Documentation
Index
- Constants
- Variables
- func Errorf(format string, a ...interface{}) error
- func GetPoliciesFromClaims(claims map[string]any, policyClaimName string) (set.StringSet, bool)
- func GetValuesFromClaims(claims map[string]any, claimName string) (set.StringSet, bool)
- func IsAllowedPar(policies []Policy, args Args) bool
- func IsAllowedSerial(policies []Policy, args Args) bool
- type Action
- type ActionConditionKeyMap
- type ActionSet
- func (actionSet ActionSet) Add(action Action)
- func (actionSet ActionSet) Clone() ActionSet
- func (actionSet ActionSet) Contains(action Action) bool
- func (actionSet ActionSet) Equals(sactionSet ActionSet) bool
- func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet
- func (actionSet ActionSet) IsEmpty() bool
- func (actionSet ActionSet) MarshalJSON() ([]byte, error)
- func (actionSet ActionSet) Match(action Action) bool
- func (actionSet ActionSet) String() string
- func (actionSet ActionSet) ToAdminSlice() []AdminAction
- func (actionSet ActionSet) ToKMSSlice() (actions []KMSAction)
- func (actionSet ActionSet) ToSTSSlice() []STSAction
- func (actionSet ActionSet) ToSlice() []Action
- func (actionSet ActionSet) ToTableSlice() []TableAction
- func (actionSet *ActionSet) UnmarshalJSON(data []byte) error
- func (actionSet ActionSet) Validate() error
- func (actionSet ActionSet) ValidateAdmin() error
- func (actionSet ActionSet) ValidateKMS() error
- func (actionSet ActionSet) ValidateSTS() error
- func (actionSet ActionSet) ValidateTable() error
- type AdminAction
- type Args
- type BPStatement
- func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, ...) BPStatement
- func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, ...) BPStatement
- func NewBPStatementWithNotResource(sid ID, effect Effect, principal Principal, actions ActionSet, ...) BPStatement
- type BucketPolicy
- func (policy *BucketPolicy) Equals(p BucketPolicy) bool
- func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool
- func (policy BucketPolicy) IsEmpty() bool
- func (policy BucketPolicy) MarshalJSON() ([]byte, error)
- func (policy *BucketPolicy) UnmarshalJSON(data []byte) error
- func (policy BucketPolicy) Validate(bucketName string) error
- type BucketPolicyArgs
- type Decision
- type Effect
- type Error
- type ID
- type KMSAction
- type Policy
- func (iamp *Policy) Decide(args *Args) Decision
- func (iamp *Policy) Equals(p Policy) bool
- func (iamp *Policy) HasDenyStatement() bool
- func (iamp Policy) IsAllowed(args Args) bool
- func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet
- func (iamp Policy) IsEmpty() bool
- func (iamp Policy) MatchResource(resource string) bool
- func (iamp *Policy) UnmarshalJSON(data []byte) error
- func (iamp Policy) Validate() error
- type Principal
- func (p Principal) Clone() Principal
- func (p Principal) Equals(pp Principal) bool
- func (p Principal) Intersection(principal Principal) set.StringSet
- func (p Principal) IsValid() bool
- func (p Principal) MarshalJSON() ([]byte, error)
- func (p Principal) Match(principal string) bool
- func (p *Principal) UnmarshalJSON(data []byte) error
- type Resource
- func (r Resource) IsValid() bool
- func (r Resource) MarshalJSON() ([]byte, error)
- func (r Resource) Match(resource string, conditionValues map[string][]string) bool
- func (r Resource) MatchResource(resource string) bool
- func (r Resource) String() string
- func (r *Resource) UnmarshalJSON(data []byte) error
- func (r Resource) Validate() error
- func (r Resource) ValidateBucket(bucketName string) error
- type ResourceARNType
- type ResourceSet
- func (resourceSet ResourceSet) Add(resource Resource)
- func (resourceSet ResourceSet) BucketResourceExists() bool
- func (resourceSet ResourceSet) Clone() ResourceSet
- func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
- func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
- func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
- func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
- func (resourceSet ResourceSet) MatchResource(resource string) bool
- func (resourceSet ResourceSet) ObjectResourceExists() bool
- func (resourceSet ResourceSet) String() string
- func (resourceSet ResourceSet) ToSlice() []Resource
- func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
- func (resourceSet ResourceSet) ValidateBucket(bucketName string) error
- func (resourceSet ResourceSet) ValidateKMS() error
- func (resourceSet ResourceSet) ValidateS3() error
- func (resourceSet ResourceSet) ValidateTable() error
- type STSAction
- type Statement
- func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, ...) Statement
- func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, ...) Statement
- func NewStatementWithNotResource(sid ID, effect Effect, actions ActionSet, notResources ResourceSet, ...) Statement
- type TableAction
Constants
const ( // AbortMultipartUploadAction - AbortMultipartUpload Rest API action. AbortMultipartUploadAction Action = "s3:AbortMultipartUpload" // CreateBucketAction - CreateBucket Rest API action. CreateBucketAction = "s3:CreateBucket" // DeleteBucketAction - DeleteBucket Rest API action. DeleteBucketAction = "s3:DeleteBucket" // ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag // is specified. ForceDeleteBucketAction = "s3:ForceDeleteBucket" // DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action. DeleteBucketPolicyAction = "s3:DeleteBucketPolicy" // DeleteBucketCorsAction - DeleteBucketCors Rest API action. DeleteBucketCorsAction = "s3:DeleteBucketCors" // DeleteObjectAction - DeleteObject Rest API action. DeleteObjectAction = "s3:DeleteObject" // GetBucketLocationAction - GetBucketLocation Rest API action. GetBucketLocationAction = "s3:GetBucketLocation" // GetBucketNotificationAction - GetBucketNotification Rest API action. GetBucketNotificationAction = "s3:GetBucketNotification" // GetBucketPolicyAction - GetBucketPolicy Rest API action. GetBucketPolicyAction = "s3:GetBucketPolicy" // GetBucketCorsAction - GetBucketCors Rest API action. GetBucketCorsAction = "s3:GetBucketCors" // GetObjectAction - GetObject Rest API action. GetObjectAction = "s3:GetObject" // GetObjectAttributesAction - GetObjectVersionAttributes Rest API action. GetObjectAttributesAction = "s3:GetObjectAttributes" // HeadBucketAction - HeadBucket Rest API action. This action is unused in minio. HeadBucketAction = "s3:HeadBucket" // ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action. ListAllMyBucketsAction = "s3:ListAllMyBuckets" // ListBucketAction - ListBucket Rest API action. ListBucketAction = "s3:ListBucket" // GetBucketPolicyStatusAction - Retrieves the policy status for a bucket. GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus" // ListBucketVersionsAction - ListBucketVersions Rest API action. 
ListBucketVersionsAction = "s3:ListBucketVersions" // ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action. ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads" // ListenNotificationAction - ListenNotification Rest API action. // This is MinIO extension. ListenNotificationAction = "s3:ListenNotification" // ListenBucketNotificationAction - ListenBucketNotification Rest API action. // This is MinIO extension. ListenBucketNotificationAction = "s3:ListenBucketNotification" // ListMultipartUploadPartsAction - ListParts Rest API action. ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts" // PutBucketLifecycleAction - PutBucketLifecycle Rest API action. PutBucketLifecycleAction = "s3:PutLifecycleConfiguration" // GetBucketLifecycleAction - GetBucketLifecycle Rest API action. GetBucketLifecycleAction = "s3:GetLifecycleConfiguration" // PutBucketNotificationAction - PutObjectNotification Rest API action. PutBucketNotificationAction = "s3:PutBucketNotification" // PutBucketPolicyAction - PutBucketPolicy Rest API action. PutBucketPolicyAction = "s3:PutBucketPolicy" // PutBucketCorsAction - PutBucketCors Rest API action. PutBucketCorsAction = "s3:PutBucketCors" // PutBucketQOSAction - allow set QOS configuration PutBucketQOSAction = "s3:PutBucketQOS" // GetBucketQOSAction - allow get QOS configuration GetBucketQOSAction = "s3:GetBucketQOS" // PutObjectAction - PutObject Rest API action. PutObjectAction = "s3:PutObject" // DeleteObjectVersionAction - DeleteObjectVersion Rest API action. DeleteObjectVersionAction = "s3:DeleteObjectVersion" // DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action. DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging" // GetObjectVersionAction - GetObjectVersionAction Rest API action. GetObjectVersionAction = "s3:GetObjectVersion" // GetObjectVersionAttributesAction - GetObjectVersionAttributes Rest API action. 
