RolePolicies (Apache Hadoop Amazon Web Services support 3.2.0 API)

java.lang.Object
- org.apache.hadoop.fs.s3a.auth.RolePolicies

```
public final class RolePolicies
extends Object
```
Operations, statements and policies covering the operations needed to work with S3 and S3Guard.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`ALL_DDB_TABLES` All DynamoDB tables: "arn:aws:dynamodb:*".
`static RoleModel.Policy`	`ALLOW_S3_AND_SGUARD` Policy for all S3 and S3Guard operations, and SSE-KMS.
`static String`	`DDB_ADMIN` Operations needed for DDB/S3Guard Admin.
`static String`	`DDB_ALL_OPERATIONS` All DynamoDB operations: "dynamodb:*".
`static String`	`DDB_BATCH_GET_ITEM` Permission for DDB operation: "dynamodb:BatchGetItem".
`static String`	`DDB_BATCH_WRITE_ITEM` Batch write permission for DDB: "dynamodb:BatchWriteItem".
`static String`	`DDB_DELETE_ITEM` Permission for DDB delete operation: "dynamodb:DeleteItem".
`static String`	`DDB_DESCRIBE_TABLE` Permission for DDB describeTable() operation: "dynamodb:DescribeTable".
`static String`	`DDB_GET_ITEM` Permission for DDB operation to get a record: "dynamodb:GetItem".
`static String`	`DDB_PUT_ITEM` Permission for DDB write record operation: "dynamodb:PutItem".
`static String`	`DDB_QUERY` Permission to query the DDB table: "dynamodb:Query".
`static String`	`DDB_UPDATE_ITEM` Permission for DDB update single item operation: "dynamodb:UpdateItem".
`static String`	`KMS_ALL_KEYS` Arn for all KMS keys: "arn:aws:kms:*".
`static String`	`KMS_ALL_OPERATIONS` All KMS operations: "kms:*".
`static String`	`KMS_DECRYPT` Decrypt data encrypted with SSE-KMS: "kms:Decrypt".
`static String`	`KMS_ENCRYPT` KMS encryption.
`static String`	`KMS_GENERATE_DATA_KEY` This is used by S3 to generate a per-object encryption key and the encrypted value of this, the latter being what it tags the object with for later decryption: "kms:GenerateDataKey".
`static String`	`S3_ABORT_MULTIPART_UPLOAD` abort multipart upload is needed for the S3A Commit protocols.
`static String`	`S3_ALL_BUCKETS` All S3 buckets: "arn:aws:s3:::*".
`static String`	`S3_ALL_DELETE` All s3:Delete* operations.
`static String`	`S3_ALL_GET` All s3:Get* operations.
`static String`	`S3_ALL_LIST_BUCKET`
`static String`	`S3_ALL_LIST_OPERATIONS`
`static String`	`S3_ALL_OPERATIONS` All S3 operations: "s3:*".
`static String`	`S3_ALL_PUT` S3 Put*.
`static String`	`S3_DELETE_OBJECT`
`static String`	`S3_DELETE_OBJECT_TAGGING`
`static String`	`S3_DELETE_OBJECT_VERSION`
`static String`	`S3_DELETE_OBJECT_VERSION_TAGGING`
`static String`	`S3_GET_BUCKET_LOCATION`
`static String`	`S3_GET_OBJECT`
`static String`	`S3_GET_OBJECT_ACL`
`static String`	`S3_GET_OBJECT_TAGGING`
`static String`	`S3_GET_OBJECT_TORRENT`
`static String`	`S3_GET_OBJECT_VERSION`
`static String`	`S3_GET_OBJECT_VERSION_ACL`
`static String`	`S3_GET_OBJECT_VERSION_TAGGING`
`static String`	`S3_GET_OBJECT_VERSION_TORRENT`
`static String`	`S3_LIST_BUCKET`
`static String`	`S3_LIST_BUCKET_MULTPART_UPLOADS` This is used by the abort operation in S3A commit work.
`static String`	`S3_LIST_MULTIPART_UPLOAD_PARTS` List multipart upload is needed for the S3A Commit protocols.
`static String[]`	`S3_PATH_READ_OPERATIONS` Actions needed to read a file in S3 through S3A, excluding S3Guard and SSE-KMS.
`static String[]`	`S3_PATH_RW_OPERATIONS` Actions needed to write data to an S3A Path.
`static String[]`	`S3_PATH_WRITE_OPERATIONS` Actions needed to write data to an S3A Path.
`static String`	`S3_PUT_OBJECT`
`static String`	`S3_PUT_OBJECT_ACL`
`static String`	`S3_PUT_OBJECT_TAGGING`
`static String`	`S3_PUT_OBJECT_VERSION_ACL`
`static String`	`S3_PUT_OBJECT_VERSION_TAGGING`
`static String`	`S3_RESTORE_OBJECT`
`static String[]`	`S3_ROOT_READ_OPERATIONS` Base actions needed to read data from S3 through S3A, excluding SSE-KMS data and S3Guard-ed buckets.
`static String[]`	`S3_ROOT_RW_OPERATIONS` Actions needed for R/W IO from the root of a bucket.
`static RoleModel.Statement`	`STATEMENT_ALL_DDB` Statement to allow all DDB access.
`static RoleModel.Statement`	`STATEMENT_ALL_S3` Allow all S3 Operations.
`static RoleModel.Statement`	`STATEMENT_ALLOW_SSE_KMS_READ` Statement to allow read access to KMS keys, so the ability to read SSE-KMS data,, but not decrypt it.
`static RoleModel.Statement`	`STATEMENT_ALLOW_SSE_KMS_RW` Statement to allow KMS R/W access access, so full use of SSE-KMS.
`static RoleModel.Statement`	`STATEMENT_S3GUARD_CLIENT` Statement to allow all client operations needed for S3Guard, but none of the admin operations.

