You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
154 lines
6.3 KiB
154 lines
6.3 KiB
/*
|
|
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package iampolicy
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/minio/minio/pkg/policy/condition"
|
|
)
|
|
|
|
// AdminAction - admin policy action.
|
|
type AdminAction string
|
|
|
|
const (
|
|
// HealAdminAction - allows heal command
|
|
HealAdminAction = "admin:Heal"
|
|
|
|
// Service Actions
|
|
|
|
// ListServerInfoAdminAction - allow listing server info
|
|
ListServerInfoAdminAction = "admin:ListServerInfo"
|
|
|
|
// ServerUpdateAdminAction - allow MinIO binary update
|
|
ServerUpdateAdminAction = "admin:ServerUpdate"
|
|
|
|
//Config Actions
|
|
|
|
// ConfigUpdateAdminAction - allow MinIO config management
|
|
ConfigUpdateAdminAction = "admin:ConfigUpdate"
|
|
|
|
// User Actions
|
|
|
|
// CreateUserAdminAction - allow creating MinIO user
|
|
CreateUserAdminAction = "admin:CreateUser"
|
|
// DeleteUserAdminAction - allow deleting MinIO user
|
|
DeleteUserAdminAction = "admin:DeleteUser"
|
|
// ListUsersAdminAction - allow list users permission
|
|
ListUsersAdminAction = "admin:ListUsers"
|
|
// EnableUserAdminAction - allow enable user permission
|
|
EnableUserAdminAction = "admin:EnableUser"
|
|
// DisableUserAdminAction - allow disable user permission
|
|
DisableUserAdminAction = "admin:DisableUser"
|
|
// GetUserAdminAction - allows GET permission on user info
|
|
GetUserAdminAction = "admin:GetUser"
|
|
|
|
// Group Actions
|
|
|
|
// AddUserToGroupAdminAction - allow adding user to group permission
|
|
AddUserToGroupAdminAction = "admin:AddUserToGroup"
|
|
// RemoveUserFromGroupAdminAction - allow removing user to group permission
|
|
RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
|
|
// GetGroupAdminAction - allow getting group info
|
|
GetGroupAdminAction = "admin:GetGroup"
|
|
// ListGroupsAdminAction - allow list groups permission
|
|
ListGroupsAdminAction = "admin:ListGroups"
|
|
// EnableGroupAdminAction - allow enable group permission
|
|
EnableGroupAdminAction = "admin:EnableGroup"
|
|
// DisableGroupAdminAction - allow disable group permission
|
|
DisableGroupAdminAction = "admin:DisableGroup"
|
|
|
|
// Policy Actions
|
|
|
|
// CreatePolicyAdminAction - allow create policy permission
|
|
CreatePolicyAdminAction = "admin:CreatePolicy"
|
|
// DeletePolicyAdminAction - allow delete policy permission
|
|
DeletePolicyAdminAction = "admin:DeletePolicy"
|
|
// GetPolicyAdminAction - allow get policy permission
|
|
GetPolicyAdminAction = "admin:GetPolicy"
|
|
// AttachPolicyAdminAction - allows attaching a policy to a user/group
|
|
AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
|
|
// ListUserPoliciesAdminAction - allows listing user policies
|
|
ListUserPoliciesAdminAction = "admin:ListUserPolicies"
|
|
// AllAdminActions - provides all admin permissions
|
|
AllAdminActions = "admin:*"
|
|
)
|
|
|
|
// List of all supported admin actions.
|
|
var supportedAdminActions = map[AdminAction]struct{}{
|
|
AllAdminActions: {},
|
|
HealAdminAction: {},
|
|
ListServerInfoAdminAction: {},
|
|
ServerUpdateAdminAction: {},
|
|
ConfigUpdateAdminAction: {},
|
|
CreateUserAdminAction: {},
|
|
DeleteUserAdminAction: {},
|
|
ListUsersAdminAction: {},
|
|
EnableUserAdminAction: {},
|
|
DisableUserAdminAction: {},
|
|
GetUserAdminAction: {},
|
|
AddUserToGroupAdminAction: {},
|
|
RemoveUserFromGroupAdminAction: {},
|
|
ListGroupsAdminAction: {},
|
|
EnableGroupAdminAction: {},
|
|
DisableGroupAdminAction: {},
|
|
CreatePolicyAdminAction: {},
|
|
DeletePolicyAdminAction: {},
|
|
GetPolicyAdminAction: {},
|
|
AttachPolicyAdminAction: {},
|
|
ListUserPoliciesAdminAction: {},
|
|
}
|
|
|
|
func parseAdminAction(s string) (AdminAction, error) {
|
|
action := AdminAction(s)
|
|
if action.IsValid() {
|
|
return action, nil
|
|
}
|
|
|
|
return action, fmt.Errorf("unsupported action '%v'", s)
|
|
}
|
|
|
|
// IsValid - checks if action is valid or not.
|
|
func (action AdminAction) IsValid() bool {
|
|
_, ok := supportedAdminActions[action]
|
|
return ok
|
|
}
|
|
|
|
// adminActionConditionKeyMap - holds mapping of supported condition key for an action.
|
|
var adminActionConditionKeyMap = map[Action]condition.KeySet{
|
|
AllAdminActions: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
HealAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
ListServerInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
ServerUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
CreateUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
DeleteUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
ListUsersAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
EnableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
DisableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
GetUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
AddUserToGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
ListGroupsAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
EnableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
DisableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
CreatePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
DeletePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
GetPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
AttachPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
|
|
}
|
|
|