Separate resource type and resource for IAM policies

app/api/api.go

@@ -696,19 +696,22 @@ func (a *api) start(ctx context.Context) error {
 					{
 						Name:     "$anon",
 						Domain:   "$none",
-						Resource: "fs:/**",
+						Types:    []string{"fs"},
+						Resource: "/**",
 						Actions:  []string{"GET", "HEAD", "OPTIONS"},
 					},
 					{
 						Name:     "$anon",
 						Domain:   "$none",
-						Resource: "api:/api",
+						Types:    []string{"api"},
+						Resource: "/api",
 						Actions:  []string{"GET", "HEAD", "OPTIONS"},
 					},
 					{
 						Name:     "$anon",
 						Domain:   "$none",
-						Resource: "api:/api/v3/widget/process/**",
+						Types:    []string{"api"},
+						Resource: "/api/v3/widget/process/**",
 						Actions:  []string{"GET", "HEAD", "OPTIONS"},
 					},
 				}
@@ -728,7 +731,8 @@ func (a *api) start(ctx context.Context) error {
 					policies = append(policies, iamaccess.Policy{
 						Name:     cfg.Storage.Memory.Auth.Username,
 						Domain:   "$none",
-						Resource: "fs:/memfs/**",
+						Types:    []string{"fs"},
+						Resource: "/memfs/**",
 						Actions:  []string{"ANY"},
 					})
 				}
@@ -753,7 +757,8 @@ func (a *api) start(ctx context.Context) error {
 						policies = append(policies, iamaccess.Policy{
 							Name:     s.Auth.Username,
 							Domain:   "$none",
-							Resource: "fs:" + s.Mountpoint + "/**",
+							Types:    []string{"fs"},
+							Resource: s.Mountpoint + "/**",
 							Actions:  []string{"ANY"},
 						})
 					}
@@ -763,7 +768,8 @@ func (a *api) start(ctx context.Context) error {
 					policies = append(policies, iamaccess.Policy{
 						Name:     "$anon",
 						Domain:   "$none",
-						Resource: "rtmp:/**",
+						Types:    []string{"rtmp"},
+						Resource: "/**",
 						Actions:  []string{"ANY"},
 					})
 				}
@@ -772,7 +778,8 @@ func (a *api) start(ctx context.Context) error {
 					policies = append(policies, iamaccess.Policy{
 						Name:     "$anon",
 						Domain:   "$none",
-						Resource: "srt:**",
+						Types:    []string{"srt"},
+						Resource: "**",
 						Actions:  []string{"ANY"},
 					})
 				}
@@ -789,7 +796,7 @@ func (a *api) start(ctx context.Context) error {
 				}
 
 				for _, policy := range policies {
-					manager.AddPolicy(policy.Name, policy.Domain, policy.Resource, policy.Actions)
+					manager.AddPolicy(policy.Name, policy.Domain, policy.Types, policy.Resource, policy.Actions)
 				}
 			}
 		}

cluster/docs/ClusterAPI_swagger.json

@@ -1134,6 +1134,12 @@
                 },
                 "resource": {
                     "type": "string"
+                },
+                "types": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 }
             }
         },

cluster/docs/ClusterAPI_swagger.yaml

@@ -12,6 +12,10 @@ definitions:
         type: string
       resource:
         type: string
+      types:
+        items:
+          type: string
+        type: array
     type: object
   app.Config:
     properties:

cluster/iam/iam.go

@@ -60,8 +60,8 @@ func (m *manager) apply(op store.Operation) {
 	}
 }
 
-func (m *manager) Enforce(name, domain, resource, action string) bool {
-	return m.iam.Enforce(name, domain, resource, action)
+func (m *manager) Enforce(name, domain, rtype, resource, action string) bool {
+	return m.iam.Enforce(name, domain, rtype, resource, action)
 }
 
 func (m *manager) HasDomain(domain string) bool {
@@ -72,20 +72,20 @@ func (m *manager) ListDomains() []string {
 	return m.iam.ListDomains()
 }
 
-func (m *manager) HasPolicy(name, domain, resource string, actions []string) bool {
-	return m.iam.HasPolicy(name, domain, resource, actions)
+func (m *manager) HasPolicy(name, domain string, types []string, resource string, actions []string) bool {
+	return m.iam.HasPolicy(name, domain, types, resource, actions)
 }
 
-func (m *manager) AddPolicy(name, domain, resource string, actions []string) error {
+func (m *manager) AddPolicy(name, domain string, types []string, resource string, actions []string) error {
 	return ErrClusterMode
 }
 
