Add default canned policies (#6690)

cmd/iam.go

@@ -632,6 +632,22 @@ func reloadUsers(objectAPI ObjectLayer, prefix string, usersMap map[string]auth.
 	return nil
 }
 
+// Set default canned policies only if not already overridden by users.
+func setDefaultCannedPolicies(policies map[string]iampolicy.Policy) {
+	_, ok := policies["writeonly"]
+	if !ok {
+		policies["writeonly"] = iampolicy.WriteOnly
+	}
+	_, ok = policies["readonly"]
+	if !ok {
+		policies["readonly"] = iampolicy.ReadOnly
+	}
+	_, ok = policies["readwrite"]
+	if !ok {
+		policies["readwrite"] = iampolicy.ReadWrite
+	}
+}
+
 // Refresh IAMSys.
 func (sys *IAMSys) refresh(objAPI ObjectLayer) error {
 	iamUsersMap := make(map[string]auth.Credentials)
@@ -660,6 +676,9 @@ func (sys *IAMSys) refresh(objAPI ObjectLayer) error {
 		}
 	}
 
+	// Sets default canned policies, if none set.
+	setDefaultCannedPolicies(iamCannedPolicyMap)
+
 	sys.Lock()
 	defer sys.Unlock()
 

docs/multi-user/README.md

@@ -10,7 +10,7 @@ In this document we will explain in detail on how to configure multiple users.
 - Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide)
 
 ### 2. Create a new user with canned policy
-Use [`mc admin policies`](https://docs.minio.io/docs/minio-admin-complete-guide.html#policies) to create canned policies.
+Use [`mc admin policies`](https://docs.minio.io/docs/minio-admin-complete-guide.html#policies) to create canned policies. Server provides a default set of canned policies namely `writeonly`, `readonly` and `readwrite` *(these policies apply to all resources on the server)*. These can be overridden by custom policies using `mc admin policies` command.
 
 Create new canned policy file `getonly.json`. This policy enables users to download all objects under `my-bucketname`.
 ```json

pkg/iam/policy/constants.go

@@ -0,0 +1,60 @@
+/*
+ * Minio Cloud Storage, (C) 2018 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package iampolicy
+
+import (
+	"github.com/minio/minio/pkg/policy"
+)
+
+// ReadWrite - provides full access to all buckets and all objects
+var ReadWrite = Policy{
+	Version: DefaultVersion,
+	Statements: []Statement{
+		{
+			SID:       policy.ID(""),
+			Effect:    policy.Allow,
+			Actions:   NewActionSet(AllActions),
+			Resources: NewResourceSet(NewResource("*", "")),
+		},
+	},
+}
+
+// ReadOnly - read only.
+var ReadOnly = Policy{
+	Version: DefaultVersion,
+	Statements: []Statement{
+		{
+			SID:       policy.ID(""),
+			Effect:    policy.Allow,
+			Actions:   NewActionSet(GetBucketLocationAction, GetObjectAction),
+			Resources: NewResourceSet(NewResource("*", "")),
+		},
+	},
+}
+
+// WriteOnly - provides write access.
+var WriteOnly = Policy{
+	Version: DefaultVersion,
+	Statements: []Statement{
+		{
+			SID:       policy.ID(""),
+			Effect:    policy.Allow,
+			Actions:   NewActionSet(PutObjectAction),
+			Resources: NewResourceSet(NewResource("*", "")),
+		},
+	},
+}