authorchrislu <chris.lu@gmail.com>2025-07-13 20:29:25 -0700
committerchrislu <chris.lu@gmail.com>2025-07-13 20:29:25 -0700
commite7dfc3552cf7c60cc500dd4ce4320b081cde64d8 (patch)
treee09c75e4ba05e7601b25a4c3deb0265890d53479 /weed/s3api/policy_engine/integration.go
parent7cb1ca13082568bfdcdab974d8cefddf650443c5 (diff)
admin ui adds object lock permissions
Diffstat (limited to 'weed/s3api/policy_engine/integration.go')
-rw-r--r--weed/s3api/policy_engine/integration.go62
1 files changed, 62 insertions, 0 deletions
diff --git a/weed/s3api/policy_engine/integration.go b/weed/s3api/policy_engine/integration.go
index 2a6a5c8fa..9c4bee9e4 100644
--- a/weed/s3api/policy_engine/integration.go
+++ b/weed/s3api/policy_engine/integration.go
@@ -213,6 +213,50 @@ func convertSingleAction(action, bucketName string) (*PolicyStatement, error) {
resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
}
+ case "GetObjectRetention":
+ s3Actions = []string{"s3:GetObjectRetention"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "PutObjectRetention":
+ s3Actions = []string{"s3:PutObjectRetention"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "GetObjectLegalHold":
+ s3Actions = []string{"s3:GetObjectLegalHold"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "PutObjectLegalHold":
+ s3Actions = []string{"s3:PutObjectLegalHold"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "GetBucketObjectLockConfiguration":
+ s3Actions = []string{"s3:GetBucketObjectLockConfiguration"}
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
+ case "PutBucketObjectLockConfiguration":
+ s3Actions = []string{"s3:PutBucketObjectLockConfiguration"}
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
default:
return nil, fmt.Errorf("unknown action type: %s", actionType)
}
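Review bot: The two bucket-level cases, `GetBucketObjectLockConfiguration` and `PutBucketObjectLockConfiguration`, format `resourcePattern` into the ARN without stripping a trailing `/*`, although the four object-level cases above them treat that suffix as a possible input. If a pattern such as `bucket/*` (constructed example) can reach these cases, the statement would name an object ARN for a bucket-level action and would probably never match, so the permission would silently not be granted. Consider `resources = []string{fmt.Sprintf("arn:aws:s3:::%s", strings.TrimSuffix(resourcePattern, "/*"))}` in both. Separately, the four object-level cases differ only in the action name, and their `if`/`else` reduces to `strings.TrimSuffix(resourcePattern, "/*") + "/*"`, so they could share one `case` list. The body of convertSingleAction starts and ends outside this hunk, so how earlier bucket-level cases handle the suffix is not visible here.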
@@ -280,6 +324,24 @@ func GetActionMappings() map[string][]string {
"BypassGovernanceRetention": {
"s3:BypassGovernanceRetention",
},
+ "GetObjectRetention": {
+ "s3:GetObjectRetention",
+ },
+ "PutObjectRetention": {
+ "s3:PutObjectRetention",
+ },
+ "GetObjectLegalHold": {
+ "s3:GetObjectLegalHold",
+ },
+ "PutObjectLegalHold": {
+ "s3:PutObjectLegalHold",
+ },
+ "GetBucketObjectLockConfiguration": {
+ "s3:GetBucketObjectLockConfiguration",
+ },
+ "PutBucketObjectLockConfiguration": {
+ "s3:PutBucketObjectLockConfiguration",
+ },
}
}
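Review bot: The six new keys in GetActionMappings repeat the action names already hard-coded in the convertSingleAction switch, so the two lists now have to be kept in step by hand. A name present in the map but missing from the switch would fall through to the `unknown action type` error, assuming callers pass map keys to that function, which this hunk does not show. A comment above the new entries such as `// Object Lock actions: keep in sync with the switch in convertSingleAction.` would make the coupling explicit. The three `Put*` entries change retention, legal-hold and lock settings, so it may be worth marking them as write permissions in the same comment.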