Method Summary
- Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - KMS_ALL_OPERATIONS
```
public static final String KMS_ALL_OPERATIONS
```
    All KMS operations: "kms:*".
    
    See Also:
    
    Constant Field Values
  - KMS_ENCRYPT
```
public static final String KMS_ENCRYPT
```
    KMS encryption. This is Not used by SSE-KMS: "kms:Encrypt".
    
    See Also:
    
    Constant Field Values
  - KMS_DECRYPT
```
public static final String KMS_DECRYPT
```
    Decrypt data encrypted with SSE-KMS: "kms:Decrypt".
    
    See Also:
    
    Constant Field Values
  - KMS_ALL_KEYS
```
public static final String KMS_ALL_KEYS
```
    Arn for all KMS keys: "arn:aws:kms:*".
    
    See Also:
    
    Constant Field Values
  - KMS_GENERATE_DATA_KEY
```
public static final String KMS_GENERATE_DATA_KEY
```
    This is used by S3 to generate a per-object encryption key and the encrypted value of this, the latter being what it tags the object with for later decryption: "kms:GenerateDataKey".
    
    See Also:
    
    Constant Field Values
  - STATEMENT_ALLOW_SSE_KMS_RW
```
public static final RoleModel.Statement STATEMENT_ALLOW_SSE_KMS_RW
```
    Statement to allow KMS R/W access access, so full use of SSE-KMS.
  - STATEMENT_ALLOW_SSE_KMS_READ
```
public static final RoleModel.Statement STATEMENT_ALLOW_SSE_KMS_READ
```
    Statement to allow read access to KMS keys, so the ability to read SSE-KMS data,, but not decrypt it.
  - S3_ALL_OPERATIONS
```
public static final String S3_ALL_OPERATIONS
```
    All S3 operations: "s3:*".
    
    See Also:
    
    Constant Field Values
  - S3_ALL_BUCKETS
```
public static final String S3_ALL_BUCKETS
```
    All S3 buckets: "arn:aws:s3:::*".
    
    See Also:
    
    Constant Field Values
  - S3_ALL_LIST_OPERATIONS
```
public static final String S3_ALL_LIST_OPERATIONS
```
    See Also:
    
    Constant Field Values
  - S3_ALL_LIST_BUCKET
```
public static final String S3_ALL_LIST_BUCKET
```
    See Also:
    
    Constant Field Values
  - S3_LIST_BUCKET
```
public static final String S3_LIST_BUCKET
```
    See Also:
    
    Constant Field Values
  - S3_LIST_BUCKET_MULTPART_UPLOADS
```
public static final String S3_LIST_BUCKET_MULTPART_UPLOADS
```
    This is used by the abort operation in S3A commit work.
    
    See Also:
    
    Constant Field Values
  - S3_LIST_MULTIPART_UPLOAD_PARTS
```
public static final String S3_LIST_MULTIPART_UPLOAD_PARTS
```
    List multipart upload is needed for the S3A Commit protocols.
    
    See Also:
    
    Constant Field Values
  - S3_ABORT_MULTIPART_UPLOAD
```
public static final String S3_ABORT_MULTIPART_UPLOAD
```
    abort multipart upload is needed for the S3A Commit protocols.
    
