Compare commits


1 Commits

Author: Denis Kirillov
SHA1: 2e7518c453
Message: [#74] docs: Describe converters
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
Date: 2024-05-07 13:10:02 +03:00
CI checks (pull_request): Tests and linters / Tests (1.20) successful in 55s; Tests and linters / Tests (1.21) successful in 1m5s; DCO action / DCO successful in 58s; Tests and linters / Staticcheck successful in 1m14s; Tests and linters / Tests with -race successful in 1m31s; Tests and linters / Lint successful in 2m16s
1 changed file with 18 additions and 20 deletions


@ -93,7 +93,6 @@ and consists of the following fields:
| `Key` | Property key |
| `Value` | Property value |
Conditions operators:
| AWS conditions operator | FrostFS condition operator | Comment |
@ -191,16 +190,16 @@ transforms to FrostFS conditions:
#### Actions
Each action allows some s3-gw methods, so we must transform action to specific method names
(you can see exact mapping in table in [this file](../iam/converter_s3.go)).
Each action allows some s3-gw methods, so we must transform action to specific method names
(you can see exact mapping in table in [this file](../iam/converter_s3.go)).
For example the following actions:
```json
{
"Action": [
"s3:DeleteObject",
"iam:CreateUser"
"s3:DeleteObject",
"iam:CreateUser"
]
}
```
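Review bot: the two copies of `Each action allows some s3-gw methods, so we must transform action to specific method names` are identical once rendered, so that part of the hunk is whitespace-only; since the sentence is being touched anyway, fix its grammar at the same time: `Each action allows some s3-gw methods, so we must transform the action into specific method names (the exact mapping is in the table in [this file](../iam/converter_s3.go)).` The re-indentation of `"s3:DeleteObject",` / `"iam:CreateUser"` inside the JSON block is fine.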
@ -220,9 +219,9 @@ transforms to
}
```
As we can see any `iam:*` action transformed as it is. But `s3:*` actions transforms according to
[spec rules](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html)
and s3-gw [method names](https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/src/commit/2ab655b909c40db6f7a4e41e07d8b99167f791bd/api/middleware/constants.go#L3-L76).
As we can see any `iam:*` action transformed as it is. But `s3:*` actions transforms according to
[spec rules](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) and s3-gw
[method names](https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/src/commit/2ab655b909c40db6f7a4e41e07d8b99167f791bd/api/middleware/constants.go#L3-L76).
#### Resources
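Review bot: the reflow keeps the grammar of `any iam:* action transformed as it is. But s3:* actions transforms according to` as it was; suggest `any iam:* action is passed through unchanged, while s3:* actions are transformed according to the [spec rules](...) and the s3-gw [method names](...)`. Pinning the method-names link to commit 2ab655b909c40db6f7a4e41e07d8b99167f791bd is the right call, since the link targets a line range (#L3-L76) that would drift on a branch URL.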
@ -249,10 +248,9 @@ Resource is transformed as it is:
#### Principals
To check user s3-gw uses special condition request property (`Owner`), so when AWS policy contains principal field
it transforms to rule with appropriate condition. To get correct `Owner` property value
special user resolver (`S3Resolver` interface in [converter_s3 file](../iam/converter_s3.go)) must be provided into
convert function.
To check user s3-gw uses special condition request property (`Owner`), so when AWS policy contains principal field
it transforms to rule with appropriate condition. To get correct `Owner` property value special user resolver
(`S3Resolver` interface in [converter_s3 file](../iam/converter_s3.go)) must be provided into convert function.
For example such AWS json statement:
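Review bot: reflow only; the sentence `To check user s3-gw uses special condition request property (Owner), so when AWS policy contains principal field it transforms to rule with appropriate condition` still lacks articles and a comma after the introductory clause. Suggest: `To identify the user, s3-gw uses a special request property (Owner) in conditions, so when an AWS policy contains a Principal field it is transformed into a rule with the corresponding condition. To obtain the correct Owner value, a user resolver (the S3Resolver interface in [converter_s3 file](../iam/converter_s3.go)) must be passed to the convert function.` The same sentence pattern appears in the native Principals section below and should get the same fix.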
@ -261,7 +259,7 @@ For example such AWS json statement:
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Principal":{
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/JohnDoe"
}
}
@ -308,8 +306,8 @@ For example the following actions:
```json
{
"Action": [
"s3:DeleteObject",
"iam:CreateUser"
"s3:DeleteObject",
"iam:CreateUser"
]
}
```
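Review bot: this JSON block is identical to the actions example in the S3 converter section above; if the intent of the native section is to show that the same input yields a different output, say so in the lead sentence (`the same actions as in the S3 example`), otherwise a reader may take the duplicate for a copy-paste mistake.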
@ -347,7 +345,7 @@ To transform resources the following is being performed:
* Bucket name is resoled to container id (by providing `NativeResolver` interface implementation to converter)
* Object name is transformed to condition with special `FilePath` attribute
(that present on every object that was uploaded via s3-gw)
(that present on every object that was uploaded via s3-gw)
For example, the following AWS policy statement:
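Review bot: the first bullet, `Bucket name is resoled to container id`, has a typo (`resoled` should be `resolved`) and sits in this hunk's context, so fix it in the same pass; the second bullet's continuation `(that present on every object that was uploaded via s3-gw)`, whose re-indentation is the only change here, reads better as `(which is present on every object uploaded via s3-gw)`.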
@ -392,10 +390,10 @@ transforms to FrostFS native policy rule:
#### Principals
To check user s3-gw uses special condition request property (`$Actor:publicKey`), so when AWS policy contains principal field
it transforms to rule with appropriate condition. To get correct `$Actor:publicKey` property value
special user resolver (`NativeResolver` interface in [converter_native file](../iam/converter_native.go)) must be provided into
convert function.
To check user s3-gw uses special condition request property (`$Actor:publicKey`), so when AWS policy contains principal
field it transforms to rule with appropriate condition. To get correct `$Actor:publicKey` property value
special user resolver (`NativeResolver` interface in [converter_native file](../iam/converter_native.go)) must be
provided into convert function.
For example such AWS json statement:
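Review bot: this paragraph is the S3 Principals text with `Owner` swapped for `$Actor:publicKey`, and the reflow leaves the same grammar problems (missing articles, no comma after `To check the user`, `provided into` rather than `passed to the convert function`); apply the same wording fix here. It would also help to state in one sentence how the `$Actor:publicKey` condition relates to the `Owner` property used by the S3 converter, since a reader of both sections will ask whether the same principal ARN is resolved to the same identity in each.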