minio/pkg/iam/policy/admin-action.go

/*
 * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package iampolicy

import (
	"github.com/minio/minio/pkg/policy/condition"
)

// AdminAction - admin policy action.
type AdminAction string

const (
	// HealAdminAction - allows heal command
	HealAdminAction = "admin:Heal"

	// Service Actions

	// ListServerInfoAdminAction - allow listing server info
	ListServerInfoAdminAction = "admin:ListServerInfo"

	// ServerUpdateAdminAction - allow MinIO binary update
	ServerUpdateAdminAction = "admin:ServerUpdate"

	//Config Actions

	// ConfigUpdateAdminAction - allow MinIO config management
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// User Actions

	// CreateUserAdminAction - allow creating MinIO user
	CreateUserAdminAction = "admin:CreateUser"
	// DeleteUserAdminAction - allow deleting MinIO user
	DeleteUserAdminAction = "admin:DeleteUser"
	// ListUsersAdminAction - allow list users permission
	ListUsersAdminAction = "admin:ListUsers"
	// EnableUserAdminAction - allow enable user permission
	EnableUserAdminAction = "admin:EnableUser"
	// DisableUserAdminAction - allow disable user permission
	DisableUserAdminAction = "admin:DisableUser"
	// GetUserAdminAction - allows GET permission on user info
	GetUserAdminAction = "admin:GetUser"

	// Group Actions

	// AddUserToGroupAdminAction - allow adding user to group permission
	AddUserToGroupAdminAction = "admin:AddUserToGroup"
	// RemoveUserFromGroupAdminAction - allow removing user to group permission
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
	// GetGroupAdminAction - allow getting group info
	GetGroupAdminAction = "admin:GetGroup"
	// ListGroupsAdminAction - allow list groups permission
	ListGroupsAdminAction = "admin:ListGroups"
	// EnableGroupAdminAction - allow enable group permission
	EnableGroupAdminAction = "admin:EnableGroup"
	// DisableGroupAdminAction - allow disable group permission
	DisableGroupAdminAction = "admin:DisableGroup"

	// Policy Actions

	// CreatePolicyAdminAction - allow create policy permission
	CreatePolicyAdminAction = "admin:CreatePolicy"
	// DeletePolicyAdminAction - allow delete policy permission
	DeletePolicyAdminAction = "admin:DeletePolicy"
	// GetPolicyAdminAction - allow get policy permission
	GetPolicyAdminAction = "admin:GetPolicy"
	// AttachPolicyAdminAction - allows attaching a policy to a user/group
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
	// ListUserPoliciesAdminAction - allows listing user policies
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"
	// AllAdminActions - provides all admin permissions
	AllAdminActions = "admin:*"
)

// List of all supported admin actions.
var supportedAdminActions = map[AdminAction]struct{}{
	AllAdminActions:                {},
	HealAdminAction:                {},
	ListServerInfoAdminAction:      {},
	ServerUpdateAdminAction:        {},
	ConfigUpdateAdminAction:        {},
	CreateUserAdminAction:          {},
	DeleteUserAdminAction:          {},
	ListUsersAdminAction:           {},
	EnableUserAdminAction:          {},
	DisableUserAdminAction:         {},
	GetUserAdminAction:             {},
	AddUserToGroupAdminAction:      {},
	RemoveUserFromGroupAdminAction: {},
	ListGroupsAdminAction:          {},
	EnableGroupAdminAction:         {},
	DisableGroupAdminAction:        {},
	CreatePolicyAdminAction:        {},
	DeletePolicyAdminAction:        {},
	GetPolicyAdminAction:           {},
	AttachPolicyAdminAction:        {},
	ListUserPoliciesAdminAction:    {},
}

func parseAdminAction(s string) (AdminAction, error) {
	action := AdminAction(s)
	if action.IsValid() {
		return action, nil
	}

	return action, Errorf("unsupported action '%v'", s)
}

// IsValid - checks if action is valid or not.
func (action AdminAction) IsValid() bool {
	_, ok := supportedAdminActions[action]
	return ok
}

// adminActionConditionKeyMap - holds mapping of supported condition key for an action.
var adminActionConditionKeyMap = map[Action]condition.KeySet{
	AllAdminActions:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
	HealAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListServerInfoAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServerUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ConfigUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	CreateUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DeleteUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListUsersAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
	EnableUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DisableUserAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetUserAdminAction:             condition.NewKeySet(condition.AllSupportedAdminKeys...),
	AddUserToGroupAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
	RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListGroupsAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	EnableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DisableGroupAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	CreatePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DeletePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetPolicyAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
	AttachPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListUserPoliciesAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 5 years ago			`/*`
			`* MinIO Cloud Storage, (C) 2019 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package iampolicy`

			`import (`
			`"github.com/minio/minio/pkg/policy/condition"`
			`)`

			`// AdminAction - admin policy action.`
			`type AdminAction string`

			`const (`
			`// HealAdminAction - allows heal command`
			`HealAdminAction = "admin:Heal"`

