github-mirrors
/
mirror-seaweedfs


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345
							{
  "sts": {
    "tokenDuration": "1h",
    "maxSessionLength": "12h",
    "issuer": "seaweedfs-sts",
    "signingKey": "dGVzdC1zaWduaW5nLWtleS0zMi1jaGFyYWN0ZXJzLWxvbmc="
  },
  "providers": [
    {
      "name": "test-oidc",
      "type": "mock",
      "config": {
        "issuer": "test-oidc-issuer",
        "clientId": "test-oidc-client"
      }
    },
    {
      "name": "keycloak",
      "type": "oidc",
      "enabled": true,
      "config": {
        "issuer": "http://localhost:8090/realms/seaweedfs-test",
        "clientId": "seaweedfs-s3",
        "clientSecret": "seaweedfs-s3-secret",
        "jwksUri": "http://localhost:8090/realms/seaweedfs-test/protocol/openid-connect/certs",
        "userInfoUri": "http://localhost:8090/realms/seaweedfs-test/protocol/openid-connect/userinfo",
        "scopes": [
          "openid",
          "profile",
          "email"
        ],
        "claimsMapping": {
          "username": "preferred_username",
          "email": "email",
          "name": "name"
        },
        "roleMapping": {
          "rules": [
            {
              "claim": "roles",
              "value": "s3-admin",
              "role": "arn:seaweed:iam::role/KeycloakAdminRole"
            },
            {
              "claim": "roles",
              "value": "s3-read-only",
              "role": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
            },
            {
              "claim": "roles",
              "value": "s3-write-only",
              "role": "arn:seaweed:iam::role/KeycloakWriteOnlyRole"
            },
            {
              "claim": "roles",
              "value": "s3-read-write",
              "role": "arn:seaweed:iam::role/KeycloakReadWriteRole"
            }
          ],
          "defaultRole": "arn:seaweed:iam::role/KeycloakReadOnlyRole"
        }
      }
    }
  ],
  "policy": {
    "defaultEffect": "Deny"
  },
  "roles": [
    {
      "roleName": "TestAdminRole",
      "roleArn": "arn:seaweed:iam::role/TestAdminRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "test-oidc"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3AdminPolicy"
      ],
      "description": "Admin role for testing"
    },
    {
      "roleName": "TestReadOnlyRole",
      "roleArn": "arn:seaweed:iam::role/TestReadOnlyRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "test-oidc"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3ReadOnlyPolicy"
      ],
      "description": "Read-only role for testing"
    },
    {
      "roleName": "TestWriteOnlyRole",
      "roleArn": "arn:seaweed:iam::role/TestWriteOnlyRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "test-oidc"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3WriteOnlyPolicy"
      ],
      "description": "Write-only role for testing"
    },
    {
      "roleName": "KeycloakAdminRole",
      "roleArn": "arn:seaweed:iam::role/KeycloakAdminRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "keycloak"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3AdminPolicy"
      ],
      "description": "Admin role for Keycloak users"
    },
    {
      "roleName": "KeycloakReadOnlyRole",
      "roleArn": "arn:seaweed:iam::role/KeycloakReadOnlyRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "keycloak"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3ReadOnlyPolicy"
      ],
      "description": "Read-only role for Keycloak users"
    },
    {
      "roleName": "KeycloakWriteOnlyRole",
      "roleArn": "arn:seaweed:iam::role/KeycloakWriteOnlyRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "keycloak"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3WriteOnlyPolicy"
      ],
      "description": "Write-only role for Keycloak users"
    },
    {
      "roleName": "KeycloakReadWriteRole",
      "roleArn": "arn:seaweed:iam::role/KeycloakReadWriteRole",
      "trustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "keycloak"
            },
            "Action": [
              "sts:AssumeRoleWithWebIdentity"
            ]
          }
        ]
      },
      "attachedPolicies": [
        "S3ReadWritePolicy"
      ],
      "description": "Read-write role for Keycloak users"
    }
  ],
  "policies": [
    {
      "name": "S3AdminPolicy",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:*"
            ],
            "Resource": [
              "*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "sts:ValidateSession"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }
    },
    {
      "name": "S3ReadOnlyPolicy",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:seaweed:s3:::*",
              "arn:seaweed:s3:::*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "sts:ValidateSession"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }
    },
    {
      "name": "S3WriteOnlyPolicy",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:*"
            ],
            "Resource": [
              "arn:seaweed:s3:::*",
              "arn:seaweed:s3:::*/*"
            ]
          },
          {
            "Effect": "Deny",
            "Action": [
              "s3:GetObject",
              "s3:ListBucket"
            ],
            "Resource": [
              "arn:seaweed:s3:::*",
              "arn:seaweed:s3:::*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "sts:ValidateSession"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }
    },
    {
      "name": "S3ReadWritePolicy",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:*"
            ],
            "Resource": [
              "arn:seaweed:s3:::*",
              "arn:seaweed:s3:::*/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "sts:ValidateSession"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }
    }
  ]
}