List of usage examples for com.amazonaws.auth.policy Statement setResources
public void setResources(Collection<Resource> resources)
From source file:com.netflix.conductor.contribs.queue.sqs.SQSObservableQueue.java
License:Apache License
private String getPolicy(List<String> accountIds) { Policy policy = new Policy("ReloadedWorkerAccessPolicy"); Statement stmt = new Statement(Effect.Allow); Action action = SQSActions.SendMessage; stmt.getActions().add(action);//from w w w. java 2s. com stmt.setResources(new LinkedList<>()); for (String accountId : accountIds) { Principal principal = new Principal(accountId); stmt.getPrincipals().add(principal); } stmt.getResources().add(new Resource(getQueueARN())); policy.getStatements().add(stmt); return policy.toJson(); }
From source file:com.netflix.spinnaker.clouddriver.aws.lifecycle.InstanceTerminationLifecycleAgent.java
License:Apache License
private static Policy buildSNSPolicy(ARN topicARN, List<String> allAccountIds) { Statement statement = new Statement(Statement.Effect.Allow).withActions(SNSActions.Publish); statement.setPrincipals(allAccountIds.stream().map(Principal::new).collect(Collectors.toList())); statement.setResources(Collections.singletonList(new Resource(topicARN.arn))); return new Policy("allow-remote-account-send", Collections.singletonList(statement)); }
From source file:com.netflix.spinnaker.clouddriver.aws.lifecycle.InstanceTerminationLifecycleAgent.java
License:Apache License
private static Policy buildSQSPolicy(ARN queue, ARN topic) { Statement statement = new Statement(Statement.Effect.Allow).withActions(SQSActions.SendMessage); statement.setPrincipals(Principal.All); statement.setResources(Collections.singletonList(new Resource(queue.arn))); statement.setConditions(Collections.singletonList( new Condition().withType("ArnEquals").withConditionKey("aws:SourceArn").withValues(topic.arn))); return new Policy("allow-sns-topic-send", Collections.singletonList(statement)); }
From source file:com.netflix.spinnaker.clouddriver.aws.lifecycle.InstanceTerminationLifecycleWorker.java
License:Apache License
/** * This policy allows operators to choose whether or not to have lifecycle hooks to be sent via SNS for fanout, or * be sent directly to an SQS queue from the autoscaling group. *//*from w ww . j a v a 2s . c o m*/ private static Policy buildSQSPolicy(ARN queue, ARN topic, Set<String> terminatingRoleArns) { Statement snsStatement = new Statement(Effect.Allow).withActions(SQSActions.SendMessage); snsStatement.setPrincipals(Principal.All); snsStatement.setResources(Collections.singletonList(new Resource(queue.arn))); snsStatement.setConditions(Collections.singletonList( new Condition().withType("ArnEquals").withConditionKey("aws:SourceArn").withValues(topic.arn))); Statement sqsStatement = new Statement(Effect.Allow).withActions(SQSActions.SendMessage, SQSActions.GetQueueUrl); sqsStatement.setPrincipals(terminatingRoleArns.stream().map(Principal::new).collect(Collectors.toList())); sqsStatement.setResources(Collections.singletonList(new Resource(queue.arn))); return new Policy("allow-sns-or-sqs-send", Arrays.asList(snsStatement, sqsStatement)); }
From source file:com.netflix.spinnaker.echo.pubsub.amazon.SQSSubscriber.java
License:Apache License
/** * This policy allows operators to choose whether or not to have pubsub messages to be sent via SNS for fanout, or * be sent directly to an SQS queue from the autoscaling group. *//*from w ww . j a v a2 s .c om*/ private static Policy buildSQSPolicy(ARN queue, ARN topic) { Statement snsStatement = new Statement(Statement.Effect.Allow).withActions(SQSActions.SendMessage); snsStatement.setPrincipals(Principal.All); snsStatement.setResources(Collections.singletonList(new Resource(queue.getArn()))); snsStatement.setConditions(Collections.singletonList(new Condition().withType("ArnEquals") .withConditionKey("aws:SourceArn").withValues(topic.getArn()))); Statement sqsStatement = new Statement(Statement.Effect.Allow).withActions(SQSActions.SendMessage, SQSActions.GetQueueUrl); sqsStatement.setPrincipals(Principal.All); sqsStatement.setResources(Collections.singletonList(new Resource(queue.getArn()))); return new Policy("allow-sns-or-sqs-send", Arrays.asList(snsStatement, sqsStatement)); }