GetObjectVersionAttributesAction = "s3:GetObjectVersionAttributes" // GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action. GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging" // PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action. PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging" // BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action. BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention" // PutObjectRetentionAction - PutObjectRetention Rest API action. PutObjectRetentionAction = "s3:PutObjectRetention" // GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action. GetObjectRetentionAction = "s3:GetObjectRetention" // GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action. GetObjectLegalHoldAction = "s3:GetObjectLegalHold" // PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action. PutObjectLegalHoldAction = "s3:PutObjectLegalHold" // GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration" // PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration" // GetBucketTaggingAction - GetBucketTagging Rest API action GetBucketTaggingAction = "s3:GetBucketTagging" // PutBucketTaggingAction - PutBucketTagging Rest API action PutBucketTaggingAction = "s3:PutBucketTagging" // GetObjectTaggingAction - Get Object Tags API action GetObjectTaggingAction = "s3:GetObjectTagging" // PutObjectTaggingAction - Put Object Tags API action PutObjectTaggingAction = "s3:PutObjectTagging" // DeleteObjectTaggingAction - Delete Object Tags API action DeleteObjectTaggingAction = "s3:DeleteObjectTagging" // PutBucketEncryptionAction - PutBucketEncryption REST API action 
PutBucketEncryptionAction = "s3:PutEncryptionConfiguration" // GetBucketEncryptionAction - GetBucketEncryption REST API action GetBucketEncryptionAction = "s3:GetEncryptionConfiguration" // PutBucketVersioningAction - PutBucketVersioning REST API action PutBucketVersioningAction = "s3:PutBucketVersioning" // GetBucketVersioningAction - GetBucketVersioning REST API action GetBucketVersioningAction = "s3:GetBucketVersioning" // GetReplicationConfigurationAction - GetReplicationConfiguration REST API action GetReplicationConfigurationAction = "s3:GetReplicationConfiguration" // PutReplicationConfigurationAction - PutReplicationConfiguration REST API action PutReplicationConfigurationAction = "s3:PutReplicationConfiguration" // ReplicateObjectAction - ReplicateObject REST API action ReplicateObjectAction = "s3:ReplicateObject" // ReplicateDeleteAction - ReplicateDelete REST API action ReplicateDeleteAction = "s3:ReplicateDelete" // ReplicateTagsAction - ReplicateTags REST API action ReplicateTagsAction = "s3:ReplicateTags" // GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication" // RestoreObjectAction - RestoreObject REST API action RestoreObjectAction = "s3:RestoreObject" // ResetBucketReplicationStateAction - MinIO extension API ResetBucketReplicationState to reset replication state // on a bucket ResetBucketReplicationStateAction = "s3:ResetBucketReplicationState" // PutObjectFanOutAction - PutObject like API action but allows PostUpload() fan-out. 
PutObjectFanOutAction = "s3:PutObjectFanOut" // PutInventoryConfigurationAction - Bucket inventory write operations actions PutInventoryConfigurationAction = "s3:PutInventoryConfiguration" // GetInventoryConfigurationAction - Bucket inventory read operations actions GetInventoryConfigurationAction = "s3:GetInventoryConfiguration" // CreateSessionAction - S3Express REST API action CreateSessionAction = "s3express:CreateSession" // AllActions - all API actions AllActions = "s3:*" )
const ( // HealAdminAction - allows heal command HealAdminAction = "admin:Heal" // DecommissionAdminAction - allows decomissioning of pools DecommissionAdminAction = "admin:Decommission" // RebalanceAdminAction - allows rebalancing of pools RebalanceAdminAction = "admin:Rebalance" // StorageInfoAdminAction - allow listing server info StorageInfoAdminAction = "admin:StorageInfo" // PrometheusAdminAction - prometheus info action PrometheusAdminAction = "admin:Prometheus" // DataUsageInfoAdminAction - allow listing data usage info DataUsageInfoAdminAction = "admin:DataUsageInfo" // ForceUnlockAdminAction - allow force unlocking locks ForceUnlockAdminAction = "admin:ForceUnlock" // TopLocksAdminAction - allow listing top locks TopLocksAdminAction = "admin:TopLocksInfo" // ProfilingAdminAction - allow profiling ProfilingAdminAction = "admin:Profiling" // TraceAdminAction - allow listing server trace TraceAdminAction = "admin:ServerTrace" // ConsoleLogAdminAction - allow listing console logs on terminal ConsoleLogAdminAction = "admin:ConsoleLog" // KMSCreateKeyAdminAction - allow creating a new KMS master key KMSCreateKeyAdminAction = "admin:KMSCreateKey" // KMSKeyStatusAdminAction - allow getting KMS key status KMSKeyStatusAdminAction = "admin:KMSKeyStatus" // ServerInfoAdminAction - allow listing server info ServerInfoAdminAction = "admin:ServerInfo" // HealthInfoAdminAction - allow obtaining cluster health information HealthInfoAdminAction = "admin:OBDInfo" // LicenseInfoAdminAction - allow obtaining license information LicenseInfoAdminAction = "admin:LicenseInfo" // BandwidthMonitorAction - allow monitoring bandwidth usage BandwidthMonitorAction = "admin:BandwidthMonitor" // InspectDataAction - allows downloading raw files from backend InspectDataAction = "admin:InspectData" // ServerUpdateAdminAction - allow MinIO binary update ServerUpdateAdminAction = "admin:ServerUpdate" // ServiceRestartAdminAction - allow restart of MinIO service. 
ServiceRestartAdminAction = "admin:ServiceRestart" // ServiceStopAdminAction - allow stopping MinIO service. ServiceStopAdminAction = "admin:ServiceStop" // ServiceFreezeAdminAction - allow freeze/unfreeze MinIO service. ServiceFreezeAdminAction = "admin:ServiceFreeze" // ServiceCordonAdminAction - allow cordon/uncordon MinIO service. ServiceCordonAdminAction = "admin:ServiceCordon" // ConfigUpdateAdminAction - allow MinIO config management ConfigUpdateAdminAction = "admin:ConfigUpdate" // CreateUserAdminAction - allow creating MinIO user CreateUserAdminAction = "admin:CreateUser" // DeleteUserAdminAction - allow deleting MinIO user DeleteUserAdminAction = "admin:DeleteUser" // ListUsersAdminAction - allow list users permission ListUsersAdminAction = "admin:ListUsers" // EnableUserAdminAction - allow enable user permission EnableUserAdminAction = "admin:EnableUser" // DisableUserAdminAction - allow disable user permission DisableUserAdminAction = "admin:DisableUser" // GetUserAdminAction - allows GET permission on user info GetUserAdminAction = "admin:GetUser" // SiteReplicationAddAction - allow adding clusters for site-level replication SiteReplicationAddAction = "admin:SiteReplicationAdd" // SiteReplicationDisableAction - allow disabling a cluster from replication SiteReplicationDisableAction = "admin:SiteReplicationDisable" // SiteReplicationRemoveAction - allow removing a cluster from replication SiteReplicationRemoveAction = "admin:SiteReplicationRemove" // SiteReplicationResyncAction - allow resyncing cluster data to another site SiteReplicationResyncAction = "admin:SiteReplicationResync" // SiteReplicationInfoAction - allow getting site replication info SiteReplicationInfoAction = "admin:SiteReplicationInfo" // SiteReplicationOperationAction - allow performing site replication // create/update/delete operations to peers SiteReplicationOperationAction = "admin:SiteReplicationOperation" // CreateServiceAccountAdminAction - allow create a service account for a 
user CreateServiceAccountAdminAction = "admin:CreateServiceAccount" // UpdateServiceAccountAdminAction - allow updating a service account UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount" // RemoveServiceAccountAdminAction - allow removing a service account RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount" // ListServiceAccountsAdminAction - allow listing service accounts ListServiceAccountsAdminAction = "admin:ListServiceAccounts" // ListTemporaryAccountsAdminAction - allow listing of temporary accounts ListTemporaryAccountsAdminAction = "admin:ListTemporaryAccounts" // AddUserToGroupAdminAction - allow adding user to group permission AddUserToGroupAdminAction = "admin:AddUserToGroup" // RemoveUserFromGroupAdminAction - allow removing user to group permission RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup" // GetGroupAdminAction - allow getting group info GetGroupAdminAction = "admin:GetGroup" // ListGroupsAdminAction - allow list groups permission ListGroupsAdminAction = "admin:ListGroups" // EnableGroupAdminAction - allow enable group permission EnableGroupAdminAction = "admin:EnableGroup" // DisableGroupAdminAction - allow disable group permission DisableGroupAdminAction = "admin:DisableGroup" // CreatePolicyAdminAction - allow create policy permission CreatePolicyAdminAction = "admin:CreatePolicy" // DeletePolicyAdminAction - allow delete policy permission DeletePolicyAdminAction = "admin:DeletePolicy" // GetPolicyAdminAction - allow get policy permission GetPolicyAdminAction = "admin:GetPolicy" // AttachPolicyAdminAction - allows attaching a policy to a user/group AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy" // UpdatePolicyAssociationAction - allows to add/remove policy association // on a user or group. 
