With this change, MinIO's ILM supports transitioning objects to a remote tier. This change includes support for Azure Blob Storage, AWS S3 compatible object storage incl. MinIO and Google Cloud Storage as remote tier storage backends. Some new additions include: - Admin APIs remote tier configuration management - Simple journal to track remote objects to be 'collected' This is used by object API handlers which 'mutate' object versions by overwriting/replacing content (Put/CopyObject) or removing the version itself (e.g DeleteObjectVersion). - Rework of previous ILM transition to fit the new model In the new model, a storage class (a.k.a remote tier) is defined by the 'remote' object storage type (one of s3, azure, GCS), bucket name and a prefix. * Fixed bugs, review comments, and more unit-tests - Leverage inline small object feature - Migrate legacy objects to the latest object format before transitioning - Fix restore to particular version if specified - Extend SharedDataDirCount to handle transitioned and restored objects - Restore-object should accept version-id for version-suspended bucket (#12091) - Check if remote tier creds have sufficient permissions - Bonus minor fixes to existing error messages Co-authored-by: Poorna Krishnamoorthy <poorna@minio.io> Co-authored-by: Krishna Srinivas <krishna@minio.io> Signed-off-by: Harshavardhana <harsha@minio.io>
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

package iampolicy
import (
"github.com/minio/minio/pkg/bucket/policy/condition"
)
// AdminAction is the string form of an administrative permission as it
// appears in an IAM policy statement, e.g. "admin:Heal".
//
// The admin action constants in this file are untyped string constants,
// which is why the same identifier can key both map[AdminAction]
// (supportedAdminActions) and map[Action] (adminActionConditionKeyMap)
// without an explicit conversion.
type AdminAction string

// Admin actions an IAM policy statement may name. They are deliberately
// untyped string constants so that one identifier can serve as a key of
// both map[AdminAction] and map[Action] in this file. The right-hand side
// is the wire value that appears in policy JSON; where it differs from the
// Go identifier the difference is called out in the comment.
//
// Not every constant declared here is listed in supportedAdminActions;
// the ones that are not (ForceUnlockAdminAction, KMSCreateKeyAdminAction)
// are reported as invalid by AdminAction.IsValid.
const (
	// HealAdminAction - permits running heal.
	HealAdminAction = "admin:Heal"

	// Service and observability actions

	// StorageInfoAdminAction - permits listing storage/server info.
	StorageInfoAdminAction = "admin:StorageInfo"
	// PrometheusAdminAction - Prometheus info action.
	PrometheusAdminAction = "admin:Prometheus"
	// DataUsageInfoAdminAction - permits listing data usage info.
	DataUsageInfoAdminAction = "admin:DataUsageInfo"
	// ForceUnlockAdminAction - permits force-unlocking locks.
	// Declared but not part of supportedAdminActions (see IsValid).
	ForceUnlockAdminAction = "admin:ForceUnlock"
	// TopLocksAdminAction - permits listing top locks.
	// Wire value is "admin:TopLocksInfo", not "admin:TopLocks".
	TopLocksAdminAction = "admin:TopLocksInfo"
	// ProfilingAdminAction - permits profiling.
	ProfilingAdminAction = "admin:Profiling"
	// TraceAdminAction - permits listing the server trace.
	// Wire value is "admin:ServerTrace", not "admin:Trace".
	TraceAdminAction = "admin:ServerTrace"
	// ConsoleLogAdminAction - permits listing console logs on the terminal.
	ConsoleLogAdminAction = "admin:ConsoleLog"
	// KMSCreateKeyAdminAction - permits creating a new KMS master key.
	// Declared but not part of supportedAdminActions (see IsValid).
	KMSCreateKeyAdminAction = "admin:KMSCreateKey"
	// KMSKeyStatusAdminAction - permits querying KMS key status.
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
	// ServerInfoAdminAction - permits listing server info.
	ServerInfoAdminAction = "admin:ServerInfo"
	// HealthInfoAdminAction - permits obtaining cluster health information.
	// Wire value is "admin:OBDInfo"; the identifier was renamed but the
	// string was kept, presumably for policy compatibility — do not change it.
	HealthInfoAdminAction = "admin:OBDInfo"
	// BandwidthMonitorAction - permits monitoring bandwidth usage.
	BandwidthMonitorAction = "admin:BandwidthMonitor"

	// Server lifecycle actions

	// ServerUpdateAdminAction - permits updating the MinIO binary.
	ServerUpdateAdminAction = "admin:ServerUpdate"
	// ServiceRestartAdminAction - permits restarting the MinIO service.
	ServiceRestartAdminAction = "admin:ServiceRestart"
	// ServiceStopAdminAction - permits stopping the MinIO service.
	ServiceStopAdminAction = "admin:ServiceStop"

	// Configuration actions

	// ConfigUpdateAdminAction - permits MinIO config management.
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// User actions

	// CreateUserAdminAction - permits creating a MinIO user.
	CreateUserAdminAction = "admin:CreateUser"
	// DeleteUserAdminAction - permits deleting a MinIO user.
	DeleteUserAdminAction = "admin:DeleteUser"
	// ListUsersAdminAction - permits listing users.
	ListUsersAdminAction = "admin:ListUsers"
	// EnableUserAdminAction - permits enabling a user.
	EnableUserAdminAction = "admin:EnableUser"
	// DisableUserAdminAction - permits disabling a user.
	DisableUserAdminAction = "admin:DisableUser"
	// GetUserAdminAction - permits reading user info.
	GetUserAdminAction = "admin:GetUser"

	// Service account actions

	// CreateServiceAccountAdminAction - permits creating a service account for a user.
	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"
	// UpdateServiceAccountAdminAction - permits updating a service account.
	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"
	// RemoveServiceAccountAdminAction - permits removing a service account.
	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"
	// ListServiceAccountsAdminAction - permits listing service accounts.
	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"

	// Group actions

	// AddUserToGroupAdminAction - permits adding a user to a group.
	AddUserToGroupAdminAction = "admin:AddUserToGroup"
	// RemoveUserFromGroupAdminAction - permits removing a user from a group.
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
	// GetGroupAdminAction - permits reading group info.
	GetGroupAdminAction = "admin:GetGroup"
	// ListGroupsAdminAction - permits listing groups.
	ListGroupsAdminAction = "admin:ListGroups"
	// EnableGroupAdminAction - permits enabling a group.
	EnableGroupAdminAction = "admin:EnableGroup"
	// DisableGroupAdminAction - permits disabling a group.
	DisableGroupAdminAction = "admin:DisableGroup"

	// Policy actions

	// CreatePolicyAdminAction - permits creating a policy.
	CreatePolicyAdminAction = "admin:CreatePolicy"
	// DeletePolicyAdminAction - permits deleting a policy.
	DeletePolicyAdminAction = "admin:DeletePolicy"
	// GetPolicyAdminAction - permits reading a policy.
	GetPolicyAdminAction = "admin:GetPolicy"
	// AttachPolicyAdminAction - permits attaching a policy to a user or group.
	// Wire value is "admin:AttachUserOrGroupPolicy", not "admin:AttachPolicy".
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
	// ListUserPoliciesAdminAction - permits listing user policies.
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// Bucket quota actions

	// SetBucketQuotaAdminAction - permits setting a bucket quota.
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"
	// GetBucketQuotaAdminAction - permits reading a bucket quota.
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"

	// Bucket target (replication target) actions

	// SetBucketTargetAction - permits setting a bucket target.
	SetBucketTargetAction = "admin:SetBucketTarget"
	// GetBucketTargetAction - permits reading bucket targets.
	GetBucketTargetAction = "admin:GetBucketTarget"

	// Remote tier actions

	// SetTierAction - permits adding or editing a remote tier.
	SetTierAction = "admin:SetTier"
	// ListTierAction - permits listing remote tiers.
	ListTierAction = "admin:ListTier"

	// AllAdminActions - wildcard granting every admin permission,
	// including those not individually grantable through
	// supportedAdminActions.
	AllAdminActions = "admin:*"
)

// supportedAdminActions is the allow-list consulted by AdminAction.IsValid:
// an admin action is accepted in a policy only if it is a key here. The
// empty-struct values make this a set; only key presence matters, and
// the order of entries is irrelevant.
//
// Two constants declared in this file are not listed and therefore fail
// IsValid: ForceUnlockAdminAction and KMSCreateKeyAdminAction.
// NOTE(review): presumably they are then reachable only through
// AllAdminActions ("admin:*") — confirm against the admin handlers before
// adding either of them here, since listing an action widens what a
// non-root policy can grant.
var supportedAdminActions = map[AdminAction]struct{}{
	// Wildcard.
	AllAdminActions: {},

	// Heal.
	HealAdminAction: {},

	// Service and observability.
	StorageInfoAdminAction:   {},
	DataUsageInfoAdminAction: {},
	TopLocksAdminAction:      {},
	ProfilingAdminAction:     {},
	PrometheusAdminAction:    {},
	TraceAdminAction:         {},
	ConsoleLogAdminAction:    {},
	KMSKeyStatusAdminAction:  {},
	ServerInfoAdminAction:    {},
	HealthInfoAdminAction:    {},
	BandwidthMonitorAction:   {},

	// Server lifecycle.
	ServerUpdateAdminAction:   {},
	ServiceRestartAdminAction: {},
	ServiceStopAdminAction:    {},

	// Configuration.
	ConfigUpdateAdminAction: {},

	// Users.
	CreateUserAdminAction:  {},
	DeleteUserAdminAction:  {},
	ListUsersAdminAction:   {},
	EnableUserAdminAction:  {},
	DisableUserAdminAction: {},
	GetUserAdminAction:     {},

	// Groups.
	AddUserToGroupAdminAction:      {},
	RemoveUserFromGroupAdminAction: {},
	GetGroupAdminAction:            {},
	ListGroupsAdminAction:          {},
	EnableGroupAdminAction:         {},
	DisableGroupAdminAction:        {},

	// Service accounts.
	CreateServiceAccountAdminAction: {},
	UpdateServiceAccountAdminAction: {},
	RemoveServiceAccountAdminAction: {},
	ListServiceAccountsAdminAction:  {},

	// Policies.
	CreatePolicyAdminAction:     {},
	DeletePolicyAdminAction:     {},
	GetPolicyAdminAction:        {},
	AttachPolicyAdminAction:     {},
	ListUserPoliciesAdminAction: {},

	// Bucket quota.
	SetBucketQuotaAdminAction: {},
	GetBucketQuotaAdminAction: {},

	// Bucket targets.
	SetBucketTargetAction: {},
	GetBucketTargetAction: {},

	// Remote tiers.
	SetTierAction:  {},
	ListTierAction: {},
}

// IsValid reports whether action is one of the admin actions this package
// accepts in a policy, i.e. whether it is a key of supportedAdminActions.
// Any other string — including constants declared in this file but not
// listed in that set — yields false.
func (action AdminAction) IsValid() bool {
	if _, listed := supportedAdminActions[action]; listed {
		return true
	}
	return false
}

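// adminActionConditionKeyMap maps each supported admin action to the set of
// condition keys a policy statement may use with it. Every entry currently
// grants the same set, condition.AllSupportedAdminKeys; the map is kept
// explicit so that a narrower key set can be assigned per action later.
//
// The map is keyed by Action rather than AdminAction; the admin action
// constants are untyped strings, so they convert to either key type.
//
// GetGroupAdminAction is listed here because it is present in
// supportedAdminActions; it was previously the only supported action
// without a key set, which left statements naming it with no recognised
// condition keys. ForceUnlockAdminAction and KMSCreateKeyAdminAction are
// absent from both maps and are deliberately not added here.
var adminActionConditionKeyMap = map[Action]condition.KeySet{
	AllAdminActions:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
	HealAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Service and observability.
	StorageInfoAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServerInfoAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DataUsageInfoAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	HealthInfoAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
	BandwidthMonitorAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
	TopLocksAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ProfilingAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
	TraceAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ConsoleLogAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),
	KMSKeyStatusAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Server lifecycle.
	ServerUpdateAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServiceRestartAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ServiceStopAdminAction:    condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Configuration.
	ConfigUpdateAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Users.
	CreateUserAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DeleteUserAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListUsersAdminAction:   condition.NewKeySet(condition.AllSupportedAdminKeys...),
	EnableUserAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DisableUserAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetUserAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Groups.
	AddUserToGroupAdminAction:      condition.NewKeySet(condition.AllSupportedAdminKeys...),
	RemoveUserFromGroupAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetGroupAdminAction:            condition.NewKeySet(condition.AllSupportedAdminKeys...), // added: was missing while listed in supportedAdminActions
	ListGroupsAdminAction:          condition.NewKeySet(condition.AllSupportedAdminKeys...),
	EnableGroupAdminAction:         condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DisableGroupAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Service accounts.
	CreateServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	UpdateServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	RemoveServiceAccountAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListServiceAccountsAdminAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Policies.
	CreatePolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
	DeletePolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetPolicyAdminAction:        condition.NewKeySet(condition.AllSupportedAdminKeys...),
	AttachPolicyAdminAction:     condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListUserPoliciesAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Bucket quota.
	SetBucketQuotaAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetBucketQuotaAdminAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Bucket targets.
	SetBucketTargetAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
	GetBucketTargetAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),

	// Remote tiers.
	SetTierAction:  condition.NewKeySet(condition.AllSupportedAdminKeys...),
	ListTierAction: condition.NewKeySet(condition.AllSupportedAdminKeys...),
}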