generated from TrueCloudLab/basic
Compare commits
1 Commits
debbb27862
...
2e7518c453
| Author | SHA1 | Date |
|---|---|---|
| Denis Kirillov | 2e7518c453 | |
@ -93,7 +93,6 @@ and consists of the following fields:
| `Key` | Property key |
| `Value` | Property value |
Conditions operators:
| AWS conditions operator | FrostFS condition operator | Comment |
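Review bot: the heading `Conditions operators:` in this hunk reads better as `Condition operators:`; the header counts (-7/+6) show one line dropped, but the rendered view carries no `+`/`-` markers, so please confirm in the description that the dropped line is only a blank one and that the `Key`/`Value` rows and the operator table header are otherwise unchanged.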
@ -191,16 +190,16 @@ transforms to FrostFS conditions:
#### Actions
Each action allows some s3-gw methods, so we must transform action to specific method names
(you can see exact mapping in table in [this file](../iam/converter_s3.go)).
Each action allows some s3-gw methods, so we must transform action to specific method names
(you can see exact mapping in table in [this file](../iam/converter_s3.go)).
For example the following actions:
```json
{
"Action": [
"s3:DeleteObject",
"iam:CreateUser"
"s3:DeleteObject",
"iam:CreateUser"
]
}
```
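Review bot: since this hunk reflows the Actions paragraph anyway, fix its wording in the same change: `Each action allows some s3-gw methods, so we must transform action to specific method names (you can see exact mapping in table in this file)` should read `Each action allows some s3-gw methods, so we must transform each action into the specific method names (see the exact mapping in the table in this file)`. The JSON example below it is unchanged in content, so nothing else needs attention here.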
@ -220,9 +219,9 @@ transforms to
}
```
As we can see any `iam:*` action transformed as it is. But `s3:*` actions transforms according to
[spec rules](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html)
and s3-gw [method names](https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/src/commit/2ab655b909c40db6f7a4e41e07d8b99167f791bd/api/middleware/constants.go#L3-L76).
As we can see any `iam:*` action transformed as it is. But `s3:*` actions transforms according to
[spec rules](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) and s3-gw
[method names](https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/src/commit/2ab655b909c40db6f7a4e41e07d8b99167f791bd/api/middleware/constants.go#L3-L76).
#### Resources
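Review bot: grammar in the reflowed paragraph: `any iam:* action transformed as it is. But s3:* actions transforms according to` should be `any iam:* action is transformed as is, while s3:* actions are transformed according to`. Also worth one sentence: the method-names link is pinned to commit `2ab655b909c40db6f7a4e41e07d8b99167f791bd` (`api/middleware/constants.go#L3-L76`), which keeps the line anchor stable but will silently fall behind the live mapping; state that the table in `../iam/converter_s3.go`, not the pinned link, is the authoritative source of the action-to-method mapping.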
@ -249,10 +248,9 @@ Resource is transformed as it is:
#### Principals
To check user s3-gw uses special condition request property (`Owner`), so when AWS policy contains principal field
it transforms to rule with appropriate condition. To get correct `Owner` property value
special user resolver (`S3Resolver` interface in [converter_s3 file](../iam/converter_s3.go)) must be provided into
convert function.
To check user s3-gw uses special condition request property (`Owner`), so when AWS policy contains principal field
it transforms to rule with appropriate condition. To get correct `Owner` property value special user resolver
(`S3Resolver` interface in [converter_s3 file](../iam/converter_s3.go)) must be provided into convert function.
For example such AWS json statement:
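Review bot: the reflowed Principals paragraph is missing a statement of what the convert function does when the supplied `S3Resolver` cannot map a principal to an `Owner` value. The `Owner` condition is the only thing that ties the rule to a specific user, so a rule emitted without it would apply to every caller; the documented behaviour should be an error from the convert function (fail closed), not a rule with the condition dropped. While touching the text, tidy the grammar: `To check the user, s3-gw uses a special condition request property (Owner), so when an AWS policy contains a Principal field it is transformed into a rule with the matching condition. To obtain the correct Owner value, a user resolver (the S3Resolver interface in converter_s3.go) must be passed to the convert function.`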
@ -261,7 +259,7 @@ For example such AWS json statement:
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Principal":{
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/JohnDoe"
}
}
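Review bot: the only change in this hunk is the space in `"Principal": {`, which matches the spacing of `"Effect"`, `"Action"` and `"Resource"` in the same block; fine as a consistency fix. Since the example grants `"Action": "*"` on `"Resource": "*"` to `arn:aws:iam::111122223333:user/JohnDoe`, consider one line saying that it is the broadest possible statement and is shown only to illustrate how the Principal field becomes an `Owner` condition, so readers do not lift it as a template.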
@ -308,8 +306,8 @@ For example the following actions:
```json
{
"Action": [
"s3:DeleteObject",
"iam:CreateUser"
"s3:DeleteObject",
"iam:CreateUser"
]
}
```
@ -347,7 +345,7 @@ To transform resources the following is being performed:
* Bucket name is resoled to container id (by providing `NativeResolver` interface implementation to converter)
* Object name is transformed to condition with special `FilePath` attribute
(that present on every object that was uploaded via s3-gw)
(that present on every object that was uploaded via s3-gw)
For example, the following AWS policy statement:
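Review bot: typo in the first bullet, `resoled` should be `resolved`, and the second bullet's parenthetical `(that present on every object that was uploaded via s3-gw)` should read `(which is present on every object uploaded via s3-gw)`. That parenthetical also leaves a gap a reader of the native converter needs closed: an object that reached the container by any path other than s3-gw carries no `FilePath` attribute, so an object-name condition on that attribute cannot match it; say explicitly whether such objects then fall outside the converted rule, since that decides whether the rule is a complete translation of the AWS resource ARN or only covers s3-gw-uploaded data.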
@ -392,10 +390,10 @@ transforms to FrostFS native policy rule:
#### Principals
To check user s3-gw uses special condition request property (`$Actor:publicKey`), so when AWS policy contains principal field
it transforms to rule with appropriate condition. To get correct `$Actor:publicKey` property value
special user resolver (`NativeResolver` interface in [converter_native file](../iam/converter_native.go)) must be provided into
convert function.
To check user s3-gw uses special condition request property (`$Actor:publicKey`), so when AWS policy contains principal
field it transforms to rule with appropriate condition. To get correct `$Actor:publicKey` property value
special user resolver (`NativeResolver` interface in [converter_native file](../iam/converter_native.go)) must be
provided into convert function.
For example such AWS json statement:
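Review bot: the reflowed native Principals paragraph should state what the convert function does when `NativeResolver` cannot map the principal to a public key; the `$Actor:publicKey` condition is what binds the rule to one caller, so the documented outcome should be an error rather than a rule emitted without that condition. Grammar while you are there: `To check the user, s3-gw uses a special condition request property ($Actor:publicKey), so when an AWS policy contains a Principal field it is transformed into a rule with the matching condition. To obtain the correct $Actor:publicKey value, a user resolver (the NativeResolver interface in converter_native.go) must be passed to the convert function.`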