Add object retention at the per object (#8528)

level - this PR builds on #8120 which added PutBucketObjectLockConfiguration and GetBucketObjectLockConfiguration APIS This PR implements PutObjectRetention, GetObjectRetention API and enhances PUT and GET API operations to display governance metadata if permissions allow.
2025-11-10 05:59:43 -05:00 · 2019-11-20 13:18:09 -08:00
parent cc1a84b62e
commit ca96560d56
25 changed files with 826 additions and 194 deletions
--- a/pkg/event/name.go
+++ b/pkg/event/name.go
@@ -29,12 +29,14 @@ type Name int
 const (
 	ObjectAccessedAll Name = 1 + iota
 	ObjectAccessedGet
+	ObjectAccessedGetRetention
 	ObjectAccessedHead
 	ObjectCreatedAll
 	ObjectCreatedCompleteMultipartUpload
 	ObjectCreatedCopy
 	ObjectCreatedPost
 	ObjectCreatedPut
+	ObjectCreatedPutRetention
 	ObjectRemovedAll
 	ObjectRemovedDelete
 )
@@ -43,9 +45,9 @@ const (
 func (name Name) Expand() []Name {
 	switch name {
 	case ObjectAccessedAll:
-		return []Name{ObjectAccessedGet, ObjectAccessedHead}
+		return []Name{ObjectAccessedGet, ObjectAccessedHead, ObjectAccessedGetRetention}
 	case ObjectCreatedAll:
-		return []Name{ObjectCreatedCompleteMultipartUpload, ObjectCreatedCopy, ObjectCreatedPost, ObjectCreatedPut}
+		return []Name{ObjectCreatedCompleteMultipartUpload, ObjectCreatedCopy, ObjectCreatedPost, ObjectCreatedPut, ObjectCreatedPutRetention}
 	case ObjectRemovedAll:
 		return []Name{ObjectRemovedDelete}
 	default:
@@ -60,6 +62,8 @@ func (name Name) String() string {
 		return "s3:ObjectAccessed:*"
 	case ObjectAccessedGet:
 		return "s3:ObjectAccessed:Get"
+	case ObjectAccessedGetRetention:
+		return "s3:ObjectAccessed:GetRetention"
 	case ObjectAccessedHead:
 		return "s3:ObjectAccessed:Head"
 	case ObjectCreatedAll:
@@ -72,6 +76,8 @@ func (name Name) String() string {
 		return "s3:ObjectCreated:Post"
 	case ObjectCreatedPut:
 		return "s3:ObjectCreated:Put"
+	case ObjectCreatedPutRetention:
+		return "s3:ObjectAccessed:PutRetention"
 	case ObjectRemovedAll:
 		return "s3:ObjectRemoved:*"
 	case ObjectRemovedDelete:
@@ -130,6 +136,8 @@ func ParseName(s string) (Name, error) {
 		return ObjectAccessedAll, nil
 	case "s3:ObjectAccessed:Get":
 		return ObjectAccessedGet, nil
+	case "s3:ObjectAccessed:GetRetention":
+		return ObjectAccessedGetRetention, nil
 	case "s3:ObjectAccessed:Head":
 		return ObjectAccessedHead, nil
 	case "s3:ObjectCreated:*":
@@ -142,6 +150,8 @@ func ParseName(s string) (Name, error) {
 		return ObjectCreatedPost, nil
 	case "s3:ObjectCreated:Put":
 		return ObjectCreatedPut, nil
+	case "s3:ObjectCreated:PutRetention":
+		return ObjectCreatedPutRetention, nil
 	case "s3:ObjectRemoved:*":
 		return ObjectRemovedAll, nil
 	case "s3:ObjectRemoved:Delete":
--- a/pkg/event/target/elasticsearch.go
+++ b/pkg/event/target/elasticsearch.go
@@ -146,7 +146,6 @@ func (target *ElasticsearchTarget) send(eventData event.Event) error {
 		} else {
 			err = update()
 		}
-
 		return err
 	}

--- a/pkg/iam/policy/action.go
+++ b/pkg/iam/policy/action.go
@@ -91,33 +91,57 @@ const (
 	// PutObjectAction - PutObject Rest API action.
 	PutObjectAction = "s3:PutObject"

+	// BypassGovernanceModeAction - bypass governance mode for DeleteObject Rest API action.
+	BypassGovernanceModeAction = "s3:BypassGovernanceMode"
+
+	// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
+	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"
+
+	// PutObjectRetentionAction - PutObjectRetention Rest API action.
+	PutObjectRetentionAction = "s3:PutObjectRetention"
+
+	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
+	GetObjectRetentionAction = "s3:GetObjectRetention"
+
+	// GetBucketObjectLockConfigurationAction - GetBucketObjectLockConfiguration Rest API action
+	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"
+
+	// PutBucketObjectLockConfigurationAction - PutBucketObjectLockConfiguration Rest API action
+	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"
+
 	// AllActions - all API actions
 	AllActions = "s3:*"
 )

