Merge branch 'master' into proxy-for-mkube

Author: bexsoft

go.sum

@@ -406,6 +406,7 @@ github.com/minio/lsync v1.0.1 h1:AVvILxA976xc27hstd1oR+X9PQG0sPSom1MNb1ImfUs=
 github.com/minio/lsync v1.0.1/go.mod h1:tCFzfo0dlvdGl70IT4IAK/5Wtgb0/BrTmo/jE8pArKA=
 github.com/minio/mc v0.0.0-20200515235434-3b479cf92ed6 h1:2SrKe2vLDLwvnYkYrJelrzyGW8t/8HCbr9yDsw+8XSI=
 github.com/minio/mc v0.0.0-20200515235434-3b479cf92ed6/go.mod h1:U3Jgk0bcSjn+QPUMisrS6nxCWOoQ6rYWSvLCB30apuU=
+github.com/minio/mc v0.0.0-20200519213124-bf731558cda0 h1:D497vXgHka7/Z3oYFEbFIfAEdWBHbfad8KZ5grSROI0=
 github.com/minio/minio v0.0.0-20200421050159-282c9f790a03/go.mod h1:zBua5AiljGs1Irdl2XEyiJjvZVCVDIG8gjozzRBcVlw=
 github.com/minio/minio v0.0.0-20200516011754-9cac385aecdb h1:CQC7D3UDnUycuxhwImcVhMSLet/RbShosAnYcvMtEB8=
 github.com/minio/minio v0.0.0-20200516011754-9cac385aecdb/go.mod h1:wymaytM/HELuwdz7BGZHmQ3XKq2SxPsLeGxyOCaCLiA=

pkg/acl/config.go

@@ -0,0 +1,29 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package acl
+
+import (
+	"strings"
+
+	"github.com/minio/minio/pkg/env"
+)
+
+// GetOperatorOnly gets mcs operator mode status set on env variable
+//or default one
+func GetOperatorOnly() string {
+	return strings.ToLower(env.Get(McsOperatorOnly, "off"))
+}

pkg/acl/const.go

@@ -0,0 +1,21 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package acl
+
+const (
+	McsOperatorOnly = "MCS_OPERATOR_ONLY"
+)

pkg/acl/endpoints.go

@@ -16,7 +16,9 @@
 
 package acl
 
-import iampolicy "github.com/minio/minio/pkg/iam/policy"
+import (
+	iampolicy "github.com/minio/minio/pkg/iam/policy"
+)
 
 // endpoints definition
 var (
@@ -35,6 +37,7 @@ var (
 	serviceAccounts = "/service-accounts"
 	clusters        = "/clusters"
 	clustersDetail  = "/clusters/:clusterName"
+	heal            = "/heal"
 )
 
 type ConfigurationActionSet struct {
@@ -195,6 +198,16 @@ var clustersActionSet = ConfigurationActionSet{
 	actions:     iampolicy.NewActionSet(),
 }
 
+// healActionSet contains the list of admin actions required for this endpoint to work
+var healActionSet = ConfigurationActionSet{
+	actionTypes: iampolicy.NewActionSet(
+		iampolicy.AllAdminActions,
+	),
+	actions: iampolicy.NewActionSet(
+		iampolicy.HealAdminAction,
+	),
+}
+
 // endpointRules contains the mapping between endpoints and ActionSets, additional rules can be added here
 var endpointRules = map[string]ConfigurationActionSet{
 	configuration:   configurationActionSet,
@@ -210,10 +223,18 @@ var endpointRules = map[string]ConfigurationActionSet{
 	buckets:         bucketsActionSet,
 	bucketsDetail:   bucketsActionSet,
 	serviceAccounts: serviceAccountsActionSet,
-	clusters:        clustersActionSet,
-	clustersDetail:  clustersActionSet,
+	heal:            healActionSet,
+}
+
+// operatorRules contains the mapping between endpoints and ActionSets for operator only mode
+var operatorRules = map[string]ConfigurationActionSet{
+	clusters:       clustersActionSet,
+	clustersDetail: clustersActionSet,
 }
 