-func (m *manager) RemovePolicy(name, domain, resource string, actions []string) error {
+func (m *manager) RemovePolicy(name, domain string, types []string, resource string, actions []string) error {
 	return ErrClusterMode
 }
 
-func (m *manager) ListPolicies(name, domain, resource string, actions []string) []access.Policy {
-	return m.iam.ListPolicies(name, domain, resource, actions)
+func (m *manager) ListPolicies(name, domain string, types []string, resource string, actions []string) []access.Policy {
+	return m.iam.ListPolicies(name, domain, types, resource, actions)
 }
 
 func (m *manager) ReloadPolicies() error {

docs/swagger.json

@@ -5681,6 +5681,12 @@
                 },
                 "resource": {
                     "type": "string"
+                },
+                "types": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 }
             }
         },

docs/swagger.yaml

@@ -770,6 +770,10 @@ definitions:
         type: string
       resource:
         type: string
+      types:
+        items:
+          type: string
+        type: array
     type: object
   api.IAMUser:
     properties:

http/api/iam.go

@@ -45,6 +45,7 @@ func (u *IAMUser) Marshal(user identity.User, policies []access.Policy) {
 	for _, p := range policies {
 		u.Policies = append(u.Policies, IAMPolicy{
 			Domain:   p.Domain,
+			Types:    p.Types,
 			Resource: p.Resource,
 			Actions:  p.Actions,
 		})
@@ -84,6 +85,7 @@ func (u *IAMUser) Unmarshal() (identity.User, []access.Policy) {
 		iampolicies = append(iampolicies, access.Policy{
 			Name:     u.Name,
 			Domain:   p.Domain,
+			Types:    p.Types,
 			Resource: p.Resource,
 			Actions:  p.Actions,
 		})
@@ -122,6 +124,7 @@ type IAMAuth0Tenant struct {
 type IAMPolicy struct {
 	Name     string   `json:"name,omitempty"`
 	Domain   string   `json:"domain"`
+	Types    []string `json:"types"`
 	Resource string   `json:"resource"`
 	Actions  []string `json:"actions"`
 }

http/handler/api/cluster_iam.go

@@ -36,12 +36,12 @@ func (h *ClusterHandler) AddIdentity(c echo.Context) error {
 
 	iamuser, iampolicies := user.Unmarshal()
 
-	if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+	if !h.iam.Enforce(ctxuser, domain, "iam", iamuser.Name, "write") {
 		return api.Err(http.StatusForbidden, "", "Not allowed to create user '%s'", iamuser.Name)
 	}
 
 	for _, p := range iampolicies {
-		if !h.iam.Enforce(ctxuser, p.Domain, "iam:"+iamuser.Name, "write") {
+		if !h.iam.Enforce(ctxuser, p.Domain, "iam", iamuser.Name, "write") {
 			return api.Err(http.StatusForbidden, "", "Not allowed to write policy: %v", p)
 		}
 	}
@@ -84,7 +84,7 @@ func (h *ClusterHandler) UpdateIdentity(c echo.Context) error {
 	domain := util.DefaultQuery(c, "domain", "")
 	name := util.PathParam(c, "name")
 
-	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+	if !h.iam.Enforce(ctxuser, domain, "iam", name, "write") {
 		return api.Err(http.StatusForbidden, "", "not allowed to modify this user")
 	}
 
@@ -102,7 +102,7 @@ func (h *ClusterHandler) UpdateIdentity(c echo.Context) error {
 		}
 	}
 
-	iampolicies := h.iam.ListPolicies(name, "", "", nil)
+	iampolicies := h.iam.ListPolicies(name, "", nil, "", nil)
 
 	user := api.IAMUser{}
 	user.Marshal(iamuser, iampolicies)
@@ -113,12 +113,12 @@ func (h *ClusterHandler) UpdateIdentity(c echo.Context) error {
 
 	iamuser, iampolicies = user.Unmarshal()
 
-	if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+	if !h.iam.Enforce(ctxuser, domain, "iam", iamuser.Name, "write") {
 		return api.Err(http.StatusForbidden, "", "not allowed to create user '%s'", iamuser.Name)
 	}
 
 	for _, p := range iampolicies {
-		if !h.iam.Enforce(ctxuser, p.Domain, "iam:"+iamuser.Name, "write") {
+		if !h.iam.Enforce(ctxuser, p.Domain, "iam", iamuser.Name, "write") {
 			return api.Err(http.StatusForbidden, "", "not allowed to write policy: %v", p)
 		}
 	}
@@ -165,7 +165,7 @@ func (h *ClusterHandler) UpdateIdentityPolicies(c echo.Context) error {
 	domain := util.DefaultQuery(c, "domain", "")
 	name := util.PathParam(c, "name")
 
