				| { | |
|   "identities": [ | |
|     { | |
|       "name": "testuser", | |
|       "credentials": [ | |
|         { | |
|           "accessKey": "test-access-key", | |
|           "secretKey": "test-secret-key" | |
|         } | |
|       ], | |
|       "actions": ["Admin"] | |
|     }, | |
|     { | |
|       "name": "readonlyuser",  | |
|       "credentials": [ | |
|         { | |
|           "accessKey": "readonly-access-key", | |
|           "secretKey": "readonly-secret-key" | |
|         } | |
|       ], | |
|       "actions": ["Read"] | |
|     }, | |
|     { | |
|       "name": "writeonlyuser", | |
|       "credentials": [ | |
|         { | |
|           "accessKey": "writeonly-access-key",  | |
|           "secretKey": "writeonly-secret-key" | |
|         } | |
|       ], | |
|       "actions": ["Write"] | |
|     } | |
|   ], | |
|   "iam": { | |
|     "enabled": true, | |
|     "sts": { | |
|       "tokenDuration": "15m", | |
|       "issuer": "seaweedfs-sts", | |
|       "signingKey": "test-sts-signing-key-for-integration-tests" | |
|     }, | |
|     "policy": { | |
|       "defaultEffect": "Deny" | |
|     }, | |
|     "providers": { | |
|       "oidc": { | |
|         "test-oidc": { | |
|           "issuer": "http://localhost:8080/.well-known/openid_configuration", | |
|           "clientId": "test-client-id", | |
|           "jwksUri": "http://localhost:8080/jwks", | |
|           "userInfoUri": "http://localhost:8080/userinfo", | |
|           "roleMapping": { | |
|             "rules": [ | |
|               { | |
|                 "claim": "groups", | |
|                 "claimValue": "admins",  | |
|                 "roleName": "S3AdminRole" | |
|               }, | |
|               { | |
|                 "claim": "groups", | |
|                 "claimValue": "users", | |
|                 "roleName": "S3ReadOnlyRole" | |
|               }, | |
|               { | |
|                 "claim": "groups", | |
|                 "claimValue": "writers", | |
|                 "roleName": "S3WriteOnlyRole" | |
|               } | |
|             ] | |
|           }, | |
|           "claimsMapping": { | |
|             "email": "email", | |
|             "displayName": "name", | |
|             "groups": "groups" | |
|           } | |
|         } | |
|       }, | |
|       "ldap": { | |
|         "test-ldap": { | |
|           "server": "ldap://localhost:389", | |
|           "baseDN": "dc=example,dc=com", | |
|           "bindDN": "cn=admin,dc=example,dc=com",  | |
|           "bindPassword": "admin-password", | |
|           "userFilter": "(uid=%s)", | |
|           "groupFilter": "(memberUid=%s)", | |
|           "attributes": { | |
|             "email": "mail", | |
|             "displayName": "cn",  | |
|             "groups": "memberOf" | |
|           }, | |
|           "roleMapping": { | |
|             "rules": [ | |
|               { | |
|                 "claim": "groups", | |
|                 "claimValue": "cn=admins,ou=groups,dc=example,dc=com", | |
|                 "roleName": "S3AdminRole" | |
|               }, | |
|               { | |
|                 "claim": "groups",  | |
|                 "claimValue": "cn=users,ou=groups,dc=example,dc=com", | |
|                 "roleName": "S3ReadOnlyRole" | |
|               } | |
|             ] | |
|           } | |
|         } | |
|       } | |
|     }, | |
|     "policyStore": { | |
|       "type": "filer", | |
|       "config": { | |
|         "filerAddress": "localhost:8888",  | |
|         "basePath": "/seaweedfs/iam/policies" | |
|       } | |
|     } | |
|   }, | |
|   "roles": { | |
|     "S3AdminRole": { | |
|       "trustPolicy": { | |
|         "Version": "2012-10-17", | |
|         "Statement": [ | |
|           { | |
|             "Effect": "Allow", | |
|             "Principal": { | |
|               "Federated": ["test-oidc", "test-ldap"] | |
|             }, | |
|             "Action": "sts:AssumeRoleWithWebIdentity" | |
|           } | |
|         ] | |
|       }, | |
|       "attachedPolicies": ["S3AdminPolicy"], | |
|       "description": "Full administrative access to S3 resources" | |
|     }, | |
|     "S3ReadOnlyRole": { | |
|       "trustPolicy": { | |
|         "Version": "2012-10-17", | |
|         "Statement": [ | |
|           { | |
|             "Effect": "Allow",  | |
|             "Principal": { | |
|               "Federated": ["test-oidc", "test-ldap"] | |
|             }, | |
|             "Action": "sts:AssumeRoleWithWebIdentity" | |
|           } | |
|         ] | |
|       }, | |
|       "attachedPolicies": ["S3ReadOnlyPolicy"], | |
|       "description": "Read-only access to S3 resources" | |
|     }, | |
|     "S3WriteOnlyRole": { | |
|       "trustPolicy": { | |
|         "Version": "2012-10-17", | |
|         "Statement": [ | |
|           { | |
|             "Effect": "Allow", | |
