policy-engine/docs/images/ape/s3_ape.svg


<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="852px" preserveAspectRatio="none" style="width:1612px;height:852px;" version="1.1" viewBox="0 0 1612 852" width="1612px" zoomAndPan="magnify"><defs><filter height="300%" id="f1l5dhsbmf5oik" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#FF69B4" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="105" x="394" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="18" x="437.5" y="16.0669">S3</text><rect fill="#FFB6C1" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="308" x="501" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="302" x="504" y="16.0669">Access Policy Engine (as s3 middleware)</text><rect fill="#DDDDDD" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="183" x="811" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="177" x="814" y="16.0669">Policy contract (shared)</text><rect fill="#90EE90" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="348" x="996" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="342" x="999" y="16.0669">Access Policy Engine (as storage middleware)</text><rect fill="#008000" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" 
width="255" x="1346" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="100" x="1423.5" y="16.0669">Storage node</text><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="191.9297" style="stroke: #000000; stroke-width: 2.0;" width="974" x="13" y="75.4297"/><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="162.7969" style="stroke: #000000; stroke-width: 2.0;" width="974" x="13" y="281.3594"/><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="328.4609" style="stroke: #000000; stroke-width: 2.0;" width="1463" x="13" y="458.1563"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="51" x2="51" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="164.5" x2="164.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="305.5" x2="305.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="446" x2="446" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="598.5" x2="598.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="744.5" x2="744.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="902" x2="902" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1080" x2="1080" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1229" x2="1229" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1408" x2="1408" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1536" x2="1536" y1="58.4297" 
y2="803.6172"/><rect fill="#FEFECE" filter="url(#f1l5dhsbmf5oik)" height="30.2969" style="stroke: #A80036;
@startuml s3 ape
participant "Client" as client
participant "IAM" as iam
participant "IAM -> APE converter" as converter
box "S3" #HotPink
participant "S3 gateway" as s3
end box
box "Access Policy Engine (as s3 middleware)" #LightPink
participant "Local override storage" as s3localOverrides
participant "Chain router" as s3chainRouter
end box
box "Policy contract (shared)"
participant "Morph rule storage" as morphRuleStorage
end box
box "Access Policy Engine (as storage middleware)" #LightGreen
participant "Chain Router" as storageChainRouter
participant "Local override storage" as storageLocalOverrides
end box
box "Storage node" #Green
participant "Object service" as obj
participant "Control service" as control
end box
group Request IAM to set a policy
client -> iam : Set IAM policy
iam -> converter : Convert IAM policy
converter -> iam : Return APE chain
iam -> morphRuleStorage : Store IAM policy and APE chain
iam -> s3localOverrides : Set S3 local overrides
iam -> client : OK
end
group Request S3 to set a policy
client -> s3 : Set bucket policy
s3 -> converter : Convert IAM policy
converter -> s3 : Return APE chain
s3 -> morphRuleStorage : Store bucket policy and APE chain
s3 -> client : OK
end
group Get object
client -> s3: GetObject
s3 -> s3chainRouter: Check if APE allows request for S3
note over s3chainRouter: matching the request with overrides and rules
s3chainRouter -> s3: Status: ALLOW
s3 -> obj: Get object
obj -> storageChainRouter: Check if APE allows the request
note over storageChainRouter : matching the request with overrides and rules
storageChainRouter -> obj: Status: ALLOW
obj -> s3: Response: OK, Object
s3 -> client: Response: OK, Object
end
@enduml
PlantUML version 1.2020.02(Sun Mar 01 13:22:07 MSK 2020)
(GPL source distribution)
Java Runtime: OpenJDK Runtime Environment
JVM: OpenJDK 64-Bit Server VM
Java Version: 11.0.22+7-post-Ubuntu-0ubuntu222.04.1
Operating System: Linux
Default Encoding: UTF-8
Language: en
Country: null
--></g></svg>