Add policy engine (#6970)
@@ -7,18 +7,19 @@ import (
|
||||
|
||||
"github.com/seaweedfs/seaweedfs/weed/credential"
|
||||
"github.com/seaweedfs/seaweedfs/weed/glog"
|
||||
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
||||
)
|
||||
|
||||
type IAMPolicy struct {
|
||||
Name string `json:"name"`
|
||||
Document credential.PolicyDocument `json:"document"`
|
||||
DocumentJSON string `json:"document_json"`
|
||||
CreatedAt time.Time `json:"created_at"`
|
||||
UpdatedAt time.Time `json:"updated_at"`
|
||||
Name string `json:"name"`
|
||||
Document policy_engine.PolicyDocument `json:"document"`
|
||||
DocumentJSON string `json:"document_json"`
|
||||
CreatedAt time.Time `json:"created_at"`
|
||||
UpdatedAt time.Time `json:"updated_at"`
|
||||
}
|
||||
|
||||
type PoliciesCollection struct {
|
||||
Policies map[string]credential.PolicyDocument `json:"policies"`
|
||||
Policies map[string]policy_engine.PolicyDocument `json:"policies"`
|
||||
}
|
||||
|
||||
type PoliciesData struct {
|
||||
@@ -30,14 +31,14 @@ type PoliciesData struct {
|
||||
|
||||
// Policy management request structures
|
||||
type CreatePolicyRequest struct {
|
||||
Name string `json:"name" binding:"required"`
|
||||
Document credential.PolicyDocument `json:"document" binding:"required"`
|
||||
DocumentJSON string `json:"document_json"`
|
||||
Name string `json:"name" binding:"required"`
|
||||
Document policy_engine.PolicyDocument `json:"document" binding:"required"`
|
||||
DocumentJSON string `json:"document_json"`
|
||||
}
|
||||
|
||||
type UpdatePolicyRequest struct {
|
||||
Document credential.PolicyDocument `json:"document" binding:"required"`
|
||||
DocumentJSON string `json:"document_json"`
|
||||
Document policy_engine.PolicyDocument `json:"document" binding:"required"`
|
||||
DocumentJSON string `json:"document_json"`
|
||||
}
|
||||
|
||||
// PolicyManager interface is now in the credential package
|
||||
@@ -55,7 +56,7 @@ func NewCredentialStorePolicyManager(credentialManager *credential.CredentialMan
|
||||
}
|
||||
|
||||
// GetPolicies retrieves all IAM policies via credential store
|
||||
func (cspm *CredentialStorePolicyManager) GetPolicies(ctx context.Context) (map[string]credential.PolicyDocument, error) {
|
||||
func (cspm *CredentialStorePolicyManager) GetPolicies(ctx context.Context) (map[string]policy_engine.PolicyDocument, error) {
|
||||
// Get policies from credential store
|
||||
// We'll use the credential store to access the filer indirectly
|
||||
// Since policies are stored separately, we need to access the underlying store
|
||||
@@ -75,12 +76,12 @@ func (cspm *CredentialStorePolicyManager) GetPolicies(ctx context.Context) (map[
|
||||
} else {
|
||||
// Fallback: use empty policies for stores that don't support policies
|
||||
glog.V(1).Infof("Credential store doesn't support policy management, returning empty policies")
|
||||
return make(map[string]credential.PolicyDocument), nil
|
||||
return make(map[string]policy_engine.PolicyDocument), nil
|
||||
}
|
||||
}
|
||||
|
||||
// CreatePolicy creates a new IAM policy via credential store
|
||||
func (cspm *CredentialStorePolicyManager) CreatePolicy(ctx context.Context, name string, document credential.PolicyDocument) error {
|
||||
func (cspm *CredentialStorePolicyManager) CreatePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error {
|
||||
store := cspm.credentialManager.GetStore()
|
||||
|
||||
if policyStore, ok := store.(credential.PolicyManager); ok {
|
||||
@@ -91,7 +92,7 @@ func (cspm *CredentialStorePolicyManager) CreatePolicy(ctx context.Context, name
|
||||
}
|
||||
|
||||
// UpdatePolicy updates an existing IAM policy via credential store
|
||||
func (cspm *CredentialStorePolicyManager) UpdatePolicy(ctx context.Context, name string, document credential.PolicyDocument) error {
|
||||
func (cspm *CredentialStorePolicyManager) UpdatePolicy(ctx context.Context, name string, document policy_engine.PolicyDocument) error {
|
||||
store := cspm.credentialManager.GetStore()
|
||||
|
||||
if policyStore, ok := store.(credential.PolicyManager); ok {
|
||||
@@ -113,7 +114,7 @@ func (cspm *CredentialStorePolicyManager) DeletePolicy(ctx context.Context, name
|
||||
}
|
||||
|
||||
// GetPolicy retrieves a specific IAM policy via credential store
|
||||
func (cspm *CredentialStorePolicyManager) GetPolicy(ctx context.Context, name string) (*credential.PolicyDocument, error) {
|
||||
func (cspm *CredentialStorePolicyManager) GetPolicy(ctx context.Context, name string) (*policy_engine.PolicyDocument, error) {
|
||||
store := cspm.credentialManager.GetStore()
|
||||
|
||||
if policyStore, ok := store.(credential.PolicyManager); ok {
|
||||
@@ -163,7 +164,7 @@ func (s *AdminServer) GetPolicies() ([]IAMPolicy, error) {
|
||||
}
|
||||
|
||||
// CreatePolicy creates a new IAM policy
|
||||
func (s *AdminServer) CreatePolicy(name string, document credential.PolicyDocument) error {
|
||||
func (s *AdminServer) CreatePolicy(name string, document policy_engine.PolicyDocument) error {
|
||||
policyManager := s.GetPolicyManager()
|
||||
if policyManager == nil {
|
||||
return fmt.Errorf("policy manager not available")
|
||||
@@ -174,7 +175,7 @@ func (s *AdminServer) CreatePolicy(name string, document credential.PolicyDocume
|
||||
}
|
||||
|
||||
// UpdatePolicy updates an existing IAM policy
|
||||
func (s *AdminServer) UpdatePolicy(name string, document credential.PolicyDocument) error {
|
||||
func (s *AdminServer) UpdatePolicy(name string, document policy_engine.PolicyDocument) error {
|
||||
policyManager := s.GetPolicyManager()
|
||||
if policyManager == nil {
|
||||
return fmt.Errorf("policy manager not available")
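Review bot: The fallback branch in GetPolicies, `return make(map[string]policy_engine.PolicyDocument), nil`, reports a credential store that does not implement credential.PolicyManager as a successful, empty policy set, so a misconfigured store is indistinguishable to AdminServer.GetPolicies from an administrator who has simply defined no policies. Since the result feeds authorization decisions, consider surfacing the condition instead of only logging it at V(1), for example with a package sentinel `var ErrPolicyStoreUnsupported = errors.New("credential store does not support policy management")` returned from that branch, or at least state the behavior in the doc comment: `// GetPolicies retrieves all IAM policies via credential store; a store that does not implement credential.PolicyManager yields an empty map and a nil error.` If CreatePolicy, UpdatePolicy and GetPolicy use the same silent fallback for a non-PolicyManager store, the same point applies there. GetPolicies begins before its hunk, and the other three methods' bodies run past theirs.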
|
||||
|
||||
@@ -9,8 +9,8 @@ import (
|
||||
"github.com/seaweedfs/seaweedfs/weed/admin/dash"
|
||||
"github.com/seaweedfs/seaweedfs/weed/admin/view/app"
|
||||
"github.com/seaweedfs/seaweedfs/weed/admin/view/layout"
|
||||
"github.com/seaweedfs/seaweedfs/weed/credential"
|
||||
"github.com/seaweedfs/seaweedfs/weed/glog"
|
||||
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
|
||||
)
|
||||
|
||||
// PolicyHandlers contains all the HTTP handlers for policy management
|
||||
@@ -190,7 +190,7 @@ func (h *PolicyHandlers) DeletePolicy(c *gin.Context) {
|
||||
// ValidatePolicy validates a policy document without saving it
|
||||
func (h *PolicyHandlers) ValidatePolicy(c *gin.Context) {
|
||||
var req struct {
|
||||
Document credential.PolicyDocument `json:"document" binding:"required"`
|
||||
Document policy_engine.PolicyDocument `json:"document" binding:"required"`
|
||||
}
|
||||
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
@@ -218,14 +218,14 @@ func (h *PolicyHandlers) ValidatePolicy(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
if len(statement.Action) == 0 {
|
||||
if len(statement.Action.Strings()) == 0 {
|
||||
c.JSON(http.StatusBadRequest, gin.H{
|
||||
"error": fmt.Sprintf("Statement %d: Action is required", i+1),
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
if len(statement.Resource) == 0 {
|
||||
if len(statement.Resource.Strings()) == 0 {
|
||||
c.JSON(http.StatusBadRequest, gin.H{
|
||||
"error": fmt.Sprintf("Statement %d: Resource is required", i+1),
|
||||
})
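Review bot: The new checks `if len(statement.Action.Strings()) == 0` and `if len(statement.Resource.Strings()) == 0` only test the element count, so a statement whose Action or Resource list contains blank entries such as `[""]` still passes validation, as it did with the old slice check; because these lists drive policy matching, a blank entry should be rejected here too unless policy_engine already normalizes it away. A follow-up loop after each check, `for _, a := range statement.Action.Strings() { if strings.TrimSpace(a) == "" { /* 400: blank action */ } }`, with the same for Resource, would close that gap. ValidatePolicy's loop over statements (index `i`) begins before this hunk and its body continues past it.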
|
||||
|
||||