package ape
// Names of the command-line flags shared by the APE (Access Policy Engine)
// subcommands, paired with the help text shown for each one.
//
// Flag values and descriptions are kept as untyped string constants so they
// coerce wherever a string is expected.

// Rule and chain-input flags.
const (
	// RuleFlag selects an APE rule given inline; see RuleFlagDesc for the syntax.
	RuleFlag = "rule"

	// PathFlag points at an already-encoded chain on disk.
	PathFlag     = "path"
	PathFlagDesc = "Path to encoded chain in JSON or binary format"
)

// Target selection flags: which resource the chain is attached to.
const (
	TargetNameFlag     = "target-name"
	TargetNameFlagDesc = "Resource name in APE resource name format"

	TargetTypeFlag     = "target-type"
	TargetTypeFlagDesc = "Resource type(container/namespace)"
)

// Chain identification flags.
const (
	ChainIDFlag     = "chain-id"
	ChainIDFlagDesc = "Chain id"

	// ChainIDHexFlag changes how the value of ChainIDFlag is interpreted
	// (hex-decoded instead of taken literally).
	ChainIDHexFlag     = "chain-id-hex"
	ChainIDHexFlagDesc = "Flag to parse chain ID as hex"

	ChainNameFlag     = "chain-name"
	ChainNameFlagDesc = "Chain name(ingress|s3)"
)

// AllFlag selects every chain rather than one identified by ID.
const AllFlag = "all"
// RuleFlagDesc is the help text for RuleFlag. It documents the textual rule
// grammar (status, actions, conditions, resources) accepted on the command
// line. It is a raw string literal, so the backslashes and quotes in the
// examples reach the user exactly as written here.
//
// NOTE(review): the rendered page this was taken from dropped leading
// whitespace inside the literal; the original may have indented the
// sub-lists. Confirm against the upstream file before relying on layout.
const RuleFlagDesc = `Defines an Access Policy Engine (APE) rule in the format:
<status>[:status_detail] <action>... <condition>... <resource>...

Status:
- allow Permits specified actions
- deny Prohibits specified actions
- deny:QuotaLimitReached Denies access due to quota limits

Actions:
Object operations:
- Object.Put, Object.Get, etc.
- Object.* (all object operations)
Container operations:
- Container.Put, Container.Get, etc.
- Container.* (all container operations)

Conditions:
ResourceCondition:
Format: ResourceCondition:"key"=value, "key"!=value
Reserved properties (use '\' before '$'):
- $Object:version
- $Object:objectID
- $Object:containerID
- $Object:ownerID
- $Object:creationEpoch
- $Object:payloadLength
- $Object:payloadHash
- $Object:objectType
- $Object:homomorphicHash

RequestCondition:
Format: RequestCondition:"key"=value, "key"!=value
Reserved properties (use '\' before '$'):
- $Actor:publicKey
- $Actor:role

Example:
ResourceCondition:"check_key"!="check_value" RequestCondition:"$Actor:role"=others

Resources:
For objects:
- namespace/cid/oid (specific object)
- namespace/cid/* (all objects in container)
- namespace/* (all objects in namespace)
- * (all objects)
- /* (all objects in root namespace)
- /cid/* (all objects in root container)
- /cid/oid (specific object in root container)

For containers:
- namespace/cid (specific container)
- namespace/* (all containers in namespace)
- * (all containers)
- /cid (root container)
- /* (all root containers)

Notes:
- Cannot mix object and container operations in one rule
- Default behavior is Any=false unless 'any' is specified
- Use 'all' keyword to explicitly set Any=false`