Diffstat (limited to 'weed/s3api/policy_engine/integration.go')
| -rw-r--r-- | weed/s3api/policy_engine/integration.go | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/weed/s3api/policy_engine/integration.go b/weed/s3api/policy_engine/integration.go
index 2a6a5c8fa..9c4bee9e4 100644
--- a/weed/s3api/policy_engine/integration.go
+++ b/weed/s3api/policy_engine/integration.go
@@ -213,6 +213,50 @@ func convertSingleAction(action, bucketName string) (*PolicyStatement, error) {
 resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
 }

+ case "GetObjectRetention":
+ s3Actions = []string{"s3:GetObjectRetention"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "PutObjectRetention":
+ s3Actions = []string{"s3:PutObjectRetention"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "GetObjectLegalHold":
+ s3Actions = []string{"s3:GetObjectLegalHold"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "PutObjectLegalHold":
+ s3Actions = []string{"s3:PutObjectLegalHold"}
+ if strings.HasSuffix(resourcePattern, "/*") {
+ bucket := strings.TrimSuffix(resourcePattern, "/*")
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", bucket)}
+ } else {
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s/*", resourcePattern)}
+ }
+
+ case "GetBucketObjectLockConfiguration":
+ s3Actions = []string{"s3:GetBucketObjectLockConfiguration"}
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
+ case "PutBucketObjectLockConfiguration":
+ s3Actions = []string{"s3:PutBucketObjectLockConfiguration"}
+ resources = []string{fmt.Sprintf("arn:aws:s3:::%s", resourcePattern)}
+
 default:
 return nil, fmt.Errorf("unknown action type: %s", actionType)
 }
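Review bot: The two bucket-level cases at the end of this hunk (`GetBucketObjectLockConfiguration`, `PutBucketObjectLockConfiguration`) format `resourcePattern` straight into the ARN, while the four object-level cases above them allow for a trailing `/*` on it. If a pattern with that suffix can reach these cases (that is decided outside the hunk), the statement would name `arn:aws:s3:::<bucket>/*`, an object ARN that does not match the bucket the lock configuration belongs to; `resources = []string{fmt.Sprintf("arn:aws:s3:::%s", strings.TrimSuffix(resourcePattern, "/*"))}` avoids that. In the object-level cases both branches of the `if` produce the same string, so formatting `strings.TrimSuffix(resourcePattern, "/*")` once would do, and a shared helper would keep the retention and legal-hold resource scopes from drifting apart. convertSingleAction starts and ends outside the hunk.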
@@ -280,6 +324,24 @@ func GetActionMappings() map[string][]string {
 "BypassGovernanceRetention": {
 "s3:BypassGovernanceRetention",
 },
+ "GetObjectRetention": {
+ "s3:GetObjectRetention",
+ },
+ "PutObjectRetention": {
+ "s3:PutObjectRetention",
+ },
+ "GetObjectLegalHold": {
+ "s3:GetObjectLegalHold",
+ },
+ "PutObjectLegalHold": {
+ "s3:PutObjectLegalHold",
+ },
+ "GetBucketObjectLockConfiguration": {
+ "s3:GetBucketObjectLockConfiguration",
+ },
+ "PutBucketObjectLockConfiguration": {
+ "s3:PutBucketObjectLockConfiguration",
+ },
 }
 }
|
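Review bot: These six entries restate the name-to-`s3:` action mapping that the new `case` arms in convertSingleAction already carry, so the two tables have to be kept in step by hand. Three of them (`PutObjectRetention`, `PutObjectLegalHold`, `PutBucketObjectLockConfiguration`) govern write-once protection, so a mismatch between the tables is worth catching early. A comment above the map such as `// Keep in sync with the switch in convertSingleAction.` would document the coupling, and a test that passes every key of GetActionMappings through convertSingleAction would detect an entry that falls into the `default` error. GetActionMappings begins outside the hunk, so whether such a comment already exists cannot be seen here.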
