Add support for multiple admins (#8487)

Also define IAM policies for administering
MinIO server

pkg/iam/policy/statement.go

@@ -30,7 +30,7 @@ type Statement struct {
 	SID        policy.ID           `json:"Sid,omitempty"`
 	Effect     policy.Effect       `json:"Effect"`
 	Actions    ActionSet           `json:"Action"`
-	Resources  ResourceSet         `json:"Resource"`
+	Resources  ResourceSet         `json:"Resource,omitempty"`
 	Conditions condition.Functions `json:"Condition,omitempty"`
 }
 
@@ -52,7 +52,8 @@ func (statement Statement) IsAllowed(args Args) bool {
 			resource += "/"
 		}
 
-		if !statement.Resources.Match(resource, args.ConditionValues) {
+		// For admin statements, resource match can be ignored.
+		if !statement.Resources.Match(resource, args.ConditionValues) && !statement.isAdmin() {
 			return false
 		}
 
@@ -61,6 +62,14 @@ func (statement Statement) IsAllowed(args Args) bool {
 
 	return statement.Effect.IsAllowed(check())
 }
+func (statement Statement) isAdmin() bool {
+	for action := range statement.Actions {
+		if !AdminAction(action).IsValid() {
+			return false
+		}
+	}
+	return true
+}
 
 // isValid - checks whether statement is valid or not.
 func (statement Statement) isValid() error {
@@ -72,6 +81,17 @@ func (statement Statement) isValid() error {
 		return fmt.Errorf("Action must not be empty")
 	}
 
+	if statement.isAdmin() {
+		for action := range statement.Actions {
+			keys := statement.Conditions.Keys()
+			keyDiff := keys.Difference(adminActionConditionKeyMap[action])
+			if !keyDiff.IsEmpty() {
+				return fmt.Errorf("unsupported condition keys '%v' used for action '%v'", keyDiff, action)
+			}
+		}
+		return nil
+	}
+
 	if len(statement.Resources) == 0 {
 		return fmt.Errorf("Resource must not be empty")
 	}