minio/pkg/iam/policy/admin-action.go

/*
 * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package iampolicy

import (
	"github.com/minio/minio/pkg/bucket/policy/condition"
)

// AdminAction - admin policy action.
type AdminAction string

const (
	// HealAdminAction - allows heal command
	HealAdminAction = "admin:Heal"

	// Service Actions

	// StorageInfoAdminAction - allow listing server info
	StorageInfoAdminAction = "admin:StorageInfo"
	// AccountingUsageInfoAdminAction - allow listing accounting usage info
	AccountingUsageInfoAdminAction = "admin:AccountingUsageInfo"
	// DataUsageInfoAdminAction - allow listing data usage info
	DataUsageInfoAdminAction = "admin:DataUsageInfo"
	// PerfInfoAdminAction - allow listing performance info
	PerfInfoAdminAction = "admin:PerfInfo"
	// TopLocksAdminAction - allow listing top locks
	TopLocksAdminAction = "admin:TopLocksInfo"
	// ProfilingAdminAction - allow profiling
	ProfilingAdminAction = "admin:Profiling"
	// TraceAdminAction - allow listing server trace
	TraceAdminAction = "admin:ServerTrace"
	// ConsoleLogAdminAction - allow listing console logs on terminal
	ConsoleLogAdminAction = "admin:ConsoleLog"
	// KMSKeyStatusAdminAction - allow getting KMS key status
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
	// ServerHardwareInfoAdminAction - allow listing server hardware info
	ServerHardwareInfoAdminAction = "admin:HardwareInfo"
	// ServerInfoAdminAction - allow listing server info
	ServerInfoAdminAction = "admin:ServerInfo"
	// OBDInfoAdminAction - allow obtaining cluster on-board diagnostics
	OBDInfoAdminAction = "admin:OBDInfo"

	// ServerUpdateAdminAction - allow MinIO binary update
	ServerUpdateAdminAction = "admin:ServerUpdate"

	//Config Actions

	// ConfigUpdateAdminAction - allow MinIO config management
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// User Actions

	// CreateUserAdminAction - allow creating MinIO user
	CreateUserAdminAction = "admin:CreateUser"
	// DeleteUserAdminAction - allow deleting MinIO user
	DeleteUserAdminAction = "admin:DeleteUser"
	// ListUsersAdminAction - allow list users permission
	ListUsersAdminAction = "admin:ListUsers"
	// EnableUserAdminAction - allow enable user permission
	EnableUserAdminAction = "admin:EnableUser"
	// DisableUserAdminAction - allow disable user permission
	DisableUserAdminAction = "admin:DisableUser"
	// GetUserAdminAction - allows GET permission on user info
	GetUserAdminAction = "admin:GetUser"

	// Group Actions

	// AddUserToGroupAdminAction - allow adding user to group permission
	AddUserToGroupAdminAction = "admin:AddUserToGroup"
	// RemoveUserFromGroupAdminAction - allow removing user to group permission
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
	// GetGroupAdminAction - allow getting group info
	GetGroupAdminAction = "admin:GetGroup"
	// ListGroupsAdminAction - allow list groups permission
	ListGroupsAdminAction = "admin:ListGroups"
	// EnableGroupAdminAction - allow enable group permission
	EnableGroupAdminAction = "admin:EnableGroup"
	// DisableGroupAdminAction - allow disable group permission
	DisableGroupAdminAction = "admin:DisableGroup"

	// Policy Actions

	// CreatePolicyAdminAction - allow create policy permission
	CreatePolicyAdminAction = "admin:CreatePolicy"
	// DeletePolicyAdminAction - allow delete policy permission
	DeletePolicyAdminAction = "admin:DeletePolicy"
	// GetPolicyAdminAction - allow get policy permission
	GetPolicyAdminAction = "admin:GetPolicy"
	// AttachPolicyAdminAction - allows attaching a policy to a user/group
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
	// ListUserPoliciesAdminAction - allows listing user policies
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"
	// AllAdminActions - provides all admin permissions
	AllAdminActions = "admin:*"
)

