Add canned policy support (#6637)

This PR adds an additional API where we can create
a new set of canned policies which can be used with one
or many users.

pkg/madmin/API.md

@@ -38,10 +38,10 @@ func main() {
 
 | Service operations         | Info operations  | Healing operations                    | Config operations        | IAM operations | Misc                                |
 |:----------------------------|:----------------------------|:--------------------------------------|:--------------------------|:------------------------------------|:------------------------------------|
-| [`ServiceStatus`](#ServiceStatus) | [`ServerInfo`](#ServerInfo) | [`Heal`](#Heal) | [`GetConfig`](#GetConfig) | [`AddUser()`](#AddUser) | [`SetAdminCredentials`](#SetAdminCredentials) |
-| [`ServiceSendAction`](#ServiceSendAction) | | | [`SetConfig`](#SetConfig) | [`AddUserPolicy`](#AddUserPolicy) | [`StartProfiling`](#StartProfiling) |
+| [`ServiceStatus`](#ServiceStatus) | [`ServerInfo`](#ServerInfo) | [`Heal`](#Heal) | [`GetConfig`](#GetConfig) | [`AddUser`](#AddUser) | [`SetAdminCredentials`](#SetAdminCredentials) |
+| [`ServiceSendAction`](#ServiceSendAction) | | | [`SetConfig`](#SetConfig) | [`SetUserPolicy`](#SetUserPolicy) | [`StartProfiling`](#StartProfiling) |
 | | |            | [`GetConfigKeys`](#GetConfigKeys) | [`ListUsers`](#ListUsers) | [`DownloadProfilingData`](#DownloadProfilingData) |
-| | |            | [`SetConfigKeys`](#SetConfigKeys) |                                     |
+| | |            | [`SetConfigKeys`](#SetConfigKeys) | [`AddCannedPolicy`](#AddCannedPolicy) | |
 
 
 ## 1. Constructor
@@ -349,6 +349,20 @@ __Example__
 
 ## 8. IAM operations
 
+<a name="AddCannedPolicy"></a>
+### AddCannedPolicy(policyName string, policy string) error
+Create a new canned policy on Minio server.
+
+__Example__
+
+```
+	policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::my-bucketname/*"],"Sid": ""}]}`
+
+    if err = madmClnt.AddCannedPolicy("get-only", policy); err != nil {
+		log.Fatalln(err)
+	}
+```
+
 <a name="AddUser"></a>
 ### AddUser(user string, secret string) error
 Add a new user on a Minio server.
@@ -361,16 +375,14 @@ __Example__
 	}
 ```
 
-<a name="AddUserPolicy"></a>
-### AddUserPolicy(user string, policy string) error
-Set a new policy for a given user on Minio server.
+<a name="SetUserPolicy"></a>
+### SetUserPolicy(user string, policyName string) error
+Enable a canned policy `get-only` for a given user on Minio server.
 
 __Example__
 