|             "Principal": { | |
|               "Federated": ["test-oidc", "test-ldap"]  | |
|             }, | |
|             "Action": "sts:AssumeRoleWithWebIdentity" | |
|           } | |
|         ] | |
|       }, | |
|       "attachedPolicies": ["S3WriteOnlyPolicy"], | |
|       "description": "Write-only access to S3 resources" | |
|     } | |
|   }, | |
|   "policies": { | |
|     "S3AdminPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Effect": "Allow", | |
|           "Action": ["s3:*"], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::*", | |
|             "arn:seaweed:s3:::*/*" | |
|           ] | |
|         } | |
|       ] | |
|     }, | |
|     "S3ReadOnlyPolicy": { | |
|       "Version": "2012-10-17",  | |
|       "Statement": [ | |
|         { | |
|           "Effect": "Allow", | |
|           "Action": [ | |
|             "s3:GetObject", | |
|             "s3:GetObjectVersion",  | |
|             "s3:ListBucket", | |
|             "s3:ListBucketVersions", | |
|             "s3:GetBucketLocation", | |
|             "s3:GetBucketVersioning" | |
|           ], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::*", | |
|             "arn:seaweed:s3:::*/*" | |
|           ] | |
|         } | |
|       ] | |
|     }, | |
|     "S3WriteOnlyPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Effect": "Allow", | |
|           "Action": [ | |
|             "s3:PutObject", | |
|             "s3:PutObjectAcl", | |
|             "s3:DeleteObject", | |
|             "s3:DeleteObjectVersion", | |
|             "s3:InitiateMultipartUpload", | |
|             "s3:UploadPart",  | |
|             "s3:CompleteMultipartUpload", | |
|             "s3:AbortMultipartUpload", | |
|             "s3:ListMultipartUploadParts" | |
|           ], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::*/*" | |
|           ] | |
|         } | |
|       ] | |
|     }, | |
|     "S3BucketManagementPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Effect": "Allow", | |
|           "Action": [ | |
|             "s3:CreateBucket", | |
|             "s3:DeleteBucket",  | |
|             "s3:GetBucketPolicy", | |
|             "s3:PutBucketPolicy", | |
|             "s3:DeleteBucketPolicy", | |
|             "s3:GetBucketVersioning", | |
|             "s3:PutBucketVersioning" | |
|           ], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::*" | |
|           ] | |
|         } | |
|       ] | |
|     }, | |
|     "S3IPRestrictedPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Effect": "Allow", | |
|           "Action": ["s3:*"], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::*", | |
|             "arn:seaweed:s3:::*/*" | |
|           ], | |
|           "Condition": { | |
|             "IpAddress": { | |
|               "aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/8"] | |
|             } | |
|           } | |
|         } | |
|       ] | |
|     }, | |
|     "S3TimeBasedPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Effect": "Allow",  | |
|           "Action": ["s3:GetObject", "s3:ListBucket"], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::*", | |
|             "arn:seaweed:s3:::*/*" | |
|           ], | |
|           "Condition": { | |
|             "DateGreaterThan": { | |
|               "aws:CurrentTime": "2023-01-01T00:00:00Z" | |
|             }, | |
|             "DateLessThan": { | |
|               "aws:CurrentTime": "2025-12-31T23:59:59Z"  | |
|             } | |
|           } | |
|         } | |
|       ] | |
|     } | |
|   }, | |
|   "bucketPolicyExamples": { | |
|     "PublicReadPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Sid": "PublicReadGetObject", | |
|           "Effect": "Allow", | |
|           "Principal": "*", | |
|           "Action": "s3:GetObject",  | |
|           "Resource": "arn:seaweed:s3:::example-bucket/*" | |
|         } | |
|       ] | |
|     }, | |
|     "DenyDeletePolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Sid": "DenyDeleteOperations", | |
|           "Effect": "Deny", | |
|           "Principal": "*", | |
|           "Action": ["s3:DeleteObject", "s3:DeleteBucket"], | |
|           "Resource": [ | |
|             "arn:seaweed:s3:::example-bucket", | |
|             "arn:seaweed:s3:::example-bucket/*" | |
|           ] | |
|         } | |
|       ] | |
|     }, | |
|     "IPRestrictedAccessPolicy": { | |
|       "Version": "2012-10-17", | |
|       "Statement": [ | |
|         { | |
|           "Sid": "IPRestrictedAccess", | |
|           "Effect": "Allow",  | |
|           "Principal": "*", | |
|           "Action": ["s3:GetObject", "s3:PutObject"], | |
|           "Resource": "arn:seaweed:s3:::example-bucket/*", | |
|           "Condition": { | |
|             "IpAddress": { | |
|               "aws:SourceIp": ["203.0.113.0/24"] | |
|             } | |
|           } | |
|         } | |
|       ] | |
|     } | |
|   } | |
| }