Add canned `diagnostics` policy for admin users (#8937)

5 years ago · 301c50b721
parent e9c111c8d0
commit 301c50b721
2 changed files with 17 additions and 0 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@ -1392,6 +1392,10 @@ func setDefaultCannedPolicies(policies map[string]iampolicy.Policy) {
 	if !ok {
 		policies["readwrite"] = iampolicy.ReadWrite
 	}
+	_, ok = policies["diagnostics"]
+	if !ok {
+		policies["diagnostics"] = iampolicy.AdminDiagnostics
+	}
 }

 // buildUserGroupMemberships - builds the memberships map. IMPORTANT:
--- a/pkg/iam/policy/constants.go
+++ b/pkg/iam/policy/constants.go
@ -64,3 +64,16 @@ var WriteOnly = Policy{
 		},
 	},
 }
+
+// AdminDiagnostics - provides admin diagnostics access.
+var AdminDiagnostics = Policy{
+	Version: DefaultVersion,
+	Statements: []Statement{
+		{
+			SID:       policy.ID(""),
+			Effect:    policy.Allow,
+			Actions:   NewActionSet(PerfInfoAdminAction, ProfilingAdminAction, TraceAdminAction, ConsoleLogAdminAction, ServerInfoAdminAction, ServerHardwareInfoAdminAction),
+			Resources: NewResourceSet(NewResource("*", "")),
+		},
+	},
+}