// List of all supported admin actions.
var supportedAdminActions = map[AdminAction]struct{}{
	AllAdminActions:                {},
	HealAdminAction:                {},
	ServerInfoAdminAction:          {},
	StorageInfoAdminAction:         {},
	DataUsageInfoAdminAction:       {},
	PerfInfoAdminAction:            {},
	TopLocksAdminAction:            {},
	ProfilingAdminAction:           {},
	TraceAdminAction:               {},
	ConsoleLogAdminAction:          {},
	KMSKeyStatusAdminAction:        {},
	ServerHardwareInfoAdminAction:  {},
	ServerUpdateAdminAction:        {},
	ConfigUpdateAdminAction:        {},
	CreateUserAdminAction:          {},
	DeleteUserAdminAction:          {},
	ListUsersAdminAction:           {},
	EnableUserAdminAction:          {},
	DisableUserAdminAction:         {},
	GetUserAdminAction:             {},
	AddUserToGroupAdminAction:      {},
	RemoveUserFromGroupAdminAction: {},
	ListGroupsAdminAction:          {},
	EnableGroupAdminAction:         {},
	DisableGroupAdminAction:        {},
	CreatePolicyAdminAction:        {},
	DeletePolicyAdminAction:        {},
	GetPolicyAdminAction:           {},
	AttachPolicyAdminAction:        {},
	ListUserPoliciesAdminAction:    {},
}

func parseAdminAction(s string) (AdminAction, error) {
	action := AdminAction(s)
	if action.IsValid() {
		return action, nil
	}

	return action, Errorf("unsupported action '%v'", s)
}

// IsValid - checks if action is valid or not.
func (action AdminAction) IsValid() bool {
	_, ok := supportedAdminActions[action]
	return ok
}

// adminActionConditionKeyMap - holds mapping of supported condition key for an action.
var adminActionConditionKeyMap = map[Action]condition.KeySet{
	AllAdminActions:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
	HealAdminAction:                condition.NewKeySet(condition.AllSupportedAdminKeys...),
	StorageInfoAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServerInfoAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DataUsageInfoAdminAction:       condition.NewKeySet(condition.AllSupportedAdminKeys...),
	PerfInfoAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
	TopLocksAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ProfilingAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
	TraceAdminAction:               condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ConsoleLogAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	KMSKeyStatusAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServerHardwareInfoAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServerUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ConfigUpdateAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	CreateUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DeleteUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListUsersAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
	EnableUserAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DisableUserAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetUserAdminAction:             condition.NewKeySet(condition.AllSupportedAdminKeys...),
	AddUserToGroupAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
	RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListGroupsAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	EnableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DisableGroupAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	CreatePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DeletePolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetPolicyAdminAction:           condition.NewKeySet(condition.AllSupportedAdminKeys...),
	AttachPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListUserPoliciesAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
}
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 2019-11-19 18:03:18 +08:00			`/*`
			`* MinIO Cloud Storage, (C) 2019 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package iampolicy`

			`import (`
Rename pkg/{tagging,lifecycle} to pkg/bucket sub-directory (#8892) Rename to allow for more such features to come in a more proper hierarchical manner. 2020-01-28 06:12:34 +08:00			`"github.com/minio/minio/pkg/bucket/policy/condition"`
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 2019-11-19 18:03:18 +08:00			`)`

			`// AdminAction - admin policy action.`
			`type AdminAction string`

			`const (`
			`// HealAdminAction - allows heal command`
			`HealAdminAction = "admin:Heal"`

