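package acl

import (
	"fmt"

	"github.com/treeverse/lakefs/pkg/auth"
	"github.com/treeverse/lakefs/pkg/auth/model"
	"github.com/treeverse/lakefs/pkg/permissions"
)

const (
	// ReadPermission allows reading the specified repositories, as well as
	// managing own credentials.
	ReadPermission model.ACLPermission = "Read"
	// WritePermission allows reading and writing the specified repositories,
	// as well as managing own credentials.
	WritePermission model.ACLPermission = "Write"
	// SuperPermission allows reading, writing, and all other actions on the
	// specified repositories, as well as managing own credentials.
	SuperPermission model.ACLPermission = "Super"
	// AdminPermission allows all operations, including all reading, writing,
	// and all other actions on all repositories, and managing
	// authorization and credentials of all users.
	AdminPermission model.ACLPermission = "Admin"
)

var (
	// ownUserARN restricts a statement to the calling user's own ARN.
	// NOTE(review): "${user}" is presumably substituted with the caller's
	// identity by the policy evaluator — confirm in permissions.UserArn users.
	ownUserARN = []string{permissions.UserArn("${user}")}
	// all is the wildcard resource list used for repository-wide grants.
	all = []string{permissions.All}

	// ErrBadACLPermission is returned when an ACL names an unknown permission
	// or when one of the policy types a permission expands to cannot be built.
	// It wraps model.ErrValidationError so callers can classify it as a
	// validation failure.
	ErrBadACLPermission = fmt.Errorf("%w: Bad ACL permission", model.ErrValidationError)
)

// policyGrant pairs a built-in policy type name with the resources it
// applies to.
type policyGrant struct {
	policyType string
	resources  []string
}

// ownCredentials lets a principal manage only its own credentials. Every
// non-admin permission includes it; admins get it through "AllAccess".
var ownCredentials = policyGrant{policyType: "AuthManageOwnCredentials", resources: ownUserARN}

// grantsForPermission expands an ACL permission into the ordered list of
// policy grants it consists of. The order is the order in which the resulting
// statements are emitted. The second result is false for an unknown
// permission, so unrecognised input is rejected rather than mapped to an
// empty (or overly broad) grant.
func grantsForPermission(p model.ACLPermission) ([]policyGrant, bool) {
	switch p {
	case ReadPermission:
		return []policyGrant{
			{"FSRead", all},
			{"FSReadConfig", all},
			ownCredentials,
		}, true
	case WritePermission:
		return []policyGrant{
			{"FSReadWrite", all},
			ownCredentials,
			{"RepoManagementRead", all},
		}, true
	case SuperPermission:
		return []policyGrant{
			{"FSFullAccess", all},
			ownCredentials,
			{"RepoManagementRead", all},
		}, true
	case AdminPermission:
		// Admin is the only permission that is not scoped to own credentials:
		// "AllAccess" on every resource covers authorization of all users.
		return []policyGrant{{"AllAccess", all}}, true
	default:
		return nil, false
	}
}

// ACLToStatement translates an ACL into the policy statements that enforce
// it, by expanding acl.Permission into built-in policy types (see
// grantsForPermission) and building one statement set per type with
// auth.MakeStatementForPolicyType.
//
// It returns ErrBadACLPermission (wrapped with the permission and, where
// applicable, the failing policy type) when the permission is unknown or a
// policy type cannot be built; the underlying error from
// auth.MakeStatementForPolicyType is not propagated. Unlike earlier revisions,
// a failure to build "AuthManageOwnCredentials" is reported as
// ErrBadACLPermission for every permission, so callers get one consistent
// classification.
//
// Each statement set is appended into a fresh slice; the slices returned by
// auth.MakeStatementForPolicyType are never appended to in place, so any
// backing storage they share is left untouched.
func ACLToStatement(acl model.ACL) (model.Statements, error) {
	grants, ok := grantsForPermission(acl.Permission)
	if !ok {
		return nil, fmt.Errorf("%w \"%s\"", ErrBadACLPermission, acl.Permission)
	}

	var statements model.Statements
	for _, g := range grants {
		s, err := auth.MakeStatementForPolicyType(g.policyType, g.resources)
		if err != nil {
			return nil, fmt.Errorf("%s: get %s: %w", acl.Permission, g.policyType, ErrBadACLPermission)
		}
		statements = append(statements, s...)
	}
	return statements, nil
}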