+// operatorOnly ENV variable
+var operatorOnly = GetOperatorOnly()
+
 // GetActionsStringFromPolicy extract the admin/s3 actions from a given policy and return them in []string format
 //
 // ie:
@@ -263,13 +284,19 @@ func actionsStringToActionSet(actions []string) iampolicy.ActionSet {
 // GetAuthorizedEndpoints return a list of allowed endpoint based on a provided *iampolicy.Policy
 // ie: pages the user should have access based on his current privileges
 func GetAuthorizedEndpoints(actions []string) []string {
+	rangeTake := endpointRules
+
+	if operatorOnly == "on" {
+		rangeTake = operatorRules
+	}
+
 	if len(actions) == 0 {
 		return []string{}
 	}
 	// Prepare new ActionSet structure that will hold all the user actions
 	userAllowedAction := actionsStringToActionSet(actions)
 	allowedEndpoints := []string{}
-	for endpoint, rules := range endpointRules {
+	for endpoint, rules := range rangeTake {
 		// check if user policy matches s3:* or admin:* typesIntersection
 		endpointActionTypes := rules.actionTypes
 		typesIntersection := endpointActionTypes.Intersection(userAllowedAction)

pkg/acl/endpoints_test.go

@@ -23,21 +23,34 @@ import (
 	iampolicy "github.com/minio/minio/pkg/iam/policy"
 )
 
-func TestGetAuthorizedEndpoints(t *testing.T) {
-	type args struct {
-		actions []string
+type args struct {
+	actions []string
+}
+
+type endpoint struct {
+	name string
+	args args
+	want int
+}
+
+func validateEndpoints(t *testing.T, configs []endpoint) {
+	for _, tt := range configs {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GetAuthorizedEndpoints(tt.args.actions); !reflect.DeepEqual(len(got), tt.want) {
+				t.Errorf("GetAuthorizedEndpoints() = %v, want %v", len(got), tt.want)
+			}
+		})
 	}
-	tests := []struct {
-		name string
-		args args
-		want int
-	}{
+}
+
+func TestGetAuthorizedEndpoints(t *testing.T) {
+	tests := []endpoint{
 		{
 			name: "dashboard endpoint",
 			args: args{
 				[]string{"admin:ServerInfo"},
 			},
-			want: 4,
+			want: 2,
 		},
 		{
 			name: "policies endpoint",
@@ -50,7 +63,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:ListUserPolicies",
 				},
 			},
-			want: 4,
+			want: 2,
 		},
 		{
 			name: "all admin endpoints",
@@ -59,7 +72,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:*",
 				},
 			},
-			want: 12,
+			want: 11,
 		},
 		{
 			name: "all s3 endpoints",
@@ -68,7 +81,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 6,
+			want: 4,
 		},
 		{
 			name: "all admin and s3 endpoints",
@@ -78,7 +91,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 15,
+			want: 14,
 		},
 		{
 			name: "no endpoints",
@@ -88,13 +101,52 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 			want: 0,
 		},
 	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := GetAuthorizedEndpoints(tt.args.actions); !reflect.DeepEqual(len(got), tt.want) {
-				t.Errorf("GetAuthorizedEndpoints() = %v, want %v", len(got), tt.want)
-			}
-		})
+
+	validateEndpoints(t, tests)
+}
+
+func TestOperatorOnlyEndpoints(t *testing.T) {
+	operatorOnly = "on"
+
+	tests := []endpoint{
+		{
+			name: "Operator Only - all admin endpoints",
+			args: args{
+				[]string{
+					"admin:*",
+				},
+			},
+			want: 2,
+		},
+		{
+			name: "Operator Only - all s3 endpoints",
+			args: args{
+				[]string{
+					"s3:*",
+				},
+			},
+			want: 2,
+		},
+		{
+			name: "Operator Only - all admin and s3 endpoints",
+			args: args{
+				[]string{
+					"admin:*",
+					"s3:*",
+				},
+			},
+			want: 2,
+		},
+		{
+			name: "Operator Only - no endpoints",
+			args: args{
+				[]string{},
+			},
+			want: 0,
+		},
 	}
+
+	validateEndpoints(t, tests)
 }
 
 func TestGetActionsStringFromPolicy(t *testing.T) {