List of usage examples for com.amazonaws.auth.policy.actions S3Actions DeleteObject
S3Actions DeleteObject
From source file:org.applicationMigrator.userManagement.UserManagementWorker.java
License:Apache License
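/**
 * Grants the IAM user named in {@code user} read, write and delete access to its own folder in the
 * application bucket by attaching an inline user policy.
 *
 * <p>Least-privilege shape of the policy: exactly {@code s3:GetObject}, {@code s3:PutObject} and
 * {@code s3:DeleteObject}, and only on the resource {@code BUCKET_NAME + "/" + userName + "/*"},
 * i.e. keys under the user's own prefix. No bucket-level action (such as {@code s3:ListBucket}) is
 * granted. NOTE(review): {@code BUCKET_NAME} is declared outside this block; IAM expects a full S3
 * ARN in the resource element ({@code arn:aws:s3:::bucket}), so confirm the constant carries that
 * prefix rather than a bare bucket name.
 *
 * <p>The inline policy is named {@code <userName>Policy}. {@code PutUserPolicy} adds or replaces an
 * inline policy by name, so repeated calls for the same user overwrite the previous grant instead
 * of leaving one additional inline policy behind per call (the previous implementation derived the
 * name from the current time, which accumulated a new policy on every invocation).
 *
 * @param user   the create-user request whose user name identifies both the IAM principal and the
 *               S3 prefix; must carry a non-empty user name
 * @param client the IAM client used to attach the policy
 * @throws IllegalArgumentException if {@code user} has a null or empty user name
 */
public void grantPermissions(CreateUserRequest user, AmazonIdentityManagementClient client) {
    String userName = user.getUserName();
    // An empty name would scope the policy to BUCKET_NAME//* and fail at IAM anyway;
    // reject it here with a clear message.
    if (userName == null || userName.isEmpty()) {
        throw new IllegalArgumentException("user name must be specified");
    }

    // Object-level actions only, restricted to the user's own prefix.
    Collection<Action> actions = new ArrayList<Action>();
    actions.add(S3Actions.GetObject);
    actions.add(S3Actions.PutObject);
    actions.add(S3Actions.DeleteObject);

    Collection<Resource> resources = new ArrayList<Resource>();
    resources.add(new Resource(BUCKET_NAME + "/" + userName + "/*"));

    Statement statement = new Statement(Effect.Allow);
    statement.setActions(actions);
    statement.setResources(resources);

    Collection<Statement> statements = new ArrayList<Statement>();
    statements.add(statement);
    Policy userPolicy = new Policy();
    userPolicy.setStatements(statements);

    PutUserPolicyRequest putUserPolicyRequest = new PutUserPolicyRequest();
    putUserPolicyRequest.setUserName(userName);
    // Stable per-user name so PutUserPolicy upserts instead of piling up inline policies.
    putUserPolicyRequest.setPolicyName(userName + "Policy");
    putUserPolicyRequest.setPolicyDocument(userPolicy.toJson());
    client.putUserPolicy(putUserPolicyRequest);
}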
From source file:org.finra.herd.service.impl.BusinessObjectDataServiceImpl.java
License:Apache License
/**
 * Issues short-lived STS credentials for reading or writing the S3 objects that belong to one
 * business object data instance in one storage.
 *
 * <p>Permission model, expressed as the policy handed to the STS DAO together with the storage's
 * role ARN (if the DAO applies it as an AssumeRole session policy, as the role argument suggests,
 * it can only narrow what the role itself allows):
 * <ul>
 * <li>Upload: {@code s3:PutObject} and {@code s3:DeleteObject}, plus KMS {@code GenerateDataKey}
 * and {@code Decrypt} when the storage has a KMS key.</li>
 * <li>Download: {@code s3:GetObject}, plus KMS {@code Decrypt} when the storage has a KMS key.</li>
 * <li>Both: the object actions are limited to the S3 key prefix computed for the data key, but
 * {@code ListObjects} is added with no prefix, so the holder can enumerate keys across the whole
 * bucket unless the assumed role restricts listing.</li>
 * </ul>
 * The role ARN, session duration and bucket name are read from storage attributes whose names come
 * from configuration; role ARN and bucket name are mandatory, the duration falls back to the
 * configured default. The STS session name is the data key's namespace. NOTE(review): STS limits
 * session names to {@code [\w+=,.@-]} and 2-64 characters; if namespaces may contain other
 * characters the AssumeRole call fails — confirm upstream validation. The returned credential
 * carries a secret key and session token and must not be logged.
 *
 * @param businessObjectDataKey the business object data key identifying the data
 * @param createNewVersion {@code true} to target the version after the latest one; otherwise the
 * version in the key is used. Must be {@code false} or unset when the key carries a version
 * @param storageName the storage to access; must not be blank
 * @param isUpload {@code true} for write credentials, {@code false} for read credentials
 *
 * @return temporary credentials with the permissions described above and their expiration time
 */
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey,
    Boolean createNewVersion, String storageName, boolean isUpload) {
    Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null,
        "One of businessObjectDataVersion or createNewVersion must be specified.");
    Assert.isTrue(
        businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion),
        "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");

    // Writers get put/delete plus a KMS data-key grant; readers get get plus KMS decrypt only.
    final ConfigurationValue roleArnKey = isUpload ? ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN
        : ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
    final ConfigurationValue defaultDurationKey = isUpload
        ? ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS
        : ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
    final ConfigurationValue durationKey = isUpload
        ? ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS
        : ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_SESSION_DURATION_SECS;
    final S3Actions[] objectActions = isUpload
        ? new S3Actions[] { S3Actions.PutObject, S3Actions.DeleteObject }
        : new S3Actions[] { S3Actions.GetObject };
    final KmsActions[] keyActions = isUpload
        ? new KmsActions[] { KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT }
        : new KmsActions[] { KmsActions.DECRYPT };

    // Resolve the storage and its AWS-facing attributes; role ARN and bucket are required.
    final StorageEntity storage = storageDaoHelper.getStorageEntity(storageName.trim());
    final String roleArn = storageDaoHelper.getStorageAttributeValueByName(
        configurationHelper.getProperty(roleArnKey), storage, true);
    final Integer sessionSeconds = storageDaoHelper.getStorageAttributeIntegerValueByName(
        configurationHelper.getProperty(durationKey), storage,
        configurationHelper.getProperty(defaultDurationKey, Integer.class));
    final String bucket = storageDaoHelper.getStorageAttributeValueByName(
        configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storage, true);
    final S3KeyPrefixInformation prefixInfo = getS3KeyPrefixImpl(businessObjectDataKey, null, createNewVersion);

    // Object actions are prefix-scoped; listing is granted without a prefix (both sides need it).
    final AwsPolicyBuilder policy = new AwsPolicyBuilder()
        .withS3Prefix(bucket, prefixInfo.getS3KeyPrefix(), objectActions)
        .withS3(bucket, null, S3Actions.ListObjects);
    final String kmsKeyId = getStorageKmsKeyId(storage);
    if (kmsKeyId != null) {
        // KMS permissions only when the storage declares a key.
        policy.withKms(kmsKeyId.trim(), keyActions);
    }

    final Credentials sts = stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(),
        businessObjectDataKey.getNamespace(), roleArn, sessionSeconds, policy.build());

    final AwsCredential result = new AwsCredential();
    result.setAwsAccessKey(sts.getAccessKeyId());
    result.setAwsSecretKey(sts.getSecretAccessKey());
    result.setAwsSessionToken(sts.getSessionToken());
    result.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(sts.getExpiration()));
    return result;
}
From source file:org.finra.herd.service.impl.StorageUnitServiceImpl.java
License:Apache License
/**
 * Issues short-lived STS credentials for reading or writing the S3 objects that belong to one
 * business object data instance in one storage.
 *
 * <p>Permission model, expressed as the policy handed to the STS DAO together with the storage's
 * role ARN (if the DAO applies it as an AssumeRole session policy, as the role argument suggests,
 * it can only narrow what the role itself allows):
 * <ul>
 * <li>Upload: {@code s3:PutObject} and {@code s3:DeleteObject}, plus KMS {@code GenerateDataKey}
 * and {@code Decrypt} when the storage has a KMS key.</li>
 * <li>Download: {@code s3:GetObject}, plus KMS {@code Decrypt} when the storage has a KMS key.</li>
 * <li>Both: the object actions are limited to the S3 key prefix computed for the data key and
 * storage, but {@code ListObjects} is added with no prefix, so the holder can enumerate keys across
 * the whole bucket unless the assumed role restricts listing.</li>
 * </ul>
 * The role ARN, session duration and bucket name are read from storage attributes whose names come
 * from configuration; role ARN and bucket name are mandatory, the duration falls back to the
 * configured default. The STS session name is a fresh random UUID: unique per issuance, but it
 * carries no caller identity, so correlating a CloudTrail entry back to the requester has to be
 * done elsewhere (NOTE(review): confirm the caller/UUID pairing is recorded). The returned
 * credential carries a secret key and session token and must not be logged.
 *
 * @param businessObjectDataKey the business object data key identifying the data
 * @param createNewVersion {@code true} to target the version after the latest one; otherwise the
 * version in the key is used. Must be {@code false} or unset when the key carries a version
 * @param storageName the storage to access; must not be blank
 * @param isUpload {@code true} for write credentials, {@code false} for read credentials
 *
 * @return temporary credentials with the permissions described above and their expiration time
 */
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey,
    Boolean createNewVersion, String storageName, boolean isUpload) {
    Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null,
        "One of businessObjectDataVersion or createNewVersion must be specified.");
    Assert.isTrue(
        businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion),
        "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");

    // Writers get put/delete plus a KMS data-key grant; readers get get plus KMS decrypt only.
    final ConfigurationValue roleArnKey = isUpload ? ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN
        : ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
    final ConfigurationValue defaultDurationKey = isUpload
        ? ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS
        : ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
    final ConfigurationValue durationKey = isUpload
        ? ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS
        : ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_SESSION_DURATION_SECS;
    final S3Actions[] objectActions = isUpload
        ? new S3Actions[] { S3Actions.PutObject, S3Actions.DeleteObject }
        : new S3Actions[] { S3Actions.GetObject };
    final KmsActions[] keyActions = isUpload
        ? new KmsActions[] { KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT }
        : new KmsActions[] { KmsActions.DECRYPT };

    // Resolve the storage and its AWS-facing attributes; role ARN and bucket are required.
    final StorageEntity storage = storageDaoHelper.getStorageEntity(storageName.trim());
    final String roleArn = storageHelper.getStorageAttributeValueByName(
        configurationHelper.getProperty(roleArnKey), storage, true);
    final Integer sessionSeconds = storageHelper.getStorageAttributeIntegerValueByName(
        configurationHelper.getProperty(durationKey), storage,
        configurationHelper.getProperty(defaultDurationKey, Integer.class));
    final String bucket = storageHelper.getStorageAttributeValueByName(
        configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storage, true);
    // Note: the untrimmed storageName is passed here, as in the lookup signature this overload expects.
    final S3KeyPrefixInformation prefixInfo =
        getS3KeyPrefixImpl(businessObjectDataKey, null, storageName, createNewVersion);

    // Object actions are prefix-scoped; listing is granted without a prefix (both sides need it).
    final AwsPolicyBuilder policy = new AwsPolicyBuilder()
        .withS3Prefix(bucket, prefixInfo.getS3KeyPrefix(), objectActions)
        .withS3(bucket, null, S3Actions.ListObjects);
    final String kmsKeyId = getStorageKmsKeyId(storage);
    if (kmsKeyId != null) {
        // KMS permissions only when the storage declares a key.
        policy.withKms(kmsKeyId.trim(), keyActions);
    }

    final Credentials sts = stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(),
        UUID.randomUUID().toString(), roleArn, sessionSeconds, policy.build());

    final AwsCredential result = new AwsCredential();
    result.setAwsAccessKey(sts.getAccessKeyId());
    result.setAwsSecretKey(sts.getSecretAccessKey());
    result.setAwsSessionToken(sts.getSessionToken());
    result.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(sts.getExpiration()));
    return result;
}