com.amazonaws.auth.policy.Resource Java Examples

The following examples show how to use com.amazonaws.auth.policy.Resource. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: AwsIamServiceTest.java    From cloudbreak with Apache License 2.0 6 votes vote down vote up
@Test
public void testGetStatementResources() {
    assertThat(awsIamService.getStatementResources(new Statement(Effect.Allow)))
            .isEqualTo(new TreeSet<>());

    SortedSet<String> expectedSingleResource = new TreeSet<>();
    expectedSingleResource.add("resource1");
    Statement statementSingleResouce = new Statement(Effect.Allow)
            .withResources(new Resource("resource1"));
    assertThat(awsIamService.getStatementResources(statementSingleResouce))
            .isEqualTo(expectedSingleResource);

    SortedSet<String> expectedMultipleResources = new TreeSet<>();
    expectedMultipleResources.add("resource1");
    expectedMultipleResources.add("resource2");
    Statement statementMultipleResources = new Statement(Effect.Allow)
            .withResources(
                    new Resource("resource1"),
                    new Resource("resource2"));
    assertThat(awsIamService.getStatementResources(statementMultipleResources))
            .isEqualTo(expectedMultipleResources);
}
 
Example #2
Source File: IntegrationTest.java    From amazon-sqs-java-temporary-queues-client with Apache License 2.0 5 votes vote down vote up
protected Policy allowSendMessagePolicy(String roleARN) {
    Policy policy = new Policy();
    Statement statement = new Statement(Statement.Effect.Allow);
    statement.setActions(Collections.singletonList(SQSActions.SendMessage));
    statement.setPrincipals(new Principal(roleARN));
    statement.setResources(Collections.singletonList(new Resource("arn:aws:sqs:*:*:*")));
    policy.setStatements(Collections.singletonList(statement));
    return policy;
}
 
Example #3
Source File: SQSObservableQueue.java    From conductor with Apache License 2.0 5 votes vote down vote up
private String getPolicy(List<String> accountIds) {
	Policy policy = new Policy("AuthorizedWorkerAccessPolicy");
	Statement stmt = new Statement(Effect.Allow);
	Action action = SQSActions.SendMessage;
	stmt.getActions().add(action);
	stmt.setResources(new LinkedList<>());
	for(String accountId : accountIds) {
		Principal principal = new Principal(accountId);
		stmt.getPrincipals().add(principal);
	}
	stmt.getResources().add(new Resource(getQueueARN()));
	policy.getStatements().add(stmt);
	return policy.toJson();
}
 
Example #4
Source File: SetBucketPolicy.java    From aws-doc-sdk-examples with Apache License 2.0 5 votes vote down vote up
public static String getPublicReadPolicy(String bucket_name) {
    Policy bucket_policy = new Policy().withStatements(
            new Statement(Statement.Effect.Allow)
                    .withPrincipals(Principal.AllUsers)
                    .withActions(S3Actions.GetObject)
                    .withResources(new Resource(
                            "arn:aws:s3:::" + bucket_name + "/*")));
    return bucket_policy.toJson();
}
 
Example #5
Source File: AwsPolicyBuilder.java    From herd with Apache License 2.0 5 votes vote down vote up
/**
 * Adds a permission to allow the specified actions to the given KMS key id.
 *
 * @param kmsKeyId Full ARN to the kms key
 * @param actions List of actions
 *
 * @return This builder
 */
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withKms(String kmsKeyId, KmsActions... actions)
{
    Statement statement = new Statement(Effect.Allow);
    statement.setActions(Arrays.asList(actions));
    statement.setResources(Arrays.asList(new Resource(kmsKeyId)));
    policy.getStatements().add(statement);
    return this;
}
 
Example #6
Source File: AwsPolicyBuilder.java    From herd with Apache License 2.0 5 votes vote down vote up
/**
 * Adds a permission to allow the specified actions to the given bucket and s3 object key. The permission will allow the given actions only to the specified
 * object key. If object key is null, the permission is applied to the bucket itself.
 *
 * @param bucketName S3 bucket name
 * @param objectKey S3 object key
 * @param actions List of actions to allow
 *
 * @return This builder
 */
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withS3(String bucketName, String objectKey, S3Actions... actions)
{
    Statement statement = new Statement(Effect.Allow);
    statement.setActions(Arrays.asList(actions));
    String resource = "arn:aws:s3:::" + bucketName;
    if (objectKey != null)
    {
        resource += "/" + objectKey;
    }
    statement.setResources(Arrays.asList(new Resource(resource)));
    policy.getStatements().add(statement);
    return this;
}
 
