com.amazonaws.auth.policy.actions.S3Actions Java Examples

The following examples show how to use com.amazonaws.auth.policy.actions.S3Actions.
Example #1
Source File: AwsIamServiceTest.java    From cloudbreak with Apache License 2.0
/**
 * Checks {@code getStatementActions} against a {@link TreeSet} of the expected action names for a
 * statement with no actions, with one action, and with two actions.
 */
@Test
public void testGetStatementActions() {
    // No actions on the statement: the result must equal an empty set.
    Statement withoutActions = new Statement(Effect.Allow);
    assertThat(awsIamService.getStatementActions(withoutActions)).isEqualTo(new TreeSet<>());

    // One action: only the GetObject action name is expected.
    Statement getOnly = new Statement(Effect.Allow).withActions(S3Actions.GetObject);
    SortedSet<String> getOnlyNames = new TreeSet<>();
    getOnlyNames.add(S3Actions.GetObject.getActionName());
    assertThat(awsIamService.getStatementActions(getOnly)).isEqualTo(getOnlyNames);

    // Two actions: both names are expected, compared as a sorted set.
    Statement getAndPut = new Statement(Effect.Allow).withActions(S3Actions.GetObject, S3Actions.PutObject);
    SortedSet<String> getAndPutNames = new TreeSet<>();
    getAndPutNames.add(S3Actions.GetObject.getActionName());
    getAndPutNames.add(S3Actions.PutObject.getActionName());
    assertThat(awsIamService.getStatementActions(getAndPut)).isEqualTo(getAndPutNames);
}
 
Example #2
Source File: SetBucketPolicy.java    From aws-doc-sdk-examples with Apache License 2.0
/**
 * Builds a bucket policy that allows {@code GetObject} on every object of the bucket to
 * {@code Principal.AllUsers}, and returns it serialized as JSON.
 *
 * <p>NOTE(review): {@code Principal.AllUsers} means the grant is not tied to any AWS identity, so a
 * bucket carrying this policy serves its objects to unauthenticated requests. Attach it only to
 * buckets whose whole content is meant to be public, and prefer a narrower key prefix than
 * {@code /*} when only part of the bucket should be readable.
 *
 * @param bucket_name bucket the policy is written for; it is concatenated into the resource ARN
 *                    as-is, so the caller is responsible for passing a valid bucket name
 * @return the policy document as a JSON string
 */
public static String getPublicReadPolicy(String bucket_name) {
    // Every object key in the bucket.
    Resource allObjects = new Resource("arn:aws:s3:::" + bucket_name + "/*");

    // Read-only: GetObject is the single action granted to the anonymous principal.
    Statement anonymousRead = new Statement(Statement.Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(S3Actions.GetObject)
            .withResources(allObjects);

    Policy policy = new Policy().withStatements(anonymousRead);
    return policy.toJson();
}
 
Example #3
Source File: AwsPolicyBuilder.java    From herd with Apache License 2.0
/**
 * Adds a permission to allow the specified actions to the given bucket and s3 object key. The permission will allow the given actions only to the specified
 * object key. If object key is null, the permission is applied to the bucket itself.
 *
 * @param bucketName S3 bucket name
 * @param objectKey S3 object key
 * @param actions List of actions to allow
 *
 * @return This builder
 */
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withS3(String bucketName, String objectKey, S3Actions... actions)
{
    // A null object key scopes the statement to the bucket ARN itself; otherwise to "<bucket>/<key>".
    // NOTE(review): both values are embedded verbatim in the ARN, so an IAM wildcard ("*" or "?")
    // inside bucketName or objectKey widens the resource. Callers that pass externally supplied
    // keys should validate them before building a policy.
    String bucketArn = "arn:aws:s3:::" + bucketName;
    String targetArn = (objectKey == null) ? bucketArn : bucketArn + "/" + objectKey;

