[#68] iam: Allow read object on delete operation

We must be able to read s3 multipart object from storage
(to find out the parts it consists of)
to fully delete such multipart object

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
Denis Kirillov 2024-04-12 09:45:31 +03:00
parent 1f190e1668
commit b6a6816800
2 changed files with 17 additions and 7 deletions

View file

@ -15,9 +15,9 @@ var actionToNativeOpMap = map[string][]string{
s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL},
s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject},
s3ActionDeleteBucketPolicy: {native.MethodGetContainer},
s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject},
s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject},
s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL},
s3ActionGetBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},

View file

@ -212,7 +212,12 @@ func TestConverters(t *testing.T) {
expected := &chain.Chain{Rules: []chain.Rule{
{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodDeleteObject, native.MethodPutObject}},
Actions: chain.Actions{Names: []string{
native.MethodGetContainer, native.MethodDeleteContainer,
native.MethodSearchObject, native.MethodHeadObject,
native.MethodDeleteObject, native.MethodPutObject,
native.MethodGetObject, native.MethodRangeObject,
}},
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
@ -234,7 +239,12 @@ func TestConverters(t *testing.T) {
},
{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodDeleteObject, native.MethodPutObject}},
Actions: chain.Actions{Names: []string{
native.MethodGetContainer, native.MethodDeleteContainer,
native.MethodSearchObject, native.MethodHeadObject,
native.MethodDeleteObject, native.MethodPutObject,
native.MethodGetObject, native.MethodRangeObject,
}},
Resources: chain.Resources{Names: []string{
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
}},
@ -347,7 +357,7 @@ func TestConverters(t *testing.T) {
nativeExpected := &chain.Chain{Rules: []chain.Rule{{
Status: chain.Allow,
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject}},
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}},
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
Condition: []chain.Condition{{
Op: chain.CondStringEquals,