Move heal and watch to tenant details view on operator-ui (#449)

Use insecure: true in the meantime so the wss/watch endpoint works while we add support for custotm TLS transport in the S3 client library. Removed "InsecureSkipVerify: true" from s3AdminClient and s3Client HTTP clients
2020-11-30 12:41:58 -08:00
parent 59b43884ff
commit 4a27ef4b2c
35 changed files with 1320 additions and 539 deletions
--- a/restapi/admin_console.go
+++ b/restapi/admin_console.go
@@ -98,22 +98,26 @@ func getLogTime(lt string) string {

 // getConsoleLogOptionsFromReq return tenant name from url
 // path come as : `/console/<namespace>/<tenantName>`
-func getConsoleLogOptionsFromReq(req *http.Request) (namespace, tenant string) {
+func getConsoleLogOptionsFromReq(req *http.Request) (namespace, tenant string, err error) {
 	re := regexp.MustCompile(`(/console/)(.*?)/(.*?)(\?.*?$|$)`)
 	matches := re.FindAllSubmatch([]byte(req.URL.Path), -1)
-	// len matches is always 4
+	if len(matches) == 0 || len(matches[0]) < 4 {
+		return "", "", fmt.Errorf("invalid url: %s", req.URL.Path)
+	}
 	namespace = strings.TrimSpace(string(matches[0][2]))
 	tenant = strings.TrimSpace(string(matches[0][3]))
-	return namespace, tenant
+	return namespace, tenant, nil
 }

 // getTraceOptionsFromReq return tenant name from url
 // path come as : `/trace/<namespace>/<tenantName>`
-func getTraceOptionsFromReq(req *http.Request) (namespace, tenant string) {
+func getTraceOptionsFromReq(req *http.Request) (namespace, tenant string, err error) {
 	re := regexp.MustCompile(`(/trace/)(.*?)/(.*?)(\?.*?$|$)`)
 	matches := re.FindAllSubmatch([]byte(req.URL.Path), -1)
-	// len matches is always 4
+	if len(matches) == 0 || len(matches[0]) < 4 {
+		return "", "", fmt.Errorf("invalid url: %s", req.URL.Path)
+	}
 	namespace = strings.TrimSpace(string(matches[0][2]))
 	tenant = strings.TrimSpace(string(matches[0][3]))
-	return namespace, tenant
+	return namespace, tenant, nil
 }
--- a/restapi/admin_heal.go
+++ b/restapi/admin_heal.go
@@ -103,6 +103,8 @@ type healStatus struct {
 }

 type healOptions struct {
+	Namespace  string
+	Tenant     string
 	BucketName string
 	Prefix     string
 	ForceStart bool
@@ -313,18 +315,22 @@ func getHRITypeAndName(i madmin.HealResultItem) (typ, name string) {
 }

 // getHealOptionsFromReq return options from request for healing process
-// path come as : `/heal/bucket1` and query params come on request form
+// path come as : `/heal/<namespace>/<tenantName>/bucket1`
+// and query params come on request form
 func getHealOptionsFromReq(req *http.Request) (*healOptions, error) {
 	hOptions := healOptions{}
-	re := regexp.MustCompile(`(/heal/)(.*?)(\?.*?$|$)`)
+	re := regexp.MustCompile(`(/heal/)(.*?)/(.*?)/(.*?)(\?.*?$|$)`)
 	matches := re.FindAllSubmatch([]byte(req.URL.Path), -1)
-	// len matches is always 3
 	// matches comes as e.g.
-	// [["...", "/heal/" "bucket1"]]
+	// [["...", "/heal/", "namespace", "tenant", "bucket1"]]
 	// [["/heal/" "/heal/" ""]]

-	// bucket name is on the second group, third position
-	hOptions.BucketName = strings.TrimSpace(string(matches[0][2]))
+	if len(matches) == 0 || len(matches[0]) < 5 {
+		return nil, fmt.Errorf("invalid url: %s", req.URL.Path)
+	}
+	hOptions.Namespace = strings.TrimSpace(string(matches[0][2]))
+	hOptions.Tenant = strings.TrimSpace(string(matches[0][3]))
+	hOptions.BucketName = strings.TrimSpace(string(matches[0][4]))
 	hOptions.Prefix = req.FormValue("prefix")
 	hOptions.HealOpts.ScanMode = transformScanStr(req.FormValue("scan"))

--- a/restapi/admin_heal_test.go
+++ b/restapi/admin_heal_test.go
@@ -205,42 +205,33 @@ func TestHeal(t *testing.T) {
 	}