    // One Allow statement per call: the given actions on exactly one resource.
    Statement allow = new Statement(Effect.Allow);
    allow.setActions(Arrays.asList(actions));
    allow.setResources(Arrays.asList(new Resource(targetArn)));

    policy.getStatements().add(allow);
    return this;
}
 
Example #4
Source File: AWSSessionCredentialsFactory.java    From digdag with Apache License 2.0
/**
 * Obtains temporary AWS credentials from STS, restricted by an inline session policy that is built
 * from {@code acceptableUris}.
 *
 * <p>Each acceptable URI adds {@code Allow} statements chosen by its prefix (S3, DynamoDB or EMR) and
 * its mode. The policy JSON is passed to {@code AssumeRole} when {@code roleArn} is non-empty and to
 * {@code GetFederationToken} otherwise. A session policy can only narrow what the role or the base
 * user is already allowed to do; it never grants additional permissions.
 *
 * @return the access key id, secret access key and session token returned by STS
 * @throws IllegalArgumentException if a URI starts with none of the three known prefixes
 */
public BasicSessionCredentials get()
{
    // Long-lived base credentials; they are used only to call STS below.
    AWSCredentials baseCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);

    List<Statement> statements = new ArrayList<>();
    acceptableUris.forEach(acceptableUri -> {
                Mode mode = acceptableUri.mode;
                String uri = acceptableUri.uri;
                // NOTE(review): the URI text is copied into resource ARNs without validation, so any
                // "*" or "?" it contains acts as an IAM wildcard. This presumably relies on
                // acceptableUris being trusted configuration; confirm against the caller.
                if (uri.startsWith(URI_S3_PREFIX)) {
                    String s3BucketAndKeyStr = uri.substring(URI_S3_PREFIX.length());
                    // Limit 2: element 0 is the bucket, element 1 (if present) is the whole key.
                    String[] s3BucketAndKey = s3BucketAndKeyStr.split("/", 2);
                    // Listing is granted on the bucket ARN in every mode, with no prefix condition.
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(S3Actions.ListObjects)
                            .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKey[0])));
                    // NOTE(review): the object resource is "<bucket-and-key>*", a plain string-prefix
                    // match. "bucket/data" therefore also covers "bucket/data-other/...", and a URI
                    // that names only a bucket yields "arn:aws:s3:::bucket*", which also matches
                    // objects in other buckets whose names start with the same text. End the URI
                    // with "/" where a directory-style scope is intended.
                    switch (mode) {
                        case READ:
                            statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(S3Actions.GetObject)
                                    .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*")));
                            break;
                        case WRITE:
                            statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(S3Actions.PutObject)
                                    .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*")));
                            break;
                    }
                }
                else if (uri.startsWith(URI_DYNAMODB_PREFIX)) {
                    String table = uri.substring(URI_DYNAMODB_PREFIX.length());
                    // The table ARN uses "*" for region and account, so the statement matches a table
                    // of this name in any region and account the caller can otherwise reach.
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(DynamoDBv2Actions.DescribeTable)
                            .withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table))));
                    switch (mode) {
                        case READ:
                            statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(DynamoDBv2Actions.Scan)
                                    .withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table))));
                            break;
                        case WRITE:
                            // WRITE adds nothing beyond DescribeTable for DynamoDB.
                            break;
                    }
                }
                else if (uri.startsWith(URI_EMR_PREFIX)) {
                    String cluster = uri.substring(URI_EMR_PREFIX.length());
                    // TODO: Grant minimum actions
                    // Until then every EMR action is allowed on the cluster, regardless of mode.
                    statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(ElasticMapReduceActions.AllElasticMapReduceActions)
                                    .withResources(new Resource(String.format("arn:aws:elasticmapreduce:*:*:cluster/%s", cluster))));
                }
                else {
                    // Unknown schemes are rejected rather than silently granting nothing.
                    throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
                }
            }
    );
    Policy policy = new Policy();
    policy.setStatements(statements);

    Credentials credentials;

    // NOTE(review): the STS client is created per call and is not shut down in this method.
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(baseCredentials);

    if (roleArn != null && !roleArn.isEmpty()) {
        // use STS to assume role
        AssumeRoleResult assumeResult = stsClient.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withDurationSeconds(durationSeconds)
                .withRoleSessionName(sessionName)
                .withPolicy(policy.toJson()));

        credentials = assumeResult.getCredentials();
    }
    else {
        // No role configured: fall back to a federation token for the base user, scoped by the same policy.
        // Maybe we'd better add an option command later like `without_federated_token`
        GetFederationTokenRequest federationTokenRequest = new GetFederationTokenRequest()
                .withDurationSeconds(durationSeconds)
                .withName(sessionName)
                .withPolicy(policy.toJson());