    See Also:
    
    Constant Field Values
  - S3_ALL_DELETE
```
public static final String S3_ALL_DELETE
```
    All s3:Delete* operations.
    
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT
```
public static final String S3_DELETE_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT_TAGGING
```
public static final String S3_DELETE_OBJECT_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT_VERSION
```
public static final String S3_DELETE_OBJECT_VERSION
```
    See Also:
    
    Constant Field Values
  - S3_DELETE_OBJECT_VERSION_TAGGING
```
public static final String S3_DELETE_OBJECT_VERSION_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_ALL_GET
```
public static final String S3_ALL_GET
```
    All s3:Get* operations.
    
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT
```
public static final String S3_GET_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_ACL
```
public static final String S3_GET_OBJECT_ACL
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_TAGGING
```
public static final String S3_GET_OBJECT_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_TORRENT
```
public static final String S3_GET_OBJECT_TORRENT
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION
```
public static final String S3_GET_OBJECT_VERSION
```
    See Also:
    
    Constant Field Values
  - S3_GET_BUCKET_LOCATION
```
public static final String S3_GET_BUCKET_LOCATION
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION_ACL
```
public static final String S3_GET_OBJECT_VERSION_ACL
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION_TAGGING
```
public static final String S3_GET_OBJECT_VERSION_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_GET_OBJECT_VERSION_TORRENT
```
public static final String S3_GET_OBJECT_VERSION_TORRENT
```
    See Also:
    
    Constant Field Values
  - S3_ALL_PUT
```
public static final String S3_ALL_PUT
```
    S3 Put*. This covers single an multipart uploads, but not list/abort of the latter.
    