			`// Service Actions`

Make admin permissions more granular for admin handlers. (#8888) 2020-01-27 10:47:52 +08:00			`// StorageInfoAdminAction - allow listing server info`
			`StorageInfoAdminAction = "admin:StorageInfo"`
Add new admin API to return Accounting Usage (#8689) 2020-02-05 10:20:39 +08:00			`// AccountingUsageInfoAdminAction - allow listing accounting usage info`
			`AccountingUsageInfoAdminAction = "admin:AccountingUsageInfo"`
Make admin permissions more granular for admin handlers. (#8888) 2020-01-27 10:47:52 +08:00			`// DataUsageInfoAdminAction - allow listing data usage info`
			`DataUsageInfoAdminAction = "admin:DataUsageInfo"`
			`// PerfInfoAdminAction - allow listing performance info`
			`PerfInfoAdminAction = "admin:PerfInfo"`
			`// TopLocksAdminAction - allow listing top locks`
			`TopLocksAdminAction = "admin:TopLocksInfo"`
			`// ProfilingAdminAction - allow profiling`
			`ProfilingAdminAction = "admin:Profiling"`
			`// TraceAdminAction - allow listing server trace`
			`TraceAdminAction = "admin:ServerTrace"`
			`// ConsoleLogAdminAction - allow listing console logs on terminal`
			`ConsoleLogAdminAction = "admin:ConsoleLog"`
			`// KMSKeyStatusAdminAction - allow getting KMS key status`
			`KMSKeyStatusAdminAction = "admin:KMSKeyStatus"`
			`// ServerHardwareInfoAdminAction - allow listing server hardware info`
			`ServerHardwareInfoAdminAction = "admin:HardwareInfo"`
			`// ServerInfoAdminAction - allow listing server info`
			`ServerInfoAdminAction = "admin:ServerInfo"`
Implement oboard diagnostics admin API (#9024) - Implement a graph algorithm to test network bandwidth from every node to every other node - Saturate any network bandwidth adaptively, accounting for slow and fast network capacity - Implement parallel drive OBD tests - Implement a paging mechanism for OBD test to provide periodic updates to client - Implement Sys, Process, Host, Mem OBD Infos 2020-03-27 12:07:39 +08:00			`// OBDInfoAdminAction - allow obtaining cluster on-board diagnostics`
			`OBDInfoAdminAction = "admin:OBDInfo"`
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 2019-11-19 18:03:18 +08:00
			`// ServerUpdateAdminAction - allow MinIO binary update`
			`ServerUpdateAdminAction = "admin:ServerUpdate"`

			`//Config Actions`

			`// ConfigUpdateAdminAction - allow MinIO config management`
			`ConfigUpdateAdminAction = "admin:ConfigUpdate"`

			`// User Actions`

			`// CreateUserAdminAction - allow creating MinIO user`
			`CreateUserAdminAction = "admin:CreateUser"`
			`// DeleteUserAdminAction - allow deleting MinIO user`
			`DeleteUserAdminAction = "admin:DeleteUser"`
			`// ListUsersAdminAction - allow list users permission`
			`ListUsersAdminAction = "admin:ListUsers"`
			`// EnableUserAdminAction - allow enable user permission`
			`EnableUserAdminAction = "admin:EnableUser"`
			`// DisableUserAdminAction - allow disable user permission`
			`DisableUserAdminAction = "admin:DisableUser"`
			`// GetUserAdminAction - allows GET permission on user info`
			`GetUserAdminAction = "admin:GetUser"`

			`// Group Actions`

			`// AddUserToGroupAdminAction - allow adding user to group permission`
			`AddUserToGroupAdminAction = "admin:AddUserToGroup"`
			`// RemoveUserFromGroupAdminAction - allow removing user to group permission`
			`RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"`
			`// GetGroupAdminAction - allow getting group info`
			`GetGroupAdminAction = "admin:GetGroup"`
			`// ListGroupsAdminAction - allow list groups permission`
			`ListGroupsAdminAction = "admin:ListGroups"`
			`// EnableGroupAdminAction - allow enable group permission`
			`EnableGroupAdminAction = "admin:EnableGroup"`
			`// DisableGroupAdminAction - allow disable group permission`
			`DisableGroupAdminAction = "admin:DisableGroup"`