Example #7
Source File: AWSSessionCredentialsFactory.java    From digdag with Apache License 2.0 5 votes vote down vote up
public BasicSessionCredentials get()
{
    AWSCredentials baseCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);

    List<Statement> statements = new ArrayList<>();
    acceptableUris.forEach(acceptableUri -> {
                Mode mode = acceptableUri.mode;
                String uri = acceptableUri.uri;
                if (uri.startsWith(URI_S3_PREFIX)) {
                    String s3BucketAndKeyStr = uri.substring(URI_S3_PREFIX.length());
                    String[] s3BucketAndKey = s3BucketAndKeyStr.split("/", 2);
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(S3Actions.ListObjects)
                            .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKey[0])));
                    switch (mode) {
                        case READ:
                            statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(S3Actions.GetObject)
                                    .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*")));
                            break;
                        case WRITE:
                            statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(S3Actions.PutObject)
                                    .withResources(new Resource("arn:aws:s3:::" + s3BucketAndKeyStr + "*")));
                            break;
                    }
                }
                else if (uri.startsWith(URI_DYNAMODB_PREFIX)) {
                    String table = uri.substring(URI_DYNAMODB_PREFIX.length());
                    statements.add(new Statement(Statement.Effect.Allow)
                            .withActions(DynamoDBv2Actions.DescribeTable)
                            .withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table))));
                    switch (mode) {
                        case READ:
                            statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(DynamoDBv2Actions.Scan)
                                    .withResources(new Resource(String.format("arn:aws:dynamodb:*:*:table/%s", table))));
                            break;
                        case WRITE:
                            break;
                    }
                }
                else if (uri.startsWith(URI_EMR_PREFIX)) {
                    String cluster = uri.substring(URI_EMR_PREFIX.length());
                    // TODO: Grant minimum actions
                    statements.add(new Statement(Statement.Effect.Allow)
                                    .withActions(ElasticMapReduceActions.AllElasticMapReduceActions)
                                    .withResources(new Resource(String.format("arn:aws:elasticmapreduce:*:*:cluster/%s", cluster))));
                }
                else {
                    throw new IllegalArgumentException("Unexpected `uri`. uri=" + uri);
                }
            }
    );
    Policy policy = new Policy();
    policy.setStatements(statements);

    Credentials credentials;

    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(baseCredentials);

    if (roleArn != null && !roleArn.isEmpty()) {
        // use STS to assume role
        AssumeRoleResult assumeResult = stsClient.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withDurationSeconds(durationSeconds)
                .withRoleSessionName(sessionName)
                .withPolicy(policy.toJson()));

        credentials = assumeResult.getCredentials();
    }
    else {
        // Maybe we'd better add an option command later like `without_federated_token`
        GetFederationTokenRequest federationTokenRequest = new GetFederationTokenRequest()
                .withDurationSeconds(durationSeconds)
                .withName(sessionName)
                .withPolicy(policy.toJson());

        GetFederationTokenResult federationTokenResult =
                stsClient.getFederationToken(federationTokenRequest);

        credentials = federationTokenResult.getCredentials();
    }

    return new BasicSessionCredentials(
            credentials.getAccessKeyId(),
            credentials.getSecretAccessKey(),
            credentials.getSessionToken());
}
 
Example #8
Source File: AwsGlacierInventoryRetriever.java    From core with GNU General Public License v3.0 5 votes vote down vote up
/**
 * For retrieving vault inventory. For initializing SQS for determining when
 * job completed. Does nothing if member snsTopicName is null. Sets members
 * sqsQueueURL, sqsQueueARN, and sqsClient.
 */
   private void setupSQS() {
	// If no sqsQueueName setup then simply return
	if (sqsQueueName == null)
		return;

	CreateQueueRequest request = new CreateQueueRequest()
			.withQueueName(sqsQueueName);
	CreateQueueResult result = sqsClient.createQueue(request);
	sqsQueueURL = result.getQueueUrl();

	GetQueueAttributesRequest qRequest = new GetQueueAttributesRequest()
			.withQueueUrl(sqsQueueURL).withAttributeNames("QueueArn");

	GetQueueAttributesResult qResult = sqsClient
			.getQueueAttributes(qRequest);
	sqsQueueARN = qResult.getAttributes().get("QueueArn");

	Policy sqsPolicy = new Policy().withStatements(new Statement(
			Effect.Allow).withPrincipals(Principal.AllUsers)
			.withActions(SQSActions.SendMessage)
			.withResources(new Resource(sqsQueueARN)));
	Map<String, String> queueAttributes = new HashMap<String, String>();
	queueAttributes.put("Policy", sqsPolicy.toJson());
	sqsClient.setQueueAttributes(new SetQueueAttributesRequest(sqsQueueURL,
			queueAttributes));
}
 
