Documentation
Index
- Constants
- Variables
- func Errorf(format string, a ...interface{}) error
- func GetPoliciesFromClaims(claims map[string]any, policyClaimName string) (set.StringSet, bool)
- func GetValuesFromClaims(claims map[string]any, claimName string) (set.StringSet, bool)
- func IsAllowedPar(policies []Policy, args Args) bool
- func IsAllowedSerial(policies []Policy, args Args) bool
- type Action
- type ActionConditionKeyMap
- type ActionSet
- func (actionSet ActionSet) Add(action Action)
- func (actionSet ActionSet) Clone() ActionSet
- func (actionSet ActionSet) Contains(action Action) bool
- func (actionSet ActionSet) Equals(sactionSet ActionSet) bool
- func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet
- func (actionSet ActionSet) IsEmpty() bool
- func (actionSet ActionSet) MarshalJSON() ([]byte, error)
- func (actionSet ActionSet) Match(action Action) bool
- func (actionSet ActionSet) String() string
- func (actionSet ActionSet) ToAdminSlice() []AdminAction
- func (actionSet ActionSet) ToKMSSlice() (actions []KMSAction)
- func (actionSet ActionSet) ToSTSSlice() []STSAction
- func (actionSet ActionSet) ToSlice() []Action
- func (actionSet ActionSet) ToTableSlice() []TableAction
- func (actionSet ActionSet) ToVectorsSlice() []VectorsAction
- func (actionSet *ActionSet) UnmarshalJSON(data []byte) error
- func (actionSet ActionSet) Validate() error
- func (actionSet ActionSet) ValidateAdmin() error
- func (actionSet ActionSet) ValidateKMS() error
- func (actionSet ActionSet) ValidateSTS() error
- func (actionSet ActionSet) ValidateTable() error
- func (actionSet ActionSet) ValidateVectors() error
- type AdminAction
- type Args
- type BPStatement
- func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, ...) BPStatement
- func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, ...) BPStatement
- func NewBPStatementWithNotResource(sid ID, effect Effect, principal Principal, actions ActionSet, ...) BPStatement
- type BucketPolicy
- func (policy *BucketPolicy) Equals(p BucketPolicy) bool
- func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool
- func (policy BucketPolicy) IsEmpty() bool
- func (policy BucketPolicy) MarshalJSON() ([]byte, error)
- func (policy *BucketPolicy) UnmarshalJSON(data []byte) error
- func (policy BucketPolicy) Validate(bucketName string) error
- type BucketPolicyArgs
- type Decision
- type Effect
- type Error
- type ID
- type KMSAction
- type Policy
- func (iamp *Policy) Decide(args *Args) Decision
- func (iamp *Policy) Equals(p Policy) bool
- func (iamp *Policy) HasDenyStatement() bool
- func (iamp Policy) IsAllowed(args Args) bool
- func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet
- func (iamp Policy) IsEmpty() bool
- func (iamp Policy) MatchResource(resource string) bool
- func (iamp *Policy) UnmarshalJSON(data []byte) error
- func (iamp Policy) Validate() error
- func (iamp Policy) ValidateStrict() error
- type Principal
- func (p Principal) Clone() Principal
- func (p Principal) Equals(pp Principal) bool
- func (p Principal) Intersection(principal Principal) set.StringSet
- func (p Principal) IsValid() bool
- func (p Principal) MarshalJSON() ([]byte, error)
- func (p Principal) Match(principal string) bool
- func (p *Principal) UnmarshalJSON(data []byte) error
- type Resource
- func (r Resource) IsValid() bool
- func (r Resource) MarshalJSON() ([]byte, error)
- func (r Resource) Match(resource string, conditionValues map[string][]string) bool
- func (r Resource) MatchResource(resource string) bool
- func (r Resource) String() string
- func (r *Resource) UnmarshalJSON(data []byte) error
- func (r Resource) Validate() error
- func (r Resource) ValidateBucket(bucketName string) error
- type ResourceARNType
- type ResourceSet
- func (resourceSet ResourceSet) Add(resource Resource)
- func (resourceSet ResourceSet) BucketResourceExists() bool
- func (resourceSet ResourceSet) Clone() ResourceSet
- func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
- func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
- func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
- func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
- func (resourceSet ResourceSet) MatchResource(resource string) bool
- func (resourceSet ResourceSet) ObjectResourceExists() bool
- func (resourceSet ResourceSet) String() string
- func (resourceSet ResourceSet) ToSlice() []Resource
- func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
- func (resourceSet ResourceSet) ValidateBucket(bucketName string) error
- func (resourceSet ResourceSet) ValidateKMS() error
- func (resourceSet ResourceSet) ValidateS3() error
- func (resourceSet ResourceSet) ValidateTable() error
- func (resourceSet ResourceSet) ValidateVectors() error
- type STSAction
- type Statement
- func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, ...) Statement
- func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, ...) Statement
- func NewStatementWithNotResource(sid ID, effect Effect, actions ActionSet, notResources ResourceSet, ...) Statement
- func (statement Statement) Clone() Statement
- func (statement Statement) Equals(st Statement) bool
- func (statement Statement) IsAllowed(args Args) bool
- func (statement Statement) IsAllowedPtr(args *Args) bool
- func (statement Statement) Validate() error
- func (statement Statement) ValidateStrict() error
- type TableAction
- type VectorsAction
Constants
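// S3 API actions recognised in policy statements. The values are the action
// names an ActionSet stores and matches. Only AbortMultipartUploadAction
// carries an explicit Action type; every other entry is an untyped string
// constant and takes the type of the context it is used in.
const (
	// AbortMultipartUploadAction - AbortMultipartUpload Rest API action.
	AbortMultipartUploadAction Action = "s3:AbortMultipartUpload"

	// CreateBucketAction - CreateBucket Rest API action.
	CreateBucketAction = "s3:CreateBucket"

	// DeleteBucketAction - DeleteBucket Rest API action.
	DeleteBucketAction = "s3:DeleteBucket"

	// ForceDeleteBucketAction - DeleteBucket Rest API action when x-minio-force-delete flag
	// is specified.
	ForceDeleteBucketAction = "s3:ForceDeleteBucket"

	// DeleteBucketPolicyAction - DeleteBucketPolicy Rest API action.
	DeleteBucketPolicyAction = "s3:DeleteBucketPolicy"

	// DeleteBucketCorsAction - DeleteBucketCors Rest API action.
	DeleteBucketCorsAction = "s3:DeleteBucketCors"

	// DeleteObjectAction - DeleteObject Rest API action.
	DeleteObjectAction = "s3:DeleteObject"

	// GetBucketLocationAction - GetBucketLocation Rest API action.
	GetBucketLocationAction = "s3:GetBucketLocation"

	// GetBucketNotificationAction - GetBucketNotification Rest API action.
	GetBucketNotificationAction = "s3:GetBucketNotification"

	// GetBucketPolicyAction - GetBucketPolicy Rest API action.
	GetBucketPolicyAction = "s3:GetBucketPolicy"

	// GetBucketCorsAction - GetBucketCors Rest API action.
	GetBucketCorsAction = "s3:GetBucketCors"

	// GetObjectAction - GetObject Rest API action.
	GetObjectAction = "s3:GetObject"

	// GetObjectAttributesAction - GetObjectAttributes Rest API action
	// (the versioned variant is GetObjectVersionAttributesAction below).
	GetObjectAttributesAction = "s3:GetObjectAttributes"

	// HeadBucketAction - HeadBucket Rest API action. This action is unused in minio.
	HeadBucketAction = "s3:HeadBucket"

	// ListAllMyBucketsAction - ListAllMyBuckets (List buckets) Rest API action.
	ListAllMyBucketsAction = "s3:ListAllMyBuckets"

	// ListBucketAction - ListBucket Rest API action.
	ListBucketAction = "s3:ListBucket"

	// GetBucketPolicyStatusAction - Retrieves the policy status for a bucket.
	GetBucketPolicyStatusAction = "s3:GetBucketPolicyStatus"

	// ListBucketVersionsAction - ListBucketVersions Rest API action.
	ListBucketVersionsAction = "s3:ListBucketVersions"

	// ListBucketMultipartUploadsAction - ListMultipartUploads Rest API action.
	ListBucketMultipartUploadsAction = "s3:ListBucketMultipartUploads"

	// ListenNotificationAction - ListenNotification Rest API action.
	// This is MinIO extension.
	ListenNotificationAction = "s3:ListenNotification"

	// ListenBucketNotificationAction - ListenBucketNotification Rest API action.
	// This is MinIO extension.
	ListenBucketNotificationAction = "s3:ListenBucketNotification"

	// ListMultipartUploadPartsAction - ListParts Rest API action.
	ListMultipartUploadPartsAction = "s3:ListMultipartUploadParts"

	// PutBucketLifecycleAction - PutBucketLifecycle Rest API action.
	// Note the wire value is "s3:PutLifecycleConfiguration", not "s3:PutBucketLifecycle".
	PutBucketLifecycleAction = "s3:PutLifecycleConfiguration"

	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
	// Note the wire value is "s3:GetLifecycleConfiguration", not "s3:GetBucketLifecycle".
	GetBucketLifecycleAction = "s3:GetLifecycleConfiguration"

	// PutBucketNotificationAction - PutBucketNotification Rest API action.
	PutBucketNotificationAction = "s3:PutBucketNotification"

	// PutBucketPolicyAction - PutBucketPolicy Rest API action.
	PutBucketPolicyAction = "s3:PutBucketPolicy"

	// PutBucketCorsAction - PutBucketCors Rest API action.
	PutBucketCorsAction = "s3:PutBucketCors"

	// PutBucketQOSAction - allow set QOS configuration.
	PutBucketQOSAction = "s3:PutBucketQOS"

	// GetBucketQOSAction - allow get QOS configuration.
	GetBucketQOSAction = "s3:GetBucketQOS"

	// PutObjectAction - PutObject Rest API action.
	PutObjectAction = "s3:PutObject"

	// DeleteObjectVersionAction - DeleteObjectVersion Rest API action.
	DeleteObjectVersionAction = "s3:DeleteObjectVersion"

	// DeleteObjectVersionTaggingAction - DeleteObjectVersionTagging Rest API action.
	DeleteObjectVersionTaggingAction = "s3:DeleteObjectVersionTagging"

	// GetObjectVersionAction - GetObjectVersion Rest API action.
	GetObjectVersionAction = "s3:GetObjectVersion"

	// GetObjectVersionAttributesAction - GetObjectVersionAttributes Rest API action.
	GetObjectVersionAttributesAction = "s3:GetObjectVersionAttributes"

	// GetObjectVersionTaggingAction - GetObjectVersionTagging Rest API action.
	GetObjectVersionTaggingAction = "s3:GetObjectVersionTagging"

	// PutObjectVersionTaggingAction - PutObjectVersionTagging Rest API action.
	PutObjectVersionTaggingAction = "s3:PutObjectVersionTagging"

	// BypassGovernanceRetentionAction - bypass governance retention for
	// PutObjectRetention, PutObject and DeleteObject Rest API action.
	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"

	// PutObjectRetentionAction - PutObjectRetention Rest API action.
	PutObjectRetentionAction = "s3:PutObjectRetention"

	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
	GetObjectRetentionAction = "s3:GetObjectRetention"

	// GetObjectLegalHoldAction - GetObjectLegalHold, GetObject Rest API action.
	GetObjectLegalHoldAction = "s3:GetObjectLegalHold"

	// PutObjectLegalHoldAction - PutObjectLegalHold, PutObject Rest API action.
	PutObjectLegalHoldAction = "s3:PutObjectLegalHold"

	// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action.
	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"

	// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action.
	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"

	// GetBucketTaggingAction - GetBucketTagging Rest API action.
	GetBucketTaggingAction = "s3:GetBucketTagging"

	// PutBucketTaggingAction - PutBucketTagging Rest API action.
	PutBucketTaggingAction = "s3:PutBucketTagging"

	// GetObjectTaggingAction - Get Object Tags API action.
	GetObjectTaggingAction = "s3:GetObjectTagging"

	// PutObjectTaggingAction - Put Object Tags API action.
	PutObjectTaggingAction = "s3:PutObjectTagging"

	// DeleteObjectTaggingAction - Delete Object Tags API action.
	DeleteObjectTaggingAction = "s3:DeleteObjectTagging"

	// UpdateObjectEncryptionAction - UpdateObjectEncryption REST API action.
	UpdateObjectEncryptionAction = "s3:UpdateObjectEncryption"

	// PutBucketEncryptionAction - PutBucketEncryption REST API action.
	// Note the wire value is "s3:PutEncryptionConfiguration".
	PutBucketEncryptionAction = "s3:PutEncryptionConfiguration"

	// GetBucketEncryptionAction - GetBucketEncryption REST API action.
	// Note the wire value is "s3:GetEncryptionConfiguration".
	GetBucketEncryptionAction = "s3:GetEncryptionConfiguration"

	// PutBucketVersioningAction - PutBucketVersioning REST API action.
	PutBucketVersioningAction = "s3:PutBucketVersioning"

	// GetBucketVersioningAction - GetBucketVersioning REST API action.
	GetBucketVersioningAction = "s3:GetBucketVersioning"

	// GetReplicationConfigurationAction - GetReplicationConfiguration REST API action.
	GetReplicationConfigurationAction = "s3:GetReplicationConfiguration"

	// PutReplicationConfigurationAction - PutReplicationConfiguration REST API action.
	PutReplicationConfigurationAction = "s3:PutReplicationConfiguration"

	// ReplicateObjectAction - ReplicateObject REST API action.
	ReplicateObjectAction = "s3:ReplicateObject"

	// ReplicateDeleteAction - ReplicateDelete REST API action.
	ReplicateDeleteAction = "s3:ReplicateDelete"

	// ReplicateTagsAction - ReplicateTags REST API action.
	ReplicateTagsAction = "s3:ReplicateTags"

	// GetObjectVersionForReplicationAction - GetObjectVersionForReplication REST API action.
	GetObjectVersionForReplicationAction = "s3:GetObjectVersionForReplication"

	// RestoreObjectAction - RestoreObject REST API action.
	RestoreObjectAction = "s3:RestoreObject"

	// ResetBucketReplicationStateAction - MinIO extension API ResetBucketReplicationState
	// to reset replication state on a bucket.
	ResetBucketReplicationStateAction = "s3:ResetBucketReplicationState"

	// PutObjectFanOutAction - PutObject like API action but allows PostUpload() fan-out.
	PutObjectFanOutAction = "s3:PutObjectFanOut"

	// PutInventoryConfigurationAction - Bucket inventory write operations actions.
	PutInventoryConfigurationAction = "s3:PutInventoryConfiguration"

	// GetInventoryConfigurationAction - Bucket inventory read operations actions.
	GetInventoryConfigurationAction = "s3:GetInventoryConfiguration"

	// CreateSessionAction - S3Express REST API action. Note the "s3express:"
	// prefix: this is the only entry in the block outside the "s3:" namespace.
	CreateSessionAction = "s3express:CreateSession"

	// AllActions - all API actions. This is the "s3:*" wildcard; a policy that
	// grants it grants every action in this block, so it deserves the same
	// review as an explicit full-access grant.
	AllActions = "s3:*"
)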
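// Admin API actions recognised in policy statements. All entries are untyped
// string constants in the "admin:" namespace; a policy statement refers to
// them by the string value, which in a few cases (HealthInfoAdminAction,
// TopLocksAdminAction, TraceAdminAction, AttachPolicyAdminAction) differs
// from what the constant name suggests.
const (
	// HealAdminAction - allows heal command.
	HealAdminAction = "admin:Heal"

	// DecommissionAdminAction - allows decommissioning of pools.
	DecommissionAdminAction = "admin:Decommission"

	// RebalanceAdminAction - allows rebalancing of pools.
	RebalanceAdminAction = "admin:Rebalance"

	// StorageInfoAdminAction - allow listing server info.
	StorageInfoAdminAction = "admin:StorageInfo"

	// PrometheusAdminAction - prometheus info action.
	PrometheusAdminAction = "admin:Prometheus"

	// DataUsageInfoAdminAction - allow listing data usage info.
	DataUsageInfoAdminAction = "admin:DataUsageInfo"

	// ForceUnlockAdminAction - allow force unlocking locks.
	ForceUnlockAdminAction = "admin:ForceUnlock"

	// TopLocksAdminAction - allow listing top locks.
	// Note the wire value is "admin:TopLocksInfo".
	TopLocksAdminAction = "admin:TopLocksInfo"

	// ProfilingAdminAction - allow profiling.
	ProfilingAdminAction = "admin:Profiling"

	// TraceAdminAction - allow listing server trace.
	// Note the wire value is "admin:ServerTrace".
	TraceAdminAction = "admin:ServerTrace"

	// ConsoleLogAdminAction - allow listing console logs on terminal.
	ConsoleLogAdminAction = "admin:ConsoleLog"

	// KMSEnableAdminAction - allow enabling the builtin KMS.
	KMSEnableAdminAction = "admin:KMSEnable"

	// KMSBackupAdminAction - allow backing up builtin KMS keys.
	KMSBackupAdminAction = "admin:KMSBackup"

	// KMSRestoreAdminAction - allow restoring builtin KMS keys.
	KMSRestoreAdminAction = "admin:KMSRestore"

	// KMSCreateKeyAdminAction - allow creating a new KMS master key.
	KMSCreateKeyAdminAction = "admin:KMSCreateKey"

	// KMSKeyStatusAdminAction - allow getting KMS key status.
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"

	// KMSKeyRotateAdminAction - allow rotating KMS keys.
	KMSKeyRotateAdminAction = "admin:KMSKeyRotate"

	// ServerInfoAdminAction - allow listing server info.
	ServerInfoAdminAction = "admin:ServerInfo"

	// HealthInfoAdminAction - allow obtaining cluster health information.
	// Note the wire value is "admin:OBDInfo", not "admin:HealthInfo".
	HealthInfoAdminAction = "admin:OBDInfo"

	// LicenseInfoAdminAction - allow obtaining license information.
	LicenseInfoAdminAction = "admin:LicenseInfo"

	// BandwidthMonitorAction - allow monitoring bandwidth usage.
	BandwidthMonitorAction = "admin:BandwidthMonitor"

	// InspectDataAction - allows downloading raw files from backend.
	InspectDataAction = "admin:InspectData"

	// ServerUpdateAdminAction - allow MinIO binary update.
	ServerUpdateAdminAction = "admin:ServerUpdate"

	// ServiceRestartAdminAction - allow restart of MinIO service.
	ServiceRestartAdminAction = "admin:ServiceRestart"

	// ServiceStopAdminAction - allow stopping MinIO service.
	ServiceStopAdminAction = "admin:ServiceStop"

	// ServiceFreezeAdminAction - allow freeze/unfreeze MinIO service.
	ServiceFreezeAdminAction = "admin:ServiceFreeze"

	// ServiceCordonAdminAction - allow cordon/uncordon MinIO service.
	ServiceCordonAdminAction = "admin:ServiceCordon"

	// ConfigUpdateAdminAction - allow MinIO config management.
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// CreateUserAdminAction - allow creating MinIO user.
	CreateUserAdminAction = "admin:CreateUser"

	// DeleteUserAdminAction - allow deleting MinIO user.
	DeleteUserAdminAction = "admin:DeleteUser"

	// ListUsersAdminAction - allow list users permission.
	ListUsersAdminAction = "admin:ListUsers"

	// EnableUserAdminAction - allow enable user permission.
	EnableUserAdminAction = "admin:EnableUser"

	// DisableUserAdminAction - allow disable user permission.
	DisableUserAdminAction = "admin:DisableUser"

	// GetUserAdminAction - allows GET permission on user info.
	GetUserAdminAction = "admin:GetUser"

	// ChangeMyPasswordAdminAction - allow changing own password.
	ChangeMyPasswordAdminAction = "admin:ChangeMyPassword"

	// SiteReplicationAddAction - allow adding clusters for site-level replication.
	SiteReplicationAddAction = "admin:SiteReplicationAdd"

	// SiteReplicationDisableAction - allow disabling a cluster from replication.
	SiteReplicationDisableAction = "admin:SiteReplicationDisable"

	// SiteReplicationRemoveAction - allow removing a cluster from replication.
	SiteReplicationRemoveAction = "admin:SiteReplicationRemove"

	// SiteReplicationResyncAction - allow resyncing cluster data to another site.
	SiteReplicationResyncAction = "admin:SiteReplicationResync"

	// SiteReplicationInfoAction - allow getting site replication info.
	SiteReplicationInfoAction = "admin:SiteReplicationInfo"

	// SiteReplicationOperationAction - allow performing site replication
	// create/update/delete operations to peers.
	SiteReplicationOperationAction = "admin:SiteReplicationOperation"

	// TablesReplicationAddAction - allow adding tables replication targets.
	TablesReplicationAddAction = "admin:TablesReplicationAdd"

	// TablesReplicationRemoveAction - allow removing tables replication targets.
	TablesReplicationRemoveAction = "admin:TablesReplicationRemove"

	// TablesReplicationInfoAction - allow getting tables replication info/status.
	TablesReplicationInfoAction = "admin:TablesReplicationInfo"

	// TablesReplicationStartFailoverAction - allow starting tables replication failover.
	TablesReplicationStartFailoverAction = "admin:TablesReplicationStartFailover"

	// CreateServiceAccountAdminAction - allow create a service account for a user.
	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"

	// UpdateServiceAccountAdminAction - allow updating a service account.
	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"

	// RemoveServiceAccountAdminAction - allow removing a service account.
	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"

	// ListServiceAccountsAdminAction - allow listing service accounts.
	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"

	// ListTemporaryAccountsAdminAction - allow listing of temporary accounts.
	ListTemporaryAccountsAdminAction = "admin:ListTemporaryAccounts"

	// AddUserToGroupAdminAction - allow adding a user to a group.
	AddUserToGroupAdminAction = "admin:AddUserToGroup"

	// RemoveUserFromGroupAdminAction - allow removing a user from a group.
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"

	// GetGroupAdminAction - allow getting group info.
	GetGroupAdminAction = "admin:GetGroup"

	// ListGroupsAdminAction - allow list groups permission.
	ListGroupsAdminAction = "admin:ListGroups"

	// EnableGroupAdminAction - allow enable group permission.
	EnableGroupAdminAction = "admin:EnableGroup"

	// DisableGroupAdminAction - allow disable group permission.
	DisableGroupAdminAction = "admin:DisableGroup"

	// CreatePolicyAdminAction - allow create policy permission.
	CreatePolicyAdminAction = "admin:CreatePolicy"

	// DeletePolicyAdminAction - allow delete policy permission.
	DeletePolicyAdminAction = "admin:DeletePolicy"

	// GetPolicyAdminAction - allow get policy permission.
	GetPolicyAdminAction = "admin:GetPolicy"

	// AttachPolicyAdminAction - allows attaching a policy to a user/group.
	// Note the wire value is "admin:AttachUserOrGroupPolicy".
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"

	// UpdatePolicyAssociationAction - allows to add/remove policy association
	// on a user or group.
	UpdatePolicyAssociationAction = "admin:UpdatePolicyAssociation"

	// ListUserPoliciesAdminAction - allows listing user policies.
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// SetBucketQuotaAdminAction - allow setting bucket quota.
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"

	// GetBucketQuotaAdminAction - allow getting bucket quota.
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"

	// SetBucketTargetAction - allow setting bucket target.
	SetBucketTargetAction = "admin:SetBucketTarget"

	// GetBucketTargetAction - allow getting bucket targets.
	GetBucketTargetAction = "admin:GetBucketTarget"

	// ReplicationDiff - allow computing the unreplicated objects in a bucket.
	// (Name lacks the usual "Action" suffix; kept for compatibility.)
	ReplicationDiff = "admin:ReplicationDiff"

	// ImportBucketMetadataAction - allow importing bucket metadata.
	ImportBucketMetadataAction = "admin:ImportBucketMetadata"

	// ExportBucketMetadataAction - allow exporting bucket metadata.
	ExportBucketMetadataAction = "admin:ExportBucketMetadata"

	// SetTierAction - allow adding/editing a remote tier.
	SetTierAction = "admin:SetTier"

	// ListTierAction - allow listing remote tiers.
	ListTierAction = "admin:ListTier"

	// ExportIAMAction - allow exporting of all IAM info.
	ExportIAMAction = "admin:ExportIAM"

	// ImportIAMAction - allow importing IAM info to MinIO.
	ImportIAMAction = "admin:ImportIAM"

	// ListBatchJobsAction - allow listing current active jobs.
	ListBatchJobsAction = "admin:ListBatchJobs"

	// DescribeBatchJobAction - allow getting batch job YAML.
	DescribeBatchJobAction = "admin:DescribeBatchJob"

	// StartBatchJobAction - allow submitting a batch job.
	StartBatchJobAction = "admin:StartBatchJob"

	// CancelBatchJobAction - allow canceling a batch job.
	CancelBatchJobAction = "admin:CancelBatchJob"

	// GenerateBatchJobAction - allow requesting batch job templates.
	GenerateBatchJobAction = "admin:GenerateBatchJob"

	// InventoryControlAction - allows control of inventory jobs.
	InventoryControlAction = "admin:InventoryControl"

	// ClusterInfoAction - allow cluster summary.
	ClusterInfoAction = "admin:ClusterInfo"

	// PoolListAction - allow list how many pools and summary per pool.
	PoolListAction = "admin:PoolList"

	// PoolInfoAction - allow pool specific summary and detail information.
	PoolInfoAction = "admin:PoolInfo"

	// NodeListAction - allow listing of nodes.
	NodeListAction = "admin:NodeList"

	// NodeInfoAction - allow node specific summary and detailed information.
	NodeInfoAction = "admin:NodeInfo"

	// SetInfoAction - allow set specific summary and detail.
	SetInfoAction = "admin:SetInfo"

	// DriveListAction - allow listing of drives.
	DriveListAction = "admin:DriveList"

	// DriveInfoAction - allow drive specific summary and detail.
	DriveInfoAction = "admin:DriveInfo"

	// DeltaSharingAdminAction - allow managing Delta Sharing shares and tokens.
	DeltaSharingAdminAction = "admin:DeltaSharing"

	// DeltaSharingCreateShareAction - allow creating a Delta Sharing share.
	DeltaSharingCreateShareAction = "admin:DeltaSharingCreateShare"

	// DeltaSharingDeleteShareAction - allow deleting a Delta Sharing share.
	DeltaSharingDeleteShareAction = "admin:DeltaSharingDeleteShare"

	// DeltaSharingListSharesAction - allow listing Delta Sharing shares.
	DeltaSharingListSharesAction = "admin:DeltaSharingListShares"

	// DeltaSharingGetShareAction - allow getting a Delta Sharing share.
	DeltaSharingGetShareAction = "admin:DeltaSharingGetShare"

	// DeltaSharingUpdateShareAction - allow updating a Delta Sharing share.
	DeltaSharingUpdateShareAction = "admin:DeltaSharingUpdateShare"

	// DeltaSharingCreateTokenAction - allow creating Delta Sharing tokens.
	DeltaSharingCreateTokenAction = "admin:DeltaSharingCreateToken"

	// DeltaSharingDeleteTokenAction - allow deleting Delta Sharing tokens.
	DeltaSharingDeleteTokenAction = "admin:DeltaSharingDeleteToken"

	// DeltaSharingListTokensAction - allow listing Delta Sharing tokens.
	DeltaSharingListTokensAction = "admin:DeltaSharingListTokens"

	// ReadAlertsAction - allow reading stored alerts.
	ReadAlertsAction = "admin:ReadAlerts"

	// ReadAPILogsAction - allow reading stored API logs.
	ReadAPILogsAction = "admin:ReadAPILogs"

	// ReadErrorLogsAction - allow reading stored error logs.
	ReadErrorLogsAction = "admin:ReadErrorLogs"

	// ReadAuditLogsAction - allow reading stored audit logs.
	ReadAuditLogsAction = "admin:ReadAuditLogs"

	// AllAdminActions - provides all admin permissions. This is the "admin:*"
	// wildcard: it covers every entry in this block, including user, policy and
	// service-account management, so a grant of it is a full administrative grant.
	AllAdminActions = "admin:*"
)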
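// Policy claim constants: the claim keys under which policy information is
// carried in a claims map (see GetPoliciesFromClaims, which takes the claim
// name as its second argument).
const (
	// PolicyName - claim key naming the policy (or policies) attached to the identity.
	PolicyName = "policy"

	// SessionPolicyName - claim key carrying an embedded session policy.
	SessionPolicyName = "sessionPolicy"
)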
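// KMS API actions recognised in policy statements. All entries are untyped
// string constants in the "kms:" namespace.
const (
	// KMSCreateKeyAction - allow creating a new KMS master key.
	KMSCreateKeyAction = "kms:CreateKey"

	// KMSDeleteKeyAction - allow deleting a KMS master key.
	KMSDeleteKeyAction = "kms:DeleteKey"

	// KMSListKeysAction - allow getting list of KMS keys.
	KMSListKeysAction = "kms:ListKeys"

	// KMSImportKeyAction - allow importing KMS key.
	KMSImportKeyAction = "kms:ImportKey"

	// KMSDescribePolicyAction - allow getting KMS policy.
	KMSDescribePolicyAction = "kms:DescribePolicy"

	// KMSAssignPolicyAction - allow assigning an identity to a KMS policy.
	KMSAssignPolicyAction = "kms:AssignPolicy"

	// KMSDeletePolicyAction - allow deleting a policy.
	KMSDeletePolicyAction = "kms:DeletePolicy"

	// KMSSetPolicyAction - allow creating or updating a policy.
	KMSSetPolicyAction = "kms:SetPolicy"

	// KMSGetPolicyAction - allow getting a policy.
	KMSGetPolicyAction = "kms:GetPolicy"

	// KMSListPoliciesAction - allow getting list of KMS policies.
	KMSListPoliciesAction = "kms:ListPolicies"

	// KMSDescribeIdentityAction - allow getting KMS identity.
	KMSDescribeIdentityAction = "kms:DescribeIdentity"

	// KMSDescribeSelfIdentityAction - allow getting self KMS identity.
	KMSDescribeSelfIdentityAction = "kms:DescribeSelfIdentity"

	// KMSDeleteIdentityAction - allow deleting a KMS identity.
	KMSDeleteIdentityAction = "kms:DeleteIdentity"

	// KMSListIdentitiesAction - allow getting list of KMS identities.
	KMSListIdentitiesAction = "kms:ListIdentities"

	// KMSKeyStatusAction - allow getting KMS key status.
	KMSKeyStatusAction = "kms:KeyStatus"

	// KMSStatusAction - allow getting KMS status.
	KMSStatusAction = "kms:Status"

	// KMSAPIAction - allow getting a list of supported API endpoints.
	KMSAPIAction = "kms:API"

	// KMSMetricsAction - allow getting server metrics in the Prometheus exposition format.
	KMSMetricsAction = "kms:Metrics"

	// KMSVersionAction - allow getting version information.
	KMSVersionAction = "kms:Version"

	// KMSAuditLogAction - subscribes to the audit log.
	KMSAuditLogAction = "kms:AuditLog"

	// KMSErrorLogAction - subscribes to the error log.
	KMSErrorLogAction = "kms:ErrorLog"

	// AllKMSActions - provides all KMS permissions. This is the "kms:*"
	// wildcard and covers key, policy and identity management alike.
	AllKMSActions = "kms:*"
)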
// ARN prefixes that introduce the resource families a policy statement can name.
const (
	// ResourceARNPrefix - resource S3 ARN prefix as per S3 specification.
	ResourceARNPrefix = "arn:aws:s3:::"

	// ResourceARNS3TablesPrefix - resource prefix for Amazon S3 Tables resources.
	ResourceARNS3TablesPrefix = "arn:aws:s3tables:::"

	// ResourceARNKMSPrefix - resource prefix for KMS key resources (MinIO specific API).
	ResourceARNKMSPrefix = "arn:minio:kms:::"
)
// STS actions recognised in policy statements. Each can be allowed or denied
// under specific conditions; AllSTSActions is the "sts:*" wildcard.
const (
	// AssumeRoleAction - use to deny or allow sts:AssumeRole action under specific conditions.
	AssumeRoleAction = "sts:AssumeRole"

	// AssumeRoleLDAPIdentityAction - use to deny or allow sts:AssumeRoleLDAPIdentity action under specific conditions.
	AssumeRoleLDAPIdentityAction = "sts:AssumeRoleLDAPIdentity"

	// AssumeRoleWithCustomTokenAction - use to deny or allow sts:AssumeRoleWithCustomToken action under specific conditions.
	AssumeRoleWithCustomTokenAction = "sts:AssumeRoleWithCustomToken"

	// AssumeRoleWithWebIdentityAction - use to deny or allow sts:AssumeRoleWithWebIdentity action under specific conditions.
	AssumeRoleWithWebIdentityAction = "sts:AssumeRoleWithWebIdentity"

	// AssumeRoleWithClientGrantsAction - use to deny or allow sts:AssumeRoleWithClientGrants action under specific conditions.
	AssumeRoleWithClientGrantsAction = "sts:AssumeRoleWithClientGrants"

	// AssumeRoleWithClientCertificateAction - use to deny or allow sts:AssumeRoleWithClientCertificate action under specific conditions.
	AssumeRoleWithClientCertificateAction = "sts:AssumeRoleWithClientCertificate"

	// AllSTSActions - select all STS actions.
	AllSTSActions = "sts:*"
)
const (
	// Namespace and table operations that mirror the AWS S3 Tables API.

	// S3TablesCreateNamespaceAction maps to the AWS `CreateNamespace` S3 Tables action.
	S3TablesCreateNamespaceAction = "s3tables:CreateNamespace"
	// S3TablesCreateTableAction maps to the AWS `CreateTable` S3 Tables action.
	S3TablesCreateTableAction = "s3tables:CreateTable"
	// S3TablesDeleteNamespaceAction maps to the AWS `DeleteNamespace` S3 Tables action.
	S3TablesDeleteNamespaceAction = "s3tables:DeleteNamespace"
	// S3TablesDeleteTableAction maps to the AWS `DeleteTable` S3 Tables action.
	S3TablesDeleteTableAction = "s3tables:DeleteTable"
	// S3TablesDeleteTablePolicyAction maps to the AWS `DeleteTablePolicy` S3 Tables action.
	S3TablesDeleteTablePolicyAction = "s3tables:DeleteTablePolicy"
	// S3TablesGetNamespaceAction maps to the AWS `GetNamespace` S3 Tables action.
	S3TablesGetNamespaceAction = "s3tables:GetNamespace"
	// S3TablesGetTableAction maps to the AWS `GetTable` S3 Tables action.
	S3TablesGetTableAction = "s3tables:GetTable"
	// S3TablesGetTableDataAction maps to the AWS `GetTableData` S3 Tables action.
	S3TablesGetTableDataAction = "s3tables:GetTableData"
	// S3TablesGetTableEncryptionAction maps to the AWS `GetTableEncryption` S3 Tables action.
	S3TablesGetTableEncryptionAction = "s3tables:GetTableEncryption"
	// S3TablesGetTableMaintenanceConfigurationAction maps to the AWS `GetTableMaintenanceConfiguration` S3 Tables action.
	S3TablesGetTableMaintenanceConfigurationAction = "s3tables:GetTableMaintenanceConfiguration"
	// S3TablesGetTableMaintenanceJobStatusAction maps to the AWS `GetTableMaintenanceJobStatus` S3 Tables action.
	S3TablesGetTableMaintenanceJobStatusAction = "s3tables:GetTableMaintenanceJobStatus"
	// S3TablesGetTableMetadataLocationAction maps to the AWS `GetTableMetadataLocation` S3 Tables action.
	S3TablesGetTableMetadataLocationAction = "s3tables:GetTableMetadataLocation"
	// S3TablesGetTablePolicyAction maps to the AWS `GetTablePolicy` S3 Tables action.
	S3TablesGetTablePolicyAction = "s3tables:GetTablePolicy"
	// S3TablesListNamespacesAction maps to the AWS `ListNamespaces` S3 Tables action.
	S3TablesListNamespacesAction = "s3tables:ListNamespaces"
	// S3TablesListTablesAction maps to the AWS `ListTables` S3 Tables action.
	S3TablesListTablesAction = "s3tables:ListTables"
	// S3TablesPutTableDataAction maps to the AWS `PutTableData` S3 Tables action.
	S3TablesPutTableDataAction = "s3tables:PutTableData"
	// S3TablesPutTableEncryptionAction maps to the AWS `PutTableEncryption` S3 Tables action.
	S3TablesPutTableEncryptionAction = "s3tables:PutTableEncryption"
	// S3TablesPutTableMaintenanceConfigurationAction maps to the AWS `PutTableMaintenanceConfiguration` S3 Tables action.
	S3TablesPutTableMaintenanceConfigurationAction = "s3tables:PutTableMaintenanceConfiguration"
	// S3TablesPutTablePolicyAction maps to the AWS `PutTablePolicy` S3 Tables action.
	S3TablesPutTablePolicyAction = "s3tables:PutTablePolicy"
	// S3TablesRegisterTableAction maps to the AWS `RegisterTable` S3 Tables action.
	S3TablesRegisterTableAction = "s3tables:RegisterTable"
	// S3TablesRenameTableAction maps to the AWS `RenameTable` S3 Tables action.
	S3TablesRenameTableAction = "s3tables:RenameTable"
	// S3TablesUpdateTableMetadataLocationAction maps to the AWS `UpdateTableMetadataLocation` S3 Tables action.
	S3TablesUpdateTableMetadataLocationAction = "s3tables:UpdateTableMetadataLocation"

	// Warehouse operations. Each MinIO "Warehouse" action is paired with the
	// AWS "TableBucket" action it corresponds to; the Warehouse form is the
	// preferred spelling and the TableBucket form is kept for compatibility.
	// Both spellings are distinct action strings, so a policy granting one
	// does not grant the other.

	// S3TablesCreateWarehouseAction is a MinIO extension for Iceberg warehouse provisioning.
	S3TablesCreateWarehouseAction = "s3tables:CreateWarehouse"
	// S3TablesCreateTableBucketAction maps to the AWS `CreateTableBucket` S3 Tables action.
	// Prefer S3TablesCreateWarehouseAction.
	S3TablesCreateTableBucketAction = "s3tables:CreateTableBucket"
	// S3TablesDeleteWarehouseAction is a MinIO extension for deleting Iceberg warehouses.
	S3TablesDeleteWarehouseAction = "s3tables:DeleteWarehouse"
	// S3TablesDeleteTableBucketAction maps to the AWS `DeleteTableBucket` S3 Tables action.
	// Prefer S3TablesDeleteWarehouseAction.
	S3TablesDeleteTableBucketAction = "s3tables:DeleteTableBucket"
	// S3TablesDeleteWarehouseEncryptionAction is a MinIO extension for deleting warehouse encryption configuration.
	S3TablesDeleteWarehouseEncryptionAction = "s3tables:DeleteWarehouseEncryption"
	// S3TablesDeleteTableBucketEncryptionAction maps to the AWS `DeleteTableBucketEncryption` S3 Tables action.
	// Prefer S3TablesDeleteWarehouseEncryptionAction.
	S3TablesDeleteTableBucketEncryptionAction = "s3tables:DeleteTableBucketEncryption"
	// S3TablesDeleteWarehousePolicyAction is a MinIO extension for deleting warehouse policies.
	S3TablesDeleteWarehousePolicyAction = "s3tables:DeleteWarehousePolicy"
	// S3TablesDeleteTableBucketPolicyAction maps to the AWS `DeleteTableBucketPolicy` S3 Tables action.
	// Prefer S3TablesDeleteWarehousePolicyAction.
	S3TablesDeleteTableBucketPolicyAction = "s3tables:DeleteTableBucketPolicy"
	// S3TablesGetWarehouseAction is a MinIO extension for retrieving warehouse details.
	S3TablesGetWarehouseAction = "s3tables:GetWarehouse"
	// S3TablesGetTableBucketAction maps to the AWS `GetTableBucket` S3 Tables action.
	// Prefer S3TablesGetWarehouseAction.
	S3TablesGetTableBucketAction = "s3tables:GetTableBucket"
	// S3TablesGetWarehouseEncryptionAction is a MinIO extension for retrieving warehouse encryption configuration.
	S3TablesGetWarehouseEncryptionAction = "s3tables:GetWarehouseEncryption"
	// S3TablesGetTableBucketEncryptionAction maps to the AWS `GetTableBucketEncryption` S3 Tables action.
	// Prefer S3TablesGetWarehouseEncryptionAction.
	S3TablesGetTableBucketEncryptionAction = "s3tables:GetTableBucketEncryption"
	// S3TablesGetWarehouseMaintenanceConfigurationAction is a MinIO extension for retrieving warehouse maintenance configuration.
	S3TablesGetWarehouseMaintenanceConfigurationAction = "s3tables:GetWarehouseMaintenanceConfiguration"
	// S3TablesGetTableBucketMaintenanceConfigurationAction maps to the AWS `GetTableBucketMaintenanceConfiguration` S3 Tables action.
	// Prefer S3TablesGetWarehouseMaintenanceConfigurationAction.
	S3TablesGetTableBucketMaintenanceConfigurationAction = "s3tables:GetTableBucketMaintenanceConfiguration"
	// S3TablesGetWarehousePolicyAction is a MinIO extension for retrieving warehouse policies.
	S3TablesGetWarehousePolicyAction = "s3tables:GetWarehousePolicy"
	// S3TablesGetTableBucketPolicyAction maps to the AWS `GetTableBucketPolicy` S3 Tables action.
	// Prefer S3TablesGetWarehousePolicyAction.
	S3TablesGetTableBucketPolicyAction = "s3tables:GetTableBucketPolicy"
	// S3TablesListWarehousesAction is a MinIO extension for listing Iceberg warehouses.
	S3TablesListWarehousesAction = "s3tables:ListWarehouses"
	// S3TablesListTableBucketsAction maps to the AWS `ListTableBuckets` S3 Tables action.
	// Prefer S3TablesListWarehousesAction.
	S3TablesListTableBucketsAction = "s3tables:ListTableBuckets"
	// S3TablesPutWarehouseEncryptionAction is a MinIO extension for setting warehouse encryption configuration.
	S3TablesPutWarehouseEncryptionAction = "s3tables:PutWarehouseEncryption"
	// S3TablesPutTableBucketEncryptionAction maps to the AWS `PutTableBucketEncryption` S3 Tables action.
	// Prefer S3TablesPutWarehouseEncryptionAction.
	S3TablesPutTableBucketEncryptionAction = "s3tables:PutTableBucketEncryption"
	// S3TablesPutWarehouseMaintenanceConfigurationAction is a MinIO extension for setting warehouse maintenance configuration.
	S3TablesPutWarehouseMaintenanceConfigurationAction = "s3tables:PutWarehouseMaintenanceConfiguration"
	// S3TablesPutTableBucketMaintenanceConfigurationAction maps to the AWS `PutTableBucketMaintenanceConfiguration` S3 Tables action.
	// Prefer S3TablesPutWarehouseMaintenanceConfigurationAction.
	S3TablesPutTableBucketMaintenanceConfigurationAction = "s3tables:PutTableBucketMaintenanceConfiguration"
	// S3TablesPutWarehousePolicyAction is a MinIO extension for setting warehouse policies.
	S3TablesPutWarehousePolicyAction = "s3tables:PutWarehousePolicy"
	// S3TablesPutTableBucketPolicyAction maps to the AWS `PutTableBucketPolicy` S3 Tables action.
	// Prefer S3TablesPutWarehousePolicyAction.
	S3TablesPutTableBucketPolicyAction = "s3tables:PutTableBucketPolicy"

	// MinIO-only catalog, table and view extensions.

	// S3TablesGetConfigAction is a MinIO extension for retrieving catalog configuration.
	S3TablesGetConfigAction = "s3tables:GetConfig"
	// S3TablesTableMetricsAction is a MinIO extension exposing table metrics.
	S3TablesTableMetricsAction = "s3tables:TableMetrics"
	// S3TablesUpdateTableAction is a MinIO extension for Iceberg-compatible table updates.
	S3TablesUpdateTableAction = "s3tables:UpdateTable"
	// S3TablesCreateViewAction is a MinIO extension for creating Iceberg views.
	S3TablesCreateViewAction = "s3tables:CreateView"
	// S3TablesDeleteViewAction is a MinIO extension for deleting Iceberg views.
	S3TablesDeleteViewAction = "s3tables:DeleteView"
	// S3TablesGetViewAction is a MinIO extension for retrieving Iceberg views.
	S3TablesGetViewAction = "s3tables:GetView"
	// S3TablesRenameViewAction is a MinIO extension for renaming Iceberg views.
	S3TablesRenameViewAction = "s3tables:RenameView"
	// S3TablesUpdateViewAction is a MinIO extension for updating Iceberg views.
	S3TablesUpdateViewAction = "s3tables:UpdateView"
	// S3TablesListViewsAction is a MinIO extension for listing Iceberg views.
	S3TablesListViewsAction = "s3tables:ListViews"
	// S3TablesRegisterViewAction is a MinIO extension for registering Iceberg views.
	S3TablesRegisterViewAction = "s3tables:RegisterView"
	// S3TablesUpdateNamespacePropertiesAction is a MinIO extension for updating namespace properties.
	S3TablesUpdateNamespacePropertiesAction = "s3tables:UpdateNamespaceProperties"

	// Tagging.

	// S3TablesTagResourceAction maps to the AWS `s3tables:TagResource` action.
	S3TablesTagResourceAction = "s3tables:TagResource"
	// S3TablesUntagResourceAction maps to the AWS `s3tables:UntagResource` action.
	S3TablesUntagResourceAction = "s3tables:UntagResource"
	// S3TablesListTagsForResourceAction maps to the AWS `s3tables:ListTagsForResource` action.
	S3TablesListTagsForResourceAction = "s3tables:ListTagsForResource"

	// AllS3TablesActions is the wildcard matching every S3 Tables action.
	AllS3TablesActions = "s3tables:*"
)
const (
	// NOTE(review): only the first constant in this block carries the
	// VectorsAction type; the rest are untyped string constants. Confirm
	// that is intentional before relying on the typed form elsewhere.

	// S3VectorsCreateVectorBucketAction maps to the AWS `CreateVectorBucket` S3 Vectors action.
	S3VectorsCreateVectorBucketAction VectorsAction = "s3vectors:CreateVectorBucket"
	// S3VectorsDeleteVectorBucketAction maps to the AWS `DeleteVectorBucket` S3 Vectors action.
	S3VectorsDeleteVectorBucketAction = "s3vectors:DeleteVectorBucket"
	// S3VectorsGetVectorBucketAction maps to the AWS `GetVectorBucket` S3 Vectors action.
	S3VectorsGetVectorBucketAction = "s3vectors:GetVectorBucket"
	// S3VectorsListVectorBucketsAction maps to the AWS `ListVectorBuckets` S3 Vectors action.
	S3VectorsListVectorBucketsAction = "s3vectors:ListVectorBuckets"

	// S3VectorsCreateIndexAction maps to the AWS `CreateIndex` S3 Vectors action.
	S3VectorsCreateIndexAction = "s3vectors:CreateIndex"
	// S3VectorsDeleteIndexAction maps to the AWS `DeleteIndex` S3 Vectors action.
	S3VectorsDeleteIndexAction = "s3vectors:DeleteIndex"
	// S3VectorsGetIndexAction maps to the AWS `GetIndex` S3 Vectors action.
	S3VectorsGetIndexAction = "s3vectors:GetIndex"
	// S3VectorsListIndexesAction maps to the AWS `ListIndexes` S3 Vectors action.
	S3VectorsListIndexesAction = "s3vectors:ListIndexes"

	// S3VectorsPutVectorsAction maps to the AWS `PutVectors` S3 Vectors action.
	S3VectorsPutVectorsAction = "s3vectors:PutVectors"
	// S3VectorsGetVectorsAction maps to the AWS `GetVectors` S3 Vectors action.
	S3VectorsGetVectorsAction = "s3vectors:GetVectors"
	// S3VectorsDeleteVectorsAction maps to the AWS `DeleteVectors` S3 Vectors action.
	S3VectorsDeleteVectorsAction = "s3vectors:DeleteVectors"
	// S3VectorsListVectorsAction maps to the AWS `ListVectors` S3 Vectors action.
	S3VectorsListVectorsAction = "s3vectors:ListVectors"
	// S3VectorsQueryVectorsAction maps to the AWS `QueryVectors` S3 Vectors action.
	S3VectorsQueryVectorsAction = "s3vectors:QueryVectors"

	// AllS3VectorsActions is the wildcard matching every S3 Vectors action.
	AllS3VectorsActions = "s3vectors:*"
)
const (
	// DefaultVersion is the policy document version emitted and accepted by
	// default, matching the AWS S3 policy specification.
	DefaultVersion = "2012-10-17"
)
DefaultVersion - default policy version as per AWS S3 specification.
Variables ¶
// ARNPrefixToType maps a resource ARN prefix string to its ResourceARNType.
// It is only declared here; it is populated elsewhere in the package
// (presumably as the inverse of ARNTypeToPrefix — confirm against the
// initializer before relying on that).
var ARNPrefixToType map[string]ResourceARNType
ARNPrefixToType maps prefix to types.
// ARNTypeToPrefix maps each ResourceARNType to the ARN prefix string that
// resources of that type are written with. ResourceARNAll maps to the bare
// wildcard "*" rather than to a prefix.
var ARNTypeToPrefix = map[ResourceARNType]string{
	ResourceARNS3:       ResourceARNPrefix,
	ResourceARNS3Tables: ResourceARNS3TablesPrefix,
	ResourceARNKMS:      ResourceARNKMSPrefix,
	ResourceARNAll:      "*",
}
ARNTypeToPrefix maps the type to prefix string
// AdminActionsWithResource is the set of admin actions that operate on a
// specific bucket resource. When a policy statement names one of these actions
// and also specifies a Resource, the resource is enforced against the target
// bucket; for every other admin action a Resource in the statement is ignored.
//
// Adding an action here therefore tightens enforcement for existing policies
// that already list it with a Resource, and removing one loosens it.
var AdminActionsWithResource = map[AdminAction]struct{}{
	// Bucket quota.
	SetBucketQuotaAdminAction: {},
	GetBucketQuotaAdminAction: {},
	// Bucket replication targets and diff.
	SetBucketTargetAction: {},
	GetBucketTargetAction: {},
	ReplicationDiff:       {},
	// Bucket metadata import/export.
	ImportBucketMetadataAction: {},
	ExportBucketMetadataAction: {},
	// Heal and inventory control.
	HealAdminAction:        {},
	InventoryControlAction: {},
}
AdminActionsWithResource enumerates the admin actions that operate on a specific bucket resource. When a policy statement contains one of these actions and also specifies a Resource, that resource is enforced against the target bucket. All other admin actions are resource-less: any Resource specified in the statement is ignored for them.
// DefaultPolicies is the list of canned policies that ship with MinIO, each
// exposed under its Name.
//
// In brief:
//   - readwrite, readonly, writeonly: plain S3 data-plane grants on "*";
//     readonly additionally carries an explicit Deny on CreateUserAdminAction.
//   - diagnostics, iamAdmin, infraAdmin, replicationAdmin, securityAuditAdmin:
//     scoped admin bundles.
//   - tablesAdmin, tablesReadWrite, tablesReadOnly: S3 Tables bundles.
//   - consoleAdmin: the broadest bundle (all admin, KMS, S3 and S3 Tables actions).
//
// The first four policies set no Conditions field at all; the rest set an
// empty condition.NewFunctions(). That difference is preserved on purpose.
var DefaultPolicies = []struct {
	Name       string
	Definition Policy
}{
	// readwrite: every S3 action on every resource.
	{
		Name: "readwrite",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(AllActions),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	// readonly: bucket location and object reads, plus an explicit Deny on
	// user creation so a stacked policy cannot grant it by accident.
	{
		Name: "readonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
				{
					SID:       ID(""),
					Effect:    Deny,
					Actions:   NewActionSet(CreateUserAdminAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	// writeonly: object uploads only.
	{
		Name: "writeonly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:       ID(""),
					Effect:    Allow,
					Actions:   NewActionSet(PutObjectAction),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	// diagnostics: profiling, tracing, logs and health/metrics endpoints.
	{
		Name: "diagnostics",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						ProfilingAdminAction,
						TraceAdminAction,
						ConsoleLogAdminAction,
						ServerInfoAdminAction,
						TopLocksAdminAction,
						HealthInfoAdminAction,
						BandwidthMonitorAction,
						PrometheusAdminAction,
					),
					Resources: NewResourceSet(NewResource("*")),
				},
			},
		},
	},
	// tablesAdmin: every S3 Tables action on every S3 Tables resource.
	{
		Name: "tablesAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllS3TablesActions),
					Resources:  NewResourceSet(NewS3TablesResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// iamAdmin: user, group, policy and service-account management, plus IAM
	// import/export. Resource-less.
	{
		Name: "iamAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						CreateUserAdminAction,
						DeleteUserAdminAction,
						ListUsersAdminAction,
						EnableUserAdminAction,
						DisableUserAdminAction,
						GetUserAdminAction,
						AddUserToGroupAdminAction,
						RemoveUserFromGroupAdminAction,
						GetGroupAdminAction,
						ListGroupsAdminAction,
						EnableGroupAdminAction,
						DisableGroupAdminAction,
						CreatePolicyAdminAction,
						DeletePolicyAdminAction,
						GetPolicyAdminAction,
						AttachPolicyAdminAction,
						UpdatePolicyAssociationAction,
						ListUserPoliciesAdminAction,
						CreateServiceAccountAdminAction,
						UpdateServiceAccountAdminAction,
						RemoveServiceAccountAdminAction,
						ListServiceAccountsAdminAction,
						ListTemporaryAccountsAdminAction,
						ExportIAMAction,
						ImportIAMAction,
					),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// infraAdmin: server lifecycle, configuration, healing, pools/nodes/drives,
	// tiering, quotas, batch jobs and bucket metadata. Resource-less.
	{
		Name: "infraAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						ServerUpdateAdminAction,
						ServiceRestartAdminAction,
						ServiceStopAdminAction,
						ServiceFreezeAdminAction,
						ServiceCordonAdminAction,
						ServerInfoAdminAction,
						StorageInfoAdminAction,
						ConfigUpdateAdminAction,
						HealAdminAction,
						ForceUnlockAdminAction,
						DecommissionAdminAction,
						RebalanceAdminAction,
						SetBucketQuotaAdminAction,
						GetBucketQuotaAdminAction,
						SetTierAction,
						ListTierAction,
						LicenseInfoAdminAction,
						DataUsageInfoAdminAction,
						ImportBucketMetadataAction,
						ExportBucketMetadataAction,
						StartBatchJobAction,
						ListBatchJobsAction,
						DescribeBatchJobAction,
						CancelBatchJobAction,
						GenerateBatchJobAction,
						InventoryControlAction,
						ClusterInfoAction,
						PoolListAction,
						PoolInfoAction,
						NodeListAction,
						NodeInfoAction,
						SetInfoAction,
						DriveListAction,
						DriveInfoAction,
					),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// tablesReadWrite: read everything in S3 Tables and create/update/rename/
	// register tables and views.
	// NOTE(review): the set includes S3TablesDeleteViewAction but no
	// DeleteTable/DeleteNamespace/DeleteWarehouse action — confirm the
	// asymmetry is intended.
	{
		Name: "tablesReadWrite",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						S3TablesGetWarehouseAction,
						S3TablesGetWarehouseEncryptionAction,
						S3TablesGetWarehouseMaintenanceConfigurationAction,
						S3TablesGetWarehousePolicyAction,
						S3TablesListWarehousesAction,
						S3TablesGetNamespaceAction,
						S3TablesListNamespacesAction,
						S3TablesUpdateNamespacePropertiesAction,
						S3TablesGetTableAction,
						S3TablesListTablesAction,
						S3TablesGetTableDataAction,
						S3TablesPutTableDataAction,
						S3TablesGetTableEncryptionAction,
						S3TablesGetTableMaintenanceConfigurationAction,
						S3TablesGetTableMaintenanceJobStatusAction,
						S3TablesGetTableMetadataLocationAction,
						S3TablesGetTablePolicyAction,
						S3TablesCreateTableAction,
						S3TablesUpdateTableAction,
						S3TablesUpdateTableMetadataLocationAction,
						S3TablesRenameTableAction,
						S3TablesRegisterTableAction,
						S3TablesGetViewAction,
						S3TablesListViewsAction,
						S3TablesCreateViewAction,
						S3TablesUpdateViewAction,
						S3TablesRenameViewAction,
						S3TablesDeleteViewAction,
						S3TablesRegisterViewAction,
						S3TablesGetConfigAction,
						S3TablesTableMetricsAction,
					),
					Resources:  NewResourceSet(NewS3TablesResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// tablesReadOnly: Get/List actions across warehouses, namespaces, tables
	// and views, plus catalog config and table metrics.
	{
		Name: "tablesReadOnly",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						S3TablesGetWarehouseAction,
						S3TablesGetWarehouseEncryptionAction,
						S3TablesGetWarehouseMaintenanceConfigurationAction,
						S3TablesGetWarehousePolicyAction,
						S3TablesListWarehousesAction,
						S3TablesGetNamespaceAction,
						S3TablesListNamespacesAction,
						S3TablesGetTableAction,
						S3TablesListTablesAction,
						S3TablesGetTableDataAction,
						S3TablesGetTableEncryptionAction,
						S3TablesGetTableMaintenanceConfigurationAction,
						S3TablesGetTableMaintenanceJobStatusAction,
						S3TablesGetTableMetadataLocationAction,
						S3TablesGetTablePolicyAction,
						S3TablesGetViewAction,
						S3TablesListViewsAction,
						S3TablesGetConfigAction,
						S3TablesTableMetricsAction,
					),
					Resources:  NewResourceSet(NewS3TablesResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// replicationAdmin: site/tables replication administration (resource-less)
	// plus the bucket-level replication configuration actions on "*".
	{
		Name: "replicationAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						SiteReplicationAddAction,
						SiteReplicationDisableAction,
						SiteReplicationRemoveAction,
						SiteReplicationResyncAction,
						SiteReplicationInfoAction,
						SiteReplicationOperationAction,
						TablesReplicationAddAction,
						TablesReplicationRemoveAction,
						TablesReplicationInfoAction,
						ReplicationDiff,
					),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						GetReplicationConfigurationAction,
						PutReplicationConfigurationAction,
						ResetBucketReplicationStateAction,
						GetObjectVersionForReplicationAction,
					),
					Resources:  NewResourceSet(NewResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// securityAuditAdmin: read-only visibility into IAM, cluster topology and
	// diagnostics (resource-less), plus read-only bucket configuration on "*".
	// NOTE(review): ExportIAMAction, TraceAdminAction and ConsoleLogAdminAction
	// presumably expose IAM exports, request traces and server logs; treat the
	// holder as high-trust even though nothing here is a write.
	{
		Name: "securityAuditAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						ListUsersAdminAction,
						GetUserAdminAction,
						ListGroupsAdminAction,
						GetGroupAdminAction,
						GetPolicyAdminAction,
						ListUserPoliciesAdminAction,
						ListServiceAccountsAdminAction,
						ListTemporaryAccountsAdminAction,
						ExportIAMAction,
						SiteReplicationInfoAction,
						TablesReplicationInfoAction,
						ServerInfoAdminAction,
						StorageInfoAdminAction,
						DataUsageInfoAdminAction,
						LicenseInfoAdminAction,
						ClusterInfoAction,
						PoolListAction,
						PoolInfoAction,
						NodeListAction,
						NodeInfoAction,
						SetInfoAction,
						DriveListAction,
						DriveInfoAction,
						ProfilingAdminAction,
						TraceAdminAction,
						ConsoleLogAdminAction,
						TopLocksAdminAction,
						HealthInfoAdminAction,
						BandwidthMonitorAction,
						PrometheusAdminAction,
					),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:    ID(""),
					Effect: Allow,
					Actions: NewActionSet(
						GetBucketPolicyAction,
						GetBucketLocationAction,
						GetBucketNotificationAction,
						GetBucketObjectLockConfigurationAction,
						GetBucketEncryptionAction,
						GetBucketTaggingAction,
						GetBucketVersioningAction,
						GetReplicationConfigurationAction,
					),
					Resources:  NewResourceSet(NewResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
	// consoleAdmin: full administrative access — all admin actions, all KMS
	// actions, all S3 actions on "*" and all S3 Tables actions on "*".
	// NOTE(review): there is no s3vectors statement here, so AllS3VectorsActions
	// is not covered by this policy — confirm whether that is intended.
	{
		Name: "consoleAdmin",
		Definition: Policy{
			Version: DefaultVersion,
			Statements: []Statement{
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllAdminActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllKMSActions),
					Resources:  NewResourceSet(),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllActions),
					Resources:  NewResourceSet(NewResource("*")),
					Conditions: condition.NewFunctions(),
				},
				{
					SID:        ID(""),
					Effect:     Allow,
					Actions:    NewActionSet(AllS3TablesActions),
					Resources:  NewResourceSet(NewS3TablesResource("*")),
					Conditions: condition.NewFunctions(),
				},
			},
		},
	},
}
DefaultPolicies - list of canned policies available in MinIO.
// IAMActionConditionKeyMap holds, for each IAM action, the condition keys that
// a policy statement may use with it. It is built once at package
// initialization by createActionConditionKeyMap (defined elsewhere in the
// package).
var IAMActionConditionKeyMap = createActionConditionKeyMap()
IAMActionConditionKeyMap - holds mapping of supported condition key for an action.
// SupportedActions is the set of every S3 action name this package accepts,
// including the AllActions wildcard. Action strings not in this set are not
// valid in a policy statement's Action list.
var SupportedActions = map[Action]struct{}{
	AbortMultipartUploadAction:             {},
	CreateBucketAction:                     {},
	DeleteBucketAction:                     {},
	ForceDeleteBucketAction:                {},
	DeleteBucketPolicyAction:               {},
	DeleteBucketCorsAction:                 {},
	DeleteObjectAction:                     {},
	GetBucketLocationAction:                {},
	GetBucketNotificationAction:            {},
	GetBucketPolicyAction:                  {},
	GetBucketCorsAction:                    {},
	GetObjectAction:                        {},
	HeadBucketAction:                       {},
	ListAllMyBucketsAction:                 {},
	ListBucketAction:                       {},
	GetBucketPolicyStatusAction:            {},
	ListBucketVersionsAction:               {},
	ListBucketMultipartUploadsAction:       {},
	ListenNotificationAction:               {},
	ListenBucketNotificationAction:         {},
	ListMultipartUploadPartsAction:         {},
	PutBucketLifecycleAction:               {},
	GetBucketLifecycleAction:               {},
	PutBucketNotificationAction:            {},
	PutBucketPolicyAction:                  {},
	PutBucketCorsAction:                    {},
	PutBucketQOSAction:                     {},
	GetBucketQOSAction:                     {},
	PutObjectAction:                        {},
	BypassGovernanceRetentionAction:        {},
	PutObjectRetentionAction:               {},
	GetObjectRetentionAction:               {},
	GetObjectLegalHoldAction:               {},
	PutObjectLegalHoldAction:               {},
	GetBucketObjectLockConfigurationAction: {},
	PutBucketObjectLockConfigurationAction: {},
	GetBucketTaggingAction:                 {},
	PutBucketTaggingAction:                 {},
	GetObjectVersionAction:                 {},
	GetObjectAttributesAction:              {},
	GetObjectVersionAttributesAction:       {},
	GetObjectVersionTaggingAction:          {},
	DeleteObjectVersionAction:              {},
	DeleteObjectVersionTaggingAction:       {},
	PutObjectVersionTaggingAction:          {},
	GetObjectTaggingAction:                 {},
	PutObjectTaggingAction:                 {},
	DeleteObjectTaggingAction:              {},
	UpdateObjectEncryptionAction:           {},
	PutBucketEncryptionAction:              {},
	GetBucketEncryptionAction:              {},
	PutBucketVersioningAction:              {},
	GetBucketVersioningAction:              {},
	GetReplicationConfigurationAction:      {},
	PutReplicationConfigurationAction:      {},
	ReplicateObjectAction:                  {},
	ReplicateDeleteAction:                  {},
	ReplicateTagsAction:                    {},
	GetObjectVersionForReplicationAction:   {},
	RestoreObjectAction:                    {},
	ResetBucketReplicationStateAction:      {},
	PutObjectFanOutAction:                  {},
	PutInventoryConfigurationAction:        {},
	GetInventoryConfigurationAction:        {},
	CreateSessionAction:                    {},
	AllActions:                             {},
}
SupportedActions - list of all supported actions.
// SupportedAdminActions is the set of every admin action name this package
// accepts, including the AllAdminActions wildcard.
var SupportedAdminActions = map[AdminAction]struct{}{
	HealAdminAction:                      {},
	StorageInfoAdminAction:               {},
	DataUsageInfoAdminAction:             {},
	TopLocksAdminAction:                  {},
	ProfilingAdminAction:                 {},
	PrometheusAdminAction:                {},
	TraceAdminAction:                     {},
	ConsoleLogAdminAction:                {},
	KMSCreateKeyAdminAction:              {},
	KMSKeyStatusAdminAction:              {},
	ServerInfoAdminAction:                {},
	HealthInfoAdminAction:                {},
	LicenseInfoAdminAction:               {},
	BandwidthMonitorAction:               {},
	InspectDataAction:                    {},
	ServerUpdateAdminAction:              {},
	ServiceRestartAdminAction:            {},
	ServiceStopAdminAction:               {},
	ServiceFreezeAdminAction:             {},
	ConfigUpdateAdminAction:              {},
	CreateUserAdminAction:                {},
	DeleteUserAdminAction:                {},
	ListUsersAdminAction:                 {},
	EnableUserAdminAction:                {},
	DisableUserAdminAction:               {},
	GetUserAdminAction:                   {},
	ChangeMyPasswordAdminAction:          {},
	AddUserToGroupAdminAction:            {},
	RemoveUserFromGroupAdminAction:       {},
	GetGroupAdminAction:                  {},
	ListGroupsAdminAction:                {},
	EnableGroupAdminAction:               {},
	DisableGroupAdminAction:              {},
	CreateServiceAccountAdminAction:      {},
	UpdateServiceAccountAdminAction:      {},
	RemoveServiceAccountAdminAction:      {},
	ListServiceAccountsAdminAction:       {},
	ListTemporaryAccountsAdminAction:     {},
	CreatePolicyAdminAction:              {},
	DeletePolicyAdminAction:              {},
	GetPolicyAdminAction:                 {},
	AttachPolicyAdminAction:              {},
	UpdatePolicyAssociationAction:        {},
	ListUserPoliciesAdminAction:          {},
	SetBucketQuotaAdminAction:            {},
	GetBucketQuotaAdminAction:            {},
	SetBucketTargetAction:                {},
	GetBucketTargetAction:                {},
	ReplicationDiff:                      {},
	SetTierAction:                        {},
	ListTierAction:                       {},
	DecommissionAdminAction:              {},
	RebalanceAdminAction:                 {},
	SiteReplicationAddAction:             {},
	SiteReplicationDisableAction:         {},
	SiteReplicationInfoAction:            {},
	SiteReplicationOperationAction:       {},
	SiteReplicationRemoveAction:          {},
	SiteReplicationResyncAction:          {},
	TablesReplicationAddAction:           {},
	TablesReplicationRemoveAction:        {},
	TablesReplicationInfoAction:          {},
	TablesReplicationStartFailoverAction: {},
	ImportBucketMetadataAction:           {},
	ExportBucketMetadataAction:           {},
	ExportIAMAction:                      {},
	ImportIAMAction:                      {},
	ForceUnlockAdminAction:               {},
	ListBatchJobsAction:                  {},
	DescribeBatchJobAction:               {},
	StartBatchJobAction:                  {},
	CancelBatchJobAction:                 {},
	GenerateBatchJobAction:               {},
	InventoryControlAction:               {},
	ClusterInfoAction:                    {},
	PoolListAction:                       {},
	PoolInfoAction:                       {},
	NodeListAction:                       {},
	NodeInfoAction:                       {},
	SetInfoAction:                        {},
	DriveListAction:                      {},
	DriveInfoAction:                      {},
	ServiceCordonAdminAction:             {},
	DeltaSharingAdminAction:              {},
	DeltaSharingCreateShareAction:        {},
	DeltaSharingDeleteShareAction:        {},
	DeltaSharingListSharesAction:         {},
	DeltaSharingGetShareAction:           {},
	DeltaSharingUpdateShareAction:        {},
	DeltaSharingCreateTokenAction:        {},
	DeltaSharingDeleteTokenAction:        {},
	DeltaSharingListTokensAction:         {},
	ReadAPILogsAction:                    {},
	ReadErrorLogsAction:                  {},
	ReadAuditLogsAction:                  {},
	ReadAlertsAction:                     {},
	AllAdminActions:                      {},
}
SupportedAdminActions - list of all supported admin actions.
// SupportedObjectActions is the subset of S3 actions that apply to objects
// (as opposed to buckets); AllActions is included because the wildcard covers
// object actions too.
var SupportedObjectActions = map[Action]struct{}{
	AllActions:                           {},
	AbortMultipartUploadAction:           {},
	DeleteObjectAction:                   {},
	GetObjectAction:                      {},
	ListMultipartUploadPartsAction:       {},
	PutObjectAction:                      {},
	BypassGovernanceRetentionAction:      {},
	PutObjectRetentionAction:             {},
	GetObjectRetentionAction:             {},
	PutObjectLegalHoldAction:             {},
	GetObjectLegalHoldAction:             {},
	GetObjectTaggingAction:               {},
	PutObjectTaggingAction:               {},
	DeleteObjectTaggingAction:            {},
	UpdateObjectEncryptionAction:         {},
	GetObjectVersionAction:               {},
	GetObjectVersionTaggingAction:        {},
	DeleteObjectVersionAction:            {},
	DeleteObjectVersionTaggingAction:     {},
	PutObjectVersionTaggingAction:        {},
	ReplicateObjectAction:                {},
	ReplicateDeleteAction:                {},
	ReplicateTagsAction:                  {},
	GetObjectVersionForReplicationAction: {},
	RestoreObjectAction:                  {},
	ResetBucketReplicationStateAction:    {},
	PutObjectFanOutAction:                {},
	GetObjectAttributesAction:            {},
	GetObjectVersionAttributesAction:     {},
}
SupportedObjectActions - list of all supported object actions.
// SupportedTableActions is the set of every S3 Tables action name this package
// accepts, including the AllS3TablesActions wildcard. Both the MinIO
// "Warehouse" spellings and the AWS "TableBucket" spellings are listed, so a
// policy may use either.
var SupportedTableActions = map[TableAction]struct{}{
	// AWS-compatible namespace/table actions.
	S3TablesCreateNamespaceAction:                        {},
	S3TablesCreateTableAction:                            {},
	S3TablesCreateTableBucketAction:                      {},
	S3TablesDeleteNamespaceAction:                        {},
	S3TablesDeleteTableAction:                            {},
	S3TablesDeleteTableBucketAction:                      {},
	S3TablesDeleteTableBucketEncryptionAction:            {},
	S3TablesDeleteTableBucketPolicyAction:                {},
	S3TablesDeleteTablePolicyAction:                      {},
	S3TablesGetNamespaceAction:                           {},
	S3TablesGetTableAction:                               {},
	S3TablesGetTableBucketAction:                         {},
	S3TablesGetTableBucketEncryptionAction:               {},
	S3TablesGetTableBucketMaintenanceConfigurationAction: {},
	S3TablesGetTableBucketPolicyAction:                   {},
	S3TablesGetTableDataAction:                           {},
	S3TablesGetTableEncryptionAction:                     {},
	S3TablesGetTableMaintenanceConfigurationAction:       {},
	S3TablesGetTableMaintenanceJobStatusAction:           {},
	S3TablesGetTableMetadataLocationAction:               {},
	S3TablesGetTablePolicyAction:                         {},
	S3TablesListNamespacesAction:                         {},
	S3TablesListTableBucketsAction:                       {},
	S3TablesListTablesAction:                             {},
	S3TablesPutTableBucketEncryptionAction:               {},
	S3TablesPutTableBucketMaintenanceConfigurationAction: {},
	S3TablesPutTableBucketPolicyAction:                   {},
	S3TablesPutTableDataAction:                           {},
	S3TablesPutTableEncryptionAction:                     {},
	S3TablesPutTableMaintenanceConfigurationAction:       {},
	S3TablesPutTablePolicyAction:                         {},
	S3TablesRegisterTableAction:                          {},
	S3TablesRenameTableAction:                            {},
	S3TablesUpdateTableMetadataLocationAction:            {},
	// MinIO warehouse actions.
	S3TablesCreateWarehouseAction:                      {},
	S3TablesDeleteWarehouseAction:                      {},
	S3TablesDeleteWarehouseEncryptionAction:            {},
	S3TablesDeleteWarehousePolicyAction:                {},
	S3TablesGetWarehouseAction:                         {},
	S3TablesGetWarehouseEncryptionAction:               {},
	S3TablesGetWarehouseMaintenanceConfigurationAction: {},
	S3TablesGetWarehousePolicyAction:                   {},
	S3TablesListWarehousesAction:                       {},
	S3TablesPutWarehouseEncryptionAction:               {},
	S3TablesPutWarehouseMaintenanceConfigurationAction: {},
	S3TablesPutWarehousePolicyAction:                   {},
	// MinIO catalog, table and view extensions.
	S3TablesGetConfigAction:                 {},
	S3TablesTableMetricsAction:              {},
	S3TablesUpdateTableAction:               {},
	S3TablesCreateViewAction:                {},
	S3TablesDeleteViewAction:                {},
	S3TablesGetViewAction:                   {},
	S3TablesRenameViewAction:                {},
	S3TablesUpdateViewAction:                {},
	S3TablesListViewsAction:                 {},
	S3TablesRegisterViewAction:              {},
	S3TablesUpdateNamespacePropertiesAction: {},
	// Tagging.
	S3TablesTagResourceAction:         {},
	S3TablesUntagResourceAction:       {},
	S3TablesListTagsForResourceAction: {},
	// Wildcard.
	AllS3TablesActions: {},
}
SupportedTableActions - list of all supported S3 Tables actions.
// SupportedVectorsActions is the set of every S3 Vectors action name this
// package accepts, including the AllS3VectorsActions wildcard.
var SupportedVectorsActions = map[VectorsAction]struct{}{
	// Vector buckets.
	S3VectorsCreateVectorBucketAction: {},
	S3VectorsDeleteVectorBucketAction: {},
	S3VectorsGetVectorBucketAction:    {},
	S3VectorsListVectorBucketsAction:  {},
	// Indexes.
	S3VectorsCreateIndexAction: {},
	S3VectorsDeleteIndexAction: {},
	S3VectorsGetIndexAction:    {},
	S3VectorsListIndexesAction: {},
	// Vectors.
	S3VectorsPutVectorsAction:    {},
	S3VectorsGetVectorsAction:    {},
	S3VectorsDeleteVectorsAction: {},
	S3VectorsListVectorsAction:   {},
	S3VectorsQueryVectorsAction:  {},
	// Wildcard.
	AllS3VectorsActions: {},
}
SupportedVectorsActions - list of all supported S3 Vectors actions.
// VectorsActionConditionKeyMap holds, for each S3 Vectors action, the
// condition keys that a policy statement may use with it. It is built once at
// package initialization by createVectorsActionConditionKeyMap (defined
// elsewhere in the package).
var VectorsActionConditionKeyMap = createVectorsActionConditionKeyMap()
VectorsActionConditionKeyMap - holds mapping of Vectors actions to condition keys.
Functions ¶
func Errorf ¶
Errorf formats its arguments according to the format specifier and returns the result as a value of type policy.Error, which satisfies the error interface.
func GetPoliciesFromClaims ¶
GetPoliciesFromClaims returns the list of policies to be applied for this incoming request, extracting the information from input JWT claims.
func GetValuesFromClaims ¶
GetValuesFromClaims returns the list of values found under claimName in the input claims. The claim value may be given in any of the following formats: a single string, a comma-separated string, or a string array.
func IsAllowedPar ¶ added in v3.3.2
IsAllowedPar checks whether the given Args is allowed by any one of the given policies, evaluating the policies in parallel when len(policies) > 100.
func IsAllowedSerial ¶ added in v3.3.2
IsAllowedSerial checks whether the given Args is allowed by any one of the given policies, evaluating the policies one after another.
This is currently the fastest implementation for our basic benchmark.
Types ¶
type Action ¶
// Action is a policy action name such as those listed at
// https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html.
// It is a plain string; membership in SupportedActions decides whether a
// given value is accepted in a policy.
type Action string
Action - policy action. Refer https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html for more information about available actions.
func (Action) IsObjectAction ¶
IsObjectAction - returns whether action is object type or not.
type ActionConditionKeyMap ¶
ActionConditionKeyMap is an alias for the map type used here.
type ActionSet ¶
// ActionSet - set of actions. Implemented as a map keyed by Action with
// zero-width values; the Validate* methods check that every member is valid
// for the given action family (Admin, KMS, STS, Table, Vectors).
type ActionSet map[Action]struct{}
ActionSet - set of actions.
func NewActionSet ¶
NewActionSet - creates new action set.
func NewActionStrings ¶ added in v3.2.2
NewActionStrings - creates new action set from strings.
func (ActionSet) Equals ¶
Equals - checks whether given action set is equal to current action set or not.
func (ActionSet) Intersection ¶
Intersection - returns actions available in both ActionSet.
func (ActionSet) MarshalJSON ¶
MarshalJSON - encodes ActionSet to JSON data.
func (ActionSet) ToAdminSlice ¶
func (actionSet ActionSet) ToAdminSlice() []AdminAction
ToAdminSlice - returns slice of admin actions from the action set.
func (ActionSet) ToKMSSlice ¶
ToKMSSlice - returns slice of kms actions from the action set.
func (ActionSet) ToSTSSlice ¶
ToSTSSlice - returns slice of STS actions from the action set.
func (ActionSet) ToTableSlice ¶ added in v3.4.3
func (actionSet ActionSet) ToTableSlice() []TableAction
ToTableSlice - returns slice of table actions from the action set.
func (ActionSet) ToVectorsSlice ¶ added in v3.6.1
func (actionSet ActionSet) ToVectorsSlice() []VectorsAction
ToVectorsSlice - returns slice of vectors actions from the action set.
func (*ActionSet) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to ActionSet.
func (ActionSet) ValidateAdmin ¶
ValidateAdmin checks if all actions are valid Admin actions
func (ActionSet) ValidateKMS ¶
ValidateKMS checks if all actions are valid KMS actions
func (ActionSet) ValidateSTS ¶
ValidateSTS checks if all actions are valid STS actions
func (ActionSet) ValidateTable ¶ added in v3.4.3
ValidateTable checks if all actions are valid Table actions
func (ActionSet) ValidateVectors ¶ added in v3.6.1
ValidateVectors checks if all actions are valid Vectors actions
type AdminAction ¶
// AdminAction - admin policy action. IsValid checks membership in the supported
// set; Match compares an action name against an action pattern; HasResource
// reports whether the action operates on a bucket resource.
type AdminAction string
AdminAction - admin policy action.
func (AdminAction) HasResource ¶ added in v3.7.0
func (action AdminAction) HasResource() bool
HasResource reports whether this admin action operates on a bucket resource.
func (AdminAction) IsValid ¶
func (action AdminAction) IsValid() bool
IsValid - checks if action is valid or not.
func (AdminAction) Match ¶ added in v3.6.1
func (action AdminAction) Match(a AdminAction) bool
Match - matches action name with action pattern.
type Args ¶
// Args - arguments to policy to check whether it is allowed.
//
// NOTE(review): the evaluator acts on these values as given; the caller is
// expected to populate them from an already-authenticated request — confirm
// at the call site.
type Args struct {
	// AccountName - the account the request is evaluated for.
	AccountName string `json:"account"`
	// Groups - group names associated with the account (presumably used for
	// group-policy lookup — confirm).
	Groups []string `json:"groups"`
	// Action - the action being evaluated.
	Action Action `json:"action"`
	// OriginalAction - kept separately from Action; presumably the action as
	// originally requested, before any rewriting — confirm.
	OriginalAction Action `json:"originalAction"`
	// BucketName and ObjectName - the resource the action targets.
	BucketName string `json:"bucket"`
	// ConditionValues - values for policy condition keys; passed through to
	// resource and condition matching (see ResourceSet.Match).
	ConditionValues map[string][]string `json:"conditions"`
	// IsOwner - whether the requester is treated as the owner.
	IsOwner bool `json:"owner"`
	ObjectName string `json:"object"`
	// Claims - JWT claims of the request; GetPolicies and GetRoleArn read them.
	Claims map[string]any `json:"claims"`
	// DenyOnly - restricts evaluation to Deny statements.
	DenyOnly bool `json:"denyOnly"` // only applies deny
}
Args - arguments to policy to check whether it is allowed
func (Args) GetPolicies ¶
GetPolicies returns the list of policies to be applied for this incoming request, extracting the information from JWT claims.
func (Args) GetRoleArn ¶
GetRoleArn returns the role ARN from JWT claims if present. Otherwise returns empty string.
type BPStatement ¶
// BPStatement - bucket policy statement. Unlike Statement it carries a Principal.
// A statement is built with either Actions or NotActions, and either Resources
// or NotResources (see the NewBPStatement* constructors).
type BPStatement struct {
	// SID - optional statement identifier.
	SID ID `json:"Sid,omitempty"`
	// Effect - Allow or Deny.
	Effect Effect `json:"Effect"`
	// Principal - the principals the statement applies to.
	Principal Principal `json:"Principal"`
	// Actions - actions the statement covers.
	Actions ActionSet `json:"Action"`
	// NotActions - actions the statement excludes (alternative to Actions).
	NotActions ActionSet `json:"NotAction,omitempty"`
	// Resources - resources the statement covers.
	Resources ResourceSet `json:"Resource"`
	// NotResources - resources the statement excludes (alternative to Resources).
	NotResources ResourceSet `json:"NotResource,omitempty"`
	// Conditions - optional condition functions that must hold for a match.
	Conditions condition.Functions `json:"Condition,omitempty"`
}
BPStatement - policy statement.
func NewBPStatement ¶
func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) BPStatement
NewBPStatement - creates new statement.
func NewBPStatementWithNotAction ¶
func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, resources ResourceSet, conditions condition.Functions) BPStatement
NewBPStatementWithNotAction - creates new statement with NotAction.
func NewBPStatementWithNotResource ¶ added in v3.0.23
func NewBPStatementWithNotResource(sid ID, effect Effect, principal Principal, actions ActionSet, notResources ResourceSet, conditions condition.Functions) BPStatement
NewBPStatementWithNotResource - creates new statement with NotResource.
func (BPStatement) Clone ¶
func (statement BPStatement) Clone() BPStatement
Clone clones Statement structure
func (BPStatement) Equals ¶
func (statement BPStatement) Equals(st BPStatement) bool
Equals checks if two statements are equal
func (BPStatement) IsAllowed ¶
func (statement BPStatement) IsAllowed(args BucketPolicyArgs) bool
IsAllowed - checks whether the given policy args are allowed to continue the REST API call.
func (BPStatement) Validate ¶
func (statement BPStatement) Validate(bucketName string) error
Validate - validates whether the Statement applies to the given bucket.
type BucketPolicy ¶
// BucketPolicy - bucket policy.
type BucketPolicy struct {
	// ID - optional policy identifier.
	ID ID `json:"ID,omitempty"`
	// Version - policy language version. It carries no json tag; BucketPolicy
	// implements MarshalJSON/UnmarshalJSON itself, so its wire form is decided there.
	Version string
	// Statements - the policy's statements; Validate checks each is for the given bucket.
	Statements []BPStatement `json:"Statement"`
}
BucketPolicy - bucket policy.
func ParseBucketPolicyConfig ¶
func ParseBucketPolicyConfig(reader io.Reader, bucketName string) (*BucketPolicy, error)
ParseBucketPolicyConfig - parses data in the given reader into a BucketPolicy.
func (*BucketPolicy) Equals ¶
func (policy *BucketPolicy) Equals(p BucketPolicy) bool
Equals returns true if the two policies are identical
func (BucketPolicy) IsAllowed ¶
func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool
IsAllowed - checks whether the given policy args are allowed to continue the REST API call.
func (BucketPolicy) IsEmpty ¶
func (policy BucketPolicy) IsEmpty() bool
IsEmpty - returns whether policy is empty or not.
func (BucketPolicy) MarshalJSON ¶
func (policy BucketPolicy) MarshalJSON() ([]byte, error)
MarshalJSON - encodes Policy to JSON data.
func (*BucketPolicy) UnmarshalJSON ¶
func (policy *BucketPolicy) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to Policy.
func (BucketPolicy) Validate ¶
func (policy BucketPolicy) Validate(bucketName string) error
Validate - validates that all statements are for the given bucket.
type BucketPolicyArgs ¶
// BucketPolicyArgs - arguments to policy to check whether it is allowed.
// Used by BucketPolicy.IsAllowed and BPStatement.IsAllowed; compared with Args
// it carries no Claims, OriginalAction or DenyOnly.
type BucketPolicyArgs struct {
	// AccountName - the account the request is evaluated for.
	AccountName string `json:"account"`
	// Groups - group names associated with the account.
	Groups []string `json:"groups"`
	// Action - the action being evaluated.
	Action Action `json:"action"`
	// BucketName and ObjectName - the resource the action targets.
	BucketName string `json:"bucket"`
	// ConditionValues - values for policy condition keys used during matching.
	ConditionValues map[string][]string `json:"conditions"`
	// IsOwner - whether the requester is treated as the owner.
	IsOwner bool `json:"owner"`
	ObjectName string `json:"object"`
}
BucketPolicyArgs - arguments to policy to check whether it is allowed
type Decision ¶ added in v3.3.2
// Decision is an enum type representing the decision made by the policy for
// the given arguments. Policy.Decide returns noDecision when no statement
// explicitly allows or denies the operation; the caller must handle that case.
type Decision uint8
Decision is an enum type representing the decision made by the policy for the given arguments.
type Effect ¶
// Effect - policy statement effect Allow or Deny (see the Allow and Deny constants).
type Effect string
Effect - policy statement effect Allow or Deny.
const (
	// Allow - allow effect.
	Allow Effect = "Allow"
	// Deny - deny effect. Declared as an untyped string constant, unlike Allow;
	// it still converts implicitly where an Effect is expected.
	Deny = "Deny"
)
type Error ¶
// Error is the generic type for any error happening during policy parsing.
// Values are constructed through Errorf; the fields are unexported.
type Error struct {
	// contains filtered or unexported fields
}
Error is the generic type for any error happening during policy parsing.
type Policy ¶
// Policy - IAM policy. ParseConfig accepts some constructs for backward
// compatibility that ParseConfigStrict / ValidateStrict reject; use the strict
// variants when creating or updating policies.
type Policy struct {
	// ID - optional policy identifier.
	ID ID `json:"ID,omitempty"`
	// Version - policy language version.
	Version string
	// Statements - the policy's statements.
	Statements []Statement `json:"Statement"`
	// contains filtered or unexported fields
}
Policy - IAM policy.
func MergePolicies ¶
MergePolicies merges all the given policies into a single policy dropping any duplicate statements.
func ParseConfig ¶
ParseConfig - parses data in the given reader into a Policy.
func ParseConfigStrict ¶ added in v3.7.0
ParseConfigStrict parses and validates with strict rules. Use this when the server is creating or updating policies — it rejects constructs that Validate allows for backward compatibility.
func (*Policy) Decide ¶ added in v3.3.2
Decide - decides whether the given args are allowed or not. If no policy statement explicitly allows or denies the operation in the Args, it returns `noDecision`. It is up to the caller to handle such cases.
func (*Policy) HasDenyStatement ¶ added in v3.3.3
HasDenyStatement returns if the policy has a deny statement.
func (Policy) IsAllowedActions ¶
func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet
IsAllowedActions returns all supported actions for this policy.
func (Policy) MatchResource ¶
MatchResource matches the resource against the policy's resource patterns.
func (*Policy) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Policy.
func (Policy) ValidateStrict ¶ added in v3.7.0
ValidateStrict applies strict validation rules suitable for new policy creation. It rejects policies that would be accepted by Validate for backward compatibility but are invalid going forward (e.g. admin statements with both Resource and NotResource).
type Principal ¶
Principal - policy principal.
func NewPrincipal ¶
NewPrincipal - creates new Principal.
func (Principal) Intersection ¶
Intersection - returns principals available in both Principal.
func (Principal) MarshalJSON ¶
MarshalJSON - encodes Principal to JSON data.
func (*Principal) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Principal.
type Resource ¶
// Resource - resource in policy statement. Resource is used as the key type of
// ResourceSet, so it must remain comparable (no slice, map or func fields).
type Resource struct {
	// Pattern - the resource pattern matched against object names.
	Pattern string
	// Type - the ARN prefix type (S3, S3 Tables, KMS or '*').
	Type ResourceARNType
}
Resource - resource in policy statement.
func NewKMSResource ¶ added in v3.0.8
NewKMSResource - creates new resource with type KMS
func NewResource ¶
NewResource - creates new resource with the default ARN type of S3.
func NewS3TablesResource ¶ added in v3.6.0
NewS3TablesResource - creates new resource with type S3 Tables
func ParseResource ¶ added in v3.4.2
ParseResource - parses string to Resource.
func (Resource) MarshalJSON ¶
MarshalJSON - encodes Resource to JSON data.
func (Resource) Match ¶
Match - matches object name with resource pattern, including specific conditionals.
func (Resource) MatchResource ¶
MatchResource matches object name with resource pattern only.
func (*Resource) UnmarshalJSON ¶
UnmarshalJSON - decodes JSON data to Resource.
func (Resource) ValidateBucket ¶
ValidateBucket - validates that the given bucketName is matched by the Resource.
type ResourceARNType ¶ added in v3.0.8
// ResourceARNType - ARN prefix type (see the ResourceARN* constants).
type ResourceARNType uint32
ResourceARNType - ARN prefix type
const (
	// ResourceARNS3 is the ARN prefix type for S3 resources.
	// NOTE(review): no initializer is visible in this rendering (an "= iota"
	// would be the usual form); confirm the declaration against the source.
	ResourceARNS3 ResourceARNType
	// ResourceARNS3Tables is the ARN prefix type for Amazon S3 Tables resources.
	ResourceARNS3Tables
	// ResourceARNKMS is the ARN prefix type for MinIO KMS resources.
	ResourceARNKMS
	// ResourceARNAll is the ARN '*'
	ResourceARNAll
)
func (ResourceARNType) String ¶ added in v3.0.8
func (a ResourceARNType) String() string
type ResourceSet ¶
// ResourceSet - set of resources in policy statement. Implemented as a map
// keyed by Resource with zero-width values; the Validate* methods check that
// every member is of the expected ARN type.
type ResourceSet map[Resource]struct{}
ResourceSet - set of resources in policy statement.
func NewResourceSet ¶
func NewResourceSet(resources ...Resource) ResourceSet
NewResourceSet - creates new resource set.
func NewResourceStrings ¶ added in v3.2.2
func NewResourceStrings(resources ...string) ResourceSet
NewResourceStrings - creates new resource set from strings
func (ResourceSet) Add ¶
func (resourceSet ResourceSet) Add(resource Resource)
Add - adds resource to resource set.
func (ResourceSet) BucketResourceExists ¶
func (resourceSet ResourceSet) BucketResourceExists() bool
BucketResourceExists - checks if at least one bucket resource exists in the set.
func (ResourceSet) Clone ¶
func (resourceSet ResourceSet) Clone() ResourceSet
Clone clones ResourceSet structure
func (ResourceSet) Equals ¶
func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool
Equals - checks whether given resource set is equal to current resource set or not.
func (ResourceSet) Intersection ¶
func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet
Intersection - returns resources available in both ResourceSet.
func (ResourceSet) MarshalJSON ¶
func (resourceSet ResourceSet) MarshalJSON() ([]byte, error)
MarshalJSON - encodes ResourceSet to JSON data.
func (ResourceSet) Match ¶
func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool
Match - matches object name with any one of the resource patterns in the resource set.
func (ResourceSet) MatchResource ¶
func (resourceSet ResourceSet) MatchResource(resource string) bool
MatchResource matches object name with resource patterns only.
func (ResourceSet) ObjectResourceExists ¶
func (resourceSet ResourceSet) ObjectResourceExists() bool
ObjectResourceExists - checks if at least one object resource exists in the set.
func (ResourceSet) String ¶
func (resourceSet ResourceSet) String() string
func (ResourceSet) ToSlice ¶
func (resourceSet ResourceSet) ToSlice() []Resource
ToSlice - returns slice of resources from the resource set.
func (*ResourceSet) UnmarshalJSON ¶
func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error
UnmarshalJSON - decodes JSON data to ResourceSet.
func (ResourceSet) ValidateBucket ¶
func (resourceSet ResourceSet) ValidateBucket(bucketName string) error
ValidateBucket - validates whether the ResourceSet is for the given bucket.
func (ResourceSet) ValidateKMS ¶ added in v3.0.8
func (resourceSet ResourceSet) ValidateKMS() error
ValidateKMS - validates ResourceSet is KMS.
func (ResourceSet) ValidateS3 ¶ added in v3.0.8
func (resourceSet ResourceSet) ValidateS3() error
ValidateS3 - validates ResourceSet is S3.
func (ResourceSet) ValidateTable ¶ added in v3.4.3
func (resourceSet ResourceSet) ValidateTable() error
ValidateTable - validates ResourceSet is S3 Tables.
func (ResourceSet) ValidateVectors ¶ added in v3.6.1
func (resourceSet ResourceSet) ValidateVectors() error
ValidateVectors - validates ResourceSet for S3 Vectors. S3 Vectors uses S3 ARN format for resources (e.g., arn:aws:s3:::vectors-bucket/*).
type Statement ¶
// Statement - iam policy statement. A statement is built with either Actions
// or NotActions, and either Resources or NotResources (see the NewStatement*
// constructors). Validate accepts, for backward compatibility, combinations
// that ValidateStrict rejects (e.g. admin statements with both Resource and
// NotResource); prefer the strict path when creating or updating policies.
type Statement struct {
	// SID - optional statement identifier.
	SID ID `json:"Sid,omitempty"`
	// Effect - Allow or Deny.
	Effect Effect `json:"Effect"`
	// Actions - actions the statement covers.
	Actions ActionSet `json:"Action,omitempty"`
	// NotActions - actions the statement excludes (alternative to Actions).
	NotActions ActionSet `json:"NotAction,omitempty"`
	// Resources - resources the statement covers.
	Resources ResourceSet `json:"Resource,omitempty"`
	// NotResources - resources the statement excludes (alternative to Resources).
	NotResources ResourceSet `json:"NotResource,omitempty"`
	// Conditions - optional condition functions that must hold for a match.
	Conditions condition.Functions `json:"Condition,omitempty"`
}
Statement - iam policy statement.
func NewStatement ¶
func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, conditions condition.Functions) Statement
NewStatement - creates new statement.
func NewStatementWithNotAction ¶
func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, conditions condition.Functions) Statement
NewStatementWithNotAction - creates new statement with NotAction.
func NewStatementWithNotResource ¶ added in v3.0.28
func NewStatementWithNotResource(sid ID, effect Effect, actions ActionSet, notResources ResourceSet, conditions condition.Functions) Statement
NewStatementWithNotResource - creates new statement with NotResource.
func (Statement) IsAllowed ¶
IsAllowed - checks whether the given policy args are allowed to continue the REST API call.
func (Statement) IsAllowedPtr ¶ added in v3.3.2
IsAllowedPtr - checks whether the given policy args are allowed to continue the REST API call.
func (Statement) ValidateStrict ¶ added in v3.7.0
ValidateStrict validates the statement with strict rules suitable for new policy creation. See isValidStrict for details.
type TableAction ¶ added in v3.4.3
// TableAction - S3 Tables policy action. IsValid checks membership in SupportedTableActions.
type TableAction string
TableAction - S3 Tables policy action.
func (TableAction) IsValid ¶ added in v3.4.3
func (action TableAction) IsValid() bool
IsValid - checks if action is valid or not.
type VectorsAction ¶ added in v3.6.1
// VectorsAction - S3 Vectors policy action. IsValid checks membership in SupportedVectorsActions.
type VectorsAction string
VectorsAction - S3 Vectors policy action.
func (VectorsAction) IsValid ¶ added in v3.6.1
func (action VectorsAction) IsValid() bool
IsValid - checks if action is valid or not.