[#87] iam: Support s3:PatchObject action #87

Merged
fyrchik merged 1 commit from mbiryukova/policy-engine:feature/s3_patch into master 2024-08-22 10:41:53 +00:00
3 changed files with 3 additions and 0 deletions


@ -63,6 +63,7 @@ const (
s3ActionPutObjectTagging = "s3:PutObjectTagging" s3ActionPutObjectTagging = "s3:PutObjectTagging"
s3ActionPutObjectVersionACL = "s3:PutObjectVersionAcl" s3ActionPutObjectVersionACL = "s3:PutObjectVersionAcl"
s3ActionPutObjectVersionTagging = "s3:PutObjectVersionTagging" s3ActionPutObjectVersionTagging = "s3:PutObjectVersionTagging"
s3ActionPatchObject = "s3:PatchObject"
) )
const ( const (


@ -60,6 +60,7 @@ var actionToNativeOpMap = map[string][]string{
s3ActionPutObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}, s3ActionPutObjectTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionPutObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject}, s3ActionPutObjectVersionACL: {native.MethodGetContainer, native.MethodGetContainerEACL, native.MethodSetContainerEACL, native.MethodGetObject, native.MethodHeadObject},
s3ActionPutObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject}, s3ActionPutObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject, native.MethodGetObject, native.MethodPutObject},
s3ActionPatchObject: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject, native.MethodPatchObject, native.MethodPutObject, native.MethodRangeObject},

Are native.MethodGetObject and native.MethodHeadObject needed only for multi-part uploads, or are they required for regular objects as well?

Are `native.MethodGetObject` and `native.MethodHeadObject` needed only for multi-part uploads, or are they required for regular objects as well?

@aarifullin do we need Put too?

@aarifullin do we need `Put` too?

Get, as I understand while testing, is needed for retrieving bucket settings (and for multi-part uploads too), Head for all objects

Get, as I understand while testing, is needed for retrieving bucket settings (and for multi-part uploads too), Head for all objects

Actually we have to add Put. We update object version in tree service which is required to have allowed Put

Actually we have to add `Put`. We update object version in tree service which is required to have allowed `Put`

Can we use the same operations as for s3:PutObject with additional (native:Patch)? So I also suggest adding MethodRangeObject

Can we use the same operations as for `s3:PutObject` with additional (native:Patch)? So I also suggest adding `MethodRangeObject`

Added

Added
} }
var containerNativeOperations = map[string]struct{}{ var containerNativeOperations = map[string]struct{}{
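Review bot: The new `s3ActionPatchObject` entry in `actionToNativeOpMap` expands one write-style S3 action into six native methods, including the read-side `native.MethodGetObject` and `native.MethodRangeObject`, and the map carries no comment saying why. If the converter emits a native rule for every listed method (that code is outside this hunk), an Allow on `s3:PatchObject` alone also permits payload reads at the native layer, and a Deny on it would presumably reach those methods as well, which is worth checking against least-privilege expectations. I would add a comment above the entry such as `// s3:PatchObject needs native Patch plus the Get/Head/Put/Range calls the gateway issues while patching; a rule on this action therefore also covers object reads.` and a converter test that pins the resulting native rule set for both an allow and a deny statement.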


@ -32,6 +32,7 @@ var actionToS3OpMap = map[string][]string{
s3ActionPutObjectLegalHold: {s3ActionPutObjectLegalHold}, s3ActionPutObjectLegalHold: {s3ActionPutObjectLegalHold},
s3ActionPutObjectRetention: {s3ActionPutObjectRetention}, s3ActionPutObjectRetention: {s3ActionPutObjectRetention},
s3ActionPutObjectTagging: {s3ActionPutObjectTagging}, s3ActionPutObjectTagging: {s3ActionPutObjectTagging},
s3ActionPatchObject: {s3ActionPatchObject},
s3ActionListAllMyBuckets: {"s3:ListBuckets"}, s3ActionListAllMyBuckets: {"s3:ListBuckets"},
s3ActionListBucket: {"s3:HeadBucket", "s3:GetBucketLocation", "s3:ListObjectsV1", "s3:ListObjectsV2"}, s3ActionListBucket: {"s3:HeadBucket", "s3:GetBucketLocation", "s3:ListObjectsV1", "s3:ListObjectsV2"},