forked from TrueCloudLab/frostfs-node
[#1519] cli: Make descriptive help for--rule
option
Signed-off-by: Airat Arifullin <a.arifullin@yadro.com>
This commit is contained in:
parent
1ed7ab75fb
commit
3ebd560f42
1 changed files with 61 additions and 1 deletions
|
@ -2,7 +2,6 @@ package ape
|
||||||
|
|
||||||
const (
|
const (
|
||||||
RuleFlag = "rule"
|
RuleFlag = "rule"
|
||||||
RuleFlagDesc = "Rule statement"
|
|
||||||
PathFlag = "path"
|
PathFlag = "path"
|
||||||
PathFlagDesc = "Path to encoded chain in JSON or binary format"
|
PathFlagDesc = "Path to encoded chain in JSON or binary format"
|
||||||
TargetNameFlag = "target-name"
|
TargetNameFlag = "target-name"
|
||||||
|
@ -17,3 +16,64 @@ const (
|
||||||
ChainNameFlagDesc = "Chain name(ingress|s3)"
|
ChainNameFlagDesc = "Chain name(ingress|s3)"
|
||||||
AllFlag = "all"
|
AllFlag = "all"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const RuleFlagDesc = `Defines an Access Policy Engine (APE) rule in the format:
|
||||||
|
<status>[:status_detail] <action>... <condition>... <resource>...
|
||||||
|
|
||||||
|
Status:
|
||||||
|
- allow Permits specified actions
|
||||||
|
- deny Prohibits specified actions
|
||||||
|
- deny:QuotaLimitReached Denies access due to quota limits
|
||||||
|
|
||||||
|
Actions:
|
||||||
|
Object operations:
|
||||||
|
- Object.Put, Object.Get, etc.
|
||||||
|
- Object.* (all object operations)
|
||||||
|
Container operations:
|
||||||
|
- Container.Put, Container.Get, etc.
|
||||||
|
- Container.* (all container operations)
|
||||||
|
|
||||||
|
Conditions:
|
||||||
|
ResourceCondition:
|
||||||
|
Format: ResourceCondition:"key"=value, "key"!=value
|
||||||
|
Reserved properties (use '\' before '$'):
|
||||||
|
- $Object:version
|
||||||
|
- $Object:objectID
|
||||||
|
- $Object:containerID
|
||||||
|
- $Object:ownerID
|
||||||
|
- $Object:creationEpoch
|
||||||
|
- $Object:payloadLength
|
||||||
|
- $Object:payloadHash
|
||||||
|
- $Object:objectType
|
||||||
|
- $Object:homomorphicHash
|
||||||
|
|
||||||
|
RequestCondition:
|
||||||
|
Format: RequestCondition:"key"=value, "key"!=value
|
||||||
|
Reserved properties (use '\' before '$'):
|
||||||
|
- $Actor:publicKey
|
||||||
|
- $Actor:role
|
||||||
|
|
||||||
|
Example:
|
||||||
|
ResourceCondition:"check_key"!="check_value" RequestCondition:"$Actor:role"=others
|
||||||
|
|
||||||
|
Resources:
|
||||||
|
For objects:
|
||||||
|
- namespace/cid/oid (specific object)
|
||||||
|
- namespace/cid/* (all objects in container)
|
||||||
|
- namespace/* (all objects in namespace)
|
||||||
|
- * (all objects)
|
||||||
|
- /* (all objects in root namespace)
|
||||||
|
- /cid/* (all objects in root container)
|
||||||
|
- /cid/oid (specific object in root container)
|
||||||
|
|
||||||
|
For containers:
|
||||||
|
- namespace/cid (specific container)
|
||||||
|
- namespace/* (all containers in namespace)
|
||||||
|
- * (all containers)
|
||||||
|
- /cid (root container)
|
||||||
|
- /* (all root containers)
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
- Cannot mix object and container operations in one rule
|
||||||
|
- Default behavior is Any=false unless 'any' is specified
|
||||||
|
- Use 'all' keyword to explicitly set Any=false`
|
||||||
|
|
Loading…
Reference in a new issue