1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
|
# Governance Permission Implementation
This document explains the implementation of `s3:BypassGovernanceRetention` permission in SeaweedFS, providing AWS S3-compatible governance retention bypass functionality.
## Overview
The governance permission system enables proper AWS S3-compatible object retention with governance mode bypass capabilities. This implementation ensures that only users with the appropriate permissions can bypass governance retention, while maintaining security and compliance requirements.
## Features
### 1. Permission-Based Bypass Control
- **s3:BypassGovernanceRetention**: New permission that allows users to bypass governance retention
- **Admin Override**: Admin users can always bypass governance retention
- **Header Detection**: Automatic detection of `x-amz-bypass-governance-retention` header
- **Permission Validation**: Validates user permissions before allowing bypass
### 2. Retention Mode Support
- **GOVERNANCE Mode**: Can be bypassed with proper permission and header
- **COMPLIANCE Mode**: Cannot be bypassed (highest security level)
- **Legal Hold**: Always blocks operations regardless of permissions
### 3. Integration Points
- **DELETE Operations**: Checks governance permissions before object deletion
- **PUT Operations**: Validates permissions before object overwrite
- **Retention Modification**: Ensures proper permissions for retention changes
## Implementation Details
### Core Components
1. **Permission Checker**
```go
func (s3a *S3ApiServer) checkGovernanceBypassPermission(r *http.Request, bucket, object string) bool
```
- Checks if user has `s3:BypassGovernanceRetention` permission
- Validates admin status
- Integrates with existing IAM system
2. **Object Lock Permission Validation**
```go
func (s3a *S3ApiServer) checkObjectLockPermissions(r *http.Request, bucket, object, versionId string, bypassGovernance bool) error
```
- Validates governance bypass permissions
- Checks retention mode (GOVERNANCE vs COMPLIANCE)
- Enforces legal hold restrictions
3. **IAM Integration**
- Added `ACTION_BYPASS_GOVERNANCE_RETENTION` constant
- Updated policy engine with `s3:BypassGovernanceRetention` action
- Integrated with existing identity-based access control
### Permission Flow
```
Request with x-amz-bypass-governance-retention: true
↓
Check if object is under retention
↓
If GOVERNANCE mode:
↓
Check if user has s3:BypassGovernanceRetention permission
↓
If permission granted: Allow operation
If permission denied: Deny operation
↓
If COMPLIANCE mode: Always deny
```
## Configuration
### 1. Identity-Based Configuration
Add governance bypass permission to user actions in `identities.json`:
```json
{
"identities": [
{
"name": "governance-admin",
"credentials": [{"accessKey": "admin123", "secretKey": "secret123"}],
"actions": [
"Read:my-bucket/*",
"Write:my-bucket/*",
"BypassGovernanceRetention:my-bucket/*"
]
}
]
}
```
### 2. Bucket Policy Configuration
Grant governance bypass permission via bucket policies:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:BypassGovernanceRetention",
"Resource": "arn:aws:s3:::bucket/*"
}
]
}
```
**Note**: The policy version should use the standard AWS policy version `PolicyVersion2012_10_17` constant (which equals `"2012-10-17"`).
## Usage Examples
### 1. Delete Object with Governance Bypass
```bash
# User with bypass permission
aws s3api delete-object \
--bucket my-bucket \
--key my-object \
--bypass-governance-retention
# Admin user (always allowed)
aws s3api delete-object \
--bucket my-bucket \
--key my-object \
--bypass-governance-retention
```
### 2. Update Object Retention
```bash
# Extend retention period (requires bypass permission for governance mode)
aws s3api put-object-retention \
--bucket my-bucket \
--key my-object \
--retention Mode=GOVERNANCE,RetainUntilDate=2025-01-01T00:00:00Z \
--bypass-governance-retention
```
### 3. Bulk Object Deletion
```bash
# Delete multiple objects with governance bypass
aws s3api delete-objects \
--bucket my-bucket \
--delete file://delete-objects.json \
--bypass-governance-retention
```
## Error Handling
### Permission Errors
- **ErrAccessDenied**: User lacks `s3:BypassGovernanceRetention` permission
- **ErrGovernanceModeActive**: Governance mode protection without bypass
- **ErrComplianceModeActive**: Compliance mode cannot be bypassed
### Example Error Response
```xml
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AccessDenied</Code>
<Message>User does not have permission to bypass governance retention</Message>
<RequestId>abc123</RequestId>
<Resource>/my-bucket/my-object</Resource>
</Error>
```
## Security Considerations
### 1. Least Privilege Principle
- Grant bypass permission only to users who absolutely need it
- Use bucket-specific permissions rather than global permissions
- Regularly audit users with bypass permissions
### 2. Compliance Mode Protection
- COMPLIANCE mode objects cannot be bypassed by any user
- Use COMPLIANCE mode for regulatory requirements
- GOVERNANCE mode provides flexibility while maintaining audit trails
### 3. Admin Privileges
- Admin users can always bypass governance retention
- Ensure admin access is properly secured
- Use admin privileges responsibly
## Testing
### Unit Tests
```bash
# Run governance permission tests
go test -v ./weed/s3api/ -run TestGovernance
# Run all object retention tests
go test -v ./weed/s3api/ -run TestObjectRetention
```
### Integration Tests
```bash
# Test with real S3 clients
cd test/s3/retention
go test -v ./... -run TestGovernanceBypass
```
## AWS Compatibility
This implementation provides full AWS S3 compatibility for:
- ✅ `x-amz-bypass-governance-retention` header support
- ✅ `s3:BypassGovernanceRetention` permission
- ✅ GOVERNANCE vs COMPLIANCE mode behavior
- ✅ Legal hold enforcement
- ✅ Error responses and codes
- ✅ Bucket policy integration
- ✅ IAM policy integration
## Troubleshooting
### Common Issues
1. **User cannot bypass governance retention**
- Check if user has `s3:BypassGovernanceRetention` permission
- Verify the header `x-amz-bypass-governance-retention: true` is set
- Ensure object is in GOVERNANCE mode (not COMPLIANCE)
2. **Admin bypass not working**
- Verify user has admin privileges in the IAM system
- Check that object is not under legal hold
- Ensure versioning is enabled on the bucket
3. **Policy not taking effect**
- Verify bucket policy JSON syntax
- Check resource ARN format
- Ensure principal has proper format
## Future Enhancements
- [ ] AWS STS integration for temporary credentials
- [ ] CloudTrail-compatible audit logging
- [ ] Advanced condition evaluation (IP, time, etc.)
- [ ] Integration with external identity providers
- [ ] Fine-grained permissions for different retention operations
|