Example #9
Source File: TemporarySQSQueue.java    From front50 with Apache License 2.0 5 votes vote down vote up
private TemporaryQueue createQueue(String snsTopicArn, String sqsQueueArn, String sqsQueueName) {
  String sqsQueueUrl =
      amazonSQS
          .createQueue(
              new CreateQueueRequest()
                  .withQueueName(sqsQueueName)
                  .withAttributes(
                      Collections.singletonMap(
                          "MessageRetentionPeriod", "60")) // 60s message retention
              )
          .getQueueUrl();
  log.info("Created Temporary S3 Notification Queue: {}", value("queue", sqsQueueUrl));

  String snsTopicSubscriptionArn =
      amazonSNS.subscribe(snsTopicArn, "sqs", sqsQueueArn).getSubscriptionArn();

  Statement snsStatement =
      new Statement(Statement.Effect.Allow).withActions(SQSActions.SendMessage);
  snsStatement.setPrincipals(Principal.All);
  snsStatement.setResources(Collections.singletonList(new Resource(sqsQueueArn)));
  snsStatement.setConditions(
      Collections.singletonList(
          new Condition()
              .withType("ArnEquals")
              .withConditionKey("aws:SourceArn")
              .withValues(snsTopicArn)));

  Policy allowSnsPolicy = new Policy("allow-sns", Collections.singletonList(snsStatement));

  HashMap<String, String> attributes = new HashMap<>();
  attributes.put("Policy", allowSnsPolicy.toJson());
  amazonSQS.setQueueAttributes(sqsQueueUrl, attributes);

  return new TemporaryQueue(snsTopicArn, sqsQueueArn, sqsQueueUrl, snsTopicSubscriptionArn);
}
 
Example #10
Source File: AwsIamService.java    From cloudbreak with Apache License 2.0 5 votes vote down vote up
/**
 * Returns resources from the given statement
 *
 * @param statement statement to get resources from
 * @return sorted set of resources
 */
public SortedSet<String> getStatementResources(Statement statement) {
    List<Resource> resources = statement.getResources();
    if (resources == null) {
        return new TreeSet<>();
    }
    return resources.stream()
            .map(Resource::getId)
            .collect(Collectors.toCollection(TreeSet::new));
}
 
Example #11
Source File: AwsIamServiceTest.java    From cloudbreak with Apache License 2.0 5 votes vote down vote up
@Test
public void testGetPolicy() {
    assertThat(awsIamService.getPolicy("abc", Collections.emptyMap())).isNull();

    Policy expectedPolicyNoReplacements = new Policy().withStatements(
            new Statement(Effect.Allow).withId("FullObjectAccessUnderAuditDir")
                    .withActions(S3Actions.GetObject, S3Actions.PutObject)
                    .withResources(new Resource("arn:aws:s3:::${STORAGE_LOCATION_BASE}/ranger/audit/*")),
            new Statement(Effect.Allow).withId("LimitedAccessToDataLakeBucket")
                    .withActions(S3Actions.AbortMultipartUpload, S3Actions.ListObjects,
                            S3Actions.ListBucketMultipartUploads)
                    .withResources(new Resource("arn:aws:s3:::${DATALAKE_BUCKET}"))
    );
    assertThat(awsIamService.getPolicy("aws-cdp-ranger-audit-s3-policy.json",
            Collections.emptyMap()).toJson()).isEqualTo(expectedPolicyNoReplacements.toJson());

    Policy expectedPolicyWithReplacements = new Policy().withStatements(
            new Statement(Effect.Allow).withId("FullObjectAccessUnderAuditDir")
                    .withActions(S3Actions.GetObject, S3Actions.PutObject)
                    .withResources(new Resource("arn:aws:s3:::mybucket/mycluster/ranger/audit/*")),
            new Statement(Effect.Allow).withId("LimitedAccessToDataLakeBucket")
                    .withActions(S3Actions.AbortMultipartUpload, S3Actions.ListObjects,
                            S3Actions.ListBucketMultipartUploads)
                    .withResources(new Resource("arn:aws:s3:::mybucket"))
    );

    Map<String, String> policyReplacements = new HashMap<>();
    policyReplacements.put("${STORAGE_LOCATION_BASE}", "mybucket/mycluster");
    policyReplacements.put("${DATALAKE_BUCKET}", "mybucket");
    assertThat(awsIamService.getPolicy("aws-cdp-ranger-audit-s3-policy.json",
            policyReplacements).toJson()).isEqualTo(expectedPolicyWithReplacements.toJson());
}
 
