policy-engine/docs/images/ape/s3_ape.svg

<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="852px" preserveAspectRatio="none" style="width:1612px;height:852px;" version="1.1" viewBox="0 0 1612 852" width="1612px" zoomAndPan="magnify"><defs><filter height="300%" id="f1l5dhsbmf5oik" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#FF69B4" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="105" x="394" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="18" x="437.5" y="16.0669">S3</text><rect fill="#FFB6C1" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="308" x="501" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="302" x="504" y="16.0669">Access Policy Engine (as s3 middleware)</text><rect fill="#DDDDDD" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="183" x="811" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="177" x="814" y="16.0669">Policy contract (shared)</text><rect fill="#90EE90" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="348" x="996" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="342" x="999" y="16.0669">Access Policy Engine (as storage middleware)</text><rect fill="#008000" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="255" x="1346" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="100" x="1423.5" y="16.0669">Storage node</text><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="191.9297" style="stroke: #000000; stroke-width: 2.0;" width="974" x="13" y="75.4297"/><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="162.7969" style="stroke: #000000; stroke-width: 2.0;" width="974" x="13" y="281.3594"/><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="328.4609" style="stroke: #000000; stroke-width: 2.0;" width="1463" x="13" y="458.1563"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="51" x2="51" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="164.5" x2="164.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="305.5" x2="305.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="446" x2="446" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="598.5" x2="598.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="744.5" x2="744.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="902" x2="902" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1080" x2="1080" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1229" x2="1229" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1408" x2="1408" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1536" x2="1536" y1="58.4297" y2="803.6172"/><rect fill="#FEFECE" filter="url(#f1l5dhsbmf5oik)" height="30.2969" style="stroke: #A80036;
@startuml s3 ape

participant "Client" as client

participant "IAM" as iam
participant "IAM -> APE converter" as converter

box "S3" #HotPink
  participant "S3 gateway" as s3
end box

box "Access Policy Engine (as s3 middleware)" #LightPink
  participant "Local override storage" as s3localOverrides
  participant "Chain router" as s3chainRouter
end box

box "Policy contract (shared)" 
  participant "Morph rule storage" as morphRuleStorage
end box

box "Access Policy Engine (as storage middleware)" #LightGreen
  participant "Chain Router" as storageChainRouter
  participant "Local override storage" as storageLocalOverrides
end box

box "Storage node" #Green
  participant "Object service" as obj
  participant "Control service" as control
end box

group Request IAM to set a policy
  client -> iam : Set IAM policy
  iam -> converter : Convert IAM policy
  converter -> iam : Return APE chain
  iam -> morphRuleStorage : Store IAM policy and APE chain
  iam -> s3localOverrides : Set S3 local overrides
  iam -> client : OK
end

group Request S3 to set a policy
  client -> s3 : Set bucket policy
  s3 -> converter : Convert IAM policy
  converter -> s3 : Return APE chain
  s3 -> morphRuleStorage : Store bucket policy and APE chain
  s3 -> client : OK
end

group Get object
  client -> s3: GetObject
  s3 -> s3chainRouter: Check if APE allows request for S3
  note over s3chainRouter: matching the request with overrides and rules
  s3chainRouter -> s3: Status: ALLOW
  s3 -> obj: Get object
  obj -> storageChainRouter: Check if APE allows the request
  note over storageChainRouter : matching the request with overrides and rules
  storageChainRouter -> obj: Status: ALLOW
  obj -> s3: Response: OK, Object
  s3 -> client: Response: OK, Object
end