UpdatePolicyAssociationAction = "admin:UpdatePolicyAssociation" // ListUserPoliciesAdminAction - allows listing user policies ListUserPoliciesAdminAction = "admin:ListUserPolicies" // SetBucketQuotaAdminAction - allow setting bucket quota SetBucketQuotaAdminAction = "admin:SetBucketQuota" // GetBucketQuotaAdminAction - allow getting bucket quota GetBucketQuotaAdminAction = "admin:GetBucketQuota" // SetBucketTargetAction - allow setting bucket target SetBucketTargetAction = "admin:SetBucketTarget" // GetBucketTargetAction - allow getting bucket targets GetBucketTargetAction = "admin:GetBucketTarget" // ReplicationDiff - allow computing the unreplicated objects in a bucket ReplicationDiff = "admin:ReplicationDiff" // ImportBucketMetadataAction - allow importing bucket metadata ImportBucketMetadataAction = "admin:ImportBucketMetadata" // ExportBucketMetadataAction - allow exporting bucket metadata ExportBucketMetadataAction = "admin:ExportBucketMetadata" // SetTierAction - allow adding/editing a remote tier SetTierAction = "admin:SetTier" // ListTierAction - allow listing remote tiers ListTierAction = "admin:ListTier" // ExportIAMAction - allow exporting of all IAM info ExportIAMAction = "admin:ExportIAM" // ImportIAMAction - allow importing IAM info to MinIO ImportIAMAction = "admin:ImportIAM" // ListBatchJobsAction allow listing current active jobs ListBatchJobsAction = "admin:ListBatchJobs" // DescribeBatchJobAction allow getting batch job YAML DescribeBatchJobAction = "admin:DescribeBatchJob" // StartBatchJobAction allow submitting a batch job StartBatchJobAction = "admin:StartBatchJob" // CancelBatchJobAction allow canceling a batch job CancelBatchJobAction = "admin:CancelBatchJob" // GenerateBatchJobAction allow requesting batch job templates GenerateBatchJobAction = "admin:GenerateBatchJob" // InventoryControlAction - allows control of inventory jobs InventoryControlAction = "admin:InventoryControl" // ClusterInfoAction - allow cluster summary ClusterInfoAction 
= "admin:ClusterInfo" // PoolListAction - allow list how many pools and summary per pool PoolListAction = "admin:PoolList" // PoolInfoAction - allow pool specific summary and detail information PoolInfoAction = "admin:PoolInfo" // NodeListAction - allow listing of nodes NodeListAction = "admin:NodeList" // NodeInfoAction - allow node specific summary and detailed information NodeInfoAction = "admin:NodeInfo" // SetInfoAction - allow set specific summary and detail SetInfoAction = "admin:SetInfo" // DriveListAction - allow listing of drives DriveListAction = "admin:DriveList" // DriveInfoAction - allow drive specific summary and detail DriveInfoAction = "admin:DriveInfo" // DeltaSharingAdminAction - allow managing Delta Sharing shares and tokens DeltaSharingAdminAction = "admin:DeltaSharing" DeltaSharingCreateShareAction = "admin:DeltaSharingCreateShare" DeltaSharingDeleteShareAction = "admin:DeltaSharingDeleteShare" DeltaSharingListSharesAction = "admin:DeltaSharingListShares" DeltaSharingGetShareAction = "admin:DeltaSharingGetShare" DeltaSharingUpdateShareAction = "admin:DeltaSharingUpdateShare" // DeltaSharingCreateTokenAction - allow creating Delta Sharing tokens DeltaSharingCreateTokenAction = "admin:DeltaSharingCreateToken" // DeltaSharingDeleteTokenAction - allow deleting Delta Sharing tokens DeltaSharingDeleteTokenAction = "admin:DeltaSharingDeleteToken" // DeltaSharingListTokensAction - allow listing Delta Sharing tokens DeltaSharingListTokensAction = "admin:DeltaSharingListTokens" // AllAdminActions - provides all admin permissions AllAdminActions = "admin:*" )
const ( PolicyName = "policy" SessionPolicyName = "sessionPolicy" )
Policy claim constants
const ( // KMSCreateKeyAction - allow creating a new KMS master key KMSCreateKeyAction = "kms:CreateKey" // KMSDeleteKeyAction - allow deleting a KMS master key KMSDeleteKeyAction = "kms:DeleteKey" // KMSListKeysAction - allow getting list of KMS keys KMSListKeysAction = "kms:ListKeys" // KMSImportKeyAction - allow importing KMS key KMSImportKeyAction = "kms:ImportKey" // KMSDescribePolicyAction - allow getting KMS policy KMSDescribePolicyAction = "kms:DescribePolicy" // KMSAssignPolicyAction - allow assigning an identity to a KMS policy KMSAssignPolicyAction = "kms:AssignPolicy" // KMSDeletePolicyAction - allow deleting a policy KMSDeletePolicyAction = "kms:DeletePolicy" // KMSSetPolicyAction - allow creating or updating a policy KMSSetPolicyAction = "kms:SetPolicy" // KMSGetPolicyAction - allow getting a policy KMSGetPolicyAction = "kms:GetPolicy" // KMSListPoliciesAction - allow getting list of KMS policies KMSListPoliciesAction = "kms:ListPolicies" // KMSDescribeIdentityAction - allow getting KMS identity KMSDescribeIdentityAction = "kms:DescribeIdentity" // KMSDescribeSelfIdentityAction - allow getting self KMS identity KMSDescribeSelfIdentityAction = "kms:DescribeSelfIdentity" // KMSDeleteIdentityAction - allow deleting a policy KMSDeleteIdentityAction = "kms:DeleteIdentity" // KMSListIdentitiesAction - allow getting list of KMS identities KMSListIdentitiesAction = "kms:ListIdentities" // KMSKeyStatusAction - allow getting KMS key status KMSKeyStatusAction = "kms:KeyStatus" // KMSStatusAction - allow getting KMS status KMSStatusAction = "kms:Status" // KMSAPIAction - allow getting a list of supported API endpoints KMSAPIAction = "kms:API" // KMSMetricsAction - allow getting server metrics in the Prometheus exposition format KMSMetricsAction = "kms:Metrics" // KMSVersionAction - allow getting version information KMSVersionAction = "kms:Version" // KMSAuditLogAction - subscribes to the audit log KMSAuditLogAction = "kms:AuditLog" // KMSErrorLogAction - 
subscribes to the error log KMSErrorLogAction = "kms:ErrorLog" // AllKMSActions - provides all admin permissions AllKMSActions = "kms:*" )
const ( // ResourceARNPrefix - resource S3 ARN prefix as per S3 specification. ResourceARNPrefix = "arn:aws:s3:::" // ResourceARNS3TablesPrefix - resource prefix for Amazon S3 Tables resources. ResourceARNS3TablesPrefix = "arn:aws:s3tables:::" // ResourceARNKMSPrefix is for KMS key resources. MinIO specific API. ResourceARNKMSPrefix = "arn:minio:kms:::" )
const ( // AssumeRoleAction - use to deny or allow sts:AssumeRole action under specific conditions. AssumeRoleAction = "sts:AssumeRole" // AssumeRoleLDAPIdentityAction - use to deny or allow sts:AssumeRoleLDAPIdentity action under specific conditions. AssumeRoleLDAPIdentityAction = "sts:AssumeRoleLDAPIdentity" // AssumeRoleWithCustomTokenAction - use to deny or allow sts:AssumeRoleWithCustomToken action under specific conditions. AssumeRoleWithCustomTokenAction = "sts:AssumeRoleWithCustomToken" // AssumeRoleWithWebIdentityAction - use to deny or allow sts:AssumeRoleWithWebIdentity action under specific conditions. AssumeRoleWithWebIdentityAction = "sts:AssumeRoleWithWebIdentity" // AssumeRoleWithClientGrantsAction - use to deny or allow sts:AssumeRoleWithClientGrants action under specific conditions. AssumeRoleWithClientGrantsAction = "sts:AssumeRoleWithClientGrants" // AssumeRoleWithClientCertificateAction - use to deny or allow sts:AssumeRoleWithClientCertificate action under specific conditions. AssumeRoleWithClientCertificateAction = "sts:AssumeRoleWithClientCertificate" // AllSTSActions - select all STS actions AllSTSActions = "sts:*" )
const ( // S3TablesCreateNamespaceAction maps to the AWS `CreateNamespace` S3 Tables action. S3TablesCreateNamespaceAction = "s3tables:CreateNamespace" // S3TablesCreateTableAction maps to the AWS `CreateTable` S3 Tables action. S3TablesCreateTableAction = "s3tables:CreateTable" // S3TablesDeleteNamespaceAction maps to the AWS `DeleteNamespace` S3 Tables action. S3TablesDeleteNamespaceAction = "s3tables:DeleteNamespace" // S3TablesDeleteTableAction maps to the AWS `DeleteTable` S3 Tables action. S3TablesDeleteTableAction = "s3tables:DeleteTable" // S3TablesDeleteTablePolicyAction maps to the AWS `DeleteTablePolicy` S3 Tables action. S3TablesDeleteTablePolicyAction = "s3tables:DeleteTablePolicy" // S3TablesGetNamespaceAction maps to the AWS `GetNamespace` S3 Tables action. S3TablesGetNamespaceAction = "s3tables:GetNamespace" // S3TablesGetTableAction maps to the AWS `GetTable` S3 Tables action. S3TablesGetTableAction = "s3tables:GetTable" // S3TablesGetTableDataAction maps to the AWS `GetTableData` S3 Tables action. S3TablesGetTableDataAction = "s3tables:GetTableData" // S3TablesGetTableEncryptionAction maps to the AWS `GetTableEncryption` S3 Tables action. S3TablesGetTableEncryptionAction = "s3tables:GetTableEncryption" // S3TablesGetTableMaintenanceConfigurationAction maps to the AWS `GetTableMaintenanceConfiguration` S3 Tables action. S3TablesGetTableMaintenanceConfigurationAction = "s3tables:GetTableMaintenanceConfiguration" // S3TablesGetTableMaintenanceJobStatusAction maps to the AWS `GetTableMaintenanceJobStatus` S3 Tables action. S3TablesGetTableMaintenanceJobStatusAction = "s3tables:GetTableMaintenanceJobStatus" // S3TablesGetTableMetadataLocationAction maps to the AWS `GetTableMetadataLocation` S3 Tables action. S3TablesGetTableMetadataLocationAction = "s3tables:GetTableMetadataLocation" // S3TablesGetTablePolicyAction maps to the AWS `GetTablePolicy` S3 Tables action. 
