From fde8c386380cdf8b0270ea4efb32b2177bef51c7 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 24 Oct 2018 17:14:27 -0700
Subject: [PATCH] Add default canned policies (#6690)
---
 cmd/iam.go | 19 ++++++++++++
 docs/multi-user/README.md | 2 +-
 pkg/iam/policy/constants.go | 60 +++++++++++++++++++++++++++++++++++++
 3 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 pkg/iam/policy/constants.go
diff --git a/cmd/iam.go b/cmd/iam.go
index f6a8246c9..5b887e234 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -632,6 +632,22 @@ func reloadUsers(objectAPI ObjectLayer, prefix string, usersMap map[string]auth.
 return nil
 }
 
+// Set default canned policies only if not already overridden by users.
+func setDefaultCannedPolicies(policies map[string]iampolicy.Policy) {
+ _, ok := policies["writeonly"]
+ if !ok {
+ policies["writeonly"] = iampolicy.WriteOnly
+ }
+ _, ok = policies["readonly"]
+ if !ok {
+ policies["readonly"] = iampolicy.ReadOnly
+ }
+ _, ok = policies["readwrite"]
+ if !ok {
+ policies["readwrite"] = iampolicy.ReadWrite
+ }
+}
+
 // Refresh IAMSys.
 func (sys *IAMSys) refresh(objAPI ObjectLayer) error {
 iamUsersMap := make(map[string]auth.Credentials)
@@ -660,6 +676,9 @@ func (sys *IAMSys) refresh(objAPI ObjectLayer) error {
 }
 }
 
+ // Sets default canned policies, if none set.
+ setDefaultCannedPolicies(iamCannedPolicyMap)
+
 sys.Lock()
 defer sys.Unlock()
 
diff --git a/docs/multi-user/README.md b/docs/multi-user/README.md
index 0744d78a1..a70381bed 100644
--- a/docs/multi-user/README.md
+++ b/docs/multi-user/README.md
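Review bot: The comment on setDefaultCannedPolicies does not state the precedence rule, and the three `_, ok = ...` / `if !ok` pairs share one `ok` and repeat the same check; a table-driven loop using the `if _, ok := policies[name]; !ok` form keeps the rule (a user-defined policy with one of these names always shadows the built-in) in a single place under a single doc comment. The function writes into the caller's map and will panic on a nil map, so the call added in the second hunk, `setDefaultCannedPolicies(iamCannedPolicyMap)`, depends on the map having been created earlier in refresh, outside the hunk; say so in the doc comment. The values stored are the package-level `iampolicy.ReadOnly`/`WriteOnly`/`ReadWrite` variables, whose Statements slices are shared with every map they are copied into, so everything that receives this map must treat those entries as read-only.
```go
// setDefaultCannedPolicies adds the built-in "readonly", "writeonly" and
// "readwrite" policies to policies unless a user-defined policy of the same
// name is already present; user definitions always win. policies must be
// non-nil (it is written to in place), and the stored values alias the
// package-level iampolicy defaults, so callers must not mutate them.
func setDefaultCannedPolicies(policies map[string]iampolicy.Policy) {
	defaults := map[string]iampolicy.Policy{
		"writeonly": iampolicy.WriteOnly,
		"readonly":  iampolicy.ReadOnly,
		"readwrite": iampolicy.ReadWrite,
	}
	for name, p := range defaults {
		if _, ok := policies[name]; !ok {
			policies[name] = p
		}
	}
}
```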
@@ -10,7 +10,7 @@ In this document we will explain in detail on how to configure multiple users.
 - Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide)
 ### 2. Create a new user with canned policy
-Use [`mc admin policies`](https://docs.minio.io/docs/minio-admin-complete-guide.html#policies) to create canned policies.
+Use [`mc admin policies`](https://docs.minio.io/docs/minio-admin-complete-guide.html#policies) to create canned policies. Server provides a default set of canned policies namely `writeonly`, `readonly` and `readwrite` *(these policies apply to all resources on the server)*. These can be overridden by custom policies using `mc admin policies` command.
 Create new canned policy file `getonly.json`. This policy enables users to download all objects under `my-bucketname`.
 ```json
diff --git a/pkg/iam/policy/constants.go b/pkg/iam/policy/constants.go
new file mode 100644
index 000000000..1886a726f
--- /dev/null
+++ b/pkg/iam/policy/constants.go
@@ -0,0 +1,60 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package iampolicy
+
+import (
+ "github.com/minio/minio/pkg/policy"
+)
+
+// ReadWrite - provides full access to all buckets and all objects
+var ReadWrite = Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: policy.ID(""),
+ Effect: policy.Allow,
+ Actions: NewActionSet(AllActions),
+ Resources: NewResourceSet(NewResource("*", "")),
+ },
+ },
+}
+
+// ReadOnly - read only.
+var ReadOnly = Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: policy.ID(""),
+ Effect: policy.Allow,
+ Actions: NewActionSet(GetBucketLocationAction, GetObjectAction),
+ Resources: NewResourceSet(NewResource("*", "")),
+ },
+ },
+}
+
+// WriteOnly - provides write access.
+var WriteOnly = Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: policy.ID(""),
+ Effect: policy.Allow,
+ Actions: NewActionSet(PutObjectAction),
+ Resources: NewResourceSet(NewResource("*", "")),
+ },
+ },
+}
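Review bot: The ReadWrite policy grants `NewActionSet(AllActions)` on resource `*`, which is every S3 action rather than object read and write, so — assuming AllActions expands to the `s3:*` wildcard as its name suggests — a principal holding `readwrite` can also change bucket policies and delete buckets, i.e. widen access for other principals; the doc comment should say this is the most privileged of the three defaults, not merely "full access". ReadOnly grants only s3:GetBucketLocation and s3:GetObject, so it does not permit listing bucket contents, and WriteOnly grants only s3:PutObject; suggested comments: `// ReadOnly - allows s3:GetBucketLocation and s3:GetObject on every resource; it does not grant bucket listing.` and `// WriteOnly - allows s3:PutObject on every resource; it grants no read or list permission.` All three are mutable package-level vars whose Statements slices (and the action and resource sets built inside them) are shared by every caller that stores them, so an in-place mutation anywhere changes the built-in default for the whole process; either hand out fresh values from constructor functions or, if the var form is kept, document that they must never be modified.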