 	// Test-3: getHealOptionsFromReq return heal options from request
-	u, _ := url.Parse("http://localhost/api/v1/heal/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=true&remove=true&dry-run=true&scan=deep")
+	u, _ := url.Parse("http://localhost/api/v1/heal/namespace/tenantName/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=true&remove=true&dry-run=true&scan=deep")
 	req := &http.Request{
 		URL: u,
 	}
 	opts, err := getHealOptionsFromReq(req)
-	if err != nil {
-		t.Errorf("Failed on %s:, error occurred: %s", "getHealOptionsFromReq", err.Error())
-	}
-	expectedOptions := healOptions{
-		BucketName: "bucket1",
-		ForceStart: true,
-		ForceStop:  true,
-		Prefix:     "file/",
-		HealOpts: madmin.HealOpts{
-			Recursive: true,
-			DryRun:    true,
-			ScanMode:  madmin.HealDeepScan,
-		},
-	}
-	assert.Equal(expectedOptions.BucketName, opts.BucketName)
-	assert.Equal(expectedOptions.Prefix, opts.Prefix)
-	assert.Equal(expectedOptions.Recursive, opts.Recursive)
-	assert.Equal(expectedOptions.ForceStart, opts.ForceStart)
-	assert.Equal(expectedOptions.DryRun, opts.DryRun)
-	assert.Equal(expectedOptions.ScanMode, opts.ScanMode)
-	// Test-3: getHealOptionsFromReq return error if boolean value not valid
-	u, _ = url.Parse("http://localhost/api/v1/heal/bucket1?prefix=file/&recursive=nonbool&force-start=true&force-stop=true&remove=true&dry-run=true&scan=deep")
-	req = &http.Request{
-		URL: u,
-	}
-	opts, err = getHealOptionsFromReq(req)
-	if assert.Error(err) {
-		assert.Equal("strconv.ParseBool: parsing \"nonbool\": invalid syntax", err.Error())
+	if assert.NoError(err) {
+		expectedOptions := healOptions{
+			BucketName: "bucket1",
+			ForceStart: true,
+			ForceStop:  true,
+			Prefix:     "file/",
+			HealOpts: madmin.HealOpts{
+				Recursive: true,
+				DryRun:    true,
+				ScanMode:  madmin.HealDeepScan,
+			},
+		}
+		assert.Equal(expectedOptions.BucketName, opts.BucketName)
+		assert.Equal(expectedOptions.Prefix, opts.Prefix)
+		assert.Equal(expectedOptions.Recursive, opts.Recursive)
+		assert.Equal(expectedOptions.ForceStart, opts.ForceStart)
+		assert.Equal(expectedOptions.DryRun, opts.DryRun)
+		assert.Equal(expectedOptions.ScanMode, opts.ScanMode)
 	}
+
 	// Test-4: getHealOptionsFromReq return error if boolean value not valid
-	u, _ = url.Parse("http://localhost/api/v1/heal/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=true&remove=nonbool&dry-run=true&scan=deep")
+	u, _ = url.Parse("http://localhost/api/v1/heal/namespace/tenantName/bucket1?prefix=file/&recursive=nonbool&force-start=true&force-stop=true&remove=true&dry-run=true&scan=deep")
 	req = &http.Request{
 		URL: u,
 	}
@@ -249,7 +240,7 @@ func TestHeal(t *testing.T) {
 		assert.Equal("strconv.ParseBool: parsing \"nonbool\": invalid syntax", err.Error())
 	}
 	// Test-5: getHealOptionsFromReq return error if boolean value not valid
-	u, _ = url.Parse("http://localhost/api/v1/heal/bucket1?prefix=file/&recursive=true&force-start=nonbool&force-stop=true&remove=true&dry-run=true&scan=deep")
+	u, _ = url.Parse("http://localhost/api/v1/heal/namespace/tenantName/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=true&remove=nonbool&dry-run=true&scan=deep")
 	req = &http.Request{
 		URL: u,
 	}
@@ -258,7 +249,7 @@ func TestHeal(t *testing.T) {
 		assert.Equal("strconv.ParseBool: parsing \"nonbool\": invalid syntax", err.Error())
 	}
 	// Test-6: getHealOptionsFromReq return error if boolean value not valid
-	u, _ = url.Parse("http://localhost/api/v1/heal/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=nonbool&remove=true&dry-run=true&scan=deep")
+	u, _ = url.Parse("http://localhost/api/v1/heal/namespace/tenantName/bucket1?prefix=file/&recursive=true&force-start=nonbool&force-stop=true&remove=true&dry-run=true&scan=deep")
 	req = &http.Request{
 		URL: u,
 	}
@@ -267,7 +258,16 @@ func TestHeal(t *testing.T) {
 		assert.Equal("strconv.ParseBool: parsing \"nonbool\": invalid syntax", err.Error())
 	}
 	// Test-7: getHealOptionsFromReq return error if boolean value not valid
-	u, _ = url.Parse("http://localhost/api/v1/heal/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=true&remove=true&dry-run=nonbool&scan=deep")
+	u, _ = url.Parse("http://localhost/api/v1/heal/namespace/tenantName/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=nonbool&remove=true&dry-run=true&scan=deep")
+	req = &http.Request{
+		URL: u,
+	}
+	opts, err = getHealOptionsFromReq(req)
+	if assert.Error(err) {
+		assert.Equal("strconv.ParseBool: parsing \"nonbool\": invalid syntax", err.Error())
+	}
+	// Test-8: getHealOptionsFromReq return error if boolean value not valid
+	u, _ = url.Parse("http://localhost/api/v1/heal/namespace/tenantName/bucket1?prefix=file/&recursive=true&force-start=true&force-stop=true&remove=true&dry-run=nonbool&scan=deep")
 	req = &http.Request{
 		URL: u,
 	}
--- a/restapi/admin_tenants.go
+++ b/restapi/admin_tenants.go
@@ -231,6 +231,24 @@ func GetTenantServiceURL(mi *operator.Tenant) (svcURL string) {
 }