        GetFederationTokenResult federationTokenResult =
                stsClient.getFederationToken(federationTokenRequest);

        credentials = federationTokenResult.getCredentials();
    }

    // The returned object carries the secret key and session token; treat it as sensitive.
    return new BasicSessionCredentials(
            credentials.getAccessKeyId(),
            credentials.getSecretAccessKey(),
            credentials.getSessionToken());
}
 
Example #5
Source File: AwsInstanceProfileEC2TrustValidatorTest.java    From cloudbreak with Apache License 2.0
/**
 * Checks that {@code checkAssumeRoleInActions} is false for action lists that do not contain
 * {@code SecurityTokenServiceActions.AssumeRole}.
 *
 * <p>The {@code AssumeRoleWithSAML} cases matter because that action's name presumably starts with
 * the same text as {@code AssumeRole}; a prefix or substring comparison in the validator would
 * wrongly accept it.
 */
@Test
public void assumeRoleNotInActions() {
    // An unrelated S3 action on its own.
    assertThat(awsInstanceProfileEC2TrustValidator.checkAssumeRoleInActions(
            Arrays.asList(S3Actions.CreateBucket)))
            .isFalse();

    // A different STS action on its own.
    assertThat(awsInstanceProfileEC2TrustValidator.checkAssumeRoleInActions(
            Arrays.asList(SecurityTokenServiceActions.AssumeRoleWithSAML)))
            .isFalse();

    // Both of the above together.
    assertThat(awsInstanceProfileEC2TrustValidator.checkAssumeRoleInActions(
            Arrays.asList(S3Actions.CreateBucket, SecurityTokenServiceActions.AssumeRoleWithSAML)))
            .isFalse();
}
 
Example #6
Source File: AwsInstanceProfileEC2TrustValidatorTest.java    From cloudbreak with Apache License 2.0
/**
 * Checks that {@code checkAssumeRoleInActions} is true when
 * {@code SecurityTokenServiceActions.AssumeRole} is in the list, alone or next to another action.
 */
@Test
public void assumeRoleInActions() {
    // AssumeRole as the only action.
    assertThat(awsInstanceProfileEC2TrustValidator.checkAssumeRoleInActions(
            Arrays.asList(SecurityTokenServiceActions.AssumeRole)))
            .isTrue();

    // AssumeRole listed after an unrelated S3 action.
    assertThat(awsInstanceProfileEC2TrustValidator.checkAssumeRoleInActions(
            Arrays.asList(S3Actions.CreateBucket, SecurityTokenServiceActions.AssumeRole)))
            .isTrue();
}
 
Example #7
Source File: AwsIamServiceTest.java    From cloudbreak with Apache License 2.0
/**
 * Checks {@code getPolicy}: a name that matches no policy file gives {@code null}; the ranger audit
 * policy keeps its {@code ${...}} placeholders when no replacements are passed and has them
 * substituted when a replacement map is passed.
 */
@Test
public void testGetPolicy() {
    // Unknown policy file name.
    assertThat(awsIamService.getPolicy("abc", Collections.emptyMap())).isNull();

    // No replacements: the placeholders stay in the resource ARNs as literal text.
    Policy untouched = expectedRangerAuditPolicy(
            "arn:aws:s3:::${STORAGE_LOCATION_BASE}/ranger/audit/*",
            "arn:aws:s3:::${DATALAKE_BUCKET}");
    assertThat(awsIamService.getPolicy("aws-cdp-ranger-audit-s3-policy.json",
            Collections.emptyMap()).toJson()).isEqualTo(untouched.toJson());