 // List of all supported actions.
 var supportedActions = map[Action]struct{}{
-	AllActions:                       {},
-	AbortMultipartUploadAction:       {},
-	CreateBucketAction:               {},
-	DeleteBucketAction:               {},
-	DeleteBucketPolicyAction:         {},
-	DeleteObjectAction:               {},
-	GetBucketLocationAction:          {},
-	GetBucketNotificationAction:      {},
-	GetBucketPolicyAction:            {},
-	GetObjectAction:                  {},
-	HeadBucketAction:                 {},
-	ListAllMyBucketsAction:           {},
-	ListBucketAction:                 {},
-	ListBucketMultipartUploadsAction: {},
-	ListenBucketNotificationAction:   {},
-	ListMultipartUploadPartsAction:   {},
-	PutBucketNotificationAction:      {},
-	PutBucketPolicyAction:            {},
-	PutObjectAction:                  {},
-	GetBucketLifecycleAction:         {},
-	PutBucketLifecycleAction:         {},
+	AllActions:                             {},
+	AbortMultipartUploadAction:             {},
+	CreateBucketAction:                     {},
+	DeleteBucketAction:                     {},
+	DeleteBucketPolicyAction:               {},
+	DeleteObjectAction:                     {},
+	GetBucketLocationAction:                {},
+	GetBucketNotificationAction:            {},
+	GetBucketPolicyAction:                  {},
+	GetObjectAction:                        {},
+	HeadBucketAction:                       {},
+	ListAllMyBucketsAction:                 {},
+	ListBucketAction:                       {},
+	ListBucketMultipartUploadsAction:       {},
+	ListenBucketNotificationAction:         {},
+	ListMultipartUploadPartsAction:         {},
+	PutBucketNotificationAction:            {},
+	PutBucketPolicyAction:                  {},
+	PutObjectAction:                        {},
+	GetBucketLifecycleAction:               {},
+	PutBucketLifecycleAction:               {},
+	PutObjectRetentionAction:               {},
+	GetObjectRetentionAction:               {},
+	PutBucketObjectLockConfigurationAction: {},
+	GetBucketObjectLockConfigurationAction: {},
+	BypassGovernanceModeAction:             {},
+	BypassGovernanceRetentionAction:        {},
 }

 // isObjectAction - returns whether action is object type or not.
@@ -127,6 +151,10 @@ func (action Action) isObjectAction() bool {
 		fallthrough
 	case ListMultipartUploadPartsAction, PutObjectAction, AllActions:
 		return true
+	case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
+		return true
+	case PutObjectRetentionAction, GetObjectRetentionAction:
+		return true
 	}

 	return false
@@ -238,4 +266,10 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3XAmzMetadataDirective,
 			condition.S3XAmzStorageClass,
 		}, condition.CommonKeys...)...),
+	PutObjectRetentionAction:               condition.NewKeySet(condition.CommonKeys...),
+	GetObjectRetentionAction:               condition.NewKeySet(condition.CommonKeys...),
+	BypassGovernanceModeAction:             condition.NewKeySet(condition.CommonKeys...),
+	BypassGovernanceRetentionAction:        condition.NewKeySet(condition.CommonKeys...),
+	GetBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
+	PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
 }
--- a/pkg/policy/action.go
+++ b/pkg/policy/action.go
@@ -89,6 +89,20 @@ const (

 	// GetBucketLifecycleAction - GetBucketLifecycle Rest API action.
 	GetBucketLifecycleAction = "s3:GetBucketLifecycle"
+
+	// BypassGovernanceModeAction - bypass governance mode for DeleteObject Rest API action.
+	BypassGovernanceModeAction = "s3:BypassGovernanceMode"
+	// BypassGovernanceRetentionAction - bypass governance retention for PutObjectRetention, PutObject and DeleteObject Rest API action.
+	BypassGovernanceRetentionAction = "s3:BypassGovernanceRetention"
+	// PutObjectRetentionAction - PutObjectRetention Rest API action.
+	PutObjectRetentionAction = "s3:PutObjectRetention"
+
+	// GetObjectRetentionAction - GetObjectRetention, GetObject, HeadObject Rest API action.
+	GetObjectRetentionAction = "s3:GetObjectRetention"
+	// GetBucketObjectLockConfigurationAction - GetObjectLockConfiguration Rest API action
+	GetBucketObjectLockConfigurationAction = "s3:GetBucketObjectLockConfiguration"
+	// PutBucketObjectLockConfigurationAction - PutObjectLockConfiguration Rest API action
+	PutBucketObjectLockConfigurationAction = "s3:PutBucketObjectLockConfiguration"
 )

 // isObjectAction - returns whether action is object type or not.
@@ -98,6 +112,10 @@ func (action Action) isObjectAction() bool {
 		fallthrough
 	case ListMultipartUploadPartsAction, PutObjectAction:
 		return true
+	case PutObjectRetentionAction, GetObjectRetentionAction:
+		return true
+	case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
+		return true
 	}

 	return false
@@ -122,6 +140,12 @@ func (action Action) IsValid() bool {
 		fallthrough
 	case PutBucketLifecycleAction, GetBucketLifecycleAction:
 		return true
+	case BypassGovernanceModeAction, BypassGovernanceRetentionAction:
+		return true
+	case PutObjectRetentionAction, GetObjectRetentionAction:
+		return true
+	case PutBucketObjectLockConfigurationAction, GetBucketObjectLockConfigurationAction:
+		return true
 	}

 	return false
@@ -204,4 +228,10 @@ var actionConditionKeyMap = map[Action]condition.KeySet{
 			condition.S3XAmzMetadataDirective,
 			condition.S3XAmzStorageClass,
 		}, condition.CommonKeys...)...),
+	PutObjectRetentionAction:               condition.NewKeySet(condition.CommonKeys...),
+	GetObjectRetentionAction:               condition.NewKeySet(condition.CommonKeys...),
+	BypassGovernanceModeAction:             condition.NewKeySet(condition.CommonKeys...),
+	BypassGovernanceRetentionAction:        condition.NewKeySet(condition.CommonKeys...),
+	GetBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
+	PutBucketObjectLockConfigurationAction: condition.NewKeySet(condition.CommonKeys...),
 }