From source file:com.netflix.spinnaker.front50.model.TemporarySQSQueue.java
License:Apache License
private TemporaryQueue createQueue(String snsTopicArn, String sqsQueueArn, String sqsQueueName) { String sqsQueueUrl = amazonSQS.createQueue(new CreateQueueRequest().withQueueName(sqsQueueName) .withAttributes(Collections.singletonMap("MessageRetentionPeriod", "60")) // 60s message retention ).getQueueUrl();// w w w. ja v a 2 s.c om log.info("Created Temporary S3 Notification Queue: {}", value("queue", sqsQueueUrl)); String snsTopicSubscriptionArn = amazonSNS.subscribe(snsTopicArn, "sqs", sqsQueueArn).getSubscriptionArn(); Statement snsStatement = new Statement(Statement.Effect.Allow).withActions(SQSActions.SendMessage); snsStatement.setPrincipals(Principal.All); snsStatement.setResources(Collections.singletonList(new Resource(sqsQueueArn))); snsStatement.setConditions(Collections.singletonList( new Condition().withType("ArnEquals").withConditionKey("aws:SourceArn").withValues(snsTopicArn))); Policy allowSnsPolicy = new Policy("allow-sns", Collections.singletonList(snsStatement)); HashMap<String, String> attributes = new HashMap<>(); attributes.put("Policy", allowSnsPolicy.toJson()); amazonSQS.setQueueAttributes(sqsQueueUrl, attributes); return new TemporaryQueue(snsTopicArn, sqsQueueArn, sqsQueueUrl, snsTopicSubscriptionArn); }
From source file:com.netflix.spinnaker.kork.aws.pubsub.PubSubUtils.java
License:Apache License
/** * This policy allows messages to be sent from an SNS topic. *//*from w w w . ja v a2s. c om*/ public static Policy buildSQSPolicy(ARN queue, ARN topic) { Statement snsStatement = new Statement(Statement.Effect.Allow).withActions(SQSActions.SendMessage); snsStatement.setPrincipals(Principal.All); snsStatement.setResources(Collections.singletonList(new Resource(queue.getArn()))); snsStatement.setConditions(Collections.singletonList(new Condition().withType("ArnEquals") .withConditionKey("aws:SourceArn").withValues(topic.getArn()))); return new Policy("allow-sns-send", Collections.singletonList(snsStatement)); }
From source file:n3phele.storage.s3.CloudStorageImpl.java
License:Open Source License
public boolean setPermissions(Repository repo, String filename, boolean isPublic) { String bucket = repo.getRoot(); Credential credential = repo.getCredential().decrypt(); AmazonS3Client s3 = new AmazonS3Client( new BasicAWSCredentials(credential.getAccount(), credential.getSecret())); String key = new S3ObjectResource(bucket, filename).getId(); boolean inserted = false; s3.setEndpoint(repo.getTarget().toString()); try {/*w ww .ja va2 s.c o m*/ List<Statement> statements = new ArrayList<Statement>(); Policy policy = null; BucketPolicy bp = s3.getBucketPolicy(repo.getRoot()); if (bp != null && bp.getPolicyText() != null) { log.info("Policy text " + bp.getPolicyText()); policy = PolicyHelper.parse(bp.getPolicyText()); log.info("Policy object is " + (policy == null ? null : policy.toJson())); if (policy != null) { if (policy.getStatements() != null) { for (Statement statement : policy.getStatements()) { if (statement.getId().equals("n3phele")) { List<com.amazonaws.auth.policy.Resource> resources = statement.getResources(); List<com.amazonaws.auth.policy.Resource> update = new ArrayList<com.amazonaws.auth.policy.Resource>(); if (resources != null) { for (com.amazonaws.auth.policy.Resource resource : resources) { String resourceName = resource.getId(); if (resourceName.endsWith("*")) { resourceName = resourceName.substring(0, resourceName.length() - 1); } if (!