			`// Policy Actions`

			`// CreatePolicyAdminAction - allow create policy permission`
			`CreatePolicyAdminAction = "admin:CreatePolicy"`
			`// DeletePolicyAdminAction - allow delete policy permission`
			`DeletePolicyAdminAction = "admin:DeletePolicy"`
			`// GetPolicyAdminAction - allow get policy permission`
			`GetPolicyAdminAction = "admin:GetPolicy"`
			`// AttachPolicyAdminAction - allows attaching a policy to a user/group`
			`AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"`
			`// ListUserPoliciesAdminAction - allows listing user policies`
			`ListUserPoliciesAdminAction = "admin:ListUserPolicies"`
			`// AllAdminActions - provides all admin permissions`
			`AllAdminActions = "admin:*"`
			`)`

			`// List of all supported admin actions.`
			`var supportedAdminActions = map[AdminAction]struct{}{`
			`AllAdminActions: {},`
			`HealAdminAction: {},`
Make admin permissions more granular for admin handlers. (#8888) 2020-01-27 10:47:52 +08:00			`ServerInfoAdminAction: {},`
			`StorageInfoAdminAction: {},`
			`DataUsageInfoAdminAction: {},`
			`PerfInfoAdminAction: {},`
			`TopLocksAdminAction: {},`
			`ProfilingAdminAction: {},`
			`TraceAdminAction: {},`
			`ConsoleLogAdminAction: {},`
			`KMSKeyStatusAdminAction: {},`
			`ServerHardwareInfoAdminAction: {},`
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 2019-11-19 18:03:18 +08:00			`ServerUpdateAdminAction: {},`
			`ConfigUpdateAdminAction: {},`
			`CreateUserAdminAction: {},`
			`DeleteUserAdminAction: {},`
			`ListUsersAdminAction: {},`
			`EnableUserAdminAction: {},`
			`DisableUserAdminAction: {},`
			`GetUserAdminAction: {},`
			`AddUserToGroupAdminAction: {},`
			`RemoveUserFromGroupAdminAction: {},`
			`ListGroupsAdminAction: {},`
			`EnableGroupAdminAction: {},`
			`DisableGroupAdminAction: {},`
			`CreatePolicyAdminAction: {},`
			`DeletePolicyAdminAction: {},`
			`GetPolicyAdminAction: {},`
			`AttachPolicyAdminAction: {},`
			`ListUserPoliciesAdminAction: {},`
			`}`

			`func parseAdminAction(s string) (AdminAction, error) {`
			`action := AdminAction(s)`
			`if action.IsValid() {`
			`return action, nil`
			`}`

Add more context aware error for policy parsing errors (#8726) In existing functionality we simply return a generic error such as "MalformedPolicy" which indicates just a generic string "invalid resource" which is not very meaningful when there might be multiple types of errors during policy parsing. This PR ensures that we send these errors back to client to indicate the actual error, brings in two concrete types such as - iampolicy.Error - policy.Error Refer #8202 2020-01-04 03:28:52 +08:00			`return action, Errorf("unsupported action '%v'", s)`
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 2019-11-19 18:03:18 +08:00			`}`

			`// IsValid - checks if action is valid or not.`
			`func (action AdminAction) IsValid() bool {`
			`_, ok := supportedAdminActions[action]`
			`return ok`
			`}`

			`// adminActionConditionKeyMap - holds mapping of supported condition key for an action.`
			`var adminActionConditionKeyMap = map[Action]condition.KeySet{`
			`AllAdminActions: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`HealAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
Make admin permissions more granular for admin handlers. (#8888) 2020-01-27 10:47:52 +08:00			`StorageInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ServerInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DataUsageInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`PerfInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`TopLocksAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ProfilingAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`TraceAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ConsoleLogAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`KMSKeyStatusAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ServerHardwareInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
Add support for multiple admins (#8487) Also define IAM policies for administering MinIO server 2019-11-19 18:03:18 +08:00			`ServerUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`CreateUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DeleteUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListUsersAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`EnableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DisableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`GetUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`AddUserToGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListGroupsAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`EnableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DisableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`CreatePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`DeletePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`GetPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`AttachPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),`
			`}`