S3: Enforce bucket policy (#7471)
* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
This commit is contained in:
Chris Lu
@@ -25,7 +25,7 @@
|
||||
"roles": [
|
||||
{
|
||||
"roleName": "S3AdminRole",
|
||||
"roleArn": "arn:seaweed:iam::role/S3AdminRole",
|
||||
"roleArn": "arn:aws:iam::role/S3AdminRole",
|
||||
"trustPolicy": {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
@@ -48,7 +48,7 @@
|
||||
},
|
||||
{
|
||||
"roleName": "S3ReadOnlyRole",
|
||||
"roleArn": "arn:seaweed:iam::role/S3ReadOnlyRole",
|
||||
"roleArn": "arn:aws:iam::role/S3ReadOnlyRole",
|
||||
"trustPolicy": {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
@@ -71,7 +71,7 @@
|
||||
},
|
||||
{
|
||||
"roleName": "S3ReadWriteRole",
|
||||
"roleArn": "arn:seaweed:iam::role/S3ReadWriteRole",
|
||||
"roleArn": "arn:aws:iam::role/S3ReadWriteRole",
|
||||
"trustPolicy": {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
@@ -122,8 +122,8 @@
|
||||
"s3:ListBucketVersions"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:seaweed:s3:::*",
|
||||
"arn:seaweed:s3:::*/*"
|
||||
"arn:aws:s3:::*",
|
||||
"arn:aws:s3:::*/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
@@ -147,8 +147,8 @@
|
||||
"s3:ListBucketVersions"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:seaweed:s3:::*",
|
||||
"arn:seaweed:s3:::*/*"
|
||||
"arn:aws:s3:::*",
|
||||
"arn:aws:s3:::*/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user