RolePolicies (Apache Hadoop Amazon Web Services support 3.4.0 API)

java.lang.Object
- org.apache.hadoop.fs.s3a.auth.RolePolicies

@InterfaceAudience.LimitedPrivate(value="Tests")
 @InterfaceStability.Unstable
public final class RolePolicies
extends Object

Operations, statements and policies covering the operations needed to work with S3.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`KMS_ALL_KEYS` Arn for all KMS keys: "*".
`static String`	`KMS_ALL_OPERATIONS` All KMS operations: "kms:*".
`static String`	`KMS_DECRYPT` Decrypt data encrypted with SSE-KMS: "kms:Decrypt".
`static String`	`KMS_ENCRYPT` KMS encryption.
`static String`	`KMS_GENERATE_DATA_KEY` This is used by S3 to generate a per-object encryption key and the encrypted value of this, the latter being what it tags the object with for later decryption: "kms:GenerateDataKey".
`static String`	`S3_ABORT_MULTIPART_UPLOAD` Abort multipart upload is needed for the S3A Commit protocols.
`static String`	`S3_ALL_BUCKETS` All S3 buckets: "arn:aws:s3:::*".
`static String`	`S3_ALL_DELETE` All s3:Delete* operations.
`static String`	`S3_ALL_GET` All s3:Get* operations.
`static String`	`S3_ALL_OPERATIONS` All S3 operations: "s3:*".
`static String`	`S3_ALL_PUT` S3 Put*.
`static String`	`S3_BUCKET_ALL_LIST` All bucket list operations, including `S3_BUCKET_LIST_BUCKET` and `S3_BUCKET_LIST_MULTIPART_UPLOADS`.
`static String`	`S3_BUCKET_LIST_BUCKET` List the contents of a bucket.
`static String`	`S3_BUCKET_LIST_MULTIPART_UPLOADS` This is used by the abort operation in S3A commit work.
`static String[]`	`S3_BUCKET_READ_OPERATIONS` Policies which can be applied to bucket resources for read operations.
`static String`	`S3_DELETE_OBJECT`
`static String`	`S3_DELETE_OBJECT_TAGGING`
`static String`	`S3_DELETE_OBJECT_VERSION`
`static String`	`S3_DELETE_OBJECT_VERSION_TAGGING`
`static String`	`S3_GET_BUCKET_LOCATION`
`static String`	`S3_GET_OBJECT`
`static String`	`S3_GET_OBJECT_ACL`
`static String`	`S3_GET_OBJECT_TAGGING`
`static String`	`S3_GET_OBJECT_TORRENT`
`static String`	`S3_GET_OBJECT_VERSION`
`static String`	`S3_GET_OBJECT_VERSION_ACL`
`static String`	`S3_GET_OBJECT_VERSION_TAGGING`
`static String`	`S3_GET_OBJECT_VERSION_TORRENT`
`static String`	`S3_LIST_MULTIPART_UPLOAD_PARTS` List multipart upload is needed for the S3A Commit protocols.
`static List<String>`	`S3_PATH_RW_OPERATIONS` Actions needed to write data to an S3A Path.
`static List<String>`	`S3_PATH_WRITE_OPERATIONS` Actions needed to write data to an S3A Path.
`static String`	`S3_PUT_OBJECT`
`static String`	`S3_PUT_OBJECT_ACL`
`static String`	`S3_PUT_OBJECT_TAGGING`
`static String`	`S3_PUT_OBJECT_VERSION_ACL`
`static String`	`S3_PUT_OBJECT_VERSION_TAGGING`
`static String`	`S3_RESTORE_OBJECT`
`static List<String>`	`S3_ROOT_READ_OPERATIONS_LIST`
`static List<String>`	`S3_ROOT_RW_OPERATIONS` Actions needed for R/W IO from the root of a bucket.
`static String`	`S3EXPRESS_CREATE_SESSION_POLICY` S3Express session permission; required unless sessions are disabled.
`static RoleModel.Statement`	`STATEMENT_ALL_S3` Allow all S3 Operations.
`static RoleModel.Statement`	`STATEMENT_ALL_S3_GET_BUCKET_LOCATION` The s3:GetBucketLocation permission is for all buckets, not for any named bucket, which complicates permissions.
`static RoleModel.Statement`	`STATEMENT_ALLOW_KMS_RW` Statement to allow KMS R/W access access, so full use of SSE-KMS.
`static RoleModel.Statement`	`STATEMENT_ALLOW_SSE_KMS_READ` Statement to allow read access to KMS keys, so the ability to read SSE-KMS data,, but not decrypt it.

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static List<RoleModel.Statement>`	`allowS3Operations(String bucket, boolean write)` From an S3 bucket name, build an ARN to refer to it.
`static String`	`bucketObjectsToArn(String bucket)` From an S3 bucket name, build an ARN to refer to all objects in it.
`static String`	`bucketToArn(String bucket)` From an S3 bucket name, build an ARN to refer to it.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - KMS_ALL_OPERATIONS
```
public static final String KMS_ALL_OPERATIONS
```
    All KMS operations: "kms:*".
    