(resourceName + "/").startsWith(key + "/")) { update.add(resource); } else { log.info("Removing " + resource.getId()); } } } if (isPublic && !inserted) update.add(new S3ObjectResource(repo.getRoot(), filename + "*")); if (update.size() > 0) { statement.setResources(update); statements.add(statement); } inserted = true; } else { statements.add(statement); } } } if (!inserted && isPublic) { Statement statement = new Statement(Effect.Allow); statement.setId("n3phele"); statement.setPrincipals(Arrays.asList(new Principal("*"))); statement.setActions(Arrays.asList((Action) S3Actions.GetObject)); statement.setResources(Arrays .asList((com.amazonaws.auth.policy.Resource) new S3ObjectResource(repo.getRoot(), filename + "*"))); statements.add(statement); } } } if (policy == null && isPublic) { policy = new Policy("n3phele-" + repo.getRoot()); Statement statement = new Statement(Effect.Allow); statement.setId("n3phele"); statement.setPrincipals(Arrays.asList(new Principal("*"))); statement.setActions(Arrays.asList((Action) S3Actions.GetObject)); statement.setResources(Arrays.asList( (com.amazonaws.auth.policy.Resource) new S3ObjectResource(repo.getRoot(), filename + "*"))); statements.add(statement); } if (policy != null) { if (statements.size() != 0) { policy.setStatements(statements); s3.setBucketPolicy(repo.getRoot(), policy.toJson()); log.info("Set policy " + policy.toJson()); } else { s3.deleteBucketPolicy(repo.getRoot()); } } return true; } catch (AmazonServiceException e) { log.log(Level.WARNING, "Service Error processing " + repo, e); } catch (AmazonClientException e) { log.log(Level.SEVERE, "Client Error processing " + repo, e); } catch (IllegalArgumentException e) { log.log(Level.SEVERE, "parse error ", e); log.log(Level.SEVERE, "cause", e.getCause()); } return false; }
From source file:n3phele.storage.s3.PolicyHelper.java
License:Open Source License
public static Policy parse(String s) { Policy result = null;/*w ww .j av a 2s.com*/ try { JSONObject jo = new JSONObject(s); String id = jo.getString("Id"); result = new Policy(id); JSONArray statementArray = jo.getJSONArray("Statement"); List<Statement> statements = new ArrayList<Statement>(); if (statementArray != null) { for (int i = 0; i < statementArray.length(); i++) { JSONObject js = statementArray.getJSONObject(i); Statement statement = new Statement(Effect.valueOf((js.getString("Effect")))); String sid = js.getString("Sid"); statement.setId(sid); if (js.has("Action")) statement.setActions(parseActions(js.get("Action"))); if (js.has("Resource")) statement.setResources(parseResources(js.get("Resource"))); if (js.has("Principal")) statement.setPrincipals(parsePrincipal(js.get("Principal"))); if (js.has("Condition")) statement.setConditions(parseCondition(js.get("Condition"))); statements.add(statement); } result.setStatements(statements); } } catch (JSONException e) { log.log(Level.SEVERE, "error parsing policy", e); } return result; }
From source file:org.applicationMigrator.userManagement.UserManagementWorker.java
License:Apache License
public void grantPermissions(CreateUserRequest user, AmazonIdentityManagementClient client) { Resource resource = new Resource(BUCKET_NAME + "/" + user.getUserName() + "/*"); Statement statement = new Statement(Effect.Allow); Action deleteObjectAction = S3Actions.DeleteObject; Action getObjectaAction = S3Actions.GetObject; Action putObjectAction = S3Actions.PutObject; Collection<Action> actions = new ArrayList<Action>(); actions.add(deleteObjectAction);// ww w .j a v a2 s.c o m actions.add(getObjectaAction); actions.add(putObjectAction); statement.setActions(actions); Collection<Resource> resources = new ArrayList<Resource>(); resources.add(resource); statement.setResources(resources); Policy userPolicy = new Policy(); Collection<Statement> statements = new ArrayList<Statement>(); statements.add(statement); userPolicy.setStatements(statements); PutUserPolicyRequest putUserPolicyRequest = new PutUserPolicyRequest(); putUserPolicyRequest.setPolicyDocument(userPolicy.toJson()); putUserPolicyRequest.setPolicyName(new Date().getTime() + "Policy"); putUserPolicyRequest.setUserName(user.getUserName()); client.putUserPolicy(putUserPolicyRequest); }