@startuml s3 ape
' Sequence diagram: how an IAM policy and an S3 bucket policy are converted
' into Access Policy Engine (APE) chains, where those chains are stored, and
' how a GetObject request is checked against them at the S3 gateway and again
' at the storage node before the object is returned.
' Participant declaration order fixes the left-to-right layout; keep it stable
' when editing, and add new participants at the position they should render.
participant "Client" as client
participant "IAM" as iam
participant "IAM -> APE converter" as converter
box "S3" #HotPink
participant "S3 gateway" as s3
end box
box "Access Policy Engine (as s3 middleware)" #LightPink
participant "Local override storage" as s3localOverrides
participant "Chain router" as s3chainRouter
end box
' Both policy-setting flows below write to this storage.
box "Policy contract (shared)"
participant "Morph rule storage" as morphRuleStorage
end box
box "Access Policy Engine (as storage middleware)" #LightGreen
' Label casing differs from the S3-side "Chain router" above; kept as drawn.
participant "Chain Router" as storageChainRouter
' Declared for layout only: no flow in this diagram writes to it (only the
' S3-side local overrides are set, in the "Request IAM to set a policy" group).
participant "Local override storage" as storageLocalOverrides
end box
box "Storage node" #Green
participant "Object service" as obj
' Declared but not used by any flow in this diagram.
participant "Control service" as control
end box
' Flow 1: an IAM policy is converted to an APE chain and persisted in both the
' shared rule storage and the S3-side local overrides.
group Request IAM to set a policy
client -> iam : Set IAM policy
iam -> converter : Convert IAM policy
converter -> iam : Return APE chain
iam -> morphRuleStorage : Store IAM policy and APE chain
iam -> s3localOverrides : Set S3 local overrides
iam -> client : OK
end
' Flow 2: a bucket policy set through the S3 gateway takes the same converter
' path but is persisted only in the shared rule storage; no local-override
' step is drawn here, unlike Flow 1.
group Request S3 to set a policy
client -> s3 : Set bucket policy
' The request to the converter is labelled "IAM policy" although the input is
' a bucket policy; presumably both use the same policy language — confirm.
s3 -> converter : Convert IAM policy
converter -> s3 : Return APE chain
s3 -> morphRuleStorage : Store bucket policy and APE chain
s3 -> client : OK
end
' Flow 3: a read is authorized twice — by the S3-side chain router and then
' by the storage-side chain router — before the object is served.
' Only the ALLOW outcome is drawn; the DENY outcome and the error returned to
' the client on either check are not part of this diagram.
group Get object
client -> s3: GetObject
s3 -> s3chainRouter: Check if APE allows request for S3
note over s3chainRouter: matching the request with overrides and rules
s3chainRouter -> s3: Status: ALLOW
' The gateway forwards only the object request, not its ALLOW verdict; the
' storage node performs its own, independent APE check.
s3 -> obj: Get object
obj -> storageChainRouter: Check if APE allows the request
note over storageChainRouter : matching the request with overrides and rules
storageChainRouter -> obj: Status: ALLOW
obj -> s3: Response: OK, Object
s3 -> client: Response: OK, Object
end
@enduml