdminAction = "admin:OBDInfo" // BandwidthMonitorAction - allow monitoring bandwidth usage BandwidthMonitorAction = "admin:BandwidthMonitor" // ServerUpdateAdminAction - allow MinIO binary update ServerUpdateAdminAction = "admin:ServerUpdate" // ServiceRestartAdminAction - allow restart of MinIO service. ServiceRestartAdminAction = "admin:ServiceRestart" // ServiceStopAdminAction - allow stopping MinIO service. ServiceStopAdminAction = "admin:ServiceStop" // ConfigUpdateAdminAction - allow MinIO config management ConfigUpdateAdminAction = "admin:ConfigUpdate" // CreateUserAdminAction - allow creating MinIO user CreateUserAdminAction = "admin:CreateUser" // DeleteUserAdminAction - allow deleting MinIO user DeleteUserAdminAction = "admin:DeleteUser" // ListUsersAdminAction - allow list users permission ListUsersAdminAction = "admin:ListUsers" // EnableUserAdminAction - allow enable user permission EnableUserAdminAction = "admin:EnableUser" // DisableUserAdminAction - allow disable user permission DisableUserAdminAction = "admin:DisableUser" // GetUserAdminAction - allows GET permission on user info GetUserAdminAction = "admin:GetUser" // CreateServiceAccountAdminAction - allow create a service account for a user CreateServiceAccountAdminAction = "admin:CreateServiceAccount" // UpdateServiceAccountAdminAction - allow updating a service account UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount" // RemoveServiceAccountAdminAction - allow removing a service account RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount" // ListServiceAccountsAdminAction - allow listing service accounts ListServiceAccountsAdminAction = "admin:ListServiceAccounts" // AddUserToGroupAdminAction - allow adding user to group permission AddUserToGroupAdminAction = "admin:AddUserToGroup" // RemoveUserFromGroupAdminAction - allow removing user to group permission RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup" // GetGroupAdminAction - allow getting group info GetGroupAdminAction = "admin:GetGroup" // ListGroupsAdminAction - allow list groups permission ListGroupsAdminAction = "admin:ListGroups" // EnableGroupAdminAction - allow enable group permission EnableGroupAdminAction = "admin:EnableGroup" // DisableGroupAdminAction - allow disable group permission DisableGroupAdminAction = "admin:DisableGroup" // CreatePolicyAdminAction - allow create policy permission CreatePolicyAdminAction = "admin:CreatePolicy" // DeletePolicyAdminAction - allow delete policy permission DeletePolicyAdminAction = "admin:DeletePolicy" // GetPolicyAdminAction - allow get policy permission GetPolicyAdminAction = "admin:GetPolicy" // AttachPolicyAdminAction - allows attaching a policy to a user/group AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy" // ListUserPoliciesAdminAction - allows listing user policies ListUserPoliciesAdminAction = "admin:ListUserPolicies" // SetBucketQuotaAdminAction - allow setting bucket quota SetBucketQuotaAdminAction = "admin:SetBucketQuota" // GetBucketQuotaAdminAction - allow getting bucket quota GetBucketQuotaAdminAction = "admin:GetBucketQuota" // SetBucketTargetAction - allow setting bucket target SetBucketTargetAction = "admin:SetBucketTarget" // GetBucketTargetAction - allow getting bucket targets GetBucketTargetAction = "admin:GetBucketTarget" // AllAdminActions - provides all admin permissions AllAdminActions = "admin:*" )
const ( PolicyName = "policy" SessionPolicyName = "sessionPolicy" )
Policy claim constants
const DefaultVersion = "2012-10-17"
DefaultVersion - default policy version as per AWS S3 specification.
const ResourceARNPrefix = "arn:aws:s3:::"
ResourceARNPrefix - resource ARN prefix as per AWS S3 specification.
Variables ¶
var Admin = Policy{ Version: DefaultVersion, Statements: []Statement{ { SID: policy.ID(""), Effect: policy.Allow, Actions: NewActionSet(AllAdminActions), Resources: NewResourceSet(), Conditions: condition.NewFunctions(), }, { SID: policy.ID(""), Effect: policy.Allow, Actions: NewActionSet(AllActions), Resources: NewResourceSet(NewResource("*", "")), Conditions: condition.NewFunctions(), }, }, }
Admin - provides admin all-access canned policy
var AdminDiagnostics = Policy{ Version: DefaultVersion, Statements: []Statement{ { SID: policy.ID(""), Effect: policy.Allow, Actions: NewActionSet(ProfilingAdminAction, TraceAdminAction, ConsoleLogAdminAction, ServerInfoAdminAction, TopLocksAdminAction, HealthInfoAdminAction, BandwidthMonitorAction, PrometheusAdminAction, ), Resources: NewResourceSet(NewResource("*", "")), }, }, }
AdminDiagnostics - provides admin diagnostics access.