S3TablesGetTablePolicyAction = "s3tables:GetTablePolicy" // S3TablesListNamespacesAction maps to the AWS `ListNamespaces` S3 Tables action. S3TablesListNamespacesAction = "s3tables:ListNamespaces" // S3TablesListTablesAction maps to the AWS `ListTables` S3 Tables action. S3TablesListTablesAction = "s3tables:ListTables" // S3TablesPutTableDataAction maps to the AWS `PutTableData` S3 Tables action. S3TablesPutTableDataAction = "s3tables:PutTableData" // S3TablesPutTableEncryptionAction maps to the AWS `PutTableEncryption` S3 Tables action. S3TablesPutTableEncryptionAction = "s3tables:PutTableEncryption" // S3TablesPutTableMaintenanceConfigurationAction maps to the AWS `PutTableMaintenanceConfiguration` S3 Tables action. S3TablesPutTableMaintenanceConfigurationAction = "s3tables:PutTableMaintenanceConfiguration" // S3TablesPutTablePolicyAction maps to the AWS `PutTablePolicy` S3 Tables action. S3TablesPutTablePolicyAction = "s3tables:PutTablePolicy" // S3TablesRenameTableAction maps to the AWS `RenameTable` S3 Tables action. S3TablesRenameTableAction = "s3tables:RenameTable" // S3TablesUpdateTableMetadataLocationAction maps to the AWS `UpdateTableMetadataLocation` S3 Tables action. S3TablesUpdateTableMetadataLocationAction = "s3tables:UpdateTableMetadataLocation" // S3TablesCreateWarehouseAction is a MinIO extension for Iceberg warehouse provisioning. S3TablesCreateWarehouseAction = "s3tables:CreateWarehouse" // S3TablesCreateTableBucketAction maps to the AWS `CreateTableBucket` S3 Tables action. // Prefer using S3TablesCreateWarehouseAction instead. S3TablesCreateTableBucketAction = "s3tables:CreateTableBucket" // S3TablesDeleteWarehouseAction is a MinIO extension for deleting Iceberg warehouses. S3TablesDeleteWarehouseAction = "s3tables:DeleteWarehouse" // S3TablesDeleteTableBucketAction maps to the AWS `DeleteTableBucket` S3 Tables action. // Prefer using S3TablesDeleteWarehouseAction instead. 
S3TablesDeleteTableBucketAction = "s3tables:DeleteTableBucket" // S3TablesDeleteWarehouseEncryptionAction is a MinIO extension for deleting warehouse encryption configuration. S3TablesDeleteWarehouseEncryptionAction = "s3tables:DeleteWarehouseEncryption" // S3TablesDeleteTableBucketEncryptionAction maps to the AWS `DeleteTableBucketEncryption` S3 Tables action. // Prefer using S3TablesDeleteWarehouseEncryptionAction instead. S3TablesDeleteTableBucketEncryptionAction = "s3tables:DeleteTableBucketEncryption" // S3TablesDeleteWarehousePolicyAction is a MinIO extension for deleting warehouse policies. S3TablesDeleteWarehousePolicyAction = "s3tables:DeleteWarehousePolicy" // S3TablesDeleteTableBucketPolicyAction maps to the AWS `DeleteTableBucketPolicy` S3 Tables action. // Prefer using S3TablesDeleteWarehousePolicyAction instead. S3TablesDeleteTableBucketPolicyAction = "s3tables:DeleteTableBucketPolicy" // S3TablesGetWarehouseAction is a MinIO extension for retrieving warehouse details. S3TablesGetWarehouseAction = "s3tables:GetWarehouse" // S3TablesGetTableBucketAction maps to the AWS `GetTableBucket` S3 Tables action. // Prefer using S3TablesGetWarehouseAction instead. S3TablesGetTableBucketAction = "s3tables:GetTableBucket" // S3TablesGetWarehouseEncryptionAction is a MinIO extension for retrieving warehouse encryption configuration. S3TablesGetWarehouseEncryptionAction = "s3tables:GetWarehouseEncryption" // S3TablesGetTableBucketEncryptionAction maps to the AWS `GetTableBucketEncryption` S3 Tables action. // Prefer using S3TablesGetWarehouseEncryptionAction instead. S3TablesGetTableBucketEncryptionAction = "s3tables:GetTableBucketEncryption" // S3TablesGetWarehouseMaintenanceConfigurationAction is a MinIO extension for retrieving warehouse maintenance configuration. 
S3TablesGetWarehouseMaintenanceConfigurationAction = "s3tables:GetWarehouseMaintenanceConfiguration" // S3TablesGetTableBucketMaintenanceConfigurationAction maps to the AWS `GetTableBucketMaintenanceConfiguration` S3 Tables action. // Prefer using S3TablesGetWarehouseMaintenanceConfigurationAction instead. S3TablesGetTableBucketMaintenanceConfigurationAction = "s3tables:GetTableBucketMaintenanceConfiguration" // S3TablesGetWarehousePolicyAction is a MinIO extension for retrieving warehouse policies. S3TablesGetWarehousePolicyAction = "s3tables:GetWarehousePolicy" // S3TablesGetTableBucketPolicyAction maps to the AWS `GetTableBucketPolicy` S3 Tables action. // Prefer using S3TablesGetWarehousePolicyAction instead. S3TablesGetTableBucketPolicyAction = "s3tables:GetTableBucketPolicy" // S3TablesListWarehousesAction is a MinIO extension for listing Iceberg warehouses. S3TablesListWarehousesAction = "s3tables:ListWarehouses" // S3TablesListTableBucketsAction maps to the AWS `ListTableBuckets` S3 Tables action. // Prefer using S3TablesListWarehousesAction instead. S3TablesListTableBucketsAction = "s3tables:ListTableBuckets" // S3TablesPutWarehouseEncryptionAction is a MinIO extension for setting warehouse encryption configuration. S3TablesPutWarehouseEncryptionAction = "s3tables:PutWarehouseEncryption" // S3TablesPutTableBucketEncryptionAction maps to the AWS `PutTableBucketEncryption` S3 Tables action. // Prefer using S3TablesPutWarehouseEncryptionAction instead. S3TablesPutTableBucketEncryptionAction = "s3tables:PutTableBucketEncryption" // S3TablesPutWarehouseMaintenanceConfigurationAction is a MinIO extension for setting warehouse maintenance configuration. S3TablesPutWarehouseMaintenanceConfigurationAction = "s3tables:PutWarehouseMaintenanceConfiguration" // S3TablesPutTableBucketMaintenanceConfigurationAction maps to the AWS `PutTableBucketMaintenanceConfiguration` S3 Tables action. // Prefer using S3TablesPutWarehouseMaintenanceConfigurationAction instead. 
S3TablesPutTableBucketMaintenanceConfigurationAction = "s3tables:PutTableBucketMaintenanceConfiguration" // S3TablesPutWarehousePolicyAction is a MinIO extension for setting warehouse policies. S3TablesPutWarehousePolicyAction = "s3tables:PutWarehousePolicy" // S3TablesPutTableBucketPolicyAction maps to the AWS `PutTableBucketPolicy` S3 Tables action. // Prefer using S3TablesPutWarehousePolicyAction instead. S3TablesPutTableBucketPolicyAction = "s3tables:PutTableBucketPolicy" // S3TablesGetConfigAction is a MinIO extension for retrieving catalog configuration. S3TablesGetConfigAction = "s3tables:GetConfig" // S3TablesTableMetricsAction is a MinIO extension exposing table metrics. S3TablesTableMetricsAction = "s3tables:TableMetrics" // S3TablesUpdateTableAction is a MinIO extension for Iceberg-compatible table updates. S3TablesUpdateTableAction = "s3tables:UpdateTable" // S3TablesCreateViewAction is a MinIO extension for creating Iceberg views. S3TablesCreateViewAction = "s3tables:CreateView" // S3TablesDeleteViewAction is a MinIO extension for deleting Iceberg views. S3TablesDeleteViewAction = "s3tables:DeleteView" // S3TablesGetViewAction is a MinIO extension for retrieving Iceberg views. S3TablesGetViewAction = "s3tables:GetView" // S3TablesRenameViewAction is a MinIO extension for renaming Iceberg views. S3TablesRenameViewAction = "s3tables:RenameView" // S3TablesUpdateViewAction is a MinIO extension for updating Iceberg views. S3TablesUpdateViewAction = "s3tables:UpdateView" // S3TablesListViewsAction is a MinIO extension for listing Iceberg views. S3TablesListViewsAction = "s3tables:ListViews" // S3TablesUpdateNamespacePropertiesAction is a MinIO extension for updating namespace properties. S3TablesUpdateNamespacePropertiesAction = "s3tables:UpdateNamespaceProperties" // AllS3TablesActions - all Amazon S3 Tables actions AllS3TablesActions = "s3tables:*" )
// DefaultVersion is the default policy document version, i.e. the AWS
// policy-language version string used when a policy does not specify one.
const DefaultVersion = "2012-10-17"
DefaultVersion - default policy version as per AWS S3 specification.
