Add support for multiple admins (#8487)

Also define IAM policies for administering
MinIO server

cmd/auth-handler.go

@@ -120,20 +120,16 @@ func getRequestAuthType(r *http.Request) authType {
 
 // checkAdminRequestAuthType checks whether the request is a valid signature V2 or V4 request.
 // It does not accept presigned or JWT or anonymous requests.
-func checkAdminRequestAuthType(ctx context.Context, r *http.Request, region string) APIErrorCode {
+func checkAdminRequestAuthType(ctx context.Context, r *http.Request, action iampolicy.AdminAction, region string) (auth.Credentials, APIErrorCode) {
+	var cred auth.Credentials
+	var owner bool
 	s3Err := ErrAccessDenied
 	if _, ok := r.Header[xhttp.AmzContentSha256]; ok &&
 		getRequestAuthType(r) == authTypeSigned && !skipContentSha256Cksum(r) {
 		// We only support admin credentials to access admin APIs.
-
-		var owner bool
-		_, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
+		cred, owner, s3Err = getReqAccessKeyV4(r, region, serviceS3)
 		if s3Err != ErrNone {
-			return s3Err
-		}
-
-		if !owner {
-			return ErrAccessDenied
+			return cred, s3Err
 		}
 
 		// we only support V4 (no presign) with auth body
@@ -144,7 +140,25 @@ func checkAdminRequestAuthType(ctx context.Context, r *http.Request, region stri
 		ctx := logger.SetReqInfo(ctx, reqInfo)
 		logger.LogIf(ctx, errors.New(getAPIError(s3Err).Description), logger.Application)
 	}
-	return s3Err
+
+	var claims map[string]interface{}
+	claims, s3Err = checkClaimsFromToken(r, cred)
+	if s3Err != ErrNone {
+		return cred, s3Err
+	}
+
+	if globalIAMSys.IsAllowed(iampolicy.Args{
+		AccountName:     cred.AccessKey,
+		Action:          iampolicy.Action(action),
+		ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
+		IsOwner:         owner,
+		Claims:          claims,
+	}) {
+		// Request is allowed return the appropriate access key.
+		return cred, ErrNone
+	}
+
+	return cred, ErrAccessDenied
 }
 
 // Fetch the security token set by the client.