-	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+	if !h.iam.Enforce(ctxuser, domain, "iam", name, "write") {
 		return api.Err(http.StatusForbidden, "", "not allowed to modify this user")
 	}
 
@@ -199,7 +199,7 @@ func (h *ClusterHandler) UpdateIdentityPolicies(c echo.Context) error {
 	accessPolicies := []access.Policy{}
 
 	for _, p := range policies {
-		if !h.iam.Enforce(ctxuser, p.Domain, "iam:"+iamuser.Name, "write") {
+		if !h.iam.Enforce(ctxuser, p.Domain, "iam", iamuser.Name, "write") {
 			return api.Err(http.StatusForbidden, "", "not allowed to write policy: %v", p)
 		}
 
@@ -265,17 +265,17 @@ func (h *ClusterHandler) ListIdentities(c echo.Context) error {
 	users := make([]api.IAMUser, len(identities)+1)
 
 	for i, iamuser := range identities {
-		if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "read") {
+		if !h.iam.Enforce(ctxuser, domain, "iam", iamuser.Name, "read") {
 			continue
 		}
 
-		if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+		if !h.iam.Enforce(ctxuser, domain, "iam", iamuser.Name, "write") {
 			iamuser = identity.User{
 				Name: iamuser.Name,
 			}
 		}
 
-		policies := h.iam.ListPolicies(iamuser.Name, "", "", nil)
+		policies := h.iam.ListPolicies(iamuser.Name, "", nil, "", nil)
 
 		users[i].Marshal(iamuser, policies)
 	}
@@ -284,7 +284,7 @@ func (h *ClusterHandler) ListIdentities(c echo.Context) error {
 		Name: "$anon",
 	}
 
-	policies := h.iam.ListPolicies("$anon", "", "", nil)
+	policies := h.iam.ListPolicies("$anon", "", nil, "", nil)
 
 	users[len(users)-1].Marshal(anon, policies)
 
@@ -307,7 +307,7 @@ func (h *ClusterHandler) ListIdentity(c echo.Context) error {
 	domain := util.DefaultQuery(c, "domain", "")
 	name := util.PathParam(c, "name")
 
-	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "read") {
+	if !h.iam.Enforce(ctxuser, domain, "iam", name, "read") {
 		return api.Err(http.StatusForbidden, "", "Not allowed to access this user")
 	}
 
@@ -321,7 +321,7 @@ func (h *ClusterHandler) ListIdentity(c echo.Context) error {
 		}
 
 		if ctxuser != iamuser.Name {
-			if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+			if !h.iam.Enforce(ctxuser, domain, "iam", name, "write") {
 				iamuser = identity.User{
 					Name: iamuser.Name,
 				}
@@ -333,7 +333,7 @@ func (h *ClusterHandler) ListIdentity(c echo.Context) error {
 		}
 	}
 
-	iampolicies := h.iam.ListPolicies(name, "", "", nil)
+	iampolicies := h.iam.ListPolicies(name, "", nil, "", nil)
 
 	user := api.IAMUser{}
 	user.Marshal(iamuser, iampolicies)
@@ -351,7 +351,7 @@ func (h *ClusterHandler) ListIdentity(c echo.Context) error {
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/iam/policies [get]
 func (h *ClusterHandler) ListPolicies(c echo.Context) error {
-	iampolicies := h.iam.ListPolicies("", "", "", nil)
+	iampolicies := h.iam.ListPolicies("", "", nil, "", nil)
 
 	policies := []api.IAMPolicy{}
 
@@ -385,7 +385,7 @@ func (h *ClusterHandler) RemoveIdentity(c echo.Context) error {
 	domain := util.DefaultQuery(c, "domain", "$none")
 	name := util.PathParam(c, "name")
 
-	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+	if !h.iam.Enforce(ctxuser, domain, "iam", name, "write") {
 		return api.Err(http.StatusForbidden, "", "Not allowed to delete this user")
 	}
 

http/handler/api/cluster_node.go

@@ -194,7 +194,7 @@ func (h *ClusterHandler) ListNodeProcesses(c echo.Context) error {
 	processes := []clientapi.Process{}
 
 	for _, p := range procs {
-		if !h.iam.Enforce(ctxuser, domain, "process:"+p.Config.ID, "read") {
+		if !h.iam.Enforce(ctxuser, domain, "process", p.Config.ID, "read") {
 			continue
 		}