minio · cesnietor · May 27, 2020 · May 26, 2020
diff --git a/pkg/acl/config.go b/pkg/acl/config.go
@@ -0,0 +1,29 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package acl
+
+import (
+	"strings"
+
+	"github.com/minio/minio/pkg/env"
+)
+
+// GetOperatorOnly gets mcs operator mode status set on env variable
+//or default one
+func GetOperatorOnly() string {
+	return strings.ToLower(env.Get(McsOperatorOnly, "off"))
+}
diff --git a/pkg/acl/const.go b/pkg/acl/const.go
@@ -0,0 +1,21 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package acl
+
+const (
+	McsOperatorOnly = "MCS_OPERATOR_ONLY"
+)
diff --git a/pkg/acl/endpoints.go b/pkg/acl/endpoints.go
@@ -16,7 +16,9 @@
 
 package acl
 
-import iampolicy "github.com/minio/minio/pkg/iam/policy"
+import (
+	iampolicy "github.com/minio/minio/pkg/iam/policy"
+)
 
 // endpoints definition
 var (
@@ -221,11 +223,18 @@ var endpointRules = map[string]ConfigurationActionSet{
 	buckets:         bucketsActionSet,
 	bucketsDetail:   bucketsActionSet,
 	serviceAccounts: serviceAccountsActionSet,
-	clusters:        clustersActionSet,
-	clustersDetail:  clustersActionSet,
 	heal:            healActionSet,
 }
 
+// operatorRules contains the mapping between endpoints and ActionSets for operator only mode
+var operatorRules = map[string]ConfigurationActionSet{
+	clusters:       clustersActionSet,
+	clustersDetail: clustersActionSet,
+}
+
+// operatorOnly ENV variable
+var operatorOnly = GetOperatorOnly()
+
 // GetActionsStringFromPolicy extract the admin/s3 actions from a given policy and return them in []string format
 //
 // ie:
@@ -275,13 +284,19 @@ func actionsStringToActionSet(actions []string) iampolicy.ActionSet {
 // GetAuthorizedEndpoints return a list of allowed endpoint based on a provided *iampolicy.Policy
 // ie: pages the user should have access based on his current privileges
 func GetAuthorizedEndpoints(actions []string) []string {
+	rangeTake := endpointRules
+
+	if operatorOnly == "on" {
+		rangeTake = operatorRules
+	}
+
 	if len(actions) == 0 {
 		return []string{}
 	}
 	// Prepare new ActionSet structure that will hold all the user actions
 	userAllowedAction := actionsStringToActionSet(actions)
 	allowedEndpoints := []string{}
-	for endpoint, rules := range endpointRules {
+	for endpoint, rules := range rangeTake {
 		// check if user policy matches s3:* or admin:* typesIntersection
 		endpointActionTypes := rules.actionTypes
 		typesIntersection := endpointActionTypes.Intersection(userAllowedAction)

diff --git a/pkg/acl/endpoints_test.go b/pkg/acl/endpoints_test.go
@@ -23,21 +23,34 @@ import (
 	iampolicy "github.com/minio/minio/pkg/iam/policy"
 )
 
-func TestGetAuthorizedEndpoints(t *testing.T) {
-	type args struct {
-		actions []string
+type args struct {
+	actions []string
+}
+
+type endpoint struct {
+	name string
+	args args
+	want int
+}
+
+func validateEndpoints(t *testing.T, configs []endpoint) {
+	for _, tt := range configs {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GetAuthorizedEndpoints(tt.args.actions); !reflect.DeepEqual(len(got), tt.want) {
+				t.Errorf("GetAuthorizedEndpoints() = %v, want %v", len(got), tt.want)
+			}
+		})
 	}
-	tests := []struct {
-		name string
-		args args
-		want int
-	}{
+}
+
+func TestGetAuthorizedEndpoints(t *testing.T) {
+	tests := []endpoint{
 		{
 			name: "dashboard endpoint",
 			args: args{
 				[]string{"admin:ServerInfo"},
 			},
-			want: 4,
+			want: 2,
 		},
 		{
 			name: "policies endpoint",
@@ -50,7 +63,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:ListUserPolicies",
 				},
 			},
-			want: 4,
+			want: 2,
 		},
 		{
 			name: "all admin endpoints",
@@ -59,7 +72,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"admin:*",
 				},
 			},
-			want: 13,
+			want: 11,
 		},
 		{
 			name: "all s3 endpoints",
@@ -68,7 +81,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 6,
+			want: 4,
 		},
 		{
 			name: "all admin and s3 endpoints",
@@ -78,7 +91,7 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 					"s3:*",
 				},
 			},
-			want: 16,
+			want: 14,
 		},
 		{
 			name: "no endpoints",
@@ -88,13 +101,52 @@ func TestGetAuthorizedEndpoints(t *testing.T) {
 			want: 0,
 		},
 	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := GetAuthorizedEndpoints(tt.args.actions); !reflect.DeepEqual(len(got), tt.want) {
-				t.Errorf("GetAuthorizedEndpoints() = %v, want %v", len(got), tt.want)
-			}
-		})
+
+	validateEndpoints(t, tests)
+}
+
+func TestOperatorOnlyEndpoints(t *testing.T) {
+	operatorOnly = "on"
+
+	tests := []endpoint{
+		{
+			name: "Operator Only - all admin endpoints",
+			args: args{
+				[]string{
+					"admin:*",
+				},
+			},
+			want: 2,
+		},
+		{
+			name: "Operator Only - all s3 endpoints",
+			args: args{
+				[]string{
+					"s3:*",
+				},
+			},
+			want: 2,
+		},
+		{
+			name: "Operator Only - all admin and s3 endpoints",
+			args: args{
+				[]string{
+					"admin:*",
+					"s3:*",
+				},
+			},
+			want: 2,
+		},
+		{
+			name: "Operator Only - no endpoints",
+			args: args{
+				[]string{},
+			},
+			want: 0,
+		},
 	}
+
+	validateEndpoints(t, tests)
 }
 
 func TestGetActionsStringFromPolicy(t *testing.T) {