From 2232e095d5449075fd541824b59aea88f41570b1 Mon Sep 17 00:00:00 2001
From: poornas
Date: Sun, 26 Jan 2020 18:47:52 -0800
Subject: [PATCH] Make admin permissions more granular for admin handlers. (#8888)
---
 cmd/admin-handlers.go | 22 ++++++++---------
 docs/multi-user/admin/README.md | 11 ++++++++-
 pkg/iam/policy/admin-action.go | 44 ++++++++++++++++++++++++++++++---
 3 files changed, 61 insertions(+), 16 deletions(-)
diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go
index beb470ab6..fd4216f4b 100644
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -270,7 +270,7 @@ type ServerInfo struct {
 // Get server information
 func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "StorageInfo")
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.StorageInfoAdminAction)
 if objectAPI == nil {
 return
 }
@@ -295,7 +295,7 @@ func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Requ
 // Get server/cluster data usage info
 func (a adminAPIHandlers) DataUsageInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "DataUsageInfo")
- objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction)
+ objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DataUsageInfoAdminAction)
 if objectAPI == nil {
 return
 }
@@ -349,7 +349,7 @@ type ServerNetReadPerfInfo struct { func (a adminAPIHandlers) PerfInfoHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "PerfInfo") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.PerfInfoAdminAction) if objectAPI == nil { return } 
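Review bot: The doc comment above StorageInfoHandler in the @@ -270 hunk still reads `// Get server information`, the same text ServerInfoHandler carries at @@ -1316, although the two handlers are now gated by different actions (StorageInfoAdminAction versus ServerInfoAdminAction). Suggest `// Get storage information` so the comment matches the action the handler checks and readers of a policy denial can tell the two endpoints apart. The handler bodies in all three hunks on this line continue past the hunk.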
@@ -520,7 +520,7 @@ type PeerLocks struct { func (a adminAPIHandlers) TopLocksHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "TopLocks") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.TopLocksAdminAction) if objectAPI == nil { return }
@@ -565,7 +565,7 @@ type StartProfilingResult struct { func (a adminAPIHandlers) StartProfilingHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "StartProfiling") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction) if objectAPI == nil { return }
@@ -661,7 +661,7 @@ func (f dummyFileInfo) Sys() interface{} { return f.sys } func (a adminAPIHandlers) DownloadProfilingHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "DownloadProfiling") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction) if objectAPI == nil { return }
@@ -1051,7 +1051,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) { trcErr := r.URL.Query().Get("err") == "true" // Validate request signature. - _, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.ListServerInfoAdminAction, "") + _, adminAPIErr := checkAdminRequestAuthType(ctx, r, iampolicy.TraceAdminAction, "") if adminAPIErr != ErrNone { writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL) return 
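Review bot: StartProfilingHandler (@@ -565) and DownloadProfilingHandler (@@ -661) are both gated by the single ProfilingAdminAction, so one grant of `admin:Profiling` both starts a profile and lets the caller download the collected profile data, and the constant's comment in admin-action.go (`// ProfilingAdminAction - allow profiling`) does not say so. Suggest `// ProfilingAdminAction - allow starting profiling and downloading the collected profiles` so a policy author sees that the action covers the download as well as the trigger. The four handler bodies on this line all continue past their hunks.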
@@ -1105,7 +1105,7 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) { func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "ConsoleLog") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConsoleLogAdminAction) if objectAPI == nil { return }
@@ -1176,7 +1176,7 @@ func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Reque func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "KMSKeyStatusHandler") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSKeyStatusAdminAction) if objectAPI == nil { return }
@@ -1261,7 +1261,7 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req func (a adminAPIHandlers) ServerHardwareInfoHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "HardwareInfo") - objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ListServerInfoAdminAction) + objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerHardwareInfoAdminAction) if objectAPI == nil { return }
@@ -1316,7 +1316,7 @@ func (a adminAPIHandlers) ServerHardwareInfoHandler(w http.ResponseWriter, r *ht
 // Get server information
 func (a adminAPIHandlers) ServerInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ServerInfo")
- objectAPI, _ := validateAdminReq(ctx, w, r, "")
+ objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerInfoAdminAction)
 if objectAPI == nil {
 return
 }
diff --git a/docs/multi-user/admin/README.md b/docs/multi-user/admin/README.md
index 359197840..79a0a0b45 100644
--- a/docs/multi-user/admin/README.md
+++ b/docs/multi-user/admin/README.md
@@ -82,8 +82,17 @@ mc admin policy set myminio-admin1 user1policy user=user1 - admin:GetUser #### Service management permissions -- admin:ListServerInfo +- admin:ServerInfo - admin:ServerUpdate +- admin:StorageInfo +- admin:DataUsageInfo +- admin:PerfInfo +- admin:TopLocks +- admin:Profiling, +- admin:ServerTrace, +- admin:ConsoleLog, +- admin:KMSKeyStatus +- admin:ServerHardwareInfo #### User/Group management permissions - admin:AddUserToGroup
diff --git a/pkg/iam/policy/admin-action.go b/pkg/iam/policy/admin-action.go
index c31ae2e4f..7ee6d50ea 100644
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@@ -29,8 +29,26 @@ const ( // Service Actions - // ListServerInfoAdminAction - allow listing server info - ListServerInfoAdminAction = "admin:ListServerInfo" + // StorageInfoAdminAction - allow listing server info + StorageInfoAdminAction = "admin:StorageInfo" + // DataUsageInfoAdminAction - allow listing data usage info + DataUsageInfoAdminAction = "admin:DataUsageInfo" + // PerfInfoAdminAction - allow listing performance info + PerfInfoAdminAction = "admin:PerfInfo" + // TopLocksAdminAction - allow listing top locks + TopLocksAdminAction = "admin:TopLocksInfo" + // ProfilingAdminAction - allow profiling + ProfilingAdminAction = "admin:Profiling" + // TraceAdminAction - allow listing server trace + TraceAdminAction = "admin:ServerTrace" + // ConsoleLogAdminAction - allow listing console logs on terminal + ConsoleLogAdminAction = "admin:ConsoleLog" + // KMSKeyStatusAdminAction - allow getting KMS key status + KMSKeyStatusAdminAction = "admin:KMSKeyStatus" + // ServerHardwareInfoAdminAction - allow listing server hardware info + ServerHardwareInfoAdminAction = "admin:HardwareInfo" + // ServerInfoAdminAction - allow listing server info + ServerInfoAdminAction = "admin:ServerInfo" // ServerUpdateAdminAction - allow MinIO binary update ServerUpdateAdminAction = "admin:ServerUpdate" 
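Review bot: The action strings defined in the @@ -29 hunk of admin-action.go disagree with the names documented in the README hunk (@@ -82) on this same line: `TopLocksAdminAction = "admin:TopLocksInfo"` while the README lists `admin:TopLocks`, and `ServerHardwareInfoAdminAction = "admin:HardwareInfo"` while the README lists `admin:ServerHardwareInfo`. A policy written from the README would presumably never match the constant the handler checks, so the grant silently does nothing; either the constants should become `"admin:TopLocks"` and `"admin:ServerHardwareInfo"` or the README entries should follow the code, but the two must agree. Smaller issues in the same hunks: the README lines `admin:Profiling,`, `admin:ServerTrace,` and `admin:ConsoleLog,` carry stray trailing commas, and the comment on the first new constant (`// StorageInfoAdminAction - allow listing server info`) was copied from the removed ListServerInfoAdminAction and should read `// StorageInfoAdminAction - allow listing storage info`. Both the README section and the const block continue beyond their hunks.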
@@ -90,7 +108,16 @@ const (
 var supportedAdminActions = map[AdminAction]struct{}{
 AllAdminActions: {},
 HealAdminAction: {},
- ListServerInfoAdminAction: {},
+ ServerInfoAdminAction: {},
+ StorageInfoAdminAction: {},
+ DataUsageInfoAdminAction: {},
+ PerfInfoAdminAction: {},
+ TopLocksAdminAction: {},
+ ProfilingAdminAction: {},
+ TraceAdminAction: {},
+ ConsoleLogAdminAction: {},
+ KMSKeyStatusAdminAction: {},
+ ServerHardwareInfoAdminAction: {},
 ServerUpdateAdminAction: {},
 ConfigUpdateAdminAction: {},
 CreateUserAdminAction: {},
@@ -130,7 +157,16 @@ func (action AdminAction) IsValid() bool {
 var adminActionConditionKeyMap = map[Action]condition.KeySet{
 AllAdminActions: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 HealAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
- ListServerInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ StorageInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ ServerInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ DataUsageInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ PerfInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ TopLocksAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ ProfilingAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ TraceAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ ConsoleLogAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ KMSKeyStatusAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ ServerHardwareInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 ServerUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 CreateUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
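Review bot: Dropping ListServerInfoAdminAction from supportedAdminActions (@@ -90) and adminActionConditionKeyMap (@@ -130) means a policy already stored with `admin:ListServerInfo` no longer passes IsValid; depending on where that validation runs, such policies may be rejected when IAM state is loaded or may simply stop granting anything, and the commit neither says which is intended nor documents a migration. Failing closed is the right default for an authorization change, but an operator upgrading will see the info, profiling, trace and log endpoints denied for every user whose policy was written against the old action, with nothing pointing at the cause. Consider keeping `ListServerInfoAdminAction` as a deprecated entry in both maps for one release, with a comment such as `// Deprecated: superseded by the per-handler info actions; kept so existing policies still validate`, and adding a line to the README naming the actions that replace it. Both map literals continue beyond their hunks.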