    See Also:
    
    Constant Field Values
  - KMS_ENCRYPT
```
public static final String KMS_ENCRYPT
```
    KMS encryption. This is Not used by SSE-KMS: "kms:Encrypt".
    
    See Also:
    
    Constant Field Values
  - KMS_DECRYPT
```
public static final String KMS_DECRYPT
```
    Decrypt data encrypted with SSE-KMS: "kms:Decrypt".
    
    See Also:
    
    Constant Field Values
  - KMS_ALL_KEYS
```
public static final String KMS_ALL_KEYS
```
    Arn for all KMS keys: "*".
    
    See Also:
    
    Constant Field Values
  - KMS_GENERATE_DATA_KEY
```
public static final String KMS_GENERATE_DATA_KEY
```
    This is used by S3 to generate a per-object encryption key and the encrypted value of this, the latter being what it tags the object with for later decryption: "kms:GenerateDataKey".
    
    See Also:
    
    Constant Field Values
  - STATEMENT_ALLOW_KMS_RW
```
public static final RoleModel.Statement STATEMENT_ALLOW_KMS_RW
```
    Statement to allow KMS R/W access access, so full use of SSE-KMS.
  - STATEMENT_ALLOW_SSE_KMS_READ
```
public static final RoleModel.Statement STATEMENT_ALLOW_SSE_KMS_READ
```
    Statement to allow read access to KMS keys, so the ability to read SSE-KMS data,, but not decrypt it.
  - S3_ALL_OPERATIONS
```
public static final String S3_ALL_OPERATIONS
```
    All S3 operations: "s3:*".
    
    See Also:
    
    Constant Field Values
  - S3_ALL_BUCKETS
```
public static final String S3_ALL_BUCKETS
```
    All S3 buckets: "arn:aws:s3:::*".
    
    See Also:
    
    Constant Field Values
  - S3_BUCKET_ALL_LIST
```
public static final String S3_BUCKET_ALL_LIST
```
    All bucket list operations, including S3_BUCKET_LIST_BUCKET and S3_BUCKET_LIST_MULTIPART_UPLOADS.
    
    See Also:
    
    Constant Field Values
  - S3_BUCKET_LIST_BUCKET
```
public static final String S3_BUCKET_LIST_BUCKET
```
    List the contents of a bucket. It applies to a bucket, not to a path in a bucket.
    
    See Also:
    
    Constant Field Values
  - S3_BUCKET_LIST_MULTIPART_UPLOADS
```
public static final String S3_BUCKET_LIST_MULTIPART_UPLOADS
```
    This is used by the abort operation in S3A commit work. It applies to a bucket, not to a path in a bucket.
    
    See Also:
    
    Constant Field Values
  - S3_LIST_MULTIPART_UPLOAD_PARTS
```
public static final String S3_LIST_MULTIPART_UPLOAD_PARTS
```
    List multipart upload is needed for the S3A Commit protocols. It applies to a path in a bucket.
    
    See Also:
    
    Constant Field Values
  - S3_ABORT_MULTIPART_UPLOAD
```
public static final String S3_ABORT_MULTIPART_UPLOAD
```
    Abort multipart upload is needed for the S3A Commit protocols. It applies to a path in a bucket.
    
    See Also:
    
    Constant Field Values
  - S3_ALL_DELETE
```
public static final String S3_ALL_DELETE
```
    All s3:Delete* operations.
    
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT
```
public static final String S3_DELETE_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT_TAGGING
```
public static final String S3_DELETE_OBJECT_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT_VERSION
```
public static final String S3_DELETE_OBJECT_VERSION
```
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT_VERSION_TAGGING
```
public static final String S3_DELETE_OBJECT_VERSION_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_ALL_GET
```
public static final String S3_ALL_GET
```
    All s3:Get* operations.
    
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT
```
public static final String S3_GET_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_ACL
```
public static final String S3_GET_OBJECT_ACL
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_TAGGING
```
public static final String S3_GET_OBJECT_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_TORRENT
```
public static final String S3_GET_OBJECT_TORRENT
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION
```
public static final String S3_GET_OBJECT_VERSION
```
    See Also:
    
    Constant Field Values
  - S3_GET_BUCKET_LOCATION
```
public static final String S3_GET_BUCKET_LOCATION
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION_ACL
```
public static final String S3_GET_OBJECT_VERSION_ACL
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION_TAGGING
```
public static final String S3_GET_OBJECT_VERSION_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION_TORRENT
```
public static final String S3_GET_OBJECT_VERSION_TORRENT
```
    See Also:
    
    Constant Field Values
  - S3_ALL_PUT
```
public static final String S3_ALL_PUT
```
    S3 Put*. This covers single an multipart uploads, but not list/abort of the latter.
    
