1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
# Integration Example
This shows how to integrate the new policy engine with the existing S3ApiServer.
## Minimal Integration
```go
// In s3api_server.go - modify NewS3ApiServerWithStore function
func NewS3ApiServerWithStore(router *mux.Router, option *S3ApiServerOption, explicitStore string) (s3ApiServer *S3ApiServer, err error) {
// ... existing code ...
// Create traditional IAM
iam := NewIdentityAccessManagementWithStore(option, explicitStore)
s3ApiServer = &S3ApiServer{
option: option,
iam: iam, // Keep existing for compatibility
randomClientId: util.RandomInt32(),
filerGuard: security.NewGuard([]string{}, signingKey, expiresAfterSec, readSigningKey, readExpiresAfterSec),
cb: NewCircuitBreaker(option),
credentialManager: iam.credentialManager,
bucketConfigCache: NewBucketConfigCache(5 * time.Minute),
}
// Optional: Wrap with policy-backed IAM for enhanced features
if option.EnablePolicyEngine { // Add this config option
// Option 1: Create and set legacy IAM separately
policyBackedIAM := NewPolicyBackedIAM()
policyBackedIAM.SetLegacyIAM(iam)
// Option 2: Create with legacy IAM in one call (convenience method)
// policyBackedIAM := NewPolicyBackedIAMWithLegacy(iam)
// Load existing identities as policies
if err := policyBackedIAM.LoadIdentityPolicies(); err != nil {
glog.Warningf("Failed to load identity policies: %v", err)
}
// Replace IAM with policy-backed version
s3ApiServer.iam = policyBackedIAM
}
// ... rest of existing code ...
}
```
## Router Integration
```go
// In registerRouter function, replace bucket policy handlers:
// Old handlers (if they exist):
// bucket.Methods(http.MethodGet).HandlerFunc(s3a.GetBucketPolicyHandler).Queries("policy", "")
// bucket.Methods(http.MethodPut).HandlerFunc(s3a.PutBucketPolicyHandler).Queries("policy", "")
// bucket.Methods(http.MethodDelete).HandlerFunc(s3a.DeleteBucketPolicyHandler).Queries("policy", "")
// New handlers with policy engine:
if policyBackedIAM, ok := s3a.iam.(*PolicyBackedIAM); ok {
// Use policy-backed handlers
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(policyBackedIAM.GetBucketPolicyHandler, ACTION_READ)), "GET")).Queries("policy", "")
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(policyBackedIAM.PutBucketPolicyHandler, ACTION_WRITE)), "PUT")).Queries("policy", "")
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(policyBackedIAM.DeleteBucketPolicyHandler, ACTION_WRITE)), "DELETE")).Queries("policy", "")
} else {
// Use existing/fallback handlers
bucket.Methods(http.MethodGet).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.GetBucketPolicyHandler, ACTION_READ)), "GET")).Queries("policy", "")
bucket.Methods(http.MethodPut).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.PutBucketPolicyHandler, ACTION_WRITE)), "PUT")).Queries("policy", "")
bucket.Methods(http.MethodDelete).HandlerFunc(track(s3a.iam.Auth(s3a.cb.Limit(s3a.DeleteBucketPolicyHandler, ACTION_WRITE)), "DELETE")).Queries("policy", "")
}
```
## Configuration Option
Add to `S3ApiServerOption`:
```go
type S3ApiServerOption struct {
// ... existing fields ...
EnablePolicyEngine bool // Add this field
}
```
## Example Usage
### 1. Existing Users (No Changes)
Your existing `identities.json` continues to work:
```json
{
"identities": [
{
"name": "user1",
"credentials": [{"accessKey": "key1", "secretKey": "secret1"}],
"actions": ["Read:bucket1/*", "Write:bucket1/uploads/*"]
}
]
}
```
### 2. New Users (Enhanced Policies)
Set bucket policies via S3 API:
```bash
# Allow public read
aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
# Where policy.json contains:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
```
### 3. Advanced Conditions
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::secure-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.0/24"
},
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}
```
## Migration Strategy
### Phase 1: Enable Policy Engine (Opt-in)
- Set `EnablePolicyEngine: true` in server options
- Existing `identities.json` automatically converted to policies
- Add bucket policies as needed
### Phase 2: Full Policy Management
- Use AWS CLI/SDK for policy management
- Gradually migrate from `identities.json` to pure IAM policies
- Take advantage of advanced conditions and features
## Testing
```bash
# Test existing functionality
go test -v -run TestCanDo
# Test new policy engine
go test -v -run TestPolicyEngine
# Test integration
go test -v -run TestPolicyBackedIAM
```
The integration is designed to be:
- **Backward compatible** - Existing setups work unchanged
- **Opt-in** - Enable policy engine only when needed
- **Gradual** - Migrate at your own pace
- **AWS compatible** - Use standard AWS tools and patterns
|
