From 301c50b72178ff54823c2f8e7fdaaf34644a4d01 Mon Sep 17 00:00:00 2001
From: poornas
Date: Tue, 4 Feb 2020 17:58:38 -0800
Subject: [PATCH] Add canned `diagnostics` policy for admin users (#8937)
---
 cmd/iam.go | 4 ++++
 pkg/iam/policy/constants.go | 13 +++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/cmd/iam.go b/cmd/iam.go
index 2b669dbd2..fc244a59c 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1392,6 +1392,10 @@ func setDefaultCannedPolicies(policies map[string]iampolicy.Policy) {
 if !ok {
 policies["readwrite"] = iampolicy.ReadWrite
 }
+ _, ok = policies["diagnostics"]
+ if !ok {
+ policies["diagnostics"] = iampolicy.AdminDiagnostics
+ }
 }

 // buildUserGroupMemberships - builds the memberships map. IMPORTANT:
diff --git a/pkg/iam/policy/constants.go b/pkg/iam/policy/constants.go
index 2e064e659..bd7a5d3de 100644
--- a/pkg/iam/policy/constants.go
+++ b/pkg/iam/policy/constants.go
@@ -64,3 +64,16 @@ var WriteOnly = Policy{
 },
 },
 }
+
+// AdminDiagnostics - provides admin diagnostics access.
+var AdminDiagnostics = Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: policy.ID(""),
+ Effect: policy.Allow,
+ Actions: NewActionSet(PerfInfoAdminAction, ProfilingAdminAction, TraceAdminAction, ConsoleLogAdminAction, ServerInfoAdminAction, ServerHardwareInfoAdminAction),
+ Resources: NewResourceSet(NewResource("*", "")),
+ },
+ },
+}
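Review bot: In cmd/iam.go the new `diagnostics` default is installed only when the map has no entry under that name, so a policy already stored as `diagnostics` keeps whatever actions it grants and stands in for the built-in admin policy without any signal to the operator. Where the map is populated is outside this hunk, so whether such a name collision can exist on upgrade is an assumption to confirm against the caller. A comment above the added lines would make the precedence explicit, e.g. `// A stored policy named "diagnostics" takes precedence; the built-in one is only a fallback.` setDefaultCannedPolicies begins above the hunk.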
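Review bot: The doc comment on `AdminDiagnostics` in pkg/iam/policy/constants.go says only that it "provides admin diagnostics access", while the statement allows six admin actions, among them `TraceAdminAction`, `ConsoleLogAdminAction` and `ProfilingAdminAction`, on resource `*`. Judging by their names these expose request traces, server console logs and runtime profiles, which may carry data from other users' requests, so whoever attaches this policy should be able to see that it is more than a read-only status view. I would extend the comment to list what is granted and who it is meant for, e.g. `// AdminDiagnostics - allows the perf info, profiling, trace, console log, server info and hardware info admin actions; intended for trusted operators only.`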