    // With replacements: both placeholders are substituted.
    Map<String, String> replacements = new HashMap<>();
    replacements.put("${STORAGE_LOCATION_BASE}", "mybucket/mycluster");
    replacements.put("${DATALAKE_BUCKET}", "mybucket");
    Policy substituted = expectedRangerAuditPolicy(
            "arn:aws:s3:::mybucket/mycluster/ranger/audit/*",
            "arn:aws:s3:::mybucket");
    assertThat(awsIamService.getPolicy("aws-cdp-ranger-audit-s3-policy.json",
            replacements).toJson()).isEqualTo(substituted.toJson());
}

/**
 * Builds the two-statement policy the ranger audit policy file is expected to produce.
 *
 * @param auditDirResource ARN used by the statement allowing GetObject and PutObject
 * @param dataLakeBucketResource ARN used by the statement allowing the list and multipart actions
 * @return the expected policy
 */
private static Policy expectedRangerAuditPolicy(String auditDirResource, String dataLakeBucketResource) {
    Statement auditDirAccess = new Statement(Effect.Allow).withId("FullObjectAccessUnderAuditDir")
            .withActions(S3Actions.GetObject, S3Actions.PutObject)
            .withResources(new Resource(auditDirResource));
    Statement dataLakeBucketAccess = new Statement(Effect.Allow).withId("LimitedAccessToDataLakeBucket")
            .withActions(S3Actions.AbortMultipartUpload, S3Actions.ListObjects,
                    S3Actions.ListBucketMultipartUploads)
            .withResources(new Resource(dataLakeBucketResource));
    return new Policy().withStatements(auditDirAccess, dataLakeBucketAccess);
}
 
Example #8
Source File: UploadDownloadServiceImpl.java    From herd with Apache License 2.0
/**
 * Builds a policy that allows only PutObject on the given bucket and object key. No KMS statement is
 * added.
 *
 * @param s3BucketName the S3 bucket name to restrict uploads to
 * @param s3Key the S3 object key to restrict uploads to
 *
 * @return the policy
 */
@SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed.
private Policy createUploaderPolicyNoKmsKey(String s3BucketName, String s3Key)
{
    // Single statement: PutObject on one bucket/key pair.
    AwsPolicyBuilder uploadOnlyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.PutObject);
    return uploadOnlyBuilder.build();
}
 
Example #9
Source File: UploadDownloadServiceImpl.java    From herd with Apache License 2.0
/**
 * Initiates the download of a single storage file: looks up the file, builds a policy limited to
 * GetObject on that one S3 key (plus KMS Decrypt when the storage has a KMS key id), obtains temporary
 * credentials for that policy, and returns them together with a pre-signed GET URL.
 *
 * <p>The {@code @NamespacePermission} annotation declares that READ permission on the request's
 * namespace is required; how that is enforced is outside this method.
 *
 * <p>NOTE(review): the response carries a secret access key and a session token. Keep the response
 * object out of logs and error messages.
 *
 * @param downloadBusinessObjectDataStorageFileSingleInitiationRequest the download request
 *
 * @return the response holding the storage file key, bucket name, temporary credentials, their
 * expiration time and the pre-signed URL
 */
@NamespacePermission(fields = "#downloadBusinessObjectDataStorageFileSingleInitiationRequest.businessObjectDataStorageFileKey.namespace",
    permissions = NamespacePermissionEnum.READ)
@Override
public DownloadBusinessObjectDataStorageFileSingleInitiationResponse initiateDownloadSingleBusinessObjectDataStorageFile(
    DownloadBusinessObjectDataStorageFileSingleInitiationRequest downloadBusinessObjectDataStorageFileSingleInitiationRequest)
{
    // Validate and trim the request.
    uploadDownloadHelper
        .validateAndTrimDownloadBusinessObjectDataStorageFileSingleInitiationRequest(downloadBusinessObjectDataStorageFileSingleInitiationRequest);

    // Get the business object data storage file key.
    BusinessObjectDataStorageFileKey businessObjectDataStorageFileKey =
        downloadBusinessObjectDataStorageFileSingleInitiationRequest.getBusinessObjectDataStorageFileKey();

