[#68] iam: Allow read object on delete operation
We must be able to read s3 multipart object from storage (to find out the parts it consists of) to fully delete such multipart object Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
1f190e1668
commit
b6a6816800
2 changed files with 17 additions and 7 deletions
|
@ -15,9 +15,9 @@ var actionToNativeOpMap = map[string][]string{
|
||||||
s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL},
|
s3ActionCreateBucket: {native.MethodGetContainer, native.MethodPutContainer, native.MethodSetContainerEACL},
|
||||||
s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject},
|
s3ActionDeleteBucket: {native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject},
|
||||||
s3ActionDeleteBucketPolicy: {native.MethodGetContainer},
|
s3ActionDeleteBucketPolicy: {native.MethodGetContainer},
|
||||||
s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject},
|
s3ActionDeleteObject: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
|
||||||
s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
|
s3ActionDeleteObjectTagging: {native.MethodGetContainer, native.MethodHeadObject},
|
||||||
s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject},
|
s3ActionDeleteObjectVersion: {native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject},
|
||||||
s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
|
s3ActionDeleteObjectVersionTagging: {native.MethodGetContainer, native.MethodHeadObject},
|
||||||
s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL},
|
s3ActionGetBucketACL: {native.MethodGetContainer, native.MethodGetContainerEACL},
|
||||||
s3ActionGetBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
|
s3ActionGetBucketCORS: {native.MethodGetContainer, native.MethodGetObject, native.MethodHeadObject},
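Review bot: The native.MethodGetObject and native.MethodRangeObject entries added to the s3ActionDeleteObject and s3ActionDeleteObjectVersion rows widen what an s3:DeleteObject grant translates to: a principal whose policy only allows deleting objects now also receives native read access to object payloads on the matched resources, and nothing in the map records why. A comment above the two rows would keep a later maintainer from trimming it back or extending it further, e.g. `// DeleteObject also needs GetObject/RangeObject: a multipart object has to be read to enumerate its parts before they can be removed.` Since this is a deliberate permission broadening rather than a bug fix, the comment should also state plainly that DeleteObject implies read in the native chain, so anyone relying on delete-without-read policies knows that distinction is no longer enforced at this layer. The actionToNativeOpMap literal starts before this hunk.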
|
||||||
|
|
|
@ -211,8 +211,13 @@ func TestConverters(t *testing.T) {
|
||||||
|
|
||||||
expected := &chain.Chain{Rules: []chain.Rule{
|
expected := &chain.Chain{Rules: []chain.Rule{
|
||||||
{
|
{
|
||||||
Status: chain.Allow,
|
Status: chain.Allow,
|
||||||
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodDeleteObject, native.MethodPutObject}},
|
Actions: chain.Actions{Names: []string{
|
||||||
|
native.MethodGetContainer, native.MethodDeleteContainer,
|
||||||
|
native.MethodSearchObject, native.MethodHeadObject,
|
||||||
|
native.MethodDeleteObject, native.MethodPutObject,
|
||||||
|
native.MethodGetObject, native.MethodRangeObject,
|
||||||
|
}},
|
||||||
Resources: chain.Resources{Names: []string{
|
Resources: chain.Resources{Names: []string{
|
||||||
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
|
fmt.Sprintf(native.ResourceFormatNamespaceContainerObjects, namespace, mockResolver.containers[bktName]),
|
||||||
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
|
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
|
||||||
|
@ -233,8 +238,13 @@ func TestConverters(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Status: chain.Allow,
|
Status: chain.Allow,
|
||||||
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteContainer, native.MethodSearchObject, native.MethodHeadObject, native.MethodDeleteObject, native.MethodPutObject}},
|
Actions: chain.Actions{Names: []string{
|
||||||
|
native.MethodGetContainer, native.MethodDeleteContainer,
|
||||||
|
native.MethodSearchObject, native.MethodHeadObject,
|
||||||
|
native.MethodDeleteObject, native.MethodPutObject,
|
||||||
|
native.MethodGetObject, native.MethodRangeObject,
|
||||||
|
}},
|
||||||
Resources: chain.Resources{Names: []string{
|
Resources: chain.Resources{Names: []string{
|
||||||
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
|
fmt.Sprintf(native.ResourceFormatNamespaceContainer, namespace, mockResolver.containers[bktName]),
|
||||||
}},
|
}},
|
||||||
|
@ -347,7 +357,7 @@ func TestConverters(t *testing.T) {
|
||||||
|
|
||||||
nativeExpected := &chain.Chain{Rules: []chain.Rule{{
|
nativeExpected := &chain.Chain{Rules: []chain.Rule{{
|
||||||
Status: chain.Allow,
|
Status: chain.Allow,
|
||||||
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject}},
|
Actions: chain.Actions{Names: []string{native.MethodGetContainer, native.MethodDeleteObject, native.MethodPutObject, native.MethodHeadObject, native.MethodGetObject, native.MethodRangeObject}},
|
||||||
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
|
Resources: chain.Resources{Names: []string{native.ResourceFormatAllObjects, native.ResourceFormatAllContainers}},
|
||||||
Condition: []chain.Condition{{
|
Condition: []chain.Condition{{
|
||||||
Op: chain.CondStringEquals,
|
Op: chain.CondStringEquals,
|
||||||
|
|