 func getTenantAdminClient(ctx context.Context, client K8sClientI, tenant *operator.Tenant, svcURL string, insecure bool) (*madmin.AdminClient, error) {
+	tenantCreds, err := getTenantCreds(ctx, client, tenant)
+	if err != nil {
+		return nil, err
+	}
+	sessionToken := ""
+	mAdmin, pErr := NewAdminClientWithInsecure(svcURL, tenantCreds.accessKey, tenantCreds.secretKey, sessionToken, insecure)
+	if pErr != nil {
+		return nil, pErr.Cause
+	}
+	return mAdmin, nil
+}
+
+type tenantKeys struct {
+	accessKey string
+	secretKey string
+}
+
+func getTenantCreds(ctx context.Context, client K8sClientI, tenant *operator.Tenant) (*tenantKeys, error) {
 	if tenant == nil || tenant.Spec.CredsSecret == nil {
 		return nil, errors.New("invalid arguments")
 	}
@@ -239,12 +257,12 @@ func getTenantAdminClient(ctx context.Context, client K8sClientI, tenant *operat
 	if err != nil {
 		return nil, err
 	}
-	accessKey, ok := creds.Data["accesskey"]
+	tenantAccessKey, ok := creds.Data["accesskey"]
 	if !ok {
 		log.Println("tenant's secret doesn't contain accesskey")
 		return nil, errorGeneric
 	}
-	secretkey, ok := creds.Data["secretkey"]
+	tenantSecretKey, ok := creds.Data["secretkey"]
 	if !ok {
 		log.Println("tenant's secret doesn't contain secretkey")
 		return nil, errorGeneric
@@ -252,14 +270,7 @@ func getTenantAdminClient(ctx context.Context, client K8sClientI, tenant *operat
 	// TODO:
 	// We need to avoid using minio root credentials to talk to tenants, and instead use a different user credentials
 	// when that its implemented we also need to check here if the tenant has LDAP enabled so we authenticate first against AD
-	tenantAccessKey := string(accessKey)
-	tenantSecretKey := string(secretkey)
-	sessionToken := ""
-	mAdmin, pErr := NewAdminClientWithInsecure(svcURL, tenantAccessKey, tenantSecretKey, sessionToken, insecure)
-	if pErr != nil {
-		return nil, pErr.Cause
-	}
-	return mAdmin, nil
+	return &tenantKeys{accessKey: string(tenantAccessKey), secretKey: string(tenantSecretKey)}, nil
 }

 func getTenant(ctx context.Context, operatorClient OperatorClientI, namespace, tenantName string) (*operator.Tenant, error) {
@@ -1052,7 +1063,8 @@ func getTenantUsageResponse(session *models.Principal, params admin_api.GetTenan
 		k8sClient,
 		minTenant,
 		svcURL,
-		true)
+		true,
+	)
 	if err != nil {
 		return nil, prepareError(err, errorUnableToGetTenantUsage)
 	}
--- a/restapi/client.go
+++ b/restapi/client.go
@@ -364,9 +364,32 @@ func newS3BucketClient(claims *models.Principal, bucketName string, prefix strin
 	return s3Client, nil
 }

+// newTenantS3BucketClient creates a new mc S3Client for an specific tenant on a namespace to talk to the server based on a bucket
+func newTenantS3BucketClient(claims *models.Principal, tenantEndpoint, bucketName string, isSecure bool) (*mc.S3Client, error) {
+	if strings.TrimSpace(bucketName) != "" {
+		tenantEndpoint += fmt.Sprintf("/%s", bucketName)
+	}
+
+	if claims == nil {
+		return nil, fmt.Errorf("the provided credentials are invalid")
+	}
+
+	s3Config := newS3Config(tenantEndpoint, claims.AccessKeyID, claims.SecretAccessKey, claims.SessionToken, !isSecure)
+	client, pErr := mc.S3New(s3Config)
+	if pErr != nil {
+		return nil, pErr.Cause
+	}
+	s3Client, ok := client.(*mc.S3Client)
+	if !ok {
+		return nil, fmt.Errorf("the provided url doesn't point to a S3 server")
+	}
+
+	return s3Client, nil
+}
+
 // newS3Config simply creates a new Config struct using the passed
 // parameters.
-func newS3Config(endpoint, accessKey, secretKey, sessionToken string, isSecure bool) *mc.Config {
+func newS3Config(endpoint, accessKey, secretKey, sessionToken string, insecure bool) *mc.Config {
 	// We have a valid alias and hostConfig. We populate the
 	// consoleCredentials from the match found in the config file.
 	s3Config := new(mc.Config)
@@ -375,12 +398,13 @@ func newS3Config(endpoint, accessKey, secretKey, sessionToken string, isSecure b
 	s3Config.AppVersion = ""     // TODO: get this from constant or build
 	s3Config.AppComments = []string{}
 	s3Config.Debug = false
-	s3Config.Insecure = isSecure
+	s3Config.Insecure = insecure

 	s3Config.HostURL = endpoint
 	s3Config.AccessKey = accessKey
 	s3Config.SecretKey = secretKey
 	s3Config.SessionToken = sessionToken
 	s3Config.Signature = "S3v4"
+
 	return s3Config
 }
--- a/restapi/configure_console.go
+++ b/restapi/configure_console.go
@@ -133,6 +133,8 @@ func configureAPI(api *operations.ConsoleAPI) http.Handler {
 	registerObjectsHandlers(api)
 	// Register Bucket Quota's Handlers
 	registerBucketQuotaHandlers(api)
+	// List buckets
+	registerOperatorBucketsHandlers(api)

 	api.PreServerShutdown = func() {}

--- a/restapi/embedded_spec.go
+++ b/restapi/embedded_spec.go
@@ -1982,6 +1982,43 @@ func init() {
        }
      }
    },
+    "/operator/{namespace}/{tenant}/buckets": {
+      "get": {
+        "tags": [
+          "OperatorAPI"
+        ],
+        "summary": "List Buckets for Operator Console",
+        "operationId": "OperatorListBuckets",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "namespace",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "tenant",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/listBucketsResponse"
+            }
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/policies": {
      "get": {
        "tags": [
@@ -6848,6 +6885,43 @@ func init() {
        }
      }
    },
+    "/operator/{namespace}/{tenant}/buckets": {
+      "get": {
+        "tags": [
+          "OperatorAPI"
+        ],
+        "summary": "List Buckets for Operator Console",
+        "operationId": "OperatorListBuckets",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "namespace",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "tenant",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/listBucketsResponse"
+            }
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/policies": {
      "get": {
        "tags": [
--- a/restapi/operations/console_api.go
+++ b/restapi/operations/console_api.go
@@ -38,6 +38,7 @@ import (

