forked from TrueCloudLab/frostfs-s3-gw
parent
69a03c5bbe
commit
58ce884eab
1 changed files with 18 additions and 14 deletions
|
@ -158,6 +158,12 @@ where content of `bearer-rules.json`:
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Note:** such rules allow all operations for all users (the same behavior when records are empty).
|
||||||
|
To restrict access you MUST provide records with `DENY` action. That's why we recommend always place such records
|
||||||
|
at the end of records (see default rules below) to prevent undesirable access violation.
|
||||||
|
Since the rules are applied from top to bottom, they do not override what was previously allowed.
|
||||||
|
|
||||||
If bearer rules are not set, a token will be auto-generated with a value:
|
If bearer rules are not set, a token will be auto-generated with a value:
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
|
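Review bot: In the added note, "the same behavior when records are empty" puts the default-allow behaviour in a parenthesis; an empty record list allowing every operation for every user is the point operators are most likely to miss, so give it its own sentence. The closing sentence would also be clearer if it said directly that the first matching record decides and a later DENY cannot revoke an earlier ALLOW, if that is the intended semantics. Wording: "we recommend always place such records" should read "we recommend always placing such records", and "undesirable access violation" reads better as "unintended access".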
@ -169,17 +175,15 @@ If bearer rules are not set, a token will be auto-generated with a value:
|
||||||
"value": null
|
"value": null
|
||||||
},
|
},
|
||||||
"records": [
|
"records": [
|
||||||
{
|
{"operation": "GET", "action": "ALLOW", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
"operation": "GET",
|
|
||||||
"action": "ALLOW",
|
{"operation": "GET", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
"filters": [],
|
{"operation": "HEAD", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
"targets": [
|
{"operation": "PUT", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
{
|
{"operation": "DELETE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
"role": "OTHERS",
|
{"operation": "SEARCH", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
"keys": []
|
{"operation": "GETRANGE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
|
||||||
}
|
{"operation": "GETRANGEHASH", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]}
|
||||||
]
|
|
||||||
}
|
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
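Review bot: In the new default records, the GET DENY record for OTHERS directly follows a GET ALLOW record with the same role, empty filters and empty keys. By the note added in the first hunk (rules are applied from top to bottom and do not override what was previously allowed), that DENY can never take effect, so either drop it or add a sentence explaining why it is kept. It is also worth confirming that HEAD, GETRANGE and GETRANGEHASH are meant to be denied for OTHERS while GET is allowed, and, since this commit changes only one file, that the documented value matches what the gateway actually generates.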