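/*
 * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package iampolicy

import (
	"storj.io/minio/pkg/bucket/policy/condition"
)

// AdminAction - admin policy action.
type AdminAction string

// Admin policy action names.
//
// The constants are deliberately untyped strings: this file uses them both as
// AdminAction keys (supportedAdminActions) and as Action keys
// (adminActionConditionKeyMap). The string value, not the Go identifier, is
// what a policy document has to spell; several differ from the identifier
// (HealthInfoAdminAction is "admin:OBDInfo", TraceAdminAction is
// "admin:ServerTrace", TopLocksAdminAction is "admin:TopLocksInfo",
// AttachPolicyAdminAction is "admin:AttachUserOrGroupPolicy").
//
// NOTE(review): the user, service account, policy, config and server update
// actions presumably let their holder widen their own access; enforcement is
// outside this file, so confirm there before granting them narrowly scoped.
const (
	// HealAdminAction - allows heal command
	HealAdminAction = "admin:Heal"

	// Service Actions

	// StorageInfoAdminAction - allow listing server info
	StorageInfoAdminAction = "admin:StorageInfo"
	// PrometheusAdminAction - prometheus info action
	PrometheusAdminAction = "admin:Prometheus"
	// DataUsageInfoAdminAction - allow listing data usage info
	DataUsageInfoAdminAction = "admin:DataUsageInfo"
	// ForceUnlockAdminAction - allow force unlocking locks
	ForceUnlockAdminAction = "admin:ForceUnlock"
	// TopLocksAdminAction - allow listing top locks
	TopLocksAdminAction = "admin:TopLocksInfo"
	// ProfilingAdminAction - allow profiling
	ProfilingAdminAction = "admin:Profiling"
	// TraceAdminAction - allow listing server trace
	TraceAdminAction = "admin:ServerTrace"
	// ConsoleLogAdminAction - allow listing console logs on terminal
	ConsoleLogAdminAction = "admin:ConsoleLog"
	// KMSCreateKeyAdminAction - allow creating a new KMS master key
	KMSCreateKeyAdminAction = "admin:KMSCreateKey"
	// KMSKeyStatusAdminAction - allow getting KMS key status
	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
	// ServerInfoAdminAction - allow listing server info
	ServerInfoAdminAction = "admin:ServerInfo"
	// HealthInfoAdminAction - allow obtaining cluster health information
	HealthInfoAdminAction = "admin:OBDInfo"
	// BandwidthMonitorAction - allow monitoring bandwidth usage
	BandwidthMonitorAction = "admin:BandwidthMonitor"

	// ServerUpdateAdminAction - allow MinIO binary update
	ServerUpdateAdminAction = "admin:ServerUpdate"
	// ServiceRestartAdminAction - allow restart of MinIO service.
	ServiceRestartAdminAction = "admin:ServiceRestart"
	// ServiceStopAdminAction - allow stopping MinIO service.
	ServiceStopAdminAction = "admin:ServiceStop"

	// ConfigUpdateAdminAction - allow MinIO config management
	ConfigUpdateAdminAction = "admin:ConfigUpdate"

	// CreateUserAdminAction - allow creating MinIO user
	CreateUserAdminAction = "admin:CreateUser"
	// DeleteUserAdminAction - allow deleting MinIO user
	DeleteUserAdminAction = "admin:DeleteUser"
	// ListUsersAdminAction - allow list users permission
	ListUsersAdminAction = "admin:ListUsers"
	// EnableUserAdminAction - allow enable user permission
	EnableUserAdminAction = "admin:EnableUser"
	// DisableUserAdminAction - allow disable user permission
	DisableUserAdminAction = "admin:DisableUser"
	// GetUserAdminAction - allows GET permission on user info
	GetUserAdminAction = "admin:GetUser"

	// Service account Actions

	// CreateServiceAccountAdminAction - allow create a service account for a user
	CreateServiceAccountAdminAction = "admin:CreateServiceAccount"
	// UpdateServiceAccountAdminAction - allow updating a service account
	UpdateServiceAccountAdminAction = "admin:UpdateServiceAccount"
	// RemoveServiceAccountAdminAction - allow removing a service account
	RemoveServiceAccountAdminAction = "admin:RemoveServiceAccount"
	// ListServiceAccountsAdminAction - allow listing service accounts
	ListServiceAccountsAdminAction = "admin:ListServiceAccounts"

	// Group Actions

	// AddUserToGroupAdminAction - allow adding user to group permission
	AddUserToGroupAdminAction = "admin:AddUserToGroup"
	// RemoveUserFromGroupAdminAction - allow removing user from group permission
	RemoveUserFromGroupAdminAction = "admin:RemoveUserFromGroup"
	// GetGroupAdminAction - allow getting group info
	GetGroupAdminAction = "admin:GetGroup"
	// ListGroupsAdminAction - allow list groups permission
	ListGroupsAdminAction = "admin:ListGroups"
	// EnableGroupAdminAction - allow enable group permission
	EnableGroupAdminAction = "admin:EnableGroup"
	// DisableGroupAdminAction - allow disable group permission
	DisableGroupAdminAction = "admin:DisableGroup"

	// Policy Actions

	// CreatePolicyAdminAction - allow create policy permission
	CreatePolicyAdminAction = "admin:CreatePolicy"
	// DeletePolicyAdminAction - allow delete policy permission
	DeletePolicyAdminAction = "admin:DeletePolicy"
	// GetPolicyAdminAction - allow get policy permission
	GetPolicyAdminAction = "admin:GetPolicy"
	// AttachPolicyAdminAction - allows attaching a policy to a user/group
	AttachPolicyAdminAction = "admin:AttachUserOrGroupPolicy"
	// ListUserPoliciesAdminAction - allows listing user policies
	ListUserPoliciesAdminAction = "admin:ListUserPolicies"

	// Bucket quota Actions

	// SetBucketQuotaAdminAction - allow setting bucket quota
	SetBucketQuotaAdminAction = "admin:SetBucketQuota"
	// GetBucketQuotaAdminAction - allow getting bucket quota
	GetBucketQuotaAdminAction = "admin:GetBucketQuota"

	// Bucket Target admin Actions

	// SetBucketTargetAction - allow setting bucket target
	SetBucketTargetAction = "admin:SetBucketTarget"
	// GetBucketTargetAction - allow getting bucket targets
	GetBucketTargetAction = "admin:GetBucketTarget"

	// AllAdminActions - provides all admin permissions
	AllAdminActions = "admin:*"
)

// List of all supported admin actions.
//
// Every constant declared above must have an entry here, otherwise IsValid
// reports a declared action as invalid. ForceUnlockAdminAction and
// KMSCreateKeyAdminAction were declared but absent from this set, so they
// could not be named individually; they are listed now so that a policy can
// name them without resorting to AllAdminActions.
var supportedAdminActions = map[AdminAction]struct{}{
	HealAdminAction:                 {},
	StorageInfoAdminAction:          {},
	DataUsageInfoAdminAction:        {},
	ForceUnlockAdminAction:          {},
	TopLocksAdminAction:             {},
	ProfilingAdminAction:            {},
	PrometheusAdminAction:           {},
	TraceAdminAction:                {},
	ConsoleLogAdminAction:           {},
	KMSCreateKeyAdminAction:         {},
	KMSKeyStatusAdminAction:         {},
	ServerInfoAdminAction:           {},
	HealthInfoAdminAction:           {},
	BandwidthMonitorAction:          {},
	ServerUpdateAdminAction:         {},
	ServiceRestartAdminAction:       {},
	ServiceStopAdminAction:          {},
	ConfigUpdateAdminAction:         {},
	CreateUserAdminAction:           {},
	DeleteUserAdminAction:           {},
	ListUsersAdminAction:            {},
	EnableUserAdminAction:           {},
	DisableUserAdminAction:          {},
	GetUserAdminAction:              {},
	AddUserToGroupAdminAction:       {},
	RemoveUserFromGroupAdminAction:  {},
	GetGroupAdminAction:             {},
	ListGroupsAdminAction:           {},
	EnableGroupAdminAction:          {},
	DisableGroupAdminAction:         {},
	CreateServiceAccountAdminAction: {},
	UpdateServiceAccountAdminAction: {},
	RemoveServiceAccountAdminAction: {},
	ListServiceAccountsAdminAction:  {},
	CreatePolicyAdminAction:         {},
	DeletePolicyAdminAction:         {},
	GetPolicyAdminAction:            {},
	AttachPolicyAdminAction:         {},
	ListUserPoliciesAdminAction:     {},
	SetBucketQuotaAdminAction:       {},
	GetBucketQuotaAdminAction:       {},
	SetBucketTargetAction:           {},
	GetBucketTargetAction:           {},
	AllAdminActions:                 {},
}

// IsValid - checks if action is valid or not.
//
// The check is an exact, case-sensitive lookup in supportedAdminActions: the
// literal "admin:*" is valid because it is a key of that set, but no wildcard
// matching is performed here, so a pattern such as "admin:Get*" is reported as
// invalid.
func (action AdminAction) IsValid() bool {
	_, ok := supportedAdminActions[action]
	return ok
}

// adminActionConditionKeyMap - holds mapping of supported condition key for an action.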
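// The map is built from supportedAdminActions rather than written out by hand,
// so every action that AdminAction.IsValid accepts also has a condition key
// set and the two tables cannot drift apart. The hand-written literal had no
// entry for PrometheusAdminAction or GetGroupAdminAction although both are in
// supportedAdminActions. Every entry receives its own KeySet built from
// condition.AllSupportedAdminKeys, exactly as each literal entry did.
//
// NOTE(review): a lookup for an action without an entry yields the zero
// KeySet; how the policy validation code treats that case is not visible in
// this file, so confirm it there.
var adminActionConditionKeyMap = func() map[Action]condition.KeySet {
	keySets := make(map[Action]condition.KeySet, len(supportedAdminActions))
	for action := range supportedAdminActions {
		// AdminAction and Action are both string-based; the conversion keeps
		// the policy string unchanged.
		keySets[Action(action)] = condition.NewKeySet(condition.AllSupportedAdminKeys...)
	}
	return keySets
}()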