Make admin permissions more granular for admin handlers. (#8888)

4 years ago · 2232e095d5
parent aae337f5b5
commit 2232e095d5
3 changed files with 61 additions and 16 deletions
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@ -270,7 +270,7 @@ type ServerInfo struct {
 // Get server information
 func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "StorageInfo")
-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.StorageInfoAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -295,7 +295,7 @@ func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Requ
 // Get server/cluster data usage info
 func (a adminAPIHandlers) DataUsageInfoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "DataUsageInfo")
-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DataUsageInfoAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -349,7 +349,7 @@ type ServerNetReadPerfInfo struct {
 func (a adminAPIHandlers) PerfInfoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "PerfInfo")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.PerfInfoAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -520,7 +520,7 @@ type PeerLocks struct {
 func (a adminAPIHandlers) TopLocksHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "TopLocks")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.TopLocksAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -565,7 +565,7 @@ type StartProfilingResult struct {
 func (a adminAPIHandlers) StartProfilingHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "StartProfiling")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -661,7 +661,7 @@ func (f dummyFileInfo) Sys() interface{}   { return f.sys }
 func (a adminAPIHandlers) DownloadProfilingHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "DownloadProfiling")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -1051,7 +1051,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) {
 	trcErr := r.URL.Query().Get("err") == "true"

 	// Validate request signature.
-	_, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.ListServerInfoAdminAction, "")
+	_, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.TraceAdminAction, "")
 	if adminAPIErr != ErrNone {
 		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 		return
@ -1105,7 +1105,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "ConsoleLog")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConsoleLogAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -1176,7 +1176,7 @@ func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Reque
 func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "KMSKeyStatusHandler")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSKeyStatusAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -1261,7 +1261,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
 func (a adminAPIHandlers) ServerHardwareInfoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "HardwareInfo")

-	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerHardwareInfoAdminAction)
 	if objectAPI == nil {
 		return
 	}
@ -1316,7 +1316,7 @@ func (a adminAPIHandlers) ServerHardwareInfoHandler(w http.ResponseWriter, r *ht
 // Get server information
 func (a adminAPIHandlers) ServerInfoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "ServerInfo")
-	objectAPI, _ := validateAdminReq(ctx, w, r, "")
+	objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerInfoAdminAction)
 	if objectAPI == nil {
 		return
 	}
--- a/docs/multi-user/admin/README.md
+++ b/docs/multi-user/admin/README.md
@ -82,8 +82,17 @@ mc admin policy set myminio-admin1 user1policy user=user1
 - admin:GetUser

 #### Service management permissions
- admin:ListServerInfo
+- admin:ServerInfo
 - admin:ServerUpdate
+-	admin:StorageInfo
+-	admin:DataUsageInfo
+-	admin:PerfInfo
+- admin:TopLocks
+-	admin:Profiling,
+-	admin:ServerTrace,
+-	admin:ConsoleLog,
+-	admin:KMSKeyStatus
+-	admin:ServerHardwareInfo

 #### User/Group management permissions
 - admin:AddUserToGroup
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@ -29,8 +29,26 @@ const (

 	// Service Actions

-	// ListServerInfoAdminAction - allow listing server info
-	ListServerInfoAdminAction = "admin:ListServerInfo"
+	// StorageInfoAdminAction - allow listing server info
+	StorageInfoAdminAction = "admin:StorageInfo"
+	// DataUsageInfoAdminAction - allow listing data usage info
+	DataUsageInfoAdminAction = "admin:DataUsageInfo"
+	// PerfInfoAdminAction - allow listing performance info
+	PerfInfoAdminAction = "admin:PerfInfo"
+	// TopLocksAdminAction - allow listing top locks
+	TopLocksAdminAction = "admin:TopLocksInfo"
+	// ProfilingAdminAction - allow profiling
+	ProfilingAdminAction = "admin:Profiling"
+	// TraceAdminAction - allow listing server trace
+	TraceAdminAction = "admin:ServerTrace"
+	// ConsoleLogAdminAction - allow listing console logs on terminal
+	ConsoleLogAdminAction = "admin:ConsoleLog"
+	// KMSKeyStatusAdminAction - allow getting KMS key status
+	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
+	// ServerHardwareInfoAdminAction - allow listing server hardware info
+	ServerHardwareInfoAdminAction = "admin:HardwareInfo"
+	// ServerInfoAdminAction - allow listing server info
+	ServerInfoAdminAction = "admin:ServerInfo"

 	// ServerUpdateAdminAction - allow MinIO binary update
 	ServerUpdateAdminAction = "admin:ServerUpdate"
@ -90,7 +108,16 @@ const (
 var supportedAdminActions = map[AdminAction]struct{}{
 	AllAdminActions:                {},
 	HealAdminAction:                {},
-	ListServerInfoAdminAction:      {},
+	ServerInfoAdminAction:          {},
+	StorageInfoAdminAction:         {},
+	DataUsageInfoAdminAction:       {},
+	PerfInfoAdminAction:            {},
+	TopLocksAdminAction:            {},
+	ProfilingAdminAction:           {},
+	TraceAdminAction:               {},
+	ConsoleLogAdminAction:          {},
+	KMSKeyStatusAdminAction:        {},
+	ServerHardwareInfoAdminAction:  {},
 	ServerUpdateAdminAction:        {},
 	ConfigUpdateAdminAction:        {},
 	CreateUserAdminAction:          {},
@ -130,7 +157,16 @@ func (action AdminAction) IsValid() bool {
 var adminActionConditionKeyMap = map[Action]condition.KeySet{
 	AllAdminActions:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
 	HealAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
-	ListServerInfoAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	StorageInfoAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServerInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	DataUsageInfoAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	PerfInfoAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	TopLocksAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ProfilingAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	TraceAdminAction:               condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ConsoleLogAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	KMSKeyStatusAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
+	ServerHardwareInfoAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
 	ServerUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
 	ConfigUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
 	CreateUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),