 	"github.com/minio/console/models"
 	"github.com/minio/console/restapi/operations/admin_api"
+	"github.com/minio/console/restapi/operations/operator_api"
 	"github.com/minio/console/restapi/operations/user_api"
 )

@@ -220,6 +221,9 @@ func NewConsoleAPI(spec *loads.Document) *ConsoleAPI {
 		AdminAPINotificationEndpointListHandler: admin_api.NotificationEndpointListHandlerFunc(func(params admin_api.NotificationEndpointListParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin_api.NotificationEndpointList has not yet been implemented")
 		}),
+		OperatorAPIOperatorListBucketsHandler: operator_api.OperatorListBucketsHandlerFunc(func(params operator_api.OperatorListBucketsParams, principal *models.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation operator_api.OperatorListBuckets has not yet been implemented")
+		}),
 		AdminAPIPolicyInfoHandler: admin_api.PolicyInfoHandlerFunc(func(params admin_api.PolicyInfoParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation admin_api.PolicyInfo has not yet been implemented")
 		}),
@@ -457,6 +461,8 @@ type ConsoleAPI struct {
 	UserAPIMakeBucketHandler user_api.MakeBucketHandler
 	// AdminAPINotificationEndpointListHandler sets the operation handler for the notification endpoint list operation
 	AdminAPINotificationEndpointListHandler admin_api.NotificationEndpointListHandler
+	// OperatorAPIOperatorListBucketsHandler sets the operation handler for the operator list buckets operation
+	OperatorAPIOperatorListBucketsHandler operator_api.OperatorListBucketsHandler
 	// AdminAPIPolicyInfoHandler sets the operation handler for the policy info operation
 	AdminAPIPolicyInfoHandler admin_api.PolicyInfoHandler
 	// UserAPIPostBucketsBucketNameObjectsUploadHandler sets the operation handler for the post buckets bucket name objects upload operation
@@ -743,6 +749,9 @@ func (o *ConsoleAPI) Validate() error {
 	if o.AdminAPINotificationEndpointListHandler == nil {
 		unregistered = append(unregistered, "admin_api.NotificationEndpointListHandler")
 	}
+	if o.OperatorAPIOperatorListBucketsHandler == nil {
+		unregistered = append(unregistered, "operator_api.OperatorListBucketsHandler")
+	}
 	if o.AdminAPIPolicyInfoHandler == nil {
 		unregistered = append(unregistered, "admin_api.PolicyInfoHandler")
 	}
@@ -1137,6 +1146,10 @@ func (o *ConsoleAPI) initHandlerCache() {
 	if o.handlers["GET"] == nil {
 		o.handlers["GET"] = make(map[string]http.Handler)
 	}
+	o.handlers["GET"]["/operator/{namespace}/{tenant}/buckets"] = operator_api.NewOperatorListBuckets(o.context, o.OperatorAPIOperatorListBucketsHandler)
+	if o.handlers["GET"] == nil {
+		o.handlers["GET"] = make(map[string]http.Handler)
+	}
 	o.handlers["GET"]["/policies/{name}"] = admin_api.NewPolicyInfo(o.context, o.AdminAPIPolicyInfoHandler)
 	if o.handlers["POST"] == nil {
 		o.handlers["POST"] = make(map[string]http.Handler)
--- a/restapi/operations/operator_api/operator_list_buckets.go
+++ b/restapi/operations/operator_api/operator_list_buckets.go
@@ -0,0 +1,90 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+
+	"github.com/minio/console/models"
+)
+
+// OperatorListBucketsHandlerFunc turns a function with the right signature into a operator list buckets handler
+type OperatorListBucketsHandlerFunc func(OperatorListBucketsParams, *models.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn OperatorListBucketsHandlerFunc) Handle(params OperatorListBucketsParams, principal *models.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// OperatorListBucketsHandler interface for that can handle valid operator list buckets params
+type OperatorListBucketsHandler interface {
+	Handle(OperatorListBucketsParams, *models.Principal) middleware.Responder
+}
+
+// NewOperatorListBuckets creates a new http.Handler for the operator list buckets operation
+func NewOperatorListBuckets(ctx *middleware.Context, handler OperatorListBucketsHandler) *OperatorListBuckets {
+	return &OperatorListBuckets{Context: ctx, Handler: handler}
+}
+
+/*OperatorListBuckets swagger:route GET /operator/{namespace}/{tenant}/buckets OperatorAPI operatorListBuckets
+
+List Buckets for Operator Console
+
+*/
+type OperatorListBuckets struct {
+	Context *middleware.Context
+	Handler OperatorListBucketsHandler
+}
+
+func (o *OperatorListBuckets) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		r = rCtx
+	}
+	var Params = NewOperatorListBucketsParams()
+
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		r = aCtx
+	}
+	var principal *models.Principal
+	if uprinc != nil {
+		principal = uprinc.(*models.Principal) // this is really a models.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
--- a/restapi/operations/operator_api/operator_list_buckets_parameters.go
+++ b/restapi/operations/operator_api/operator_list_buckets_parameters.go
@@ -0,0 +1,114 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewOperatorListBucketsParams creates a new OperatorListBucketsParams object
+// no default values defined in spec.
+func NewOperatorListBucketsParams() OperatorListBucketsParams {
+
+	return OperatorListBucketsParams{}
+}
+
+// OperatorListBucketsParams contains all the bound params for the operator list buckets operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters OperatorListBuckets
+type OperatorListBucketsParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  Required: true
+	  In: path
+	*/
+	Namespace string
+	/*
+	  Required: true
+	  In: path
+	*/
+	Tenant string
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewOperatorListBucketsParams() beforehand.
+func (o *OperatorListBucketsParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	rNamespace, rhkNamespace, _ := route.Params.GetOK("namespace")
+	if err := o.bindNamespace(rNamespace, rhkNamespace, route.Formats); err != nil {
+		res = append(res, err)
+	}
+
+	rTenant, rhkTenant, _ := route.Params.GetOK("tenant")
+	if err := o.bindTenant(rTenant, rhkTenant, route.Formats); err != nil {
+		res = append(res, err)
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+// bindNamespace binds and validates parameter Namespace from path.
+func (o *OperatorListBucketsParams) bindNamespace(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+
+	o.Namespace = raw
+
+	return nil
+}
+
+// bindTenant binds and validates parameter Tenant from path.
+func (o *OperatorListBucketsParams) bindTenant(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+
+	o.Tenant = raw
+
+	return nil
+}
--- a/restapi/operations/operator_api/operator_list_buckets_responses.go
+++ b/restapi/operations/operator_api/operator_list_buckets_responses.go
@@ -0,0 +1,133 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/minio/console/models"
+)
+
+// OperatorListBucketsOKCode is the HTTP code returned for type OperatorListBucketsOK
+const OperatorListBucketsOKCode int = 200
+
+/*OperatorListBucketsOK A successful response.
+