    // Retrieve and validate that the business object data exists.
    BusinessObjectDataKey businessObjectDataKey = getBusinessObjectDataKeyFromBusinessObjectDataStorageFileKey(businessObjectDataStorageFileKey);
    BusinessObjectDataEntity businessObjectDataEntity = businessObjectDataDaoHelper.getBusinessObjectDataEntity(businessObjectDataKey);

    // Retrieve and validate that the storage unit exists
    StorageUnitEntity storageUnitEntity =
        storageUnitDaoHelper.getStorageUnitEntity(businessObjectDataStorageFileKey.getStorageName(), businessObjectDataEntity);

    // Get the storage file entity and ensure it exists.
    // This lookup is what ties the requested file path to a registered storage file before any
    // credentials are issued for it.
    StorageFileEntity storageFileEntity =
        storageFileDaoHelper.getStorageFileEntity(storageUnitEntity, businessObjectDataStorageFileKey.getFilePath(), businessObjectDataKey);

    // Get S3 bucket access parameters.
    StorageEntity storageEntity = storageFileEntity.getStorageUnit().getStorage();

    // Retrieve the storage related information.
    String s3BucketName = storageHelper.getStorageBucketName(storageEntity);
    // NOTE(review): the key used for the policy and the pre-signed URL is the file path from the
    // request, not storageFileEntity.getPath(); presumably the two are equal after the lookup above.
    // Confirm, and confirm that a path containing "*" or "?" cannot pass the lookup, since the policy
    // builder is assumed to place the key in the resource ARN unescaped.
    String s3ObjectKey = businessObjectDataStorageFileKey.getFilePath();

    // Create an AWS policy builder.
    // Least privilege: GetObject on this one bucket/key pair only.
    AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3ObjectKey, S3Actions.GetObject);

    // Get the storage kms key id.
    String storageKmsKeyId = storageHelper
        .getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_KMS_KEY_ID), storageEntity, false, true);

    /*
     * Only add KMS policies if the storage specifies a KMS ID
     */
    if (storageKmsKeyId != null)
    {
        awsPolicyBuilder.withKms(storageKmsKeyId.trim(), KmsActions.DECRYPT);
    }

    // Create a sessionId.
    // A random UUID is used here as a unique session identifier, not as a secret.
    String sessionId = UUID.randomUUID().toString();

    // Get the temporary credentials.
    Credentials downloaderCredentials = getDownloaderCredentials(storageEntity, sessionId, awsPolicyBuilder);

    // Generate a pre-signed URL.
    // The URL is given the same expiration as the temporary credentials.
    Date expiration = downloaderCredentials.getExpiration();
    S3FileTransferRequestParamsDto s3BucketAccessParams = storageHelper.getS3BucketAccessParams(storageEntity);
    String preSignedUrl = s3Dao.generateGetObjectPresignedUrl(s3BucketName, s3ObjectKey, expiration, s3BucketAccessParams);

    // Convert the business object format entity to the business object format model object
    BusinessObjectFormat businessObjectFormat =
        businessObjectFormatHelper.createBusinessObjectFormatFromEntity(businessObjectDataEntity.getBusinessObjectFormat());

    // Create a business object data storage file key for the download business object data storage file single initiation response.
    // Every field is read back from the looked-up entities rather than echoed from the request.
    BusinessObjectDataStorageFileKey businessObjectDataStorageFileKeyForResponse =
        new BusinessObjectDataStorageFileKey(businessObjectFormat.getNamespace(), businessObjectFormat.getBusinessObjectDefinitionName(),
            businessObjectFormat.getBusinessObjectFormatUsage(), businessObjectFormat.getBusinessObjectFormatFileType(),
            businessObjectFormat.getBusinessObjectFormatVersion(), businessObjectDataEntity.getPartitionValue(),
            businessObjectDataHelper.getSubPartitionValues(businessObjectDataEntity), businessObjectDataEntity.getVersion(),
            storageUnitEntity.getStorageName(), storageFileEntity.getPath());

