com.amazonaws.auth.policy.Statement.Effect Java Examples
The following examples show how to use
com.amazonaws.auth.policy.Statement.Effect.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: AwsIamServiceTest.java From cloudbreak with Apache License 2.0 | 6 votes |
|
@Test
public void testGetAssumeRolePolicyDocument() throws IOException {
String assumeRolePolicyDocument = awsIamService.getResourceFileAsString(
"json/aws-assume-role-policy-document.json");
String encodedAssumeRolePolicyDocument = URLEncoder.encode(assumeRolePolicyDocument,
StandardCharsets.UTF_8);
Statement statement = new Statement(Effect.Allow).withId("1")
.withPrincipals(new Principal("AWS", "arn:aws:iam::123456890:role/assume-role"))
.withActions(SecurityTokenServiceActions.AssumeRole);
Policy expectedAssumeRolePolicy = new Policy().withStatements(statement);
Role role = mock(Role.class);
when(role.getAssumeRolePolicyDocument()).thenReturn(encodedAssumeRolePolicyDocument);
Policy assumeRolePolicy = awsIamService.getAssumeRolePolicy(role);
assertThat(assumeRolePolicy).isNotNull();
assertThat(assumeRolePolicy.toJson()).isEqualTo(expectedAssumeRolePolicy.toJson());
}
Example #2
| Source File: AwsIamServiceTest.java From cloudbreak with Apache License 2.0 | 6 votes |
|
@Test
public void testGetStatementActions() {
assertThat(awsIamService.getStatementActions(new Statement(Effect.Allow)))
.isEqualTo(new TreeSet<>());
SortedSet<String> expectedSingleAction = new TreeSet<>();
expectedSingleAction.add(S3Actions.GetObject.getActionName());
Statement statementSingleAction = new Statement(Effect.Allow).withActions(S3Actions.GetObject);
assertThat(awsIamService.getStatementActions(statementSingleAction))
.isEqualTo(expectedSingleAction);
SortedSet<String> expectedMultipleActions = new TreeSet<>();
expectedMultipleActions.add(S3Actions.GetObject.getActionName());
expectedMultipleActions.add(S3Actions.PutObject.getActionName());
Statement statementMultipleActions = new Statement(Effect.Allow)
.withActions(S3Actions.GetObject, S3Actions.PutObject);
assertThat(awsIamService.getStatementActions(statementMultipleActions))
.isEqualTo(expectedMultipleActions);
}
Example #3
| Source File: AwsIamServiceTest.java From cloudbreak with Apache License 2.0 | 6 votes |
|
@Test
public void testGetStatementResources() {
assertThat(awsIamService.getStatementResources(new Statement(Effect.Allow)))
.isEqualTo(new TreeSet<>());
SortedSet<String> expectedSingleResource = new TreeSet<>();
expectedSingleResource.add("resource1");
Statement statementSingleResouce = new Statement(Effect.Allow)
.withResources(new Resource("resource1"));
assertThat(awsIamService.getStatementResources(statementSingleResouce))
.isEqualTo(expectedSingleResource);
SortedSet<String> expectedMultipleResources = new TreeSet<>();
expectedMultipleResources.add("resource1");
expectedMultipleResources.add("resource2");
Statement statementMultipleResources = new Statement(Effect.Allow)
.withResources(
new Resource("resource1"),
new Resource("resource2"));
assertThat(awsIamService.getStatementResources(statementMultipleResources))
.isEqualTo(expectedMultipleResources);
}
Example #4
| Source File: CommonTestUtils.java From pacbot with Apache License 2.0 | 5 votes |
|
public static Policy getPolicy() {
Policy policy = new Policy();
List<Statement> statements = new ArrayList<Statement>();
Statement statement = new Statement(Effect.Allow);
List<Action> actions = new ArrayList<>();
actions.add(IdentityManagementActions.AllIdentityManagementActions);
actions.add(EC2Actions.RunInstances);
statement.setActions(actions);
statements.add(statement);
policy.setStatements(statements);
policy.setId("123");
policy.setStatements(statements);
return policy;
}
Example #5
| Source File: IAMUtils.java From pacbot with Apache License 2.0 | 5 votes |
|
private static Set<String> getActionSet(Policy policy) {
Set<String> actionsSet = new HashSet();
for (Statement statement : policy.getStatements()) {
if (statement.getEffect().equals(Effect.Allow)) {
for (Action action : statement.getActions()) {
actionsSet.add(action.getActionName());
}
}
}
return actionsSet;
}
Example #6
| Source File: SQSObservableQueue.java From conductor with Apache License 2.0 | 5 votes |
|
private String getPolicy(List<String> accountIds) {
Policy policy = new Policy("AuthorizedWorkerAccessPolicy");
Statement stmt = new Statement(Effect.Allow);
Action action = SQSActions.SendMessage;
stmt.getActions().add(action);
stmt.setResources(new LinkedList<>());
for(String accountId : accountIds) {
Principal principal = new Principal(accountId);
stmt.getPrincipals().add(principal);
}
stmt.getResources().add(new Resource(getQueueARN()));
policy.getStatements().add(stmt);
return policy.toJson();
}
Example #7
| Source File: AwsPolicyBuilder.java From herd with Apache License 2.0 | 5 votes |
|
/**
* Adds a permission to allow the specified actions to the given KMS key id.