+swagger:response operatorListBucketsOK
+*/
+type OperatorListBucketsOK struct {
+
+	/*
+	  In: Body
+	*/
+	Payload *models.ListBucketsResponse `json:"body,omitempty"`
+}
+
+// NewOperatorListBucketsOK creates OperatorListBucketsOK with default headers values
+func NewOperatorListBucketsOK() *OperatorListBucketsOK {
+
+	return &OperatorListBucketsOK{}
+}
+
+// WithPayload adds the payload to the operator list buckets o k response
+func (o *OperatorListBucketsOK) WithPayload(payload *models.ListBucketsResponse) *OperatorListBucketsOK {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the operator list buckets o k response
+func (o *OperatorListBucketsOK) SetPayload(payload *models.ListBucketsResponse) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *OperatorListBucketsOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(200)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
+
+/*OperatorListBucketsDefault Generic error response.
+
+swagger:response operatorListBucketsDefault
+*/
+type OperatorListBucketsDefault struct {
+	_statusCode int
+
+	/*
+	  In: Body
+	*/
+	Payload *models.Error `json:"body,omitempty"`
+}
+
+// NewOperatorListBucketsDefault creates OperatorListBucketsDefault with default headers values
+func NewOperatorListBucketsDefault(code int) *OperatorListBucketsDefault {
+	if code <= 0 {
+		code = 500
+	}
+
+	return &OperatorListBucketsDefault{
+		_statusCode: code,
+	}
+}
+
+// WithStatusCode adds the status to the operator list buckets default response
+func (o *OperatorListBucketsDefault) WithStatusCode(code int) *OperatorListBucketsDefault {
+	o._statusCode = code
+	return o
+}
+
+// SetStatusCode sets the status to the operator list buckets default response
+func (o *OperatorListBucketsDefault) SetStatusCode(code int) {
+	o._statusCode = code
+}
+
+// WithPayload adds the payload to the operator list buckets default response
+func (o *OperatorListBucketsDefault) WithPayload(payload *models.Error) *OperatorListBucketsDefault {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the operator list buckets default response
+func (o *OperatorListBucketsDefault) SetPayload(payload *models.Error) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *OperatorListBucketsDefault) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(o._statusCode)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
--- a/restapi/operations/operator_api/operator_list_buckets_urlbuilder.go
+++ b/restapi/operations/operator_api/operator_list_buckets_urlbuilder.go
@@ -0,0 +1,124 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package operator_api
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+	"strings"
+)
+
+// OperatorListBucketsURL generates an URL for the operator list buckets operation
+type OperatorListBucketsURL struct {
+	Namespace string
+	Tenant    string
+
+	_basePath string
+	// avoid unkeyed usage
+	_ struct{}
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *OperatorListBucketsURL) WithBasePath(bp string) *OperatorListBucketsURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *OperatorListBucketsURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *OperatorListBucketsURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/operator/{namespace}/{tenant}/buckets"
+
+	namespace := o.Namespace
+	if namespace != "" {
+		_path = strings.Replace(_path, "{namespace}", namespace, -1)
+	} else {
+		return nil, errors.New("namespace is required on OperatorListBucketsURL")
+	}
+
+	tenant := o.Tenant
+	if tenant != "" {
+		_path = strings.Replace(_path, "{tenant}", tenant, -1)
+	} else {
+		return nil, errors.New("tenant is required on OperatorListBucketsURL")
+	}
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *OperatorListBucketsURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *OperatorListBucketsURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *OperatorListBucketsURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on OperatorListBucketsURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on OperatorListBucketsURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *OperatorListBucketsURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/restapi/operator_buckets.go
+++ b/restapi/operator_buckets.go
@@ -0,0 +1,94 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package restapi
+
+import (
+	"context"
+	"time"
+
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/minio/console/cluster"
+	"github.com/minio/console/models"
+	"github.com/minio/console/restapi/operations"
+	"github.com/minio/console/restapi/operations/operator_api"
+)
+
+func registerOperatorBucketsHandlers(api *operations.ConsoleAPI) {
+	// list buckets
+	api.OperatorAPIOperatorListBucketsHandler = operator_api.OperatorListBucketsHandlerFunc(func(params operator_api.OperatorListBucketsParams, session *models.Principal) middleware.Responder {
+		listBucketsResponse, err := getOperatorListBucketsResponse(session, params.Namespace, params.Tenant)
+		if err != nil {
+			return operator_api.NewOperatorListBucketsDefault(int(err.Code)).WithPayload(err)
+		}
+		return operator_api.NewOperatorListBucketsOK().WithPayload(listBucketsResponse)
+	})
+}
+
+// getListBucketsResponse performs listBuckets() and serializes it to the handler's output
+func getOperatorListBucketsResponse(session *models.Principal, namespace, tenant string) (*models.ListBucketsResponse, *models.Error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	opClientClientSet, err := cluster.OperatorClient(session.SessionToken)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+	clientSet, err := cluster.K8sClient(session.SessionToken)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+
+	opClient := &operatorClient{
+		client: opClientClientSet,
+	}
+	k8sClient := &k8sClient{
+		client: clientSet,
+	}
+
+	minTenant, err := getTenant(ctx, opClient, namespace, tenant)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+	minTenant.EnsureDefaults()
+
+	svcURL := GetTenantServiceURL(minTenant)
+	// getTenantAdminClient will use all certificates under ~/.console/certs/CAs to trust the TLS connections with MinIO tenants
+	mAdmin, err := getTenantAdminClient(
+		ctx,
+		k8sClient,
+		minTenant,
+		svcURL,
+		true,
+	)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+	// create a minioClient interface implementation
+	// defining the client to be used
+	adminClient := adminClient{client: mAdmin}
+	buckets, err := getAccountUsageInfo(ctx, adminClient)
+	if err != nil {
+		return nil, prepareError(err)
+	}
+
+	// serialize output
+	listBucketsResponse := &models.ListBucketsResponse{
+		Buckets: buckets,
+		Total:   int64(len(buckets)),
+	}
+	return listBucketsResponse, nil
+}
--- a/restapi/user_buckets.go
+++ b/restapi/user_buckets.go
@@ -245,8 +245,8 @@ func getBucketVersionedResponse(session *models.Principal, bucketName string) (*
 	return listBucketsResponse, nil
 }