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT
```
public static final String S3_PUT_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_ACL
```
public static final String S3_PUT_OBJECT_ACL
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_TAGGING
```
public static final String S3_PUT_OBJECT_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_VERSION_ACL
```
public static final String S3_PUT_OBJECT_VERSION_ACL
```
    See Also:
    
    Constant Field Values
  - S3_PUT_OBJECT_VERSION_TAGGING
```
public static final String S3_PUT_OBJECT_VERSION_TAGGING
```
    See Also:
    
    Constant Field Values
  - S3_RESTORE_OBJECT
```
public static final String S3_RESTORE_OBJECT
```
    See Also:
    
    Constant Field Values
  - S3_PATH_READ_OPERATIONS
```
public static final String[] S3_PATH_READ_OPERATIONS
```
    Actions needed to read a file in S3 through S3A, excluding S3Guard and SSE-KMS.
  - S3_ROOT_READ_OPERATIONS
```
public static final String[] S3_ROOT_READ_OPERATIONS
```
    Base actions needed to read data from S3 through S3A, excluding SSE-KMS data and S3Guard-ed buckets.
  - S3_PATH_RW_OPERATIONS
```
public static final String[] S3_PATH_RW_OPERATIONS
```
    Actions needed to write data to an S3A Path. This includes the appropriate read operations, but not SSE-KMS or S3Guard support.
  - S3_PATH_WRITE_OPERATIONS
```
public static final String[] S3_PATH_WRITE_OPERATIONS
```
    Actions needed to write data to an S3A Path. This is purely the extra operations needed for writing atop of the read operation set. Deny these and a path is still readable, but not writeable. Excludes: SSE-KMS and S3Guard permissions.
  - S3_ROOT_RW_OPERATIONS
```
public static final String[] S3_ROOT_RW_OPERATIONS
```
    Actions needed for R/W IO from the root of a bucket. Excludes: SSE-KMS and S3Guard permissions.
  - DDB_ALL_OPERATIONS
```
public static final String DDB_ALL_OPERATIONS
```
    All DynamoDB operations: "dynamodb:*".
    
    See Also:
    
    Constant Field Values
  - DDB_ADMIN
```
public static final String DDB_ADMIN
```
    Operations needed for DDB/S3Guard Admin. For now: make this DDB_ALL_OPERATIONS.
    
    See Also:
    
    Constant Field Values
  - DDB_DESCRIBE_TABLE
```
public static final String DDB_DESCRIBE_TABLE
```
    Permission for DDB describeTable() operation: "dynamodb:DescribeTable". This is used during initialization.
    
    See Also:
    
    Constant Field Values
  - DDB_QUERY
```
public static final String DDB_QUERY
```
    Permission to query the DDB table: "dynamodb:Query".
    
    See Also:
    
    Constant Field Values
  - DDB_GET_ITEM
```
public static final String DDB_GET_ITEM
```
    Permission for DDB operation to get a record: "dynamodb:GetItem".
    
    See Also:
    
    Constant Field Values
  - DDB_PUT_ITEM
```
public static final String DDB_PUT_ITEM
```
    Permission for DDB write record operation: "dynamodb:PutItem".
    
    See Also:
    
    Constant Field Values
  - DDB_UPDATE_ITEM
```
public static final String DDB_UPDATE_ITEM
```
    Permission for DDB update single item operation: "dynamodb:UpdateItem".
    
    See Also:
    
    Constant Field Values
  - DDB_DELETE_ITEM
```
public static final String DDB_DELETE_ITEM
```
    Permission for DDB delete operation: "dynamodb:DeleteItem".
    
    See Also:
    
    Constant Field Values
  - DDB_BATCH_GET_ITEM
```
public static final String DDB_BATCH_GET_ITEM
```
    Permission for DDB operation: "dynamodb:BatchGetItem".
    
    See Also:
    
    Constant Field Values
  - DDB_BATCH_WRITE_ITEM
```
public static final String DDB_BATCH_WRITE_ITEM
```
    Batch write permission for DDB: "dynamodb:BatchWriteItem".
    
    See Also:
    
    Constant Field Values
  - ALL_DDB_TABLES
```
public static final String ALL_DDB_TABLES
```
    All DynamoDB tables: "arn:aws:dynamodb:*".
    
    See Also:
    
    Constant Field Values
  - STATEMENT_ALL_DDB
```
public static final RoleModel.Statement STATEMENT_ALL_DDB
```
    Statement to allow all DDB access.
  - STATEMENT_S3GUARD_CLIENT
```
public static final RoleModel.Statement STATEMENT_S3GUARD_CLIENT
```
    Statement to allow all client operations needed for S3Guard, but none of the admin operations.
  - STATEMENT_ALL_S3
```
public static final RoleModel.Statement STATEMENT_ALL_S3
```
    Allow all S3 Operations. This does not cover DDB or S3-KMS
  - ALLOW_S3_AND_SGUARD
```
public static final RoleModel.Policy ALLOW_S3_AND_SGUARD
```
    Policy for all S3 and S3Guard operations, and SSE-KMS.

Class RolePolicies

Field Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

KMS_ALL_OPERATIONS

KMS_ENCRYPT

KMS_DECRYPT

KMS_ALL_KEYS

KMS_GENERATE_DATA_KEY

STATEMENT_ALLOW_SSE_KMS_RW

STATEMENT_ALLOW_SSE_KMS_READ

S3_ALL_OPERATIONS

S3_ALL_BUCKETS

S3_ALL_LIST_OPERATIONS

S3_ALL_LIST_BUCKET

S3_LIST_BUCKET

S3_LIST_BUCKET_MULTPART_UPLOADS

S3_LIST_MULTIPART_UPLOAD_PARTS

S3_ABORT_MULTIPART_UPLOAD

S3_ALL_DELETE

S3_DELETE_OBJECT

S3_DELETE_OBJECT_TAGGING

S3_DELETE_OBJECT_VERSION

S3_DELETE_OBJECT_VERSION_TAGGING

S3_ALL_GET

S3_GET_OBJECT

S3_GET_OBJECT_ACL

S3_GET_OBJECT_TAGGING

S3_GET_OBJECT_TORRENT

S3_GET_OBJECT_VERSION

S3_GET_BUCKET_LOCATION

S3_GET_OBJECT_VERSION_ACL

S3_GET_OBJECT_VERSION_TAGGING

S3_GET_OBJECT_VERSION_TORRENT

S3_ALL_PUT

S3_PUT_OBJECT

S3_PUT_OBJECT_ACL

S3_PUT_OBJECT_TAGGING

S3_PUT_OBJECT_VERSION_ACL

S3_PUT_OBJECT_VERSION_TAGGING

S3_RESTORE_OBJECT

S3_PATH_READ_OPERATIONS

S3_ROOT_READ_OPERATIONS

S3_PATH_RW_OPERATIONS

S3_PATH_WRITE_OPERATIONS

S3_ROOT_RW_OPERATIONS

DDB_ALL_OPERATIONS

DDB_ADMIN

DDB_DESCRIBE_TABLE

DDB_QUERY

DDB_GET_ITEM

DDB_PUT_ITEM

DDB_UPDATE_ITEM

DDB_DELETE_ITEM

DDB_BATCH_GET_ITEM

DDB_BATCH_WRITE_ITEM

ALL_DDB_TABLES

STATEMENT_ALL_DDB

STATEMENT_S3GUARD_CLIENT

STATEMENT_ALL_S3

ALLOW_S3_AND_SGUARD