*
* @param kmsKeyId Full ARN to the kms key
* @param actions List of actions
*
* @return This builder
*/
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withKms(String kmsKeyId, KmsActions... actions)
{
Statement statement = new Statement(Effect.Allow);
statement.setActions(Arrays.asList(actions));
statement.setResources(Arrays.asList(new Resource(kmsKeyId)));
policy.getStatements().add(statement);
return this;
}
Example #8
| Source File: AwsPolicyBuilder.java From herd with Apache License 2.0 | 5 votes |
|
/**
* Adds a permission to allow the specified actions to the given bucket and s3 object key. The permission will allow the given actions only to the specified
* object key. If object key is null, the permission is applied to the bucket itself.
*
* @param bucketName S3 bucket name
* @param objectKey S3 object key
* @param actions List of actions to allow
*
* @return This builder
*/
@SuppressWarnings("PMD.CloseResource")
public AwsPolicyBuilder withS3(String bucketName, String objectKey, S3Actions... actions)
{
Statement statement = new Statement(Effect.Allow);
statement.setActions(Arrays.asList(actions));
String resource = "arn:aws:s3:::" + bucketName;
if (objectKey != null)
{
resource += "/" + objectKey;
}
statement.setResources(Arrays.asList(new Resource(resource)));
policy.getStatements().add(statement);
return this;
}
Example #9
| Source File: AwsGlacierInventoryRetriever.java From core with GNU General Public License v3.0 | 5 votes |
|
/**
* For retrieving vault inventory. For initializing SQS for determining when
* job completed. Does nothing if member snsTopicName is null. Sets members
* sqsQueueURL, sqsQueueARN, and sqsClient.
*/
private void setupSQS() {
// If no sqsQueueName setup then simply return
if (sqsQueueName == null)
return;
CreateQueueRequest request = new CreateQueueRequest()
.withQueueName(sqsQueueName);
CreateQueueResult result = sqsClient.createQueue(request);
sqsQueueURL = result.getQueueUrl();
GetQueueAttributesRequest qRequest = new GetQueueAttributesRequest()
.withQueueUrl(sqsQueueURL).withAttributeNames("QueueArn");
GetQueueAttributesResult qResult = sqsClient
.getQueueAttributes(qRequest);
sqsQueueARN = qResult.getAttributes().get("QueueArn");
Policy sqsPolicy = new Policy().withStatements(new Statement(
Effect.Allow).withPrincipals(Principal.AllUsers)
.withActions(SQSActions.SendMessage)
.withResources(new Resource(sqsQueueARN)));
Map<String, String> queueAttributes = new HashMap<String, String>();
queueAttributes.put("Policy", sqsPolicy.toJson());
sqsClient.setQueueAttributes(new SetQueueAttributesRequest(sqsQueueURL,
queueAttributes));
}
Example #10
| Source File: AwsInstanceProfileEC2TrustValidatorTest.java From cloudbreak with Apache License 2.0 | 5 votes |
|
private Policy getTrustedPolicy() {
return new Policy().withStatements(
new Statement(Effect.Allow)
.withActions(SecurityTokenServiceActions.AssumeRole)
.withPrincipals(new Principal("Service", Services.AmazonEC2.getServiceId()))
);
}
Example #11
| Source File: AwsIamServiceTest.java From cloudbreak with Apache License 2.0 | 5 votes |
|
@Test
public void testGetPolicy() {
assertThat(awsIamService.getPolicy("abc", Collections.emptyMap())).isNull();
Policy expectedPolicyNoReplacements = new Policy().withStatements(
new Statement(Effect.Allow).withId("FullObjectAccessUnderAuditDir")
.withActions(S3Actions.GetObject, S3Actions.PutObject)
.withResources(new Resource("arn:aws:s3:::${STORAGE_LOCATION_BASE}/ranger/audit/*")),
new Statement(Effect.Allow).withId("LimitedAccessToDataLakeBucket")
.withActions(S3Actions.AbortMultipartUpload, S3Actions.ListObjects,
S3Actions.ListBucketMultipartUploads)
.withResources(new Resource("arn:aws:s3:::${DATALAKE_BUCKET}"))
);
assertThat(awsIamService.getPolicy("aws-cdp-ranger-audit-s3-policy.json",
Collections.emptyMap()).toJson()).isEqualTo(expectedPolicyNoReplacements.toJson());
Policy expectedPolicyWithReplacements = new Policy().withStatements(
new Statement(Effect.Allow).withId("FullObjectAccessUnderAuditDir")
.withActions(S3Actions.GetObject, S3Actions.PutObject)
.withResources(new Resource("arn:aws:s3:::mybucket/mycluster/ranger/audit/*")),
new Statement(Effect.Allow).withId("LimitedAccessToDataLakeBucket")
.withActions(S3Actions.AbortMultipartUpload, S3Actions.ListObjects,
S3Actions.ListBucketMultipartUploads)
.withResources(new Resource("arn:aws:s3:::mybucket"))
);
Map<String, String> policyReplacements = new HashMap<>();
policyReplacements.put("${STORAGE_LOCATION_BASE}", "mybucket/mycluster");
policyReplacements.put("${DATALAKE_BUCKET}", "mybucket");
assertThat(awsIamService.getPolicy("aws-cdp-ranger-audit-s3-policy.json",
policyReplacements).toJson()).isEqualTo(expectedPolicyWithReplacements.toJson());
}
Example #12
| Source File: ControlChannel.java From s3-bucket-loader with Apache License 2.0 | 4 votes |
|
public void connectToTopic(boolean callerIsMaster, int maxAttempts, String userAccountPrincipalId, String userARN) throws Exception {
// try up to max attempts to connect to pre-existing topic
for (int i=0; i<maxAttempts; i++) {
logger.debug("connectToTopic() attempt: " + (i+1));
ListTopicsResult listResult = snsClient.listTopics();
List<Topic> topics = listResult.getTopics();
while(topics != null) {
for (Topic topic : topics) {
// note we do index of match....