-// getaAcountUsageInfo fetches a list of all buckets allowed to that particular client from MinIO Servers
-func getaAcountUsageInfo(ctx context.Context, client MinioAdmin) ([]*models.Bucket, error) {
+// getAccountUsageInfo fetches a list of all buckets allowed to that particular client from MinIO Servers
+func getAccountUsageInfo(ctx context.Context, client MinioAdmin) ([]*models.Bucket, error) {
 	info, err := client.accountUsageInfo(ctx)
 	if err != nil {
 		return []*models.Bucket{}, err
@@ -271,7 +271,7 @@ func getListBucketsResponse(session *models.Principal) (*models.ListBucketsRespo
 	// create a minioClient interface implementation
 	// defining the client to be used
 	adminClient := adminClient{client: mAdmin}
-	buckets, err := getaAcountUsageInfo(ctx, adminClient)
+	buckets, err := getAccountUsageInfo(ctx, adminClient)
 	if err != nil {
 		return nil, prepareError(err)
 	}
--- a/restapi/user_buckets_test.go
+++ b/restapi/user_buckets_test.go
@@ -110,7 +110,7 @@ func TestListBucket(t *testing.T) {
 	// get list buckets response this response should have Name, CreationDate, Size and Access
 	// as part of of each bucket
 	function := "getaAcountUsageInfo()"
-	bucketList, err := getaAcountUsageInfo(ctx, adminClient)
+	bucketList, err := getAccountUsageInfo(ctx, adminClient)
 	if err != nil {
 		t.Errorf("Failed on %s:, error occurred: %s", function, err.Error())
 	}
@@ -127,7 +127,7 @@ func TestListBucket(t *testing.T) {
 	minioAccountUsageInfoMock = func(ctx context.Context) (madmin.AccountUsageInfo, error) {
 		return madmin.AccountUsageInfo{}, errors.New("error")
 	}
-	_, err = getaAcountUsageInfo(ctx, adminClient)
+	_, err = getAccountUsageInfo(ctx, adminClient)
 	if assert.Error(err) {
 		assert.Equal("error", err.Error())
 	}
--- a/restapi/user_watch.go
+++ b/restapi/user_watch.go
@@ -30,11 +30,13 @@ import (
 )

 type watchOptions struct {
+	Namespace  string
+	Tenant     string
 	BucketName string
 	mc.WatchOptions
 }

-func startWatch(ctx context.Context, conn WSConn, wsc MCClient, options watchOptions) error {
+func startWatch(ctx context.Context, conn WSConn, wsc MCClient, options *watchOptions) error {
 	wo, pErr := wsc.watch(ctx, options.WatchOptions)
 	if pErr != nil {
 		fmt.Println("error initializing watch:", pErr.Cause)
@@ -80,21 +82,26 @@ func startWatch(ctx context.Context, conn WSConn, wsc MCClient, options watchOpt