var ReadOnly = Policy{ Version: DefaultVersion, Statements: []Statement{ { SID: policy.ID(""), Effect: policy.Allow, Actions: NewActionSet(GetBucketLocationAction, GetObjectAction), Resources: NewResourceSet(NewResource("*", "")), }, }, }
ReadOnly - read only.
var ReadWrite = Policy{ Version: DefaultVersion, Statements: []Statement{ { SID: policy.ID(""), Effect: policy.Allow, Actions: NewActionSet(AllActions), Resources: NewResourceSet(NewResource("*", "")), }, }, }
ReadWrite - provides full access to all buckets and all objects
var WriteOnly = Policy{ Version: DefaultVersion, Statements: []Statement{ { SID: policy.ID(""), Effect: policy.Allow, Actions: NewActionSet(PutObjectAction), Resources: NewResourceSet(NewResource("*", "")), }, }, }
WriteOnly - provides write access.
Functions ¶
Types ¶
type Action ¶
type Action string
Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about available actions.
type ActionSet ¶
type ActionSet map[Action]struct{}
ActionSet - set of actions.
func NewActionSet ¶
NewActionSet - creates new action set.
func (ActionSet) Equals ¶
Equals - checks whether given action set is equal to current action set or not.
func (ActionSet) Intersection ¶
Intersection - returns actions available in both ActionSet.
func (ActionSet) MarshalJSON ¶
MarshalJSON - encodes ActionSet to JSON data.
func (ActionSet) ToAdminSlice ¶
func (actionSet ActionSet) ToAdminSlice() []AdminAction
ToAdminSlice - returns slice of admin actions from the action set.
func (*ActionSet) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to ActionSet.
func (ActionSet) ValidateAdmin ¶
ValidateAdmin checks if all actions are valid Admin actions
type AdminAction ¶
type AdminAction string
AdminAction - admin policy action.
func (AdminAction) IsValid ¶
func (action AdminAction) IsValid() bool
IsValid - checks if action is valid or not.
type Args ¶
type Args struct { AccountName string `json:"account"` Groups []string `json:"groups"` Action Action `json:"action"` BucketName string `json:"bucket"` ConditionValues map[string][]string `json:"conditions"` IsOwner bool `json:"owner"` ObjectName string `json:"object"` Claims map[string]interface{} `json:"claims"` DenyOnly bool `json:"denyOnly"` // only applies deny }
Args - arguments to policy to check whether it is allowed
type Error ¶
type Error struct {
// contains filtered or unexported fields
}
Error is the generic type for any error happening during policy parsing.
type Policy ¶
type Policy struct { ID policy.ID `json:"ID,omitempty"` Version string Statements []Statement `json:"Statement"` }
Policy - iam bucket iamp.
func ParseConfig ¶
ParseConfig - parses data in given reader to Iamp.
func (*Policy) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Iamp.
type Resource ¶
Resource - resource in policy statement.
func NewResource ¶
NewResource - creates new resource.
func (Resource) MarshalJSON ¶
MarshalJSON - encodes Resource to JSON data.
func (*Resource) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Resource.
type ResourceSet ¶
type ResourceSet map[Resource]struct{}
ResourceSet - set of resources in policy statement.
func NewResourceSet ¶
func NewResourceSet(resources ...Resource) ResourceSet
NewResourceSet - creates new resource set.
func (ResourceSet) Add ¶
func (resourceSet ResourceSet) Add(resource Resource)
Add - adds resource to resource set.
func (ResourceSet) Clone ¶
func (resourceSet ResourceSet) Clone() ResourceSet
Clone clones ResourceSet structure
func (ResourceSet) Equals ¶
func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
Equals - checks whether given resource set is equal to current resource set or not.
func (ResourceSet) Intersection ¶
func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
Intersection - returns resources available in both ResourceSet.
func (ResourceSet) MarshalJSON ¶
func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
MarshalJSON - encodes ResourceSet to JSON data.
func (ResourceSet) Match ¶
func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
Match - matches object name with anyone of resource pattern in resource set.
func (ResourceSet) String ¶
func (resourceSet ResourceSet) String() string
func (ResourceSet) ToSlice ¶
func (resourceSet ResourceSet) ToSlice() []Resource
ToSlice - returns slice of resources from the resource set.
func (*ResourceSet) UnmarshalJSON ¶
func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to ResourceSet.
func (ResourceSet) Validate ¶
func (resourceSet ResourceSet) Validate() error
Validate - validates ResourceSet.
type Statement ¶
type Statement struct { SID policy.ID `json:"Sid,omitempty"` Effect policy.Effect `json:"Effect"` Actions ActionSet `json:"Action"` Resources ResourceSet `json:"Resource,omitempty"` Conditions condition.Functions `json:"Condition,omitempty"` }
Statement - iam policy statement.
func NewStatement ¶
func NewStatement(effect policy.Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement
NewStatement - creates new statement.