Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11963 Commits
50 Branches
316 Tags
332 MiB
 
 
 
 
 
 
Tree: 164158b2a1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '164158b2a1'
${ noResults }
seaweedfs/test/s3/iam/test_config.json

321 lines
8.0 KiB
Raw Blame History

{
"identities": [
{
"name": "testuser",
"credentials": [
{
"accessKey": "test-access-key",
"secretKey": "test-secret-key"
}
],
"actions": ["Admin"]
},
{
"name": "readonlyuser",
"credentials": [
{
"accessKey": "readonly-access-key",
"secretKey": "readonly-secret-key"
}
],
"actions": ["Read"]
},
{
"name": "writeonlyuser",
"credentials": [
{
"accessKey": "writeonly-access-key",
"secretKey": "writeonly-secret-key"
}
],
"actions": ["Write"]
}
],
"iam": {
"enabled": true,
"sts": {
"tokenDuration": "15m",
"issuer": "seaweedfs-sts",
"signingKey": "test-sts-signing-key-for-integration-tests"
},
"policy": {
"defaultEffect": "Deny"
},
"providers": {
"oidc": {
"test-oidc": {
"issuer": "http://localhost:8080/.well-known/openid_configuration",
"clientId": "test-client-id",
"jwksUri": "http://localhost:8080/jwks",
"userInfoUri": "http://localhost:8080/userinfo",
"roleMapping": {
"rules": [
{
"claim": "groups",
"claimValue": "admins",
"roleName": "S3AdminRole"
},
{
"claim": "groups",
"claimValue": "users",
"roleName": "S3ReadOnlyRole"
},
{
"claim": "groups",
"claimValue": "writers",
"roleName": "S3WriteOnlyRole"
}
]
},
"claimsMapping": {
"email": "email",
"displayName": "name",
"groups": "groups"
}
}
},
"ldap": {
"test-ldap": {
"server": "ldap://localhost:389",
"baseDN": "dc=example,dc=com",
"bindDN": "cn=admin,dc=example,dc=com",
"bindPassword": "admin-password",
"userFilter": "(uid=%s)",
"groupFilter": "(memberUid=%s)",
"attributes": {
"email": "mail",
"displayName": "cn",
"groups": "memberOf"
},
"roleMapping": {
"rules": [
{
"claim": "groups",
"claimValue": "cn=admins,ou=groups,dc=example,dc=com",
"roleName": "S3AdminRole"
},
{
"claim": "groups",
"claimValue": "cn=users,ou=groups,dc=example,dc=com",
"roleName": "S3ReadOnlyRole"
}
]
}
}
}
},
"policyStore": {}
},
"roles": {
"S3AdminRole": {
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": ["test-oidc", "test-ldap"]
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
},
"attachedPolicies": ["S3AdminPolicy"],
"description": "Full administrative access to S3 resources"
},
"S3ReadOnlyRole": {
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": ["test-oidc", "test-ldap"]
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
},
"attachedPolicies": ["S3ReadOnlyPolicy"],
"description": "Read-only access to S3 resources"
},
"S3WriteOnlyRole": {
"trustPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": ["test-oidc", "test-ldap"]
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
},
"attachedPolicies": ["S3WriteOnlyPolicy"],
"description": "Write-only access to S3 resources"
}
},
"policies": {
"S3AdminPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
}
]
},
"S3ReadOnlyPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetBucketLocation",
"s3:GetBucketVersioning"
],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
]
}
]
},
"S3WriteOnlyPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:InitiateMultipartUpload",
"s3:UploadPart",
"s3:CompleteMultipartUpload",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:seaweed:s3:::*/*"
]
}
]
},
"S3BucketManagementPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:GetBucketVersioning",
"s3:PutBucketVersioning"
],
"Resource": [
"arn:seaweed:s3:::*"
]
}
]
},
"S3IPRestrictedPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/8"]
}
}
}
]
},
"S3TimeBasedPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:seaweed:s3:::*",
"arn:seaweed:s3:::*/*"
],
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2023-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2025-12-31T23:59:59Z"
}
}
}
]
}
},
"bucketPolicyExamples": {
"PublicReadPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:seaweed:s3:::example-bucket/*"
}
]
},
"DenyDeletePolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyDeleteOperations",
"Effect": "Deny",
"Principal": "*",
"Action": ["s3:DeleteObject", "s3:DeleteBucket"],
"Resource": [
"arn:seaweed:s3:::example-bucket",
"arn:seaweed:s3:::example-bucket/*"
]
}
]
},
"IPRestrictedAccessPolicy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IPRestrictedAccess",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:seaweed:s3:::example-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": ["203.0.113.0/24"]
}
}
}
]
}
}
}