 ``` go
-	policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::my-bucketname/*"],"Sid": ""}]}`
-
-	if err = madmClnt.AddUserPolicy("newuser", policy); err != nil {
+	if err = madmClnt.SetUserPolicy("newuser", "get-only"); err != nil {
 		log.Fatalln(err)
 	}
 ```

pkg/madmin/examples/add-user-and-policy.go

@@ -46,7 +46,11 @@ func main() {
 	// Create policy
 	policy := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Resource": ["arn:aws:s3:::my-bucketname/*"],"Sid": ""}]}`
 
-	if err = madmClnt.AddUserPolicy("newuser", policy); err != nil {
+	if err = madmClnt.AddCannedPolicy("get-only", policy); err != nil {
+		log.Fatalln(err)
+	}
+
+	if err = madmClnt.SetUserPolicy("newuser", "get-only"); err != nil {
 		log.Fatalln(err)
 	}
 }

pkg/madmin/policy-commands.go

@@ -0,0 +1,107 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package madmin
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+)
+
+// ListCannedPolicies - list all configured canned policies.
+func (adm *AdminClient) ListCannedPolicies() (map[string][]byte, error) {
+	reqData := requestData{
+		relPath: "/v1/list-canned-policies",
+	}
+
+	// Execute GET on /minio/admin/v1/list-canned-policies
+	resp, err := adm.executeMethod("GET", reqData)
+
+	defer closeResponse(resp)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, httpRespToErrorResponse(resp)
+	}
+
+	respBytes, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var policies = make(map[string][]byte)
+	if err = json.Unmarshal(respBytes, &policies); err != nil {
+		return nil, err
+	}
+
+	return policies, nil
+}
+
+// RemoveCannedPolicy - remove a policy for a canned.
+func (adm *AdminClient) RemoveCannedPolicy(policyName string) error {
+	queryValues := url.Values{}
+	queryValues.Set("name", policyName)
+
+	reqData := requestData{
+		relPath:     "/v1/remove-canned-policy",
+		queryValues: queryValues,
+	}
+
+	// Execute DELETE on /minio/admin/v1/remove-canned-policy to remove policy.
+	resp, err := adm.executeMethod("DELETE", reqData)
+
+	defer closeResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return httpRespToErrorResponse(resp)
+	}
+
+	return nil
+}
+
+// AddCannedPolicy - adds a policy for a canned.
+func (adm *AdminClient) AddCannedPolicy(policyName, policy string) error {
+	queryValues := url.Values{}
+	queryValues.Set("name", policyName)
+
+	reqData := requestData{
+		relPath:     "/v1/add-canned-policy",
+		queryValues: queryValues,
+		content:     []byte(policy),
+	}
+
+	// Execute PUT on /minio/admin/v1/add-canned-policy to set policy.
+	resp, err := adm.executeMethod("PUT", reqData)
+
+	defer closeResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return httpRespToErrorResponse(resp)
+	}
+
+	return nil
+}

pkg/madmin/user-commands.go

@@ -34,8 +34,9 @@ const (
 
 // UserInfo carries information about long term users.
 type UserInfo struct {
-	SecretKey string        `json:"secretKey,omitempty"`
-	Status    AccountStatus `json:"status"`
+	SecretKey  string        `json:"secretKey,omitempty"`
+	PolicyName string        `json:"policyName,omitempty"`
+	Status     AccountStatus `json:"status"`
 }
 
 // RemoveUser - remove a user.
@@ -137,43 +138,18 @@ func (adm *AdminClient) AddUser(accessKey, secretKey string) error {
 	return adm.SetUser(accessKey, secretKey, AccountEnabled)
 }
 
-// RemoveUserPolicy - remove a policy for a user.
-func (adm *AdminClient) RemoveUserPolicy(accessKey string) error {
+// SetUserPolicy - adds a policy for a user.
+func (adm *AdminClient) SetUserPolicy(accessKey, policyName string) error {
 	queryValues := url.Values{}
 	queryValues.Set("accessKey", accessKey)
+	queryValues.Set("name", policyName)
 
 	reqData := requestData{
-		relPath:     "/v1/remove-user-policy",
+		relPath:     "/v1/set-user-policy",
 		queryValues: queryValues,
 	}
 
-	// Execute DELETE on /minio/admin/v1/remove-user-policy to remove policy.
-	resp, err := adm.executeMethod("DELETE", reqData)
-
-	defer closeResponse(resp)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return httpRespToErrorResponse(resp)
-	}
-
-	return nil
-}
-
-// AddUserPolicy - adds a policy for a user.
-func (adm *AdminClient) AddUserPolicy(accessKey, policy string) error {
-	queryValues := url.Values{}
-	queryValues.Set("accessKey", accessKey)
-
-	reqData := requestData{
-		relPath:     "/v1/add-user-policy",
-		queryValues: queryValues,
-		content:     []byte(policy),
-	}
-
-	// Execute PUT on /minio/admin/v1/add-user-policy to set policy.
+	// Execute PUT on /minio/admin/v1/set-user-policy to set policy.
 	resp, err := adm.executeMethod("PUT", reqData)
 
 	defer closeResponse(resp)