 // getWatchOptionsFromReq gets bucket name, events, prefix, suffix from a websocket
 // watch path if defined.
-// path come as : `/watch/bucket1` and query params come on request form
-func getWatchOptionsFromReq(req *http.Request) watchOptions {
+// path come as : `/watch/<namespace>/<tenantName>/bucket1` and query
+// params come on request form
+func getWatchOptionsFromReq(req *http.Request) (*watchOptions, error) {
 	wOptions := watchOptions{}
 	// Default Events if not defined
 	wOptions.Events = []string{"put", "get", "delete"}

-	re := regexp.MustCompile(`(/watch/)(.*?$)`)
+	re := regexp.MustCompile(`(/watch/)(.*?)/(.*?)/(.*?)(\?.*?$|$)`)
 	matches := re.FindAllSubmatch([]byte(req.URL.Path), -1)
-	// len matches is always 3
 	// matches comes as e.g.
-	// [["...", "/watch/" "bucket1"]]
+	// [["...", "/watch/", "namespace", "tenant", "bucket1"]]
 	// [["/watch/" "/watch/" ""]]

-	// bucket name is on the second group, third position
-	wOptions.BucketName = strings.TrimSpace(string(matches[0][2]))
+	if len(matches) == 0 || len(matches[0]) < 5 {
+		return nil, fmt.Errorf("invalid url: %s", req.URL.Path)
+	}
+
+	wOptions.Namespace = strings.TrimSpace(string(matches[0][2]))
+	wOptions.Tenant = strings.TrimSpace(string(matches[0][3]))
+	wOptions.BucketName = strings.TrimSpace(string(matches[0][4]))

 	events := req.FormValue("events")
 	if strings.TrimSpace(events) != "" {
@@ -102,5 +109,5 @@ func getWatchOptionsFromReq(req *http.Request) watchOptions {
 	}
 	wOptions.Prefix = req.FormValue("prefix")
 	wOptions.Suffix = req.FormValue("suffix")
-	return wOptions
+	return &wOptions, nil
 }
--- a/restapi/user_watch_test.go
+++ b/restapi/user_watch_test.go
@@ -47,7 +47,7 @@ func TestWatch(t *testing.T) {
 	testReceiver := make(chan []mc.EventInfo, testStreamSize)
 	isClosed := false // testReceiver is closed?
 	textToReceive := "test message"
-	testOptions := watchOptions{}
+	testOptions := &watchOptions{}
 	testOptions.BucketName = "bucktest"
 	testOptions.Prefix = "file/"
 	testOptions.Suffix = ".png"
@@ -199,60 +199,67 @@ func TestWatch(t *testing.T) {
 	}

 	// Test-6: getWatchOptionsFromReq return parameters from path
-	u, err := url.Parse("http://localhost/api/v1/watch/bucket1?prefix=&suffix=.jpg&events=put,get")
+	u, err := url.Parse("http://localhost/api/v1/watch/namespace/tenantName/bucket1?prefix=&suffix=.jpg&events=put,get")
 	if err != nil {
 		t.Errorf("Failed on %s:, error occurred: %s", "url.Parse()", err.Error())
 	}
 	req := &http.Request{
 		URL: u,
 	}
-	opts := getWatchOptionsFromReq(req)
-	expectedOptions := watchOptions{
-		BucketName: "bucket1",
+	opts, err := getWatchOptionsFromReq(req)
+	if assert.NoError(err) {
+		expectedOptions := watchOptions{
+			BucketName: "bucket1",
+		}
+		expectedOptions.Prefix = ""
+		expectedOptions.Suffix = ".jpg"
+		expectedOptions.Events = []string{"put", "get"}
+		assert.Equal(expectedOptions.BucketName, opts.BucketName)
+		assert.Equal(expectedOptions.Prefix, opts.Prefix)
+		assert.Equal(expectedOptions.Suffix, opts.Suffix)
+		assert.Equal(expectedOptions.Events, opts.Events)
 	}
-	expectedOptions.Prefix = ""
-	expectedOptions.Suffix = ".jpg"
-	expectedOptions.Events = []string{"put", "get"}
-	assert.Equal(expectedOptions.BucketName, opts.BucketName)
-	assert.Equal(expectedOptions.Prefix, opts.Prefix)
-	assert.Equal(expectedOptions.Suffix, opts.Suffix)
-	assert.Equal(expectedOptions.Events, opts.Events)

 	// Test-7: getWatchOptionsFromReq return default events if not defined
-	u, err = url.Parse("http://localhost/api/v1/watch/bucket1?prefix=&suffix=.jpg&events=")
+	u, err = url.Parse("http://localhost/api/v1/watch/namespace/tenantName/bucket1?prefix=&suffix=.jpg&events=")
 	if err != nil {
 		t.Errorf("Failed on %s:, error occurred: %s", "url.Parse()", err.Error())
 	}
 	req = &http.Request{
 		URL: u,
 	}
-	opts = getWatchOptionsFromReq(req)
-	expectedOptions = watchOptions{
-		BucketName: "bucket1",
+	opts, err = getWatchOptionsFromReq(req)
+	if assert.NoError(err) {
+		expectedOptions := watchOptions{
+			BucketName: "bucket1",
+		}
+		expectedOptions.Prefix = ""
+		expectedOptions.Suffix = ".jpg"
+		expectedOptions.Events = []string{"put", "get", "delete"}
+		assert.Equal(expectedOptions.BucketName, opts.BucketName)
+		assert.Equal(expectedOptions.Prefix, opts.Prefix)
+		assert.Equal(expectedOptions.Suffix, opts.Suffix)
+		assert.Equal(expectedOptions.Events, opts.Events)
+
 	}
-	expectedOptions.Prefix = ""
-	expectedOptions.Suffix = ".jpg"
-	expectedOptions.Events = []string{"put", "get", "delete"}
-	assert.Equal(expectedOptions.BucketName, opts.BucketName)
-	assert.Equal(expectedOptions.Prefix, opts.Prefix)
-	assert.Equal(expectedOptions.Suffix, opts.Suffix)
-	assert.Equal(expectedOptions.Events, opts.Events)