    // Create the download business object data storage file single initiation response.
    DownloadBusinessObjectDataStorageFileSingleInitiationResponse downloadBusinessObjectDataStorageFileSingleInitiationResponse =
        new DownloadBusinessObjectDataStorageFileSingleInitiationResponse();
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setBusinessObjectDataStorageFileKey(businessObjectDataStorageFileKeyForResponse);
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsS3BucketName(s3BucketName);
    // Sensitive values: secret access key and session token of the temporary credentials.
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsAccessKey(downloaderCredentials.getAccessKeyId());
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsSecretKey(downloaderCredentials.getSecretAccessKey());
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsSessionToken(downloaderCredentials.getSessionToken());
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(expiration));
    downloadBusinessObjectDataStorageFileSingleInitiationResponse.setPreSignedUrl(preSignedUrl);

    // Return the download business object data storage file single initiation response.
    return downloadBusinessObjectDataStorageFileSingleInitiationResponse;
}
 
Example #10
Source File: StorageUnitServiceImpl.java    From herd with Apache License 2.0
/**
 * Creates and returns a set of AWS credentials which can be used to access the S3 object indicated by the given business object data and storage.
 *
 * @param businessObjectDataKey Business object data key
 * @param createNewVersion true to create credentials for the next version up from the latest business object data, otherwise, uses specified data version
 * in data key.
 * @param storageName Name of storage to access
 * @param isUpload true if this credential is to upload, false to download
 *
 * @return Credentials which has the permissions to perform the specified actions at the specified storage.
 */
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey, Boolean createNewVersion, String storageName,
    boolean isUpload)
{
    // Preconditions: a storage name is required, and exactly one way of selecting the data version
    // (an explicit version, or createNewVersion) may be used.
    Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null,
        "One of businessObjectDataVersion or createNewVersion must be specified.");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion),
        "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");

    /*
     * Choose configurations based on whether this is an upload or download operation.
     */
    ConfigurationValue roleArnConfigurationValue;
    ConfigurationValue defaultSessionDurationConfigurationValue;
    ConfigurationValue sessionDurationConfigurationValue;
    S3Actions[] s3Actions;
    KmsActions[] kmsActions;
    Integer durationSeconds;
    StorageEntity storageEntity = storageDaoHelper.getStorageEntity(storageName.trim());

    if (isUpload)
    {
        // Upload: PutObject, plus KMS GenerateDataKey and Decrypt. The session duration is read from
        // a storage attribute, with the configured upload default passed as the fallback value.
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS;
        s3Actions = new S3Actions[] {S3Actions.PutObject};
        kmsActions = new KmsActions[] {KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT};
        durationSeconds = storageHelper
            .getStorageAttributeIntegerValueByName(configurationHelper.getProperty(sessionDurationConfigurationValue), storageEntity,
                configurationHelper.getProperty(defaultSessionDurationConfigurationValue, Integer.class));
    }
    else
    {
        // Download: GetObject, plus KMS Decrypt. Only the configured download default is used for the
        // session duration; sessionDurationConfigurationValue is not assigned on this path, so no
        // per-storage override applies to downloads.
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
        durationSeconds = configurationHelper.getProperty(defaultSessionDurationConfigurationValue, Integer.class);
        s3Actions = new S3Actions[] {S3Actions.GetObject};
        kmsActions = new KmsActions[] {KmsActions.DECRYPT};
    }

    // Role ARN and bucket name both come from attributes of the storage entity.
    String roleArn = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(roleArnConfigurationValue), storageEntity, true);
    String bucketName = storageHelper
        .getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storageEntity, true);

    S3KeyPrefixInformation s3KeyPrefixInformation = getS3KeyPrefixImpl(businessObjectDataKey, null, storageName, createNewVersion);
    /*
     * Policy is different based on whether this is meant for downloading or uploading.
     * However, both uploader and downloader requires a ListBucket at the bucket level.
     */
    // NOTE(review): the object actions are limited to the key prefix, but ListObjects is granted on the
    // bucket with a null object key and no prefix condition is visible here, so the issued credentials
    // can presumably list every key in the bucket. Confirm that this is intended.
    AwsPolicyBuilder awsPolicyBuilder =
        new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects);

    /*
     * Only add KMS policies if the storage specifies a KMS ID
     */
    String kmsKeyId = getStorageKmsKeyId(storageEntity);
    if (kmsKeyId != null)
    {
        awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions);
    }

