[#1519] cli: Make descriptive help for--rule option
All checks were successful
Tests and linters / Run gofumpt (pull_request) Successful in 4m4s
DCO action / DCO (pull_request) Successful in 4m16s
Vulncheck / Vulncheck (pull_request) Successful in 4m25s
Pre-commit hooks / Pre-commit (pull_request) Successful in 5m12s
Tests and linters / Staticcheck (pull_request) Successful in 5m10s
Build / Build Components (pull_request) Successful in 5m42s
Tests and linters / gopls check (pull_request) Successful in 5m39s
Tests and linters / Lint (pull_request) Successful in 6m2s
Tests and linters / Tests (pull_request) Successful in 7m24s
Tests and linters / Tests with -race (pull_request) Successful in 7m37s
All checks were successful
Tests and linters / Run gofumpt (pull_request) Successful in 4m4s
DCO action / DCO (pull_request) Successful in 4m16s
Vulncheck / Vulncheck (pull_request) Successful in 4m25s
Pre-commit hooks / Pre-commit (pull_request) Successful in 5m12s
Tests and linters / Staticcheck (pull_request) Successful in 5m10s
Build / Build Components (pull_request) Successful in 5m42s
Tests and linters / gopls check (pull_request) Successful in 5m39s
Tests and linters / Lint (pull_request) Successful in 6m2s
Tests and linters / Tests (pull_request) Successful in 7m24s
Tests and linters / Tests with -race (pull_request) Successful in 7m37s
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
99f9e59de9
commit
b02c3daf7c
1 changed files with 61 additions and 1 deletions
|
|
@ -2,7 +2,6 @@ package ape
|
|||
|
||||
const (
|
||||
RuleFlag = "rule"
|
||||
RuleFlagDesc = "Rule statement"
|
||||
PathFlag = "path"
|
||||
PathFlagDesc = "Path to encoded chain in JSON or binary format"
|
||||
TargetNameFlag = "target-name"
|
||||
|
|
@ -17,3 +16,64 @@ const (
|
|||
ChainNameFlagDesc = "Chain name(ingress|s3)"
|
||||
AllFlag = "all"
|
||||
)
|
||||
|
||||
const RuleFlagDesc = `Defines an Access Policy Engine (APE) rule in the format:
|
||||
<status>[:status_detail] <action>... <condition>... <resource>...
|
||||
|
||||
Status:
|
||||
- allow Permits specified actions
|
||||
- deny Prohibits specified actions
|
||||
- deny:QuotaLimitReached Denies access due to quota limits
|
||||
|
||||
Actions:
|
||||
Object operations:
|
||||
- Object.Put, Object.Get, etc.
|
||||
- Object.* (all object operations)
|
||||
Container operations:
|
||||
- Container.Put, Container.Get, etc.
|
||||
- Container.* (all container operations)
|
||||
|
||||
Conditions:
|
||||
ResourceCondition:
|
||||
Format: ResourceCondition:"key"=value, "key"!=value
|
||||
Reserved properties (use '\' before '$'):
|
||||
- $Object:version
|
||||
- $Object:objectID
|
||||
- $Object:containerID
|
||||
- $Object:ownerID
|
||||
- $Object:creationEpoch
|
||||
- $Object:payloadLength
|
||||
- $Object:payloadHash
|
||||
- $Object:objectType
|
||||
- $Object:homomorphicHash
|
||||
|
||||
RequestCondition:
|
||||
Format: RequestCondition:"key"=value, "key"!=value
|
||||
Reserved properties (use '\' before '$'):
|
||||
- $Actor:publicKey
|
||||
- $Actor:role
|
||||
|
||||
Example:
|
||||
ResourceCondition:"check_key"!="check_value" RequestCondition:"$Actor:role"=others
|
||||
|
||||
Resources:
|
||||
For objects:
|
||||
- namespace/cid/oid (specific object)
|
||||
- namespace/cid/* (all objects in container)
|
||||
- namespace/* (all objects in namespace)
|
||||
- * (all objects)
|
||||
- /* (all objects in root namespace)
|
||||
- /cid/* (all objects in root container)
|
||||
- /cid/oid (specific object in root container)
|
||||
|
||||
For containers:
|
||||
- namespace/cid (specific container)
|
||||
- namespace/* (all containers in namespace)
|
||||
- * (all containers)
|
||||
- /cid (root container)
|
||||
- /* (all root containers)
|
||||
|
||||
Notes:
|
||||
- Cannot mix object and container operations in one rule
|
||||
- Default behavior is Any=false unless 'any' is specified
|
||||
- Use 'all' keyword to explicitly set Any=false`
|
||||
|
|
|
|||
Loading…
Reference in a new issue