diff --git a/cmd/admin-handlers-config-kv.go b/cmd/admin-handlers-config-kv.go
index f7f3093d7..b8616b573 100644
--- a/cmd/admin-handlers-config-kv.go
+++ b/cmd/admin-handlers-config-kv.go
@@ -60,7 +60,9 @@ func validateAdminReqConfigKV(ctx context.Context, w http.ResponseWriter, r *htt
 // DelConfigKVHandler - DELETE /minio/admin/v3/del-config-kv
 func (a adminAPIHandlers) DelConfigKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "DelConfigKVHandler")
+ ctx := newContext(r, w, "DeleteConfigKV")
+
+ defer logger.AuditLog(w, r, "DeleteConfigKV", mustGetClaimsFromToken(r))
 cred, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -100,7 +102,9 @@ func (a adminAPIHandlers) DelConfigKVHandler(w http.ResponseWriter, r *http.Requ
 // SetConfigKVHandler - PUT /minio/admin/v3/set-config-kv
 func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "SetConfigKVHandler")
+ ctx := newContext(r, w, "SetConfigKV")
+
+ defer logger.AuditLog(w, r, "SetConfigKV", mustGetClaimsFromToken(r))
 cred, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -159,7 +163,9 @@ func (a adminAPIHandlers) SetConfigKVHandler(w http.ResponseWriter, r *http.Requ
 // GetConfigKVHandler - GET /minio/admin/v3/get-config-kv?key={key}
 func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "GetConfigKVHandler")
+ ctx := newContext(r, w, "GetConfigKV")
+
+ defer logger.AuditLog(w, r, "GetConfigKV", mustGetClaimsFromToken(r))
 cred, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
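Review bot: The deferred audit call in DelConfigKVHandler sits before validateAdminReqConfigKV, so `mustGetClaimsFromToken(r)` is evaluated at the defer statement, before any credential check; that is only safe if it returns nil claims rather than panicking on an absent or malformed token, which this diff does not show. Placing the defer ahead of authorization also means denied requests are recorded, which is the right property for an audit trail but nothing says it is intentional; a one-line comment such as `// Deferred before authorization so that denied requests are audited too.` would settle that. The same shape is repeated in SetConfigKVHandler, GetConfigKVHandler and every handler in the later files, so one confirmation covers all of them. Separately, the API-name strings passed to newContext change ("DelConfigKVHandler" becomes "DeleteConfigKV" and so on), so anything keying on those names in traces or logs will see new values.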
@@ -195,7 +201,9 @@ func (a adminAPIHandlers) GetConfigKVHandler(w http.ResponseWriter, r *http.Requ
 }
 func (a adminAPIHandlers) ClearConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "ClearConfigHistoryKVHandler")
+ ctx := newContext(r, w, "ClearConfigHistoryKV")
+
+ defer logger.AuditLog(w, r, "ClearConfigHistoryKV", mustGetClaimsFromToken(r))
 _, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -230,7 +238,9 @@ func (a adminAPIHandlers) ClearConfigHistoryKVHandler(w http.ResponseWriter, r *
 // RestoreConfigHistoryKVHandler - restores a config with KV settings for the given KV id.
 func (a adminAPIHandlers) RestoreConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "RestoreConfigHistoryKVHandler")
+ ctx := newContext(r, w, "RestoreConfigHistoryKV")
+
+ defer logger.AuditLog(w, r, "RestoreConfigHistoryKV", mustGetClaimsFromToken(r))
 _, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -276,7 +286,9 @@ func (a adminAPIHandlers) RestoreConfigHistoryKVHandler(w http.ResponseWriter, r
 // ListConfigHistoryKVHandler - lists all the KV ids.
 func (a adminAPIHandlers) ListConfigHistoryKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "ListConfigHistoryKVHandler")
+ ctx := newContext(r, w, "ListConfigHistoryKV")
+
+ defer logger.AuditLog(w, r, "ListConfigHistoryKV", mustGetClaimsFromToken(r))
 cred, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -314,7 +326,9 @@ func (a adminAPIHandlers) ListConfigHistoryKVHandler(w http.ResponseWriter, r *h
 // HelpConfigKVHandler - GET /minio/admin/v3/help-config-kv?subSys={subSys}&key={key}
 func (a adminAPIHandlers) HelpConfigKVHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "HelpConfigKVHandler")
+ ctx := newContext(r, w, "HelpConfigKV")
+
+ defer logger.AuditLog(w, r, "HelpHistoryKV", mustGetClaimsFromToken(r))
 _, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -340,7 +354,9 @@ func (a adminAPIHandlers) HelpConfigKVHandler(w http.ResponseWriter, r *http.Req
 // SetConfigHandler - PUT /minio/admin/v3/config
 func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "SetConfigHandler")
+ ctx := newContext(r, w, "SetConfig")
+
+ defer logger.AuditLog(w, r, "SetConfig", mustGetClaimsFromToken(r))
 cred, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
@@ -395,7 +411,9 @@ func (a adminAPIHandlers) SetConfigHandler(w http.ResponseWriter, r *http.Reques
 // GetConfigHandler - GET /minio/admin/v3/config
 // Get config.json of this minio setup.
 func (a adminAPIHandlers) GetConfigHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "GetConfigHandler")
+ ctx := newContext(r, w, "GetConfig")
+
+ defer logger.AuditLog(w, r, "GetConfig", mustGetClaimsFromToken(r))
 cred, objectAPI := validateAdminReqConfigKV(ctx, w, r)
 if objectAPI == nil {
diff --git a/cmd/admin-handlers-quota.go b/cmd/admin-handlers-quota.go
index 6e28a0fa0..d4a7ba59f 100644
--- a/cmd/admin-handlers-quota.go
+++ b/cmd/admin-handlers-quota.go
@@ -23,6 +23,7 @@ import (
 "github.com/gorilla/mux"
 "github.com/minio/minio/cmd/config"
+ "github.com/minio/minio/cmd/logger"
 "github.com/minio/minio/pkg/env"
 iampolicy "github.com/minio/minio/pkg/iam/policy"
 )
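Review bot: The audit action name in HelpConfigKVHandler does not match the handler: the context is created as "HelpConfigKV" but the audit entry is emitted as `"HelpHistoryKV"`, whereas every other handler in this commit passes the same string to newContext and AuditLog. Anyone filtering the audit stream by action will not find help-config requests under the expected name, and the stray name looks like a copy-paste from the history handlers. Change the line to `defer logger.AuditLog(w, r, "HelpConfigKV", mustGetClaimsFromToken(r))`.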
@@ -38,6 +39,9 @@ const (
 // to enforce total quota for the specified bucket.
 func (a adminAPIHandlers) PutBucketQuotaConfigHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "PutBucketQuotaConfig")
+
+ defer logger.AuditLog(w, r, "PutBucketQuotaConfig", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketQuotaAdminAction)
 if objectAPI == nil {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
@@ -91,6 +95,8 @@ func (a adminAPIHandlers) PutBucketQuotaConfigHandler(w http.ResponseWriter, r *
 func (a adminAPIHandlers) GetBucketQuotaConfigHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "GetBucketQuotaConfig")
+ defer logger.AuditLog(w, r, "GetBucketQuotaConfig", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetBucketQuotaAdminAction)
 if objectAPI == nil {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
@@ -122,6 +128,9 @@ func (a adminAPIHandlers) GetBucketQuotaConfigHandler(w http.ResponseWriter, r *
 // Removes quota configuration on the specified bucket.
 func (a adminAPIHandlers) RemoveBucketQuotaConfigHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "RemoveBucketQuotaConfig")
+
+ defer logger.AuditLog(w, r, "RemoveBucketQuotaConfig", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketQuotaAdminAction)
 if objectAPI == nil {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 74af6321d..ddbc5caeb 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
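Review bot: Blank-line placement around the new defer is inconsistent within cmd/admin-handlers-quota.go: PutBucketQuotaConfigHandler and RemoveBucketQuotaConfigHandler put a blank line on both sides of the audit call, while GetBucketQuotaConfigHandler puts none before it, and cmd/admin-handlers-users.go and cmd/admin-handlers.go mix both shapes too. Settling on one form (ctx, defer, blank line) across the commit makes it trivial to grep for handlers that still lack an audit entry, which is the property this change is meant to establish.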
@@ -55,6 +55,8 @@ func validateAdminUsersReq(ctx context.Context, w http.ResponseWriter, r *http.R
 func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "RemoveUser")
+ defer logger.AuditLog(w, r, "RemoveUser", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.DeleteUserAdminAction)
 if objectAPI == nil {
 return
@@ -91,6 +93,8 @@ func (a adminAPIHandlers) RemoveUser(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ListUsers")
+ defer logger.AuditLog(w, r, "ListUsers", mustGetClaimsFromToken(r))
+
 objectAPI, cred := validateAdminUsersReq(ctx, w, r, iampolicy.ListUsersAdminAction)
 if objectAPI == nil {
 return
@@ -123,6 +127,8 @@ func (a adminAPIHandlers) ListUsers(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "GetUserInfo")
+ defer logger.AuditLog(w, r, "GetUserInfo", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetUserAdminAction)
 if objectAPI == nil {
 return
@@ -150,6 +156,8 @@ func (a adminAPIHandlers) GetUserInfo(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "UpdateGroupMembers")
+ defer logger.AuditLog(w, r, "UpdateGroupMembers", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.AddUserToGroupAdminAction)
 if objectAPI == nil {
 return
@@ -193,6 +201,8 @@ func (a adminAPIHandlers) UpdateGroupMembers(w http.ResponseWriter, r *http.Requ
 func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "GetGroup")
+ defer logger.AuditLog(w, r, "GetGroup", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetGroupAdminAction)
 if objectAPI == nil {
 return
@@ -220,6 +230,8 @@ func (a adminAPIHandlers) GetGroup(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ListGroups")
+ defer logger.AuditLog(w, r, "ListGroups", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListGroupsAdminAction)
 if objectAPI == nil {
 return
@@ -244,6 +256,8 @@ func (a adminAPIHandlers) ListGroups(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "SetGroupStatus")
+ defer logger.AuditLog(w, r, "SetGroupStatus", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.EnableGroupAdminAction)
 if objectAPI == nil {
 return
@@ -279,6 +293,8 @@ func (a adminAPIHandlers) SetGroupStatus(w http.ResponseWriter, r *http.Request)
 func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "SetUserStatus")
+ defer logger.AuditLog(w, r, "SetUserStatus", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.EnableUserAdminAction)
 if objectAPI == nil {
 return
@@ -312,6 +328,8 @@ func (a adminAPIHandlers) SetUserStatus(w http.ResponseWriter, r *http.Request)
 func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "AddUser")
+ defer logger.AuditLog(w, r, "AddUser", mustGetClaimsFromToken(r))
+
 objectAPI, cred := validateAdminUsersReq(ctx, w, r, iampolicy.CreateUserAdminAction)
 if objectAPI == nil {
 return
@@ -365,6 +383,8 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "AddServiceAccount")
+ defer logger.AuditLog(w, r, "AddServiceAccount", mustGetClaimsFromToken(r))
+
 // Get current object layer instance.
 objectAPI := newObjectLayerWithoutSafeModeFn()
 if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
@@ -442,6 +462,8 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ListServiceAccounts")
+ defer logger.AuditLog(w, r, "ListServiceAccounts", mustGetClaimsFromToken(r))
+
 // Get current object layer instance.
 objectAPI := newObjectLayerWithoutSafeModeFn()
 if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
@@ -495,6 +517,8 @@ func (a adminAPIHandlers) ListServiceAccounts(w http.ResponseWriter, r *http.Req
 func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "DeleteServiceAccount")
+ defer logger.AuditLog(w, r, "DeleteServiceAccount", mustGetClaimsFromToken(r))
+
 // Get current object layer instance.
 objectAPI := newObjectLayerWithoutSafeModeFn()
 if objectAPI == nil || globalNotificationSys == nil || globalIAMSys == nil {
@@ -552,6 +576,8 @@ func (a adminAPIHandlers) DeleteServiceAccount(w http.ResponseWriter, r *http.Re
 func (a adminAPIHandlers) InfoCannedPolicyV2(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "InfoCannedPolicyV2")
+ defer logger.AuditLog(w, r, "InfoCannedPolicyV2", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetPolicyAdminAction)
 if objectAPI == nil {
 return
@@ -577,6 +603,8 @@ func (a adminAPIHandlers) InfoCannedPolicyV2(w http.ResponseWriter, r *http.Requ
 func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "InfoCannedPolicy")
+ defer logger.AuditLog(w, r, "InfoCannedPolicy", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.GetPolicyAdminAction)
 if objectAPI == nil {
 return
@@ -596,6 +624,8 @@ func (a adminAPIHandlers) InfoCannedPolicy(w http.ResponseWriter, r *http.Reques
 func (a adminAPIHandlers) ListCannedPoliciesV2(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ListCannedPoliciesV2")
+ defer logger.AuditLog(w, r, "ListCannedPoliciesV2", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction)
 if objectAPI == nil {
 return
@@ -628,6 +658,8 @@ func (a adminAPIHandlers) ListCannedPoliciesV2(w http.ResponseWriter, r *http.Re
 func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ListCannedPolicies")
+ defer logger.AuditLog(w, r, "ListCannedPolicies", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.ListUserPoliciesAdminAction)
 if objectAPI == nil {
 return
@@ -660,6 +692,8 @@ func (a adminAPIHandlers) ListCannedPolicies(w http.ResponseWriter, r *http.Requ
 func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "RemoveCannedPolicy")
+ defer logger.AuditLog(w, r, "RemoveCannedPolicy", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.DeletePolicyAdminAction)
 if objectAPI == nil {
 return
@@ -686,6 +720,8 @@ func (a adminAPIHandlers) RemoveCannedPolicy(w http.ResponseWriter, r *http.Requ
 func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "AddCannedPolicy")
+ defer logger.AuditLog(w, r, "AddCannedPolicy", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.CreatePolicyAdminAction)
 if objectAPI == nil {
 return
@@ -736,6 +772,8 @@ func (a adminAPIHandlers) AddCannedPolicy(w http.ResponseWriter, r *http.Request
 func (a adminAPIHandlers) SetPolicyForUserOrGroup(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "SetPolicyForUserOrGroup")
+ defer logger.AuditLog(w, r, "SetPolicyForUserOrGroup", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminUsersReq(ctx, w, r, iampolicy.AttachPolicyAdminAction)
 if objectAPI == nil {
 return
diff --git a/cmd/admin-handlers.go b/cmd/admin-handlers.go
index d659cbcba..43b4ede9a 100644
--- a/cmd/admin-handlers.go
+++ b/cmd/admin-handlers.go
@@ -101,6 +101,8 @@ func updateServer(updateURL, sha256Hex string, latestReleaseTime time.Time) (us
 func (a adminAPIHandlers) ServerUpdateHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ServerUpdate")
+ defer logger.AuditLog(w, r, "ServerUpdate", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerUpdateAdminAction)
 if objectAPI == nil {
 return
@@ -174,20 +176,17 @@ func (a adminAPIHandlers) ServerUpdateHandler(w http.ResponseWriter, r *http.Req
 }
 }
-// ServiceActionHandler - POST /minio/admin/v3/service?action={action}
+// ServiceHandler - POST /minio/admin/v3/service?action={action}
 // ----------
 // restarts/stops minio server gracefully. In a distributed setup,
-func (a adminAPIHandlers) ServiceActionHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "ServiceAction")
+func (a adminAPIHandlers) ServiceHandler(w http.ResponseWriter, r *http.Request) {
+ ctx := newContext(r, w, "Service")
+
+ defer logger.AuditLog(w, r, "Service", mustGetClaimsFromToken(r))
 vars := mux.Vars(r)
 action := vars["action"]
- objectAPI, _ := validateAdminReq(ctx, w, r, "")
- if objectAPI == nil {
- return
- }
-
 var serviceSig serviceSignal
 switch madmin.ServiceAction(action) {
 case madmin.ServiceActionRestart:
@@ -200,6 +199,16 @@ func (a adminAPIHandlers) ServiceActionHandler(w http.ResponseWriter, r *http.Re
 return
 }
+ var objectAPI ObjectLayer
+ if serviceSig == serviceRestart {
+ objectAPI, _ = validateAdminReq(ctx, w, r, iampolicy.ServiceRestartAdminAction)
+ } else {
+ objectAPI, _ = validateAdminReq(ctx, w, r, iampolicy.ServiceStopAdminAction)
+ }
+ if objectAPI == nil {
+ return
+ }
+
 // Notify all other MinIO peers signal service.
 for _, nerr := range globalNotificationSys.SignalService(serviceSig) {
 if nerr.Err != nil {
@@ -268,6 +277,9 @@ type ServerInfo struct {
 // Get server information
 func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "StorageInfo")
+
+ defer logger.AuditLog(w, r, "StorageInfo", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.StorageInfoAdminAction)
 if objectAPI == nil {
 return
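Review bot: Authorization in ServiceHandler now runs after the action string has been parsed and after the switch's error path, so a request with an unrecognized `action` is answered before any credential check; the switch's default branch is outside the first hunk, but the `return` and `}` at the top of the second hunk suggest it writes an error response and exits. The practical effect is that the error a caller receives for an invalid action no longer depends on having valid credentials, and a caller with bad credentials sees a different error than before; if that ordering is intended it deserves a comment, otherwise the credential check should come first. The new if/else on serviceSig would read more naturally folded into the existing switch, e.g. `case madmin.ServiceActionRestart: serviceSig, adminAction = serviceRestart, iampolicy.ServiceRestartAdminAction`, followed by a single `validateAdminReq(ctx, w, r, adminAction)` call. Replacing `validateAdminReq(ctx, w, r, "")` with two specific actions is a policy tightening: principals whose policies enumerate admin actions explicitly lose restart/stop until those policies are updated, which should be called out in the release notes.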
@@ -293,6 +305,9 @@ func (a adminAPIHandlers) StorageInfoHandler(w http.ResponseWriter, r *http.Requ
 // Get server/cluster data usage info
 func (a adminAPIHandlers) DataUsageInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "DataUsageInfo")
+
+ defer logger.AuditLog(w, r, "DataUsageInfo", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.DataUsageInfoAdminAction)
 if objectAPI == nil {
 return
@@ -315,6 +330,9 @@ func (a adminAPIHandlers) DataUsageInfoHandler(w http.ResponseWriter, r *http.Re
 func (a adminAPIHandlers) AccountingUsageInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "AccountingUsageInfo")
+
+ defer logger.AuditLog(w, r, "AccountingUsageInfo", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.AccountingUsageInfoAdminAction)
 if objectAPI == nil {
 return
@@ -430,6 +448,8 @@ type PeerLocks struct {
 func (a adminAPIHandlers) TopLocksHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "TopLocks")
+ defer logger.AuditLog(w, r, "TopLocks", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.TopLocksAdminAction)
 if objectAPI == nil {
 return
@@ -475,6 +495,8 @@ type StartProfilingResult struct {
 func (a adminAPIHandlers) StartProfilingHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "StartProfiling")
+ defer logger.AuditLog(w, r, "StartProfiling", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction)
 if objectAPI == nil {
 return
@@ -571,6 +593,8 @@ func (f dummyFileInfo) Sys() interface{} { return f.sys }
 func (a adminAPIHandlers) DownloadProfilingHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "DownloadProfiling")
+ defer logger.AuditLog(w, r, "DownloadProfiling", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ProfilingAdminAction)
 if objectAPI == nil {
 return
@@ -663,6 +687,8 @@ func extractHealInitParams(vars map[string]string, qParms url.Values, r io.Reade
 func (a adminAPIHandlers) HealHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "Heal")
+ defer logger.AuditLog(w, r, "Heal", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealAdminAction)
 if objectAPI == nil {
 return
@@ -809,6 +835,8 @@ func (a adminAPIHandlers) HealHandler(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) BackgroundHealStatusHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "HealBackgroundStatus")
+ defer logger.AuditLog(w, r, "HealBackgroundStatus", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.HealAdminAction)
 if objectAPI == nil {
 return
@@ -970,6 +998,7 @@ func mustTrace(entry interface{}, trcAll, errOnly bool) bool {
 // The handler sends http trace to the connected HTTP client.
 func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "HTTPTrace")
+
 trcAll := r.URL.Query().Get("all") == "true"
 trcErr := r.URL.Query().Get("err") == "true"
@@ -1025,6 +1054,8 @@ func (a adminAPIHandlers) TraceHandler(w http.ResponseWriter, r *http.Request) {
 func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ConsoleLog")
+ defer logger.AuditLog(w, r, "ConsoleLog", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ConsoleLogAdminAction)
 if objectAPI == nil {
 return
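Review bot: TraceHandler is the only admin handler touched in this commit that gains no audit entry; its hunk adds just a blank line after newContext, so subscriptions to the server's HTTP trace remain unaudited while ConsoleLog, Profiling and Heal are now recorded. If the omission is deliberate because the handler streams to the client until it disconnects, which presumably would delay a deferred AuditLog until the stream ends, say so on that line: `// Not audited here: the response streams until the client disconnects.` Otherwise add `defer logger.AuditLog(w, r, "HTTPTrace", mustGetClaimsFromToken(r))` like the other handlers. The body of TraceHandler continues outside the hunk.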
@@ -1092,7 +1123,9 @@ func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Reque
 // KMSKeyStatusHandler - GET /minio/admin/v3/kms/key/status?key-id=
 func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Request) {
- ctx := newContext(r, w, "KMSKeyStatusHandler")
+ ctx := newContext(r, w, "KMSKeyStatus")
+
+ defer logger.AuditLog(w, r, "KMSKeyStatus", mustGetClaimsFromToken(r))
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.KMSKeyStatusAdminAction)
 if objectAPI == nil {
@@ -1164,6 +1197,9 @@ func (a adminAPIHandlers) KMSKeyStatusHandler(w http.ResponseWriter, r *http.Req
 // Get server on-board diagnostics
 func (a adminAPIHandlers) OBDInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "OBDInfo")
+
+ defer logger.AuditLog(w, r, "OBDInfo", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.OBDInfoAdminAction)
 if objectAPI == nil {
 return
@@ -1326,6 +1362,9 @@ func (a adminAPIHandlers) OBDInfoHandler(w http.ResponseWriter, r *http.Request)
 // Get server information
 func (a adminAPIHandlers) ServerInfoHandler(w http.ResponseWriter, r *http.Request) {
 ctx := newContext(r, w, "ServerInfo")
+
+ defer logger.AuditLog(w, r, "ServerInfo", mustGetClaimsFromToken(r))
+
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ServerInfoAdminAction)
 if objectAPI == nil {
 return
diff --git a/cmd/admin-router.go b/cmd/admin-router.go
index 9b9af6682..519b6fc8f 100644
--- a/cmd/admin-router.go
+++ b/cmd/admin-router.go
@@ -50,7 +50,7 @@ func registerAdminRouter(router *mux.Router, enableConfigOps, enableIAMOps, enab
 for _, adminVersion := range adminVersions {
 // Restart and stop MinIO service.
- adminRouter.Methods(http.MethodPost).Path(adminVersion+"/service").HandlerFunc(httpTraceAll(adminAPI.ServiceActionHandler)).Queries("action", "{action:.*}")
+ adminRouter.Methods(http.MethodPost).Path(adminVersion+"/service").HandlerFunc(httpTraceAll(adminAPI.ServiceHandler)).Queries("action", "{action:.*}")
 // Update MinIO servers.
 adminRouter.Methods(http.MethodPost).Path(adminVersion+"/update").HandlerFunc(httpTraceAll(adminAPI.ServerUpdateHandler)).Queries("updateURL", "{updateURL:.*}")
diff --git a/pkg/iam/policy/admin-action.go b/pkg/iam/policy/admin-action.go
index 04a8eda47..00a8329f3 100644
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@@ -52,17 +52,16 @@ const (
 // ServerUpdateAdminAction - allow MinIO binary update
 ServerUpdateAdminAction = "admin:ServerUpdate"
-
- //Config Actions
+ // ServiceRestartAdminAction - allow restart of MinIO service.
+ ServiceRestartAdminAction = "admin:ServiceRestart"
+ // ServiceStopAdminAction - allow stopping MinIO service.
+ ServiceStopAdminAction = "admin:ServiceStop"
 // ConfigUpdateAdminAction - allow MinIO config management
 ConfigUpdateAdminAction = "admin:ConfigUpdate"
- // User Actions
-
 // CreateUserAdminAction - allow creating MinIO user
 CreateUserAdminAction = "admin:CreateUser"
-
 // DeleteUserAdminAction - allow deleting MinIO user
 DeleteUserAdminAction = "admin:DeleteUser"
 // ListUsersAdminAction - allow list users permission
@@ -127,6 +126,8 @@ var supportedAdminActions = map[AdminAction]struct{}{
 ConsoleLogAdminAction: {},
 KMSKeyStatusAdminAction: {},
 ServerUpdateAdminAction: {},
+ ServiceRestartAdminAction: {},
+ ServiceStopAdminAction: {},
 ConfigUpdateAdminAction: {},
 CreateUserAdminAction: {},
 DeleteUserAdminAction: {},
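Review bot: The two new constants ServiceRestartAdminAction and ServiceStopAdminAction are registered in supportedAdminActions and adminActionConditionKeyMap, but nothing in this diff shows whether any aggregate or wildcard admin action the package may define expands to include them, or whether the user-facing list of admin actions in the policy documentation is updated; both need checking, since ServiceHandler now authorizes against exactly these two values and a principal holding only the older broad grant would otherwise be locked out of restart/stop. The doc comments on the new constants end with a period while the neighbouring ones in the same const block ("allow MinIO binary update", "allow MinIO config management") do not; matching the existing form keeps the block uniform. Removing the `//Config Actions` and `// User Actions` group headers also drops the only visual grouping in this block, which is fine if intended but worth a mention in the commit message.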
@@ -177,6 +178,8 @@ var adminActionConditionKeyMap = map[Action]condition.KeySet{
 ConsoleLogAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 KMSKeyStatusAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 ServerUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ ServiceRestartAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
+ ServiceStopAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 CreateUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
 DeleteUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),