    // Temporary credentials are requested for the role with the policy built above; a random UUID
    // serves as the session name.
    Credentials credentials = stsDao
        .getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), UUID.randomUUID().toString(), roleArn, durationSeconds, awsPolicyBuilder.build());

    // Copy the result into the response model. The secret key and session token are sensitive and
    // should not be logged.
    AwsCredential awsCredential = new AwsCredential();
    awsCredential.setAwsAccessKey(credentials.getAccessKeyId());
    awsCredential.setAwsSecretKey(credentials.getSecretAccessKey());
    awsCredential.setAwsSessionToken(credentials.getSessionToken());
    awsCredential.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(credentials.getExpiration()));
    return awsCredential;
}
 
Example #11
Source File: UploadDownloadServiceImpl.java    From herd with Apache License 2.0
/**
 * Creates a restricted policy JSON string which only allows PutObject to the given bucket name and object key, and allows GenerateDataKey and Decrypt for
 * the given key ID. The Decrypt is required for multipart upload with KMS encryption.
 *
 * @param s3BucketName - The S3 bucket name to restrict uploads to
 * @param s3Key - The S3 object key to restrict the uploads to
 * @param awsKmsKeyId - The KMS key ID to allow access
 *
 * @return the policy JSON string
 */
@SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed.
private Policy createUploaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId)
{
    // S3 side: PutObject on exactly one bucket/key pair.
    AwsPolicyBuilder uploadOnlyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.PutObject);

    // KMS side: GenerateDataKey to encrypt the upload, and Decrypt for the given key as well.
    return uploadOnlyBuilder.withKms(awsKmsKeyId, KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT).build();
}
 
Example #12
Source File: AwsPolicyBuilder.java    From herd with Apache License 2.0
/**
 * Adds a permission to allow the specified actions to the given bucket and s3 key prefix. The permissions will allow the given actions to all objects with
 * the given prefix.
 *
 * @param bucketName S3 Bucket name
 * @param prefix S3 Object key prefix
 * @param actions List of actions to allow
 *
 * @return This builder
 */
public AwsPolicyBuilder withS3Prefix(String bucketName, String prefix, S3Actions... actions)
{
    // "<prefix>/*" limits the statement to keys below the prefix, treated as a directory.
    // NOTE(review): the prefix is used as given. An empty prefix produces "/*", and a prefix that
    // itself contains "*" or "?" broadens the match, so callers should pass a validated, non-empty
    // prefix without a trailing slash.
    String keysUnderPrefix = prefix + "/*";
    return withS3(bucketName, keysUnderPrefix, actions);
}
 
Example #13
Source File: UploadDownloadServiceImpl.java    From herd with Apache License 2.0
/**
 * Creates a restricted policy JSON string which only allows GetObject to the given bucket name and object key, and allows Decrypt for the given key ID.
 *
 * @param s3BucketName - The S3 bucket name to restrict downloads to
 * @param s3Key - The S3 object key to restrict the downloads to
 * @param awsKmsKeyId - The KMS key ID to allow access
 *
 * @return the policy JSON string
 */
@SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed.
private Policy createDownloaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId)
{
    // S3 side: GetObject on exactly one bucket/key pair.
    AwsPolicyBuilder downloadOnlyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject);

    // KMS side: Decrypt only, for the given key.
    return downloadOnlyBuilder.withKms(awsKmsKeyId, KmsActions.DECRYPT).build();
}
 
Example #14
Source File: UploadDownloadServiceImpl.java    From herd with Apache License 2.0
/**
 * Creates a restricted policy JSON string which only allows GetObject to the given bucket name and object key. No KMS permission is added.
 *
 * @param s3BucketName - The S3 bucket name to restrict downloads to
 * @param s3Key - The S3 object key to restrict the downloads to
 *
 * @return the policy JSON string
 */
@SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed.
private Policy createDownloaderPolicy(String s3BucketName, String s3Key)
{
    // Single statement: GetObject on one bucket/key pair; this overload adds no KMS statement.
    AwsPolicyBuilder downloadOnlyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject);
    return downloadOnlyBuilder.build();
}