Variables ¶
// ARNPrefixToType maps a resource ARN prefix string to its ResourceARNType.
// NOTE(review): it is declared here without an initializer, so it is
// presumably populated elsewhere in the package (likely as the inverse of
// ARNTypeToPrefix) — confirm before relying on it being non-nil.
var ARNPrefixToType map[string]ResourceARNType
ARNPrefixToType maps prefix to types.
// ARNTypeToPrefix maps each ResourceARNType to the ARN prefix string used for
// resources of that type. ResourceARNAll maps to the bare wildcard "*", which
// matches resources of every type.
var ARNTypeToPrefix = map[ResourceARNType]string{
	ResourceARNS3:       ResourceARNPrefix,
	ResourceARNS3Tables: ResourceARNS3TablesPrefix,
	ResourceARNKMS:      ResourceARNKMSPrefix,
	ResourceARNAll:      "*",
}
ARNTypeToPrefix maps the type to prefix string
// DefaultPolicies is the list of canned (built-in) policies available in MinIO.
//
// Privilege summary, read directly from the definitions below:
//   - readwrite:    AllActions on every resource ("*").
//   - readonly:     only GetBucketLocationAction and GetObjectAction on "*"
//                   (ListBucketAction is NOT included, so listing is not
//                   granted), plus an explicit Deny of CreateUserAdminAction
//                   (presumably so the Deny wins over any Allow coming from
//                   another attached policy).
//   - writeonly:    PutObjectAction on "*". Under standard S3 semantics a
//                   Put on an existing key overwrites it, so "write-only"
//                   is not "append-only".
//   - diagnostics:  a fixed set of observability admin actions.
//   - tablesAdmin:  AllS3TablesActions on every S3 Tables resource.
//   - consoleAdmin: AllAdminActions, AllKMSActions, AllActions and
//                   AllS3TablesActions on every resource — effectively a
//                   cluster-wide superuser. Attach sparingly.
//
// The admin and KMS statements of consoleAdmin use an empty resource set
// (NewResourceSet()), which suggests those action families are not
// resource-scoped — verify against the evaluator.
var DefaultPolicies = []struct {
	Name       string
	Definition Policy
}{
	{
		Name: "readwrite",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(AllActions),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		Name: "readonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
				{
					// Explicit Deny: keeps a "readonly" user from creating
					// users even if some other policy would allow it.
					SID:       ID(""),
					Effect:    Deny,
					Actions:   NewActionSet(CreateUserAdminAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		Name: "writeonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(PutObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		Name: "diagnostics",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(ProfilingAdminAction, TraceAdminAction,
						ConsoleLogAdminAction, ServerInfoAdminAction, TopLocksAdminAction,
						HealthInfoAdminAction, BandwidthMonitorAction, PrometheusAdminAction,
					),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	{
		Name: "tablesAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllS3TablesActions),
					Resources:  NewResourceSet(NewS3TablesResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	{
		// Superuser-equivalent: every action family, every resource.
		Name: "consoleAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllAdminActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllKMSActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllActions),
					Resources:  NewResourceSet(NewResource("*")),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllS3TablesActions),
					Resources:  NewResourceSet(NewS3TablesResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
}
DefaultPolicies - list of canned (built-in) policies available in MinIO. Note the privilege levels visible in the definitions: readwrite grants AllActions on every resource; readonly grants only GetBucketLocationAction and GetObjectAction (no ListBucketAction) and explicitly denies CreateUserAdminAction; writeonly grants PutObjectAction on every resource; consoleAdmin grants AllAdminActions, AllKMSActions, AllActions and AllS3TablesActions on every resource and is effectively a cluster-wide superuser policy.
// IAMActionConditionKeyMap holds the mapping of supported condition keys for
// each action. It is built once at package initialization by
// createActionConditionKeyMap (not shown on this page).
var IAMActionConditionKeyMap = createActionConditionKeyMap()
IAMActionConditionKeyMap - holds mapping of supported condition key for an action.
// SupportedActions is the set of all supported S3 actions, including the
// wildcard AllActions.
//
// NOTE(review): judging by their names, several entries are destructive or
// bypass protections (ForceDeleteBucketAction, BypassGovernanceRetentionAction,
// DeleteObjectVersionAction, PutBucketPolicyAction); a wildcard grant such as
// AllActions presumably covers them, so prefer explicit action lists in
// least-privilege policies.
var SupportedActions = map[Action]struct{}{
	AbortMultipartUploadAction:             {},
	CreateBucketAction:                     {},
	DeleteBucketAction:                     {},
	ForceDeleteBucketAction:                {},
	DeleteBucketPolicyAction:               {},
	DeleteBucketCorsAction:                 {},
	DeleteObjectAction:                     {},
	GetBucketLocationAction:                {},
	GetBucketNotificationAction:            {},
	GetBucketPolicyAction:                  {},
	GetBucketCorsAction:                    {},
	GetObjectAction:                        {},
	HeadBucketAction:                       {},
	ListAllMyBucketsAction:                 {},
	ListBucketAction:                       {},
	GetBucketPolicyStatusAction:            {},
	ListBucketVersionsAction:               {},
	ListBucketMultipartUploadsAction:       {},
	ListenNotificationAction:               {},
	ListenBucketNotificationAction:         {},
	ListMultipartUploadPartsAction:         {},
	PutBucketLifecycleAction:               {},
	GetBucketLifecycleAction:               {},
	PutBucketNotificationAction:            {},
	PutBucketPolicyAction:                  {},
	PutBucketCorsAction:                    {},
	PutBucketQOSAction:                     {},
	GetBucketQOSAction:                     {},
	PutObjectAction:                        {},
	BypassGovernanceRetentionAction:        {},
	PutObjectRetentionAction:               {},
	GetObjectRetentionAction:               {},
	GetObjectLegalHoldAction:               {},
	PutObjectLegalHoldAction:               {},
	GetBucketObjectLockConfigurationAction: {},
	PutBucketObjectLockConfigurationAction: {},
	GetBucketTaggingAction:                 {},
	PutBucketTaggingAction:                 {},
	GetObjectVersionAction:                 {},
	GetObjectAttributesAction:              {},
	GetObjectVersionAttributesAction:       {},
	GetObjectVersionTaggingAction:          {},
	DeleteObjectVersionAction:              {},
	DeleteObjectVersionTaggingAction:       {},
	PutObjectVersionTaggingAction:          {},
	GetObjectTaggingAction:                 {},
	PutObjectTaggingAction:                 {},
	DeleteObjectTaggingAction:              {},
	PutBucketEncryptionAction:              {},
	GetBucketEncryptionAction:              {},
	PutBucketVersioningAction:              {},
	GetBucketVersioningAction:              {},
	GetReplicationConfigurationAction:      {},
	PutReplicationConfigurationAction:      {},
	ReplicateObjectAction:                  {},
	ReplicateDeleteAction:                  {},
	ReplicateTagsAction:                    {},
	GetObjectVersionForReplicationAction:   {},
	RestoreObjectAction:                    {},
	ResetBucketReplicationStateAction:      {},
	PutObjectFanOutAction:                  {},
	PutInventoryConfigurationAction:        {},
	GetInventoryConfigurationAction:        {},
	CreateSessionAction:                    {},
	AllActions:                             {},
}
SupportedActions - list of all supported actions.
// SupportedAdminActions is the set of all supported admin actions, including
// the wildcard AllAdminActions.
//
// NOTE(review): judging by their names, the IAM-writing actions
// (CreateUserAdminAction, AttachPolicyAdminAction, UpdatePolicyAssociationAction,
// CreateServiceAccountAdminAction, ImportIAMAction) let a holder grant
// themselves any other policy, and ConfigUpdateAdminAction /
// ServerUpdateAdminAction change the server itself. Treat grants of these as
// equivalent to full administrative control.