if (topic.getTopicArn().indexOf(snsControlTopicName) != -1) {
snsTopicARN = topic.getTopicArn();
logger.info("Found existing SNS topic by name: "+snsControlTopicName + " @ " + snsTopicARN);
break;
}
}
String nextToken = listResult.getNextToken();
if (nextToken != null && snsTopicARN == null) {
listResult = snsClient.listTopics(nextToken);
topics = listResult.getTopics();
} else {
break;
}
}
// if consumer, retry, otherwise is master, so just exit quick to create...
if (snsTopicARN == null && !callerIsMaster) {
Thread.currentThread().sleep(1000);
continue;
} else {
break; // exit;
}
}
// if master only he can create...
if (snsTopicARN == null && callerIsMaster) {
this.snsControlTopicName = this.snsControlTopicName.substring(0,(snsControlTopicName.length() > 80 ? 80 : this.snsControlTopicName.length()));
logger.info("Attempting to create new SNS control channel topic by name: "+this.snsControlTopicName);
CreateTopicResult createTopicResult = snsClient.createTopic(this.snsControlTopicName);
snsTopicARN = createTopicResult.getTopicArn();
snsClient.addPermission(snsTopicARN, "Permit_SNSAdd",
Arrays.asList(new String[]{userARN}),
Arrays.asList(new String[]{"Publish","Subscribe","Receive"}));
logger.info("Created new SNS control channel topic by name: "+this.snsControlTopicName + " @ " + snsTopicARN);
} else if (snsTopicARN == null) {
throw new Exception("Worker() cannot start, snsControlTopicName has yet to be created by master?: " + this.snsControlTopicName);
}
// http://www.jorgjanke.com/2013/01/aws-sns-topic-subscriptions-with-sqs.html
// create SQS queue to get SNS notifications (max 80 len)
String prefix = ("s3bktLoaderCC_" + mySourceIdentifier);
String sqsQueueName = prefix.substring(0,(prefix.length() > 80 ? 80 : prefix.length()));
CreateQueueResult createQueueResult = sqsClient.createQueue(sqsQueueName);
this.sqsQueueUrl = createQueueResult.getQueueUrl();
this.sqsQueueARN = sqsClient.getQueueAttributes(sqsQueueUrl, Arrays.asList(new String[]{"QueueArn"})).getAttributes().get("QueueArn");
Statement statement = new Statement(Effect.Allow)
.withActions(SQSActions.SendMessage)
.withPrincipals(new Principal("*"))
.withConditions(ConditionFactory.newSourceArnCondition(snsTopicARN))
.withResources(new Resource(sqsQueueARN));
Policy policy = new Policy("SubscriptionPermission").withStatements(statement);
HashMap<String, String> attributes = new HashMap<String, String>();
attributes.put("Policy", policy.toJson());
SetQueueAttributesRequest request = new SetQueueAttributesRequest(sqsQueueUrl, attributes);
sqsClient.setQueueAttributes(request);
logger.info("Created SQS queue: " + sqsQueueARN + " @ " + sqsQueueUrl);
// subscribe our SQS queue to the SNS:s3MountTest topic
SubscribeResult subscribeResult = snsClient.subscribe(snsTopicARN,"sqs",sqsQueueARN);
snsSubscriptionARN = subscribeResult.getSubscriptionArn();
logger.info("Subscribed for messages from SNS control channel:" + snsTopicARN + " ----> SQS: "+sqsQueueARN);
logger.info("Subscription ARN: " + snsSubscriptionARN);
this.consumerThread = new Thread(this,"ControlChannel msg consumer thread");
this.consumerThread.start();
logger.info("\n-------------------------------------------\n" +
"CONTROL CHANNEL: ALL SNS/SQS resources hooked up OK\n" +
"-------------------------------------------\n");
}