			`// Service Actions`

			`// ListServerInfoAdminAction - allow listing server info`
			`ListServerInfoAdminAction = "admin:ListServerInfo"`

			`// ServerUpdateAdminAction - allow MinIO binary update`
			`ServerUpdateAdminAction = "admin:ServerUpdate"`

			`//Config Actions`

			`// ConfigUpdateAdminAction - allow MinIO config management`
			`ConfigUpdateAdminAction = "admin:ConfigUpdate"`

			`// User Actions`

			`// CreateUserAdminAction - allow creating MinIO user`
			`CreateUserAdminAction = "admin:CreateUser"`
			`// DeleteUserAdminAction - allow deleting MinIO user`
			`DeleteUserAdminAction = "admin:DeleteUser"`
			`// ListUsersAdminAction - allow list users permission`
			`ListUsersAdminAction = "admin:ListUsers"`
			`// EnableUserAdminAction - allow enable user permission`
			`EnableUserAdminAction = "admin:EnableUser"`
			`// DisableUserAdminAction - allow disable user permission`
			`DisableUserAdminAction = "admin:DisableUser"`
			`// GetUserAdminAction - allows GET permission on user info`
			`GetUserAdminAction = "admin:GetUser"`

			`// Group Actions`

			`// AddUserToGroupAdminAction - allow adding user to group permission`
			`AddUserToGroupAdminAction = "admin:AddUserToGroup"`
			`// RemoveUserFromGroupAdminAction - allow removing user to group permission`
			`RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"`
			`// GetGroupAdminAction - allow getting group info`
			`GetGroupAdminAction = "admin:GetGroup"`
			`// ListGroupsAdminAction - allow list groups permission`
			`ListGroupsAdminAction = "admin:ListGroups"`
			`// EnableGroupAdminAction - allow enable group permission`
			`EnableGroupAdminAction = "admin:EnableGroup"`
			`// DisableGroupAdminAction - allow disable group permission`
			`DisableGroupAdminAction = "admin:DisableGroup"`

			`// Policy Actions`

			`// CreatePolicyAdminAction - allow create policy permission`
			`CreatePolicyAdminAction = "admin:CreatePolicy"`
			`// DeletePolicyAdminAction - allow delete policy permission`
			`DeletePolicyAdminAction = "admin:DeletePolicy"`
			`// GetPolicyAdminAction - allow get policy permission`
			`GetPolicyAdminAction = "admin:GetPolicy"`
			`// AttachPolicyAdminAction - allows attaching a policy to a user/group`
			`AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"`
			`// ListUserPoliciesAdminAction - allows listing user policies`
			`ListUserPoliciesAdminAction = "admin:ListUserPolicies"`
			`// AllAdminActions - provides all admin permissions`
			`AllAdminActions = "admin:*"`
			`)`

			`// List of all supported admin actions.`
			`var supportedAdminActions = map[AdminAction]struct{}{`
			`AllAdminActions: {},`
			`HealAdminAction: {},`
			`ListServerInfoAdminAction: {},`
			`ServerUpdateAdminAction: {},`
			`ConfigUpdateAdminAction: {},`
			`CreateUserAdminAction: {},`
			`DeleteUserAdminAction: {},`
			`ListUsersAdminAction: {},`
			`EnableUserAdminAction: {},`
			`DisableUserAdminAction: {},`
			`GetUserAdminAction: {},`
			`AddUserToGroupAdminAction: {},`
			`RemoveUserFromGroupAdminAction: {},`
			`ListGroupsAdminAction: {},`
			`EnableGroupAdminAction: {},`
			`DisableGroupAdminAction: {},`
			`CreatePolicyAdminAction: {},`
			`DeletePolicyAdminAction: {},`
			`GetPolicyAdminAction: {},`
			`AttachPolicyAdminAction: {},`
			`ListUserPoliciesAdminAction: {},`
			`}`

			`func parseAdminAction(s string) (AdminAction, error) {`
			`action := AdminAction(s)`
			`if action.IsValid() {`
			`return action, nil`
			`}`

Add more context aware error for policy parsing errors (#8726) In existing functionality we simply return a generic error such as "MalformedPolicy" which indicates just a generic string "invalid resource" which is not very meaningful when there might be multiple types of errors during policy parsing. This PR ensures that we send these errors back to client to indicate the actual error, brings in two concrete types such as - iampolicy.Error - policy.Error Refer #8202 5 years ago			`return action, Errorf("unsupported action '%v'", s)`
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 5 years ago			`}`

			`// IsValid - checks if action is valid or not.`
			`func (action AdminAction) IsValid() bool {`
			`_, ok := supportedAdminActions[action]`
			`return ok`
			`}`

			`// adminActionConditionKeyMap - holds mapping of supported condition key for an action.`
			`var adminActionConditionKeyMap = map[Action]condition.KeySet{`
			`AllAdminActions: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`HealAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListServerInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ServerUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`CreateUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DeleteUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListUsersAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`EnableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DisableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`GetUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`AddUserToGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListGroupsAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`EnableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DisableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`CreatePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DeletePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`GetPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`AttachPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`}`