var SupportedAdminActions = map[AdminAction]struct{}{
	HealAdminAction:                   {},
	StorageInfoAdminAction:            {},
	DataUsageInfoAdminAction:          {},
	TopLocksAdminAction:               {},
	ProfilingAdminAction:              {},
	PrometheusAdminAction:             {},
	TraceAdminAction:                  {},
	ConsoleLogAdminAction:             {},
	KMSCreateKeyAdminAction:           {},
	KMSKeyStatusAdminAction:           {},
	ServerInfoAdminAction:             {},
	HealthInfoAdminAction:             {},
	LicenseInfoAdminAction:            {},
	BandwidthMonitorAction:            {},
	InspectDataAction:                 {},
	ServerUpdateAdminAction:           {},
	ServiceRestartAdminAction:         {},
	ServiceStopAdminAction:            {},
	ServiceFreezeAdminAction:          {},
	ConfigUpdateAdminAction:           {},
	CreateUserAdminAction:             {},
	DeleteUserAdminAction:             {},
	ListUsersAdminAction:              {},
	EnableUserAdminAction:             {},
	DisableUserAdminAction:            {},
	GetUserAdminAction:                {},
	AddUserToGroupAdminAction:         {},
	RemoveUserFromGroupAdminAction:    {},
	GetGroupAdminAction:               {},
	ListGroupsAdminAction:             {},
	EnableGroupAdminAction:            {},
	DisableGroupAdminAction:           {},
	CreateServiceAccountAdminAction:   {},
	UpdateServiceAccountAdminAction:   {},
	RemoveServiceAccountAdminAction:   {},
	ListServiceAccountsAdminAction:    {},
	ListTemporaryAccountsAdminAction:  {},
	CreatePolicyAdminAction:           {},
	DeletePolicyAdminAction:           {},
	GetPolicyAdminAction:              {},
	AttachPolicyAdminAction:           {},
	UpdatePolicyAssociationAction:     {},
	ListUserPoliciesAdminAction:       {},
	SetBucketQuotaAdminAction:         {},
	GetBucketQuotaAdminAction:         {},
	SetBucketTargetAction:             {},
	GetBucketTargetAction:             {},
	ReplicationDiff:                   {},
	SetTierAction:                     {},
	ListTierAction:                    {},
	DecommissionAdminAction:           {},
	RebalanceAdminAction:              {},
	SiteReplicationAddAction:          {},
	SiteReplicationDisableAction:      {},
	SiteReplicationInfoAction:         {},
	SiteReplicationOperationAction:    {},
	SiteReplicationRemoveAction:       {},
	SiteReplicationResyncAction:       {},
	ImportBucketMetadataAction:        {},
	ExportBucketMetadataAction:        {},
	ExportIAMAction:                   {},
	ImportIAMAction:                   {},
	ListBatchJobsAction:               {},
	DescribeBatchJobAction:            {},
	StartBatchJobAction:               {},
	CancelBatchJobAction:              {},
	InventoryControlAction:            {},
	ClusterInfoAction:                 {},
	PoolListAction:                    {},
	PoolInfoAction:                    {},
	NodeListAction:                    {},
	NodeInfoAction:                    {},
	SetInfoAction:                     {},
	DriveListAction:                   {},
	DriveInfoAction:                   {},
	ServiceCordonAdminAction:          {},
	DeltaSharingAdminAction:           {},
	DeltaSharingCreateShareAction:     {},
	DeltaSharingDeleteShareAction:     {},
	DeltaSharingListSharesAction:      {},
	DeltaSharingGetShareAction:        {},
	DeltaSharingUpdateShareAction:     {},
	DeltaSharingCreateTokenAction:     {},
	DeltaSharingDeleteTokenAction:     {},
	DeltaSharingListTokensAction:      {},
	AllAdminActions:                   {},
}
SupportedAdminActions - list of all supported admin actions.
// SupportedObjectActions is the set of object-level actions. AllActions is a
// member, so the wildcard counts as an object action here; presumably
// Action.IsObjectAction consults this set (confirm in the implementation).
var SupportedObjectActions = map[Action]struct{}{
	AllActions:                           {},
	AbortMultipartUploadAction:           {},
	DeleteObjectAction:                   {},
	GetObjectAction:                      {},
	ListMultipartUploadPartsAction:       {},
	PutObjectAction:                      {},
	BypassGovernanceRetentionAction:      {},
	PutObjectRetentionAction:             {},
	GetObjectRetentionAction:             {},
	PutObjectLegalHoldAction:             {},
	GetObjectLegalHoldAction:             {},
	GetObjectTaggingAction:               {},
	PutObjectTaggingAction:               {},
	DeleteObjectTaggingAction:            {},
	GetObjectVersionAction:               {},
	GetObjectVersionTaggingAction:        {},
	DeleteObjectVersionAction:            {},
	DeleteObjectVersionTaggingAction:     {},
	PutObjectVersionTaggingAction:        {},
	ReplicateObjectAction:                {},
	ReplicateDeleteAction:                {},
	ReplicateTagsAction:                  {},
	GetObjectVersionForReplicationAction: {},
	RestoreObjectAction:                  {},
	ResetBucketReplicationStateAction:    {},
	PutObjectFanOutAction:                {},
	GetObjectAttributesAction:            {},
	GetObjectVersionAttributesAction:     {},
}
SupportedObjectActions - list of all supported object actions.
// SupportedTableActions is the set of all supported S3 Tables actions,
// including the wildcard AllS3TablesActions.
//
// NOTE(review): the AWS-named actions (e.g. S3TablesGetTableBucketPolicyAction)
// and their MinIO warehouse-named counterparts (e.g.
// S3TablesGetWarehousePolicyAction) are distinct action strings in this set.
// Unless the evaluator aliases them (not visible on this page), a policy that
// allows or denies one does not cover the other — Deny statements in
// particular should list both spellings.
var SupportedTableActions = map[TableAction]struct{}{
	S3TablesCreateNamespaceAction:                        {},
	S3TablesCreateTableAction:                            {},
	S3TablesCreateTableBucketAction:                      {},
	S3TablesDeleteNamespaceAction:                        {},
	S3TablesDeleteTableAction:                            {},
	S3TablesDeleteTableBucketAction:                      {},
	S3TablesDeleteTableBucketEncryptionAction:            {},
	S3TablesDeleteTableBucketPolicyAction:                {},
	S3TablesDeleteTablePolicyAction:                      {},
	S3TablesGetNamespaceAction:                           {},
	S3TablesGetTableAction:                               {},
	S3TablesGetTableBucketAction:                         {},
	S3TablesGetTableBucketEncryptionAction:               {},
	S3TablesGetTableBucketMaintenanceConfigurationAction: {},
	S3TablesGetTableBucketPolicyAction:                   {},
	S3TablesGetTableDataAction:                           {},
	S3TablesGetTableEncryptionAction:                     {},
	S3TablesGetTableMaintenanceConfigurationAction:       {},
	S3TablesGetTableMaintenanceJobStatusAction:           {},
	S3TablesGetTableMetadataLocationAction:               {},
	S3TablesGetTablePolicyAction:                         {},
	S3TablesListNamespacesAction:                         {},
	S3TablesListTableBucketsAction:                       {},
	S3TablesListTablesAction:                             {},
	S3TablesPutTableBucketEncryptionAction:               {},
	S3TablesPutTableBucketMaintenanceConfigurationAction: {},
	S3TablesPutTableBucketPolicyAction:                   {},
	S3TablesPutTableDataAction:                           {},
	S3TablesPutTableEncryptionAction:                     {},
	S3TablesPutTableMaintenanceConfigurationAction:       {},
	S3TablesPutTablePolicyAction:                         {},
	S3TablesRenameTableAction:                            {},
	S3TablesUpdateTableMetadataLocationAction:            {},
	S3TablesCreateWarehouseAction:                        {},
	S3TablesDeleteWarehouseAction:                        {},
	S3TablesDeleteWarehouseEncryptionAction:              {},
	S3TablesDeleteWarehousePolicyAction:                  {},
	S3TablesGetWarehouseAction:                           {},
	S3TablesGetWarehouseEncryptionAction:                 {},
	S3TablesGetWarehouseMaintenanceConfigurationAction:   {},
	S3TablesGetWarehousePolicyAction:                     {},
	S3TablesListWarehousesAction:                         {},
	S3TablesPutWarehouseEncryptionAction:                 {},
	S3TablesPutWarehouseMaintenanceConfigurationAction:   {},
	S3TablesPutWarehousePolicyAction:                     {},
	S3TablesGetConfigAction:                              {},
	S3TablesTableMetricsAction:                           {},
	S3TablesUpdateTableAction:                            {},
	S3TablesCreateViewAction:                             {},
	S3TablesDeleteViewAction:                             {},
	S3TablesGetViewAction:                                {},
	S3TablesRenameViewAction:                             {},
	S3TablesUpdateViewAction:                             {},
	S3TablesListViewsAction:                              {},
	S3TablesUpdateNamespacePropertiesAction:              {},
	AllS3TablesActions:                                   {},
}
SupportedTableActions - list of all supported S3 Tables actions.
Functions ¶
func Errorf ¶
Errorf - formats according to a format specifier and returns the string as a value that satisfies error of type policy.Error
func GetPoliciesFromClaims ¶
GetPoliciesFromClaims returns the list of policies to be applied for this incoming request, extracting them from the input JWT claims. The claims map is trusted as given: this function performs no signature, issuer or expiry verification, so callers must only pass claims from a JWT that has already been validated.
func GetValuesFromClaims ¶
GetValuesFromClaims returns the list of values found for the input claimName. The claim value may be given in any of the following formats: a single string, a comma-separated string, or a string array.
func IsAllowedPar ¶ added in v3.3.2
IsAllowedPar - checks whether the given Args are allowed by any one of the given policies, evaluating the policies in parallel (parallel evaluation is used only when len(policies) > 100).
func IsAllowedSerial ¶ added in v3.3.2
IsAllowedSerial - checks whether the given Args are allowed by any one of the given policies, evaluating them one after another.
This is currently the fastest implementation for our basic benchmark.
Types ¶
type Action ¶
// Action is a policy action name. See
// https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for the
// AWS-defined S3 actions; the package also defines MinIO-specific extensions.