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT
```
public static final String S3_PUT_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_ACL
```
public static final String S3_PUT_OBJECT_ACL
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_TAGGING
```
public static final String S3_PUT_OBJECT_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_VERSION_ACL
```
public static final String S3_PUT_OBJECT_VERSION_ACL
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_VERSION_TAGGING
```
public static final String S3_PUT_OBJECT_VERSION_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_RESTORE_OBJECT
```
public static final String S3_RESTORE_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3EXPRESS_CREATE_SESSION_POLICY
```
public static final String S3EXPRESS_CREATE_SESSION_POLICY
```
    S3Express session permission; required unless sessions are disabled.
    
    See Also:
    
    Constant Field Values
  - S3_ROOT_READ_OPERATIONS_LIST
```
public static final List<String> S3_ROOT_READ_OPERATIONS_LIST
```
  - S3_BUCKET_READ_OPERATIONS
```
public static final String[] S3_BUCKET_READ_OPERATIONS
```
    Policies which can be applied to bucket resources for read operations.
    1. SSE-KMS key operations
  - S3_PATH_RW_OPERATIONS
```
public static final List<String> S3_PATH_RW_OPERATIONS
```
    Actions needed to write data to an S3A Path. This includes the appropriate read operations, but not SSE-KMS support.
  - S3_PATH_WRITE_OPERATIONS
```
public static final List<String> S3_PATH_WRITE_OPERATIONS
```
    Actions needed to write data to an S3A Path. This is purely the extra operations needed for writing atop of the read operation set. Deny these and a path is still readable, but not writeable. Excludes: bucket-ARN and SSE-KMS permissions.
  - S3_ROOT_RW_OPERATIONS
```
public static final List<String> S3_ROOT_RW_OPERATIONS
```
    Actions needed for R/W IO from the root of a bucket. Excludes: bucket-ARN and SSE-KMS permissions.
  - STATEMENT_ALL_S3
```
public static final RoleModel.Statement STATEMENT_ALL_S3
```
    Allow all S3 Operations. This does not cover S3-KMS
  - STATEMENT_ALL_S3_GET_BUCKET_LOCATION
```
public static final RoleModel.Statement STATEMENT_ALL_S3_GET_BUCKET_LOCATION
```
    The s3:GetBucketLocation permission is for all buckets, not for any named bucket, which complicates permissions.
- Method Detail
  - allowS3Operations
```
public static List<RoleModel.Statement> allowS3Operations(String bucket,
                                                          boolean write)
```
    From an S3 bucket name, build an ARN to refer to it.
    
    Parameters:
    
    bucket - bucket name.
    
    write - are write permissions required
    
    Returns:
    
    return statement granting access.
  - bucketObjectsToArn
```
public static String bucketObjectsToArn(String bucket)
```
    From an S3 bucket name, build an ARN to refer to all objects in it.
    
    Parameters:
    
    bucket - bucket name.
    
    Returns:
    
    return the ARN to use in statements.
  - bucketToArn
```
public static String bucketToArn(String bucket)
```
    From an S3 bucket name, build an ARN to refer to it.
    
    Parameters:
    
    bucket - bucket name.
    
    Returns:
    
    return the ARN to use in statements.

Class RolePolicies

Field Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

KMS_ALL_OPERATIONS

KMS_ENCRYPT

KMS_DECRYPT

KMS_ALL_KEYS

KMS_GENERATE_DATA_KEY

STATEMENT_ALLOW_KMS_RW

STATEMENT_ALLOW_SSE_KMS_READ

S3_ALL_OPERATIONS

S3_ALL_BUCKETS

S3_BUCKET_ALL_LIST

S3_BUCKET_LIST_BUCKET

S3_BUCKET_LIST_MULTIPART_UPLOADS

S3_LIST_MULTIPART_UPLOAD_PARTS

S3_ABORT_MULTIPART_UPLOAD

S3_ALL_DELETE

S3_DELETE_OBJECT

S3_DELETE_OBJECT_TAGGING

S3_DELETE_OBJECT_VERSION

S3_DELETE_OBJECT_VERSION_TAGGING

S3_ALL_GET

S3_GET_OBJECT

S3_GET_OBJECT_ACL

S3_GET_OBJECT_TAGGING

S3_GET_OBJECT_TORRENT

S3_GET_OBJECT_VERSION

S3_GET_BUCKET_LOCATION

S3_GET_OBJECT_VERSION_ACL

S3_GET_OBJECT_VERSION_TAGGING

S3_GET_OBJECT_VERSION_TORRENT

S3_ALL_PUT

S3_PUT_OBJECT

S3_PUT_OBJECT_ACL

S3_PUT_OBJECT_TAGGING

S3_PUT_OBJECT_VERSION_ACL

S3_PUT_OBJECT_VERSION_TAGGING

S3_RESTORE_OBJECT

S3EXPRESS_CREATE_SESSION_POLICY

S3_ROOT_READ_OPERATIONS_LIST

S3_BUCKET_READ_OPERATIONS

S3_PATH_RW_OPERATIONS

S3_PATH_WRITE_OPERATIONS

S3_ROOT_RW_OPERATIONS

STATEMENT_ALL_S3

STATEMENT_ALL_S3_GET_BUCKET_LOCATION

Method Detail

allowS3Operations

bucketObjectsToArn

bucketToArn