|
|
|
/*
|
|
|
|
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package iampolicy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/minio/minio/pkg/bucket/policy/condition"
|
|
|
|
)
|
|
|
|
|
|
|
|
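// AdminAction - an action name in the "admin:" namespace of an IAM policy.
//
// Admin actions authorize MinIO administrative API calls (server
// management, users, groups, policies, bucket quotas) as opposed to the
// "s3:" object actions. A string is only usable as an AdminAction in a
// policy if it is registered in supportedAdminActions below:
// parseAdminAction and IsValid do an exact, case-sensitive lookup there and
// reject everything else, including any wildcard form other than the
// literal "admin:*" entry.
type AdminAction string

// Admin action names. The string value is what appears in a policy
// document; for a few constants it differs from the Go identifier
// (TopLocks -> "admin:TopLocksInfo", Trace -> "admin:ServerTrace",
// AttachPolicy -> "admin:AttachUserOrGroupPolicy").
//
// Declaring a constant here is not enough to make it usable: it must also
// be registered in supportedAdminActions (and adminActionConditionKeyMap),
// otherwise a policy that references it fails to parse.
const (
	// AllAdminActions - matches every admin action.
	//
	// This grants the whole administrative surface, including ServerUpdate
	// (replacing the MinIO binary) and ConfigUpdate, so it amounts to full
	// control of the deployment. Prefer granting the specific actions below.
	AllAdminActions = "admin:*"

	// HealAdminAction - allows the heal command.
	HealAdminAction = "admin:Heal"

	// Service and diagnostics actions. These are views of server state
	// rather than mutations, but traces, console logs and profiles may
	// expose operational detail and should not be handed out casually.

	// StorageInfoAdminAction - allows listing storage info.
	StorageInfoAdminAction = "admin:StorageInfo"

	// AccountingUsageInfoAdminAction - allows listing accounting usage info.
	AccountingUsageInfoAdminAction = "admin:AccountingUsageInfo"

	// DataUsageInfoAdminAction - allows listing data usage info.
	DataUsageInfoAdminAction = "admin:DataUsageInfo"

	// TopLocksAdminAction - allows listing the top locks. The policy string
	// is "admin:TopLocksInfo", not "admin:TopLocks".
	TopLocksAdminAction = "admin:TopLocksInfo"

	// ProfilingAdminAction - allows server profiling.
	ProfilingAdminAction = "admin:Profiling"

	// TraceAdminAction - allows listing the server trace. The policy string
	// is "admin:ServerTrace".
	TraceAdminAction = "admin:ServerTrace"

	// ConsoleLogAdminAction - allows listing console logs on the terminal.
	ConsoleLogAdminAction = "admin:ConsoleLog"

	// KMSKeyStatusAdminAction - allows getting the KMS key status.
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"

	// ServerInfoAdminAction - allows listing server info.
	ServerInfoAdminAction = "admin:ServerInfo"

	// OBDInfoAdminAction - allows obtaining cluster on-board diagnostics.
	OBDInfoAdminAction = "admin:OBDInfo"

	// ServerUpdateAdminAction - allows updating the MinIO binary. Whoever
	// holds this effectively chooses the code the server runs; treat it as
	// equivalent to AllAdminActions when granting it.
	ServerUpdateAdminAction = "admin:ServerUpdate"

	// Config actions

	// ConfigUpdateAdminAction - allows MinIO config management.
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// User actions

	// CreateUserAdminAction - allows creating a MinIO user (i.e. minting
	// new credentials).
	CreateUserAdminAction = "admin:CreateUser"

	// DeleteUserAdminAction - allows deleting a MinIO user.
	DeleteUserAdminAction = "admin:DeleteUser"

	// ListUsersAdminAction - allows listing users.
	ListUsersAdminAction = "admin:ListUsers"

	// EnableUserAdminAction - allows enabling a user.
	EnableUserAdminAction = "admin:EnableUser"

	// DisableUserAdminAction - allows disabling a user.
	DisableUserAdminAction = "admin:DisableUser"

	// GetUserAdminAction - allows reading user info.
	GetUserAdminAction = "admin:GetUser"

	// Group actions

	// AddUserToGroupAdminAction - allows adding a user to a group.
	AddUserToGroupAdminAction = "admin:AddUserToGroup"

	// RemoveUserFromGroupAdminAction - allows removing a user from a group.
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"

	// GetGroupAdminAction - allows reading group info.
	GetGroupAdminAction = "admin:GetGroup"

	// ListGroupsAdminAction - allows listing groups.
	ListGroupsAdminAction = "admin:ListGroups"

	// EnableGroupAdminAction - allows enabling a group.
	EnableGroupAdminAction = "admin:EnableGroup"

	// DisableGroupAdminAction - allows disabling a group.
	DisableGroupAdminAction = "admin:DisableGroup"

	// Policy actions
	//
	// CreatePolicy together with AttachPolicy lets a principal author a
	// policy and bind it to a user or group; unless the handlers restrict
	// the target principal, that combination is as powerful as
	// AllAdminActions. Grant the pair deliberately.

	// CreatePolicyAdminAction - allows creating a policy.
	CreatePolicyAdminAction = "admin:CreatePolicy"

	// DeletePolicyAdminAction - allows deleting a policy.
	DeletePolicyAdminAction = "admin:DeletePolicy"

	// GetPolicyAdminAction - allows reading a policy.
	GetPolicyAdminAction = "admin:GetPolicy"

	// AttachPolicyAdminAction - allows attaching a policy to a user or
	// group. The policy string is "admin:AttachUserOrGroupPolicy".
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"

	// ListUserPoliciesAdminAction - allows listing user policies.
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// Bucket quota actions

	// SetBucketQuotaAdminAction - allows setting a bucket quota.
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"

	// GetBucketQuotaAdminAction - allows reading a bucket quota.
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"
)

// supportedAdminActions - the set of admin actions a policy may reference.
//
// This is the single validation point for admin action strings
// (parseAdminAction -> IsValid). Membership is an exact, case-sensitive
// match, so every constant in the const block above must be listed here: a
// constant that is declared but not registered can be neither allowed nor
// denied by any policy, and a policy naming it is rejected at parse time.
// Registering an action here only makes the name parseable; it grants
// nothing by itself.
//
// GetGroupAdminAction and AccountingUsageInfoAdminAction are declared in
// the const block and are registered here so that policies can reference
// them like every other admin action.
var supportedAdminActions = map[AdminAction]struct{}{
	AllAdminActions:                {},
	HealAdminAction:                {},
	StorageInfoAdminAction:         {},
	AccountingUsageInfoAdminAction: {},
	DataUsageInfoAdminAction:       {},
	TopLocksAdminAction:            {},
	ProfilingAdminAction:           {},
	TraceAdminAction:               {},
	ConsoleLogAdminAction:          {},
	KMSKeyStatusAdminAction:        {},
	ServerInfoAdminAction:          {},
	OBDInfoAdminAction:             {},
	ServerUpdateAdminAction:        {},
	ConfigUpdateAdminAction:        {},
	CreateUserAdminAction:          {},
	DeleteUserAdminAction:          {},
	ListUsersAdminAction:           {},
	EnableUserAdminAction:          {},
	DisableUserAdminAction:         {},
	GetUserAdminAction:             {},
	AddUserToGroupAdminAction:      {},
	RemoveUserFromGroupAdminAction: {},
	GetGroupAdminAction:            {},
	ListGroupsAdminAction:          {},
	EnableGroupAdminAction:         {},
	DisableGroupAdminAction:        {},
	CreatePolicyAdminAction:        {},
	DeletePolicyAdminAction:        {},
	GetPolicyAdminAction:           {},
	AttachPolicyAdminAction:        {},
	ListUserPoliciesAdminAction:    {},
	SetBucketQuotaAdminAction:      {},
	GetBucketQuotaAdminAction:      {},
}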
|
|
|
|
|
|
|
|
// parseAdminAction - converts a raw action string from a policy document
// into an AdminAction, failing unless the string is registered in
// supportedAdminActions.
//
// The check is an exact, case-sensitive match; no pattern expansion is
// done here. On failure the returned AdminAction still carries the
// unsupported input string next to the error, so callers must branch on
// the error rather than on the value.
func parseAdminAction(s string) (AdminAction, error) {
	candidate := AdminAction(s)
	if !candidate.IsValid() {
		// Unknown names are rejected at parse time so a typo in a policy
		// surfaces as an error instead of a statement that never matches.
		return candidate, Errorf("unsupported action '%v'", s)
	}
	return candidate, nil
}
|
|
|
|
|
|
|
|
// IsValid - reports whether action is one of the registered admin actions.
//
// This is an exact, case-sensitive membership test against
// supportedAdminActions. "admin:*" passes only because it is stored there
// as a literal entry; any other pattern such as "admin:Get*" is reported
// as invalid by this method. Consequently an AdminAction constant that is
// not also registered in that map cannot be used in a policy.
func (action AdminAction) IsValid() bool {
	if _, registered := supportedAdminActions[action]; registered {
		return true
	}
	return false
}
|
|
|
|
|
|
|
|
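// adminActionConditionKeyMap - the condition keys a policy statement may
// use with each admin action.
//
// Every registered admin action currently accepts the same key set
// (condition.AllSupportedAdminKeys), so the map is derived from
// supportedAdminActions instead of being spelled out a second time. That
// keeps the two in lockstep: an action registered for parsing is
// guaranteed to have an entry here, and an action absent from this map
// would have no supported condition keys at all. A fresh KeySet is built
// per action, as the literal form did, so entries do not alias each other.
//
// The key type is Action rather than AdminAction because consumers look
// statements up by the generic Action type; the conversion is a plain
// string conversion. If an action ever needs a narrower key set, override
// its entry after the loop rather than reverting to a hand-written list.
var adminActionConditionKeyMap = func() map[Action]condition.KeySet {
	keys := make(map[Action]condition.KeySet, len(supportedAdminActions))
	for adminAction := range supportedAdminActions {
		keys[Action(adminAction)] = condition.NewKeySet(condition.AllSupportedAdminKeys...)
	}
	return keys
}()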
|