// The set of accepted values is SupportedActions.
type Action string
Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about available actions.
func (Action) IsObjectAction ¶
IsObjectAction - returns whether action is object type or not.
type ActionConditionKeyMap ¶
ActionConditionKeyMap is alias for the map type used here.
type ActionSet ¶
// ActionSet is a set of actions. The empty-struct value means membership
// tests cost no per-entry storage.
type ActionSet map[Action]struct{}
ActionSet - set of actions.
func NewActionSet ¶
NewActionSet - creates new action set.
func NewActionStrings ¶ added in v3.2.2
NewActionStrings - creates new action set from strings.
func (ActionSet) Equals ¶
Equals - checks whether given action set is equal to current action set or not.
func (ActionSet) Intersection ¶
Intersection - returns actions available in both ActionSet.
func (ActionSet) MarshalJSON ¶
MarshalJSON - encodes ActionSet to JSON data.
func (ActionSet) ToAdminSlice ¶
func (actionSet ActionSet) ToAdminSlice() []AdminAction
ToAdminSlice - returns slice of admin actions from the action set.
func (ActionSet) ToKMSSlice ¶
ToKMSSlice - returns slice of kms actions from the action set.
func (ActionSet) ToSTSSlice ¶
ToSTSSlice - returns slice of STS actions from the action set.
func (ActionSet) ToTableSlice ¶ added in v3.4.3
func (actionSet ActionSet) ToTableSlice() []TableAction
ToTableSlice - returns slice of table actions from the action set.
func (*ActionSet) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to ActionSet.
func (ActionSet) ValidateAdmin ¶
ValidateAdmin checks if all actions are valid Admin actions
func (ActionSet) ValidateKMS ¶
ValidateKMS checks if all actions are valid KMS actions
func (ActionSet) ValidateSTS ¶
ValidateSTS checks if all actions are valid STS actions
func (ActionSet) ValidateTable ¶ added in v3.4.3
ValidateTable checks if all actions are valid Table actions
type AdminAction ¶
// AdminAction is an admin (cluster-management) policy action. The set of
// accepted values is SupportedAdminActions.
type AdminAction string
AdminAction - admin policy action.
func (AdminAction) IsValid ¶
func (action AdminAction) IsValid() bool
IsValid - checks if action is valid or not.
type Args ¶
// Args are the arguments a policy is evaluated against to decide whether a
// request is allowed.
type Args struct {
	// AccountName is the account (user) making the request.
	AccountName string `json:"account"`
	// Groups lists the groups the account belongs to.
	Groups []string `json:"groups"`
	// Action is the action being evaluated.
	Action Action `json:"action"`
	// OriginalAction is the action as originally requested; presumably kept
	// when Action has been mapped to another action for evaluation — confirm
	// against the callers.
	OriginalAction Action `json:"originalAction"`
	// BucketName is the bucket targeted by the request.
	BucketName string `json:"bucket"`
	// ConditionValues carries the request-context values consulted by
	// statement Conditions.
	ConditionValues map[string][]string `json:"conditions"`
	// IsOwner marks the requester as the owner. NOTE(review): this is a trust
	// decision — it must be derived from the authenticated identity, never
	// from request-supplied data.
	IsOwner bool `json:"owner"`
	// ObjectName is the object key targeted by the request, if any.
	ObjectName string `json:"object"`
	// Claims are the requester's JWT claims, used by GetPolicies and
	// GetRoleArn. They are trusted as given, so only verified claims belong here.
	Claims map[string]any `json:"claims"`
	// DenyOnly restricts evaluation to Deny statements only.
	DenyOnly bool `json:"denyOnly"`
}
Args - the arguments a policy is evaluated against to decide whether the request is allowed.
func (Args) GetPolicies ¶
GetPolicies returns the list of policies to be applied for this incoming request, extracting them from the JWT claims in Args.Claims. The claims are trusted as given; callers must populate them only from a JWT whose signature and issuer have already been verified.
func (Args) GetRoleArn ¶
GetRoleArn returns the role ARN from JWT claims if present. Otherwise returns empty string.
type BPStatement ¶
// BPStatement is a single statement of a bucket policy. Unlike Statement (the
// IAM policy statement) it carries a Principal, and its Action and Resource
// fields are always serialized (no omitempty).
type BPStatement struct {
	// SID is the optional statement identifier.
	SID ID `json:"Sid,omitempty"`
	// Effect is Allow or Deny.
	Effect Effect `json:"Effect"`
	// Principal selects the accounts the statement applies to.
	Principal Principal `json:"Principal"`
	// Actions is the set of actions the statement covers.
	Actions ActionSet `json:"Action"`
	// NotActions, when set, covers every action except these (policy-language
	// semantics). NOTE(review): NotAction/NotResource combined with Allow are
	// easy to over-grant with; review them as if they were wildcards.
	NotActions ActionSet `json:"NotAction,omitempty"`
	// Resources is the set of resources the statement covers.
	Resources ResourceSet `json:"Resource"`
	// NotResources, when set, covers every resource except these.
	NotResources ResourceSet `json:"NotResource,omitempty"`
	// Conditions are the condition functions evaluated against the request
	// context.
	Conditions condition.Functions `json:"Condition,omitempty"`
}
BPStatement - bucket policy statement.
func NewBPStatement ¶
func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) BPStatement
NewBPStatement - creates new statement.
func NewBPStatementWithNotAction ¶
func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, resources ResourceSet, conditions condition.Functions) BPStatement
NewBPStatementWithNotAction - creates new statement with NotAction.
func NewBPStatementWithNotResource ¶ added in v3.0.23
func NewBPStatementWithNotResource(sid ID, effect Effect, principal Principal, actions ActionSet, notResources ResourceSet, conditions condition.Functions) BPStatement
NewBPStatementWithNotResource - creates new statement with NotResource.
func (BPStatement) Clone ¶
func (statement BPStatement) Clone() BPStatement
Clone clones Statement structure
func (BPStatement) Equals ¶
func (statement BPStatement) Equals(st BPStatement) bool
Equals checks if two statements are equal
func (BPStatement) IsAllowed ¶
func (statement BPStatement) IsAllowed(args BucketPolicyArgs) bool
IsAllowed - reports whether the given bucket policy args are allowed to proceed with the REST API call.
func (BPStatement) Validate ¶
func (statement BPStatement) Validate(bucketName string) error
Validate - validates whether the Statement applies to the given bucket.
type BucketPolicy ¶
// BucketPolicy is a bucket policy document.
type BucketPolicy struct {
	// ID is the optional policy identifier.
	ID ID `json:"ID,omitempty"`
	// Version is the policy language version; see DefaultVersion. It has no
	// json tag, so encoding/json uses the field name "Version" as the key.
	Version string
	// Statements are the policy's statements.
	Statements []BPStatement `json:"Statement"`
}
BucketPolicy - bucket policy.
func ParseBucketPolicyConfig ¶
func ParseBucketPolicyConfig(reader io.Reader, bucketName string) (*BucketPolicy, error)
ParseBucketPolicyConfig - parses the data in the given reader into a BucketPolicy for the given bucketName.
func (*BucketPolicy) Equals ¶
func (policy *BucketPolicy) Equals(p BucketPolicy) bool
Equals returns true if the two policies are identical
func (BucketPolicy) IsAllowed ¶
func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool
IsAllowed - reports whether the given bucket policy args are allowed to proceed with the REST API call.
func (BucketPolicy) IsEmpty ¶
func (policy BucketPolicy) IsEmpty() bool
IsEmpty - returns whether policy is empty or not.
func (BucketPolicy) MarshalJSON ¶
func (policy BucketPolicy) MarshalJSON() ([]byte, error)
MarshalJSON - encodes BucketPolicy to JSON data.
func (*BucketPolicy) UnmarshalJSON ¶
func (policy *BucketPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to BucketPolicy.
func (BucketPolicy) Validate ¶
func (policy BucketPolicy) Validate(bucketName string) error
Validate - validates whether all statements apply to the given bucket.
type BucketPolicyArgs ¶
// BucketPolicyArgs are the arguments a bucket policy is evaluated against to
// decide whether a request is allowed. Compared with Args it has no
// OriginalAction, Claims or DenyOnly fields.
type BucketPolicyArgs struct {
	// AccountName is the account (user) making the request.
	AccountName string `json:"account"`
	// Groups lists the groups the account belongs to.
	Groups []string `json:"groups"`
	// Action is the action being evaluated.
	Action Action `json:"action"`
	// BucketName is the bucket targeted by the request.
	BucketName string `json:"bucket"`
	// ConditionValues carries the request-context values consulted by
	// statement Conditions.
	ConditionValues map[string][]string `json:"conditions"`
	// IsOwner marks the requester as the owner. NOTE(review): derive this from
	// the authenticated identity only, never from request-supplied data.
	IsOwner bool `json:"owner"`
	// ObjectName is the object key targeted by the request, if any.
	ObjectName string `json:"object"`
}
BucketPolicyArgs - the arguments a bucket policy is evaluated against to decide whether the request is allowed.
type Decision ¶ added in v3.3.2
// Decision is an enum type representing the decision made by a policy for the
// given arguments: allow, deny, or no decision (see Policy.Decide).
type Decision uint8
Decision is an enum type representing the decision made by the policy for the given arguments.
type Effect ¶
// Effect is a policy statement effect: Allow or Deny.
type Effect string
Effect - policy statement effect Allow or Deny.
const (
	// Allow - allow effect.
	Allow Effect = "Allow"
	// Deny - deny effect.
