Diffstat (limited to 'test/s3/iam/test_config.json')
| -rw-r--r-- | test/s3/iam/test_config.json | 321 |
1 files changed, 321 insertions, 0 deletions
diff --git a/test/s3/iam/test_config.json b/test/s3/iam/test_config.json
new file mode 100644
index 000000000..d2f1fb09e
--- /dev/null
+++ b/test/s3/iam/test_config.json
@@ -0,0 +1,321 @@
+{
+ "identities": [
+ {
+ "name": "testuser",
+ "credentials": [
+ {
+ "accessKey": "test-access-key",
+ "secretKey": "test-secret-key"
+ }
+ ],
+ "actions": ["Admin"]
+ },
+ {
+ "name": "readonlyuser",
+ "credentials": [
+ {
+ "accessKey": "readonly-access-key",
+ "secretKey": "readonly-secret-key"
+ }
+ ],
+ "actions": ["Read"]
+ },
+ {
+ "name": "writeonlyuser",
+ "credentials": [
+ {
+ "accessKey": "writeonly-access-key",
+ "secretKey": "writeonly-secret-key"
+ }
+ ],
+ "actions": ["Write"]
+ }
+ ],
+ "iam": {
+ "enabled": true,
+ "sts": {
+ "tokenDuration": "15m",
+ "issuer": "seaweedfs-sts",
+ "signingKey": "test-sts-signing-key-for-integration-tests"
+ },
+ "policy": {
+ "defaultEffect": "Deny"
+ },
+ "providers": {
+ "oidc": {
+ "test-oidc": {
+ "issuer": "http://localhost:8080/.well-known/openid_configuration",
+ "clientId": "test-client-id",
+ "jwksUri": "http://localhost:8080/jwks",
+ "userInfoUri": "http://localhost:8080/userinfo",
+ "roleMapping": {
+ "rules": [
+ {
+ "claim": "groups",
+ "claimValue": "admins",
+ "roleName": "S3AdminRole"
+ },
+ {
+ "claim": "groups",
+ "claimValue": "users",
+ "roleName": "S3ReadOnlyRole"
+ },
+ {
+ "claim": "groups",
+ "claimValue": "writers",
+ "roleName": "S3WriteOnlyRole"
+ }
+ ]
+ },
+ "claimsMapping": {
+ "email": "email",
+ "displayName": "name",
+ "groups": "groups"
+ }
+ }
+ },
+ "ldap": {
+ "test-ldap": {
+ "server": "ldap://localhost:389",
+ "baseDN": "dc=example,dc=com",
+ "bindDN": "cn=admin,dc=example,dc=com",
+ "bindPassword": "admin-password",
+ "userFilter": "(uid=%s)",
+ "groupFilter": "(memberUid=%s)",
+ "attributes": {
+ "email": "mail",
+ "displayName": "cn",
+ "groups": "memberOf"
+ },
+ "roleMapping": {
+ "rules": [
+ {
+ "claim": "groups",
+ "claimValue": "cn=admins,ou=groups,dc=example,dc=com",
+ "roleName": "S3AdminRole"
+ },
+ {
+ "claim": "groups",
+ "claimValue": "cn=users,ou=groups,dc=example,dc=com",
+ "roleName": "S3ReadOnlyRole"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "policyStore": {}
+ },
+ "roles": {
+ "S3AdminRole": {
+ "trustPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": ["test-oidc", "test-ldap"]
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity"
+ }
+ ]
+ },
+ "attachedPolicies": ["S3AdminPolicy"],
+ "description": "Full administrative access to S3 resources"
+ },
+ "S3ReadOnlyRole": {
+ "trustPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": ["test-oidc", "test-ldap"]
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity"
+ }
+ ]
+ },
+ "attachedPolicies": ["S3ReadOnlyPolicy"],
+ "description": "Read-only access to S3 resources"
+ },
+ "S3WriteOnlyRole": {
+ "trustPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": ["test-oidc", "test-ldap"]
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity"
+ }
+ ]
+ },
+ "attachedPolicies": ["S3WriteOnlyPolicy"],
+ "description": "Write-only access to S3 resources"
+ }
+ },
+ "policies": {
+ "S3AdminPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["s3:*"],
+ "Resource": [
+ "arn:seaweed:s3:::*",
+ "arn:seaweed:s3:::*/*"
+ ]
+ }
+ ]
+ },
+ "S3ReadOnlyPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectVersion",
+ "s3:ListBucket",
+ "s3:ListBucketVersions",
+ "s3:GetBucketLocation",
+ "s3:GetBucketVersioning"
+ ],
+ "Resource": [
+ "arn:seaweed:s3:::*",
+ "arn:seaweed:s3:::*/*"
+ ]
+ }
+ ]
+ },
+ "S3WriteOnlyPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteObject",
+ "s3:DeleteObjectVersion",
+ "s3:InitiateMultipartUpload",
+ "s3:UploadPart",
+ "s3:CompleteMultipartUpload",
+ "s3:AbortMultipartUpload",
+ "s3:ListMultipartUploadParts"
+ ],
+ "Resource": [
+ "arn:seaweed:s3:::*/*"
+ ]
+ }
+ ]
+ },
+ "S3BucketManagementPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
+ "s3:GetBucketPolicy",
+ "s3:PutBucketPolicy",
+ "s3:DeleteBucketPolicy",
+ "s3:GetBucketVersioning",
+ "s3:PutBucketVersioning"
+ ],
+ "Resource": [
+ "arn:seaweed:s3:::*"
+ ]
+ }
+ ]
+ },
+ "S3IPRestrictedPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["s3:*"],
+ "Resource": [
+ "arn:seaweed:s3:::*",
+ "arn:seaweed:s3:::*/*"
+ ],
+ "Condition": {
+ "IpAddress": {
+ "aws:SourceIp": ["192.168.1.0/24", "10.0.0.0/8"]
+ }
+ }
+ }
+ ]
+ },
+ "S3TimeBasedPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["s3:GetObject", "s3:ListBucket"],
+ "Resource": [
+ "arn:seaweed:s3:::*",
+ "arn:seaweed:s3:::*/*"
+ ],
+ "Condition": {
+ "DateGreaterThan": {
+ "aws:CurrentTime": "2023-01-01T00:00:00Z"
+ },
+ "DateLessThan": {
+ "aws:CurrentTime": "2025-12-31T23:59:59Z"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "bucketPolicyExamples": {
+ "PublicReadPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "PublicReadGetObject",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": "s3:GetObject",
+ "Resource": "arn:seaweed:s3:::example-bucket/*"
+ }
+ ]
+ },
+ "DenyDeletePolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DenyDeleteOperations",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
+ "Resource": [
+ "arn:seaweed:s3:::example-bucket",
+ "arn:seaweed:s3:::example-bucket/*"
+ ]
+ }
+ ]
+ },
+ "IPRestrictedAccessPolicy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "IPRestrictedAccess",
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": ["s3:GetObject", "s3:PutObject"],
+ "Resource": "arn:seaweed:s3:::example-bucket/*",
+ "Condition": {
+ "IpAddress": {
+ "aws:SourceIp": ["203.0.113.0/24"]
+ }
+ }
+ }
+ ]
+ }
+ }
+}
|
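Review bot: The OIDC provider's `issuer` is set to the discovery-document URL, `http://localhost:8080/.well-known/openid_configuration`, but an OIDC issuer is the bare base URL and the discovery path is derived from it as `/.well-known/openid-configuration` (hyphen, not underscore); if the provider compares a token's `iss` claim against this string every token will be rejected, and if the tests pass anyway that suggests `iss` is not being validated, so change it to `"issuer": "http://localhost:8080"` and add a test that a token with a foreign `iss` is refused. The LDAP `userFilter` `(uid=%s)` and `groupFilter` `(memberUid=%s)` are only safe if the provider escapes the substituted value per RFC 4515 before building the search filter; this file cannot enforce that, so a test with a username such as `*)(uid=*` is worth adding. The STS `signingKey` and LDAP `bindPassword` are plainly test fixtures, but since every role trusts both providers and `S3AdminRole` grants `s3:*`, a short static HMAC key copied into a real deployment would let anyone mint admin tokens — the test harness or README should state that this file must never be used outside tests. Lastly, `S3TimeBasedPolicy` has a hard-coded `DateLessThan` of `2025-12-31T23:59:59Z`, so any test relying on it will start failing after that date.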