@enduml

PlantUML version 1.2020.02(Sun Mar 01 13:22:07 MSK 2020)
(GPL source distribution)
Java Runtime: OpenJDK Runtime Environment
JVM: OpenJDK 64-Bit Server VM
Java Version: 11.0.22+7-post-Ubuntu-0ubuntu222.04.1
Operating System: Linux
Default Encoding: UTF-8
Language: en
Country: null
--></g></svg>
[#71] docs: Introduce APE overview Signed-off-by: Airat Arifullin <aarifullin@yadro.com> 2024-04-18 11:27:52 +00:00			<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentScriptType="application/ecmascript" contentStyleType="text/css" height="852px" preserveAspectRatio="none" style="width:1612px;height:852px;" version="1.1" viewBox="0 0 1612 852" width="1612px" zoomAndPan="magnify"><defs><filter height="300%" id="f1l5dhsbmf5oik" width="300%" x="-1" y="-1"><feGaussianBlur result="blurOut" stdDeviation="2.0"/><feColorMatrix in="blurOut" result="blurOut2" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 .4 0"/><feOffset dx="4.0" dy="4.0" in="blurOut2" result="blurOut3"/><feBlend in="SourceGraphic" in2="blurOut3" mode="normal"/></filter></defs><g><rect fill="#FF69B4" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="105" x="394" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="18" x="437.5" y="16.0669">S3</text><rect fill="#FFB6C1" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="308" x="501" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="302" x="504" y="16.0669">Access Policy Engine (as s3 middleware)</text><rect fill="#DDDDDD" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="183" x="811" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="177" x="814" y="16.0669">Policy contract (shared)</text><rect fill="#90EE90" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="348" x="996" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="342" x="999" y="16.0669">Access Policy Engine (as storage middleware)</text><rect fill="#008000" height="837.9141" style="stroke: #A80036; stroke-width: 1.0;" width="255" x="1346" y="4"/><text fill="#000000" font-family="sans-serif" font-size="13" font-weight="bold" lengthAdjust="spacingAndGlyphs" textLength="100" x="1423.5" y="16.0669">Storage node</text><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="191.9297" style="stroke: #000000; stroke-width: 2.0;" width="974" x="13" y="75.4297"/><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="162.7969" style="stroke: #000000; stroke-width: 2.0;" width="974" x="13" y="281.3594"/><rect fill="#FFFFFF" filter="url(#f1l5dhsbmf5oik)" height="328.4609" style="stroke: #000000; stroke-width: 2.0;" width="1463" x="13" y="458.1563"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="51" x2="51" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="164.5" x2="164.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="305.5" x2="305.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="446" x2="446" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="598.5" x2="598.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="744.5" x2="744.5" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="902" x2="902" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1080" x2="1080" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1229" x2="1229" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1408" x2="1408" y1="58.4297" y2="803.6172"/><line style="stroke: #A80036; stroke-width: 1.0; stroke-dasharray: 5.0,5.0;" x1="1536" x2="1536" y1="58.4297" y2="803.6172"/><rect fill="#FEFECE" filter="url(#f1l5dhsbmf5oik)" height="30.2969" style="stroke: #A80036;
			`@startuml s3 ape`

			`participant "Client" as client`

			`participant "IAM" as iam`
			`participant "IAM -> APE converter" as converter`

			`box "S3" #HotPink`
			`participant "S3 gateway" as s3`
			`end box`

			`box "Access Policy Engine (as s3 middleware)" #LightPink`
			`participant "Local override storage" as s3localOverrides`
			`participant "Chain router" as s3chainRouter`
			`end box`

			`box "Policy contract (shared)"`
			`participant "Morph rule storage" as morphRuleStorage`
			`end box`

			`box "Access Policy Engine (as storage middleware)" #LightGreen`
			`participant "Chain Router" as storageChainRouter`
			`participant "Local override storage" as storageLocalOverrides`
			`end box`

			`box "Storage node" #Green`
			`participant "Object service" as obj`
			`participant "Control service" as control`
			`end box`

			`group Request IAM to set a policy`
			`client -> iam : Set IAM policy`
			`iam -> converter : Convert IAM policy`
			`converter -> iam : Return APE chain`
			`iam -> morphRuleStorage : Store IAM policy and APE chain`
			`iam -> s3localOverrides : Set S3 local overrides`
			`iam -> client : OK`
			`end`

			`group Request S3 to set a policy`
			`client -> s3 : Set bucket policy`
			`s3 -> converter : Convert IAM policy`
			`converter -> s3 : Return APE chain`
			`s3 -> morphRuleStorage : Store bucket policy and APE chain`
			`s3 -> client : OK`
			`end`

			`group Get object`
			`client -> s3: GetObject`
			`s3 -> s3chainRouter: Check if APE allows request for S3`
			`note over s3chainRouter: matching the request with overrides and rules`
			`s3chainRouter -> s3: Status: ALLOW`
			`s3 -> obj: Get object`
			`obj -> storageChainRouter: Check if APE allows the request`
			`note over storageChainRouter : matching the request with overrides and rules`
			`storageChainRouter -> obj: Status: ALLOW`
			`obj -> s3: Response: OK, Object`
			`s3 -> client: Response: OK, Object`
			`end`

			`@enduml`

			`PlantUML version 1.2020.02(Sun Mar 01 13:22:07 MSK 2020)`
			`(GPL source distribution)`
			`Java Runtime: OpenJDK Runtime Environment`
			`JVM: OpenJDK 64-Bit Server VM`
			`Java Version: 11.0.22+7-post-Ubuntu-0ubuntu222.04.1`
			`Operating System: Linux`
			`Default Encoding: UTF-8`
			`Language: en`
			`Country: null`
			`--></g></svg>`