	// NOTE(review): unlike Allow, Deny is declared without the Effect type, so
	// it is an untyped string constant. It still converts implicitly wherever
	// an Effect is expected, but it is not itself of type Effect.
	Deny = "Deny"
)
type Error ¶
// Error is the generic error type for failures during policy parsing; see
// Errorf for constructing one.
type Error struct {
	// contains filtered or unexported fields
}
Error is the generic type for any error happening during policy parsing.
type Policy ¶
// Policy is an IAM policy document.
type Policy struct {
	// ID is the optional policy identifier.
	ID ID `json:"ID,omitempty"`
	// Version is the policy language version; see DefaultVersion. It has no
	// json tag, so encoding/json uses the field name "Version" as the key.
	Version string
	// Statements are the policy's statements.
	Statements []Statement `json:"Statement"`
	// contains filtered or unexported fields
}
Policy - IAM policy.
func MergePolicies ¶
MergePolicies merges all the given policies into a single policy dropping any duplicate statements.
func ParseConfig ¶
ParseConfig - parses the data in the given reader into a Policy.
func (*Policy) Decide ¶ added in v3.3.2
Decide - decides whether the given args are allowed or not. If no policy statement explicitly allows or denies the operation in the Args, it returns `noDecision`. It is up to the caller to handle such cases; a fail-closed authorizer should treat `noDecision` as a denial (implicit deny), matching IAM evaluation semantics.
func (*Policy) HasDenyStatement ¶ added in v3.3.3
HasDenyStatement returns if the policy has a deny statement.
func (Policy) IsAllowedActions ¶
func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet
IsAllowedActions returns the set of actions that this policy allows when evaluated against the given bucket, object and condition values.
func (Policy) MatchResource ¶
MatchResource matches resource with match resource patterns
func (*Policy) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Policy.
type Principal ¶
Principal - policy principal.
func NewPrincipal ¶
NewPrincipal - creates new Principal.
func (Principal) Intersection ¶
Intersection - returns principals available in both Principal.
func (Principal) MarshalJSON ¶
MarshalJSON - encodes Principal to JSON data.
func (*Principal) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Principal.
type Resource ¶
// Resource is a resource in a policy statement.
type Resource struct {
	// Pattern is the resource pattern to match, presumably with the ARN prefix
	// for Type already stripped (see ARNTypeToPrefix) — confirm in ParseResource.
	Pattern string
	// Type selects which ARN prefix family (S3, S3 Tables, KMS, or "*") the
	// pattern belongs to.
	Type ResourceARNType
}
Resource - resource in policy statement.
func NewKMSResource ¶ added in v3.0.8
NewKMSResource - creates new resource with type KMS
func NewResource ¶
NewResource - creates new resource with the default ARN type of S3.
func NewS3TablesResource ¶ added in v3.6.0
NewS3TablesResource - creates new resource with type S3 Tables
func ParseResource ¶ added in v3.4.2
ParseResource - parses string to Resource.
func (Resource) MarshalJSON ¶
MarshalJSON - encodes Resource to JSON data.
func (Resource) Match ¶
Match - matches the object name against the resource pattern, taking the supplied condition values into account (unlike MatchResource, which matches the pattern only).
func (Resource) MatchResource ¶
MatchResource matches object name with resource pattern only.
func (*Resource) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Resource.
func (Resource) ValidateBucket ¶
ValidateBucket - validates that given bucketName is matched by Resource.
type ResourceARNType ¶ added in v3.0.8
// ResourceARNType identifies the ARN prefix family of a Resource; see
// ARNTypeToPrefix for the prefix string of each value.
type ResourceARNType uint32
ResourceARNType - ARN prefix type
// NOTE(review): this rendering shows no initializer on the first constant;
// the values are presumably assigned via iota in the source — confirm there.
const (
	// ResourceARNS3 is the ARN prefix type for S3 resources.
	ResourceARNS3 ResourceARNType
	// ResourceARNS3Tables is the ARN prefix type for Amazon S3 Tables resources.
	ResourceARNS3Tables
	// ResourceARNKMS is the ARN prefix type for MinIO KMS resources.
	ResourceARNKMS
	// ResourceARNAll is the ARN '*', matching resources of every type.
	ResourceARNAll
)
func (ResourceARNType) String ¶ added in v3.0.8
func (a ResourceARNType) String() string
type ResourceSet ¶
// ResourceSet is a set of resources in a policy statement, keyed by Resource.
type ResourceSet map[Resource]struct{}
ResourceSet - set of resources in policy statement.
func NewResourceSet ¶
func NewResourceSet(resources ...Resource) ResourceSet
NewResourceSet - creates new resource set.
func NewResourceStrings ¶ added in v3.2.2
func NewResourceStrings(resources ...string) ResourceSet
NewResourceStrings - creates new resource set from strings
func (ResourceSet) Add ¶
func (resourceSet ResourceSet) Add(resource Resource)
Add - adds resource to resource set.
func (ResourceSet) BucketResourceExists ¶
func (resourceSet ResourceSet) BucketResourceExists() bool
BucketResourceExists - checks if at least one bucket resource exists in the set.
func (ResourceSet) Clone ¶
func (resourceSet ResourceSet) Clone() ResourceSet
Clone clones ResourceSet structure
func (ResourceSet) Equals ¶
func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
Equals - checks whether given resource set is equal to current resource set or not.
func (ResourceSet) Intersection ¶
func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
Intersection - returns resources available in both ResourceSet.
func (ResourceSet) MarshalJSON ¶
func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
MarshalJSON - encodes ResourceSet to JSON data.
func (ResourceSet) Match ¶
func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
Match - matches the object name against any one of the resource patterns in the set, taking the supplied condition values into account (unlike MatchResource, which matches the patterns only).
func (ResourceSet) MatchResource ¶
func (resourceSet ResourceSet) MatchResource(resource string) bool
MatchResource matches object name with resource patterns only.
func (ResourceSet) ObjectResourceExists ¶
func (resourceSet ResourceSet) ObjectResourceExists() bool
ObjectResourceExists - checks if at least one object resource exists in the set.
func (ResourceSet) String ¶
func (resourceSet ResourceSet) String() string
func (ResourceSet) ToSlice ¶
func (resourceSet ResourceSet) ToSlice() []Resource
ToSlice - returns slice of resources from the resource set.
func (*ResourceSet) UnmarshalJSON ¶
func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to ResourceSet.
func (ResourceSet) ValidateBucket ¶
func (resourceSet ResourceSet) ValidateBucket(bucketName string) error
ValidateBucket - validates that the ResourceSet refers to the given bucket.
func (ResourceSet) ValidateKMS ¶ added in v3.0.8
func (resourceSet ResourceSet) ValidateKMS() error
ValidateKMS - validates ResourceSet is KMS.
func (ResourceSet) ValidateS3 ¶ added in v3.0.8
func (resourceSet ResourceSet) ValidateS3() error
ValidateS3 - validates ResourceSet is S3.
func (ResourceSet) ValidateTable ¶ added in v3.4.3
func (resourceSet ResourceSet) ValidateTable() error
ValidateTable - validates ResourceSet is S3 Tables.
type Statement ¶
// Statement is a single statement of an IAM policy. Unlike BPStatement it has
// no Principal, and its Action and Resource fields are omitted from JSON when
// empty.
type Statement struct {
	// SID is the optional statement identifier.
	SID ID `json:"Sid,omitempty"`
	// Effect is Allow or Deny.
	Effect Effect `json:"Effect"`
	// Actions is the set of actions the statement covers.
	Actions ActionSet `json:"Action,omitempty"`
	// NotActions, when set, covers every action except these (policy-language
	// semantics). NOTE(review): NotAction/NotResource combined with Allow are
	// easy to over-grant with; review them as if they were wildcards.
	NotActions ActionSet `json:"NotAction,omitempty"`
	// Resources is the set of resources the statement covers.
	Resources ResourceSet `json:"Resource,omitempty"`
	// NotResources, when set, covers every resource except these.
	NotResources ResourceSet `json:"NotResource,omitempty"`
	// Conditions are the condition functions evaluated against the request
	// context.
	Conditions condition.Functions `json:"Condition,omitempty"`
}
Statement - IAM policy statement.
func NewStatement ¶
func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement
NewStatement - creates new statement.
func NewStatementWithNotAction ¶
func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, conditions condition.Functions) Statement
NewStatementWithNotAction - creates new statement with NotAction.
func NewStatementWithNotResource ¶ added in v3.0.28
func NewStatementWithNotResource(sid ID, effect Effect, actions ActionSet, notResources ResourceSet, conditions condition.Functions) Statement
NewStatementWithNotResource - creates new statement with NotResource.
func (Statement) IsAllowed ¶
IsAllowed - reports whether the given policy args are allowed to proceed with the REST API call.
func (Statement) IsAllowedPtr ¶ added in v3.3.2
IsAllowedPtr - same check as IsAllowed, presumably taking the args by pointer to avoid copying the Args struct on each call.
type TableAction ¶ added in v3.4.3
// TableAction is an S3 Tables policy action. The set of accepted values is
// SupportedTableActions.
type TableAction string
TableAction - S3 Tables policy action.
func (TableAction) IsValid ¶ added in v3.4.3
func (action TableAction) IsValid() bool
IsValid - checks if action is valid or not.