package acl
import (
"fmt"
"github.com/treeverse/lakefs/pkg/auth"
"github.com/treeverse/lakefs/pkg/auth/model"
"github.com/treeverse/lakefs/pkg/permissions"
)
const (
	// ReadPermission allows reading the specified repositories, as well as
	// managing own credentials.
	ReadPermission model.ACLPermission = "Read"
	// WritePermission allows reading and writing the specified repositories,
	// as well as managing own credentials.
	WritePermission model.ACLPermission = "Write"
	// SuperPermission allows reading, writing, and all other actions on the
	// specified repositories, as well as managing own credentials.
	SuperPermission model.ACLPermission = "Super"
	// AdminPermission allows all operations, including all reading, writing,
	// and all other actions on all repositories, and managing
	// authorization and credentials of all users.
	//
	// The string values are the wire/storage representation of an ACL
	// permission; ACLToStatement matches on them exactly (case-sensitive),
	// and any other value is rejected with ErrBadACLPermission.
	AdminPermission model.ACLPermission = "Admin"
)
var (
	// ownUserARN scopes a statement to the calling user only. The "${user}"
	// placeholder is presumably substituted at policy-evaluation time —
	// verify in the permissions package before relying on it.
	ownUserARN = []string{permissions.UserArn("${user}")}
	// all scopes a statement to every resource.
	all = []string{permissions.All}
	// ErrBadACLPermission is returned for an unknown ACL permission or when a
	// policy type backing a permission cannot be built. It wraps
	// model.ErrValidationError, so errors.Is(err, model.ErrValidationError)
	// holds for it.
	ErrBadACLPermission = fmt.Errorf("%w: Bad ACL permission", model.ErrValidationError)
	// NOTE(review): ownUserARN and all are package-level mutable slices handed
	// to auth.MakeStatementForPolicyType; if the resulting statements retain
	// them, mutating either would change every policy built afterwards.
)
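// policySpec names one policy type and the resources its statements cover.
type policySpec struct {
	policyType string
	resources  []string
}

// ACLToStatement expands an ACL permission into the policy statements that
// grant it.
//
// Read grants FSRead and FSReadConfig on all resources plus management of the
// caller's own credentials; Write grants FSReadWrite, own-credential
// management and RepoManagementRead; Super grants FSFullAccess,
// own-credential management and RepoManagementRead; Admin grants AllAccess.
// Statements are returned in that order.
//
// It returns an error wrapping ErrBadACLPermission (and so
// model.ErrValidationError) when acl.Permission is not one of the known
// permissions or when any backing policy type cannot be built. Every failure
// is wrapped uniformly; previously the AuthManageOwnCredentials failure for
// Read and Write surfaced the raw error from auth.MakeStatementForPolicyType.
func ACLToStatement(acl model.ACL) (model.Statements, error) {
	specs, ok := policiesForPermission(acl.Permission)
	if !ok {
		return nil, fmt.Errorf("%w \"%s\"", ErrBadACLPermission, acl.Permission)
	}
	return buildStatements(acl.Permission, specs)
}

// policiesForPermission returns the policy types, in order, that make up perm,
// and false when perm is not a known ACL permission.
func policiesForPermission(perm model.ACLPermission) ([]policySpec, bool) {
	switch perm {
	case ReadPermission:
		return []policySpec{
			{policyType: "FSRead", resources: all},
			{policyType: "FSReadConfig", resources: all},
			{policyType: "AuthManageOwnCredentials", resources: ownUserARN},
		}, true
	case WritePermission:
		return []policySpec{
			{policyType: "FSReadWrite", resources: all},
			{policyType: "AuthManageOwnCredentials", resources: ownUserARN},
			{policyType: "RepoManagementRead", resources: all},
		}, true
	case SuperPermission:
		return []policySpec{
			{policyType: "FSFullAccess", resources: all},
			{policyType: "AuthManageOwnCredentials", resources: ownUserARN},
			{policyType: "RepoManagementRead", resources: all},
		}, true
	case AdminPermission:
		// Same resource set as the other cases; the inline literal used before
		// was equivalent to `all`.
		return []policySpec{
			{policyType: "AllAccess", resources: all},
		}, true
	}
	return nil, false
}

// buildStatements materializes specs into a single statement list. Each policy
// type is built independently and appended to a fresh slice, so no slice
// returned by auth.MakeStatementForPolicyType is ever appended into (the
// original appended one result into another, which could write into a
// returned slice's spare capacity).
func buildStatements(perm model.ACLPermission, specs []policySpec) (model.Statements, error) {
	var statements model.Statements
	for _, spec := range specs {
		s, err := auth.MakeStatementForPolicyType(spec.policyType, spec.resources)
		if err != nil {
			// A missing policy type means the permission cannot be honored;
			// report it as a validation error, naming the policy type.
			return nil, fmt.Errorf("%s: get %s: %w", perm, spec.policyType, ErrBadACLPermission)
		}
		statements = append(statements, s...)
	}
	return statements, nil
}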