minio/pkg/iam/policy/admin-action.go

155 lines
6.3 KiB
Go
Raw Normal View History

/*
* MinIO Cloud Storage, (C) 2019 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package iampolicy
import (
"fmt"
"github.com/minio/minio/pkg/policy/condition"
)
// AdminAction - admin policy action.
type AdminAction string
const (
// HealAdminAction - allows heal command
HealAdminAction = "admin:Heal"
// Service Actions
// ListServerInfoAdminAction - allow listing server info
ListServerInfoAdminAction = "admin:ListServerInfo"
// ServerUpdateAdminAction - allow MinIO binary update
ServerUpdateAdminAction = "admin:ServerUpdate"
//Config Actions
// ConfigUpdateAdminAction - allow MinIO config management
ConfigUpdateAdminAction = "admin:ConfigUpdate"
// User Actions
// CreateUserAdminAction - allow creating MinIO user
CreateUserAdminAction = "admin:CreateUser"
// DeleteUserAdminAction - allow deleting MinIO user
DeleteUserAdminAction = "admin:DeleteUser"
// ListUsersAdminAction - allow list users permission
ListUsersAdminAction = "admin:ListUsers"
// EnableUserAdminAction - allow enable user permission
EnableUserAdminAction = "admin:EnableUser"
// DisableUserAdminAction - allow disable user permission
DisableUserAdminAction = "admin:DisableUser"
// GetUserAdminAction - allows GET permission on user info
GetUserAdminAction = "admin:GetUser"
// Group Actions
// AddUserToGroupAdminAction - allow adding user to group permission
AddUserToGroupAdminAction = "admin:AddUserToGroup"
// RemoveUserFromGroupAdminAction - allow removing user to group permission
RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
// GetGroupAdminAction - allow getting group info
GetGroupAdminAction = "admin:GetGroup"
// ListGroupsAdminAction - allow list groups permission
ListGroupsAdminAction = "admin:ListGroups"
// EnableGroupAdminAction - allow enable group permission
EnableGroupAdminAction = "admin:EnableGroup"
// DisableGroupAdminAction - allow disable group permission
DisableGroupAdminAction = "admin:DisableGroup"
// Policy Actions
// CreatePolicyAdminAction - allow create policy permission
CreatePolicyAdminAction = "admin:CreatePolicy"
// DeletePolicyAdminAction - allow delete policy permission
DeletePolicyAdminAction = "admin:DeletePolicy"
// GetPolicyAdminAction - allow get policy permission
GetPolicyAdminAction = "admin:GetPolicy"
// AttachPolicyAdminAction - allows attaching a policy to a user/group
AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
// ListUserPoliciesAdminAction - allows listing user policies
ListUserPoliciesAdminAction = "admin:ListUserPolicies"
// AllAdminActions - provides all admin permissions
AllAdminActions = "admin:*"
)
// List of all supported admin actions.
var supportedAdminActions = map[AdminAction]struct{}{
AllAdminActions: {},
HealAdminAction: {},
ListServerInfoAdminAction: {},
ServerUpdateAdminAction: {},
ConfigUpdateAdminAction: {},
CreateUserAdminAction: {},
DeleteUserAdminAction: {},
ListUsersAdminAction: {},
EnableUserAdminAction: {},
DisableUserAdminAction: {},
GetUserAdminAction: {},
AddUserToGroupAdminAction: {},
RemoveUserFromGroupAdminAction: {},
ListGroupsAdminAction: {},
EnableGroupAdminAction: {},
DisableGroupAdminAction: {},
CreatePolicyAdminAction: {},
DeletePolicyAdminAction: {},
GetPolicyAdminAction: {},
AttachPolicyAdminAction: {},
ListUserPoliciesAdminAction: {},
}
func parseAdminAction(s string) (AdminAction, error) {
action := AdminAction(s)
if action.IsValid() {
return action, nil
}
return action, fmt.Errorf("unsupported action '%v'", s)
}
// IsValid - checks if action is valid or not.
func (action AdminAction) IsValid() bool {
_, ok := supportedAdminActions[action]
return ok
}
// adminActionConditionKeyMap - holds mapping of supported condition key for an action.
var adminActionConditionKeyMap = map[Action]condition.KeySet{
AllAdminActions: condition.NewKeySet(condition.AllSupportedAdminKeys...),
HealAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
ListServerInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
ServerUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
CreateUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
DeleteUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
ListUsersAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
EnableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
DisableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
GetUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
AddUserToGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
ListGroupsAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
EnableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
DisableGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
CreatePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
DeletePolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
GetPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
AttachPolicyAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
}