add missing admin actions, enhance AccountUsageInfo (#9607)

cmd/iam.go

@@ -28,7 +28,6 @@ import (
 	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/auth"
-	"github.com/minio/minio/pkg/bucket/policy"
 	iampolicy "github.com/minio/minio/pkg/iam/policy"
 	"github.com/minio/minio/pkg/madmin"
 )
@@ -1345,110 +1344,6 @@ func (sys *IAMSys) policyDBSet(name, policyName string, userType IAMUserType, is
 	return nil
 }
 
-var iamAccountReadAccessActions = iampolicy.NewActionSet(
-	iampolicy.ListMultipartUploadPartsAction,
-	iampolicy.ListBucketMultipartUploadsAction,
-	iampolicy.ListBucketAction,
-	iampolicy.HeadBucketAction,
-	iampolicy.GetObjectAction,
-	iampolicy.GetBucketLocationAction,
-
-	// iampolicy.ListAllMyBucketsAction,
-)
-
-var iamAccountWriteAccessActions = iampolicy.NewActionSet(
-	iampolicy.AbortMultipartUploadAction,
-	iampolicy.CreateBucketAction,
-	iampolicy.PutObjectAction,
-	iampolicy.DeleteObjectAction,
-	iampolicy.DeleteBucketAction,
-)
-
-var iamAccountOtherAccessActions = iampolicy.NewActionSet(
-	iampolicy.BypassGovernanceRetentionAction,
-	iampolicy.PutObjectRetentionAction,
-	iampolicy.GetObjectRetentionAction,
-	iampolicy.GetObjectLegalHoldAction,
-	iampolicy.PutObjectLegalHoldAction,
-	iampolicy.GetBucketObjectLockConfigurationAction,
-	iampolicy.PutBucketObjectLockConfigurationAction,
-
-	iampolicy.ListenBucketNotificationAction,
-
-	iampolicy.PutBucketLifecycleAction,
-	iampolicy.GetBucketLifecycleAction,
-
-	iampolicy.PutBucketNotificationAction,
-	iampolicy.GetBucketNotificationAction,
-
-	iampolicy.PutBucketPolicyAction,
-	iampolicy.DeleteBucketPolicyAction,
-	iampolicy.GetBucketPolicyAction,
-
-	iampolicy.PutBucketEncryptionAction,
-	iampolicy.GetBucketEncryptionAction,
-)
-
-// GetAccountAccess iterates over all policies documents associated to a user
-// and returns if the user has read and/or write access to any resource.
-func (sys *IAMSys) GetAccountAccess(accountName, bucket string) (rd, wr, o bool) {
-	policies, err := sys.PolicyDBGet(accountName, false)
-	if err != nil {
-		return false, false, false
-	}
-
-	if len(policies) == 0 {
-		// No policy found.
-		return false, false, false
-	}
-
-	// Policies were found, evaluate all of them.
-	sys.store.rlock()
-	defer sys.store.runlock()
-
-	var availablePolicies []iampolicy.Policy
-	for _, pname := range policies {
-		p, found := sys.iamPolicyDocsMap[pname]
-		if found {
-			availablePolicies = append(availablePolicies, p)
-		}
-	}
-
-	if len(availablePolicies) == 0 {
-		return false, false, false
-	}
-
-	combinedPolicy := availablePolicies[0]
-	for i := 1; i < len(availablePolicies); i++ {
-		combinedPolicy.Statements = append(combinedPolicy.Statements,
-			availablePolicies[i].Statements...)
-	}
-
-	allActions := iampolicy.NewActionSet(iampolicy.AllActions)
-	for _, st := range combinedPolicy.Statements {
-		// Ignore if this is not an allow policy statement
-		if st.Effect != policy.Allow {
-			continue
-		}
-		// Fast calculation if there is s3:* permissions to any resource
-		if !st.Actions.Intersection(allActions).IsEmpty() {
-			rd, wr, o = true, true, true
-			break
-		}
-		if !st.Actions.Intersection(iamAccountReadAccessActions).IsEmpty() {
-			rd = true
-		}
-		if !st.Actions.Intersection(iamAccountWriteAccessActions).IsEmpty() {
-			wr = true
-		}
-		if !st.Actions.Intersection(iamAccountOtherAccessActions).IsEmpty() {
-			o = true
-		}
-	}
-
-	return
-}
-
 // PolicyDBGet - gets policy set on a user or group. Since a user may
 // be a member of multiple groups, this function returns an array of
 // applicable policies (each group is mapped to at most one policy).