Example #12
Source File: ControlChannel.java    From s3-bucket-loader with Apache License 2.0 4 votes vote down vote up
public void connectToTopic(boolean callerIsMaster, int maxAttempts, String userAccountPrincipalId, String userARN) throws Exception {
	
	
	// try up to max attempts to connect to pre-existing topic
	for (int i=0; i<maxAttempts; i++) {
		
		logger.debug("connectToTopic() attempt: " + (i+1));
		
		ListTopicsResult listResult = snsClient.listTopics();
		List<Topic> topics = listResult.getTopics();
		
		while(topics != null) {
			
			for (Topic topic : topics) {

				// note we do index of match....
				if (topic.getTopicArn().indexOf(snsControlTopicName) != -1) {
					snsTopicARN = topic.getTopicArn();
					logger.info("Found existing SNS topic by name: "+snsControlTopicName + " @ " + snsTopicARN);
					break;
				}
			}

			String nextToken = listResult.getNextToken();
			
			if (nextToken != null && snsTopicARN == null) {
				listResult = snsClient.listTopics(nextToken);
				topics = listResult.getTopics();
				
			} else {
				break;
			}
		}
		
		// if consumer, retry, otherwise is master, so just exit quick to create...
		if (snsTopicARN == null && !callerIsMaster) {
			Thread.currentThread().sleep(1000);
			continue;
		} else {
			break; // exit;
		}
	}
	
	
	
	// if master only he can create...
	if (snsTopicARN == null && callerIsMaster) {
		this.snsControlTopicName = this.snsControlTopicName.substring(0,(snsControlTopicName.length() > 80 ? 80 : this.snsControlTopicName.length()));
		
		logger.info("Attempting to create new SNS control channel topic by name: "+this.snsControlTopicName);
		
		CreateTopicResult createTopicResult = snsClient.createTopic(this.snsControlTopicName);
		snsTopicARN = createTopicResult.getTopicArn();
		snsClient.addPermission(snsTopicARN, "Permit_SNSAdd", 
								Arrays.asList(new String[]{userARN}), 
								Arrays.asList(new String[]{"Publish","Subscribe","Receive"}));
		logger.info("Created new SNS control channel topic by name: "+this.snsControlTopicName + " @ " + snsTopicARN);
		
	} else if (snsTopicARN == null) {
		throw new Exception("Worker() cannot start, snsControlTopicName has yet to be created by master?: " + this.snsControlTopicName);
	}
	
	// http://www.jorgjanke.com/2013/01/aws-sns-topic-subscriptions-with-sqs.html
	
	// create SQS queue to get SNS notifications (max 80 len)
	String prefix =  ("s3bktLoaderCC_" + mySourceIdentifier);
	String sqsQueueName = prefix.substring(0,(prefix.length() > 80 ? 80 : prefix.length()));
	
	CreateQueueResult createQueueResult = sqsClient.createQueue(sqsQueueName);
	this.sqsQueueUrl = createQueueResult.getQueueUrl();
	this.sqsQueueARN = sqsClient.getQueueAttributes(sqsQueueUrl, Arrays.asList(new String[]{"QueueArn"})).getAttributes().get("QueueArn");

	Statement statement = new Statement(Effect.Allow)
							.withActions(SQSActions.SendMessage)
							 .withPrincipals(new Principal("*"))
							 .withConditions(ConditionFactory.newSourceArnCondition(snsTopicARN))
							 .withResources(new Resource(sqsQueueARN));
	Policy policy = new Policy("SubscriptionPermission").withStatements(statement);

	HashMap<String, String> attributes = new HashMap<String, String>();
	attributes.put("Policy", policy.toJson());
	SetQueueAttributesRequest request = new SetQueueAttributesRequest(sqsQueueUrl, attributes);
	sqsClient.setQueueAttributes(request);

	logger.info("Created SQS queue: " + sqsQueueARN + " @ " + sqsQueueUrl);
	
	// subscribe our SQS queue to the SNS:s3MountTest topic
	SubscribeResult subscribeResult = snsClient.subscribe(snsTopicARN,"sqs",sqsQueueARN);
	snsSubscriptionARN = subscribeResult.getSubscriptionArn();
	logger.info("Subscribed for messages from SNS control channel:" + snsTopicARN + " ----> SQS: "+sqsQueueARN);
	logger.info("Subscription ARN: " + snsSubscriptionARN);
	
	this.consumerThread = new Thread(this,"ControlChannel msg consumer thread");
	this.consumerThread.start();

	logger.info("\n-------------------------------------------\n" +
				"CONTROL CHANNEL: ALL SNS/SQS resources hooked up OK\n" +
				"-------------------------------------------\n");
}