 	// Test-8: getWatchOptionsFromReq return default events if not defined
-	u, err = url.Parse("http://localhost/api/v1/watch/bucket2?prefix=&suffix=")
+	u, err = url.Parse("http://localhost/api/v1/watch/namespace/tenantName/bucket2?prefix=&suffix=")
 	if err != nil {
 		t.Errorf("Failed on %s:, error occurred: %s", "url.Parse()", err.Error())
 	}
 	req = &http.Request{
 		URL: u,
 	}
-	opts = getWatchOptionsFromReq(req)
-	expectedOptions = watchOptions{
-		BucketName: "bucket2",
+	opts, err = getWatchOptionsFromReq(req)
+	if assert.NoError(err) {
+		expectedOptions := watchOptions{
+			BucketName: "bucket2",
+		}
+		expectedOptions.Events = []string{"put", "get", "delete"}
+		assert.Equal(expectedOptions.BucketName, opts.BucketName)
+		assert.Equal(expectedOptions.Prefix, opts.Prefix)
+		assert.Equal(expectedOptions.Suffix, opts.Suffix)
+		assert.Equal(expectedOptions.Events, opts.Events)
 	}
-	expectedOptions.Events = []string{"put", "get", "delete"}
-	assert.Equal(expectedOptions.BucketName, opts.BucketName)
-	assert.Equal(expectedOptions.Prefix, opts.Prefix)
-	assert.Equal(expectedOptions.Suffix, opts.Suffix)
-	assert.Equal(expectedOptions.Events, opts.Events)
 }
--- a/restapi/ws_handle.go
+++ b/restapi/ws_handle.go
@@ -122,7 +122,12 @@ func serveWS(w http.ResponseWriter, req *http.Request) {
 	switch {
 	case strings.HasPrefix(wsPath, `/trace`):
 		// Trace api only for operator Console
-		namespace, tenant := getTraceOptionsFromReq(req)
+		namespace, tenant, err := getTraceOptionsFromReq(req)
+		if err != nil {
+			log.Println("error getting trace options:", err)
+			closeWsConn(conn)
+			return
+		}
 		wsAdminClient, err := newWebSocketTenantAdminClient(conn, session, namespace, tenant)
 		if err != nil {
 			closeWsConn(conn)
@@ -131,7 +136,12 @@ func serveWS(w http.ResponseWriter, req *http.Request) {
 		go wsAdminClient.trace()
 	case strings.HasPrefix(wsPath, `/console`):
 		// Trace api only for operator Console
-		namespace, tenant := getConsoleLogOptionsFromReq(req)
+		namespace, tenant, err := getConsoleLogOptionsFromReq(req)
+		if err != nil {
+			log.Println("error getting log options:", err)
+			closeWsConn(conn)
+			return
+		}
 		wsAdminClient, err := newWebSocketTenantAdminClient(conn, session, namespace, tenant)
 		if err != nil {
 			closeWsConn(conn)
@@ -145,15 +155,20 @@ func serveWS(w http.ResponseWriter, req *http.Request) {
 			closeWsConn(conn)
 			return
 		}
-		wsAdminClient, err := newWebSocketAdminClient(conn, session)
+		wsAdminClient, err := newWebSocketTenantAdminClient(conn, session, hOptions.Namespace, hOptions.Tenant)
 		if err != nil {
 			closeWsConn(conn)
 			return
 		}
 		go wsAdminClient.heal(hOptions)
 	case strings.HasPrefix(wsPath, `/watch`):
-		wOptions := getWatchOptionsFromReq(req)
-		wsS3Client, err := newWebSocketS3Client(conn, session, wOptions.BucketName)
+		wOptions, err := getWatchOptionsFromReq(req)
+		if err != nil {
+			log.Println("error getting watch options:", err)
+			closeWsConn(conn)
+			return
+		}
+		wsS3Client, err := newWebSocketS3Client(conn, session, wOptions.Namespace, wOptions.Tenant, wOptions.BucketName)
 		if err != nil {
 			closeWsConn(conn)
 			return
@@ -195,13 +210,14 @@ func newWebSocketTenantAdminClient(conn *websocket.Conn, session *models.Princip
 	minTenant.EnsureDefaults()

 	svcURL := GetTenantServiceURL(minTenant)
-	// TODO: in the feature we need to load all tenants public certificates under ~/.console/certs/CAs to avoid using insecure: true
+	// getTenantAdminClient will use all certificates under ~/.console/certs/CAs to trust the TLS connections with MinIO tenants
 	mAdmin, err := getTenantAdminClient(
 		ctx,
 		k8sClient,
 		minTenant,
 		svcURL,
-		true)
+		true,
+	)
 	if err != nil {
 		return nil, err
 	}
@@ -216,34 +232,50 @@ func newWebSocketTenantAdminClient(conn *websocket.Conn, session *models.Princip
 	return wsAdminClient, nil
 }

-// newWebSocketAdminClient returns a wsAdminClient authenticated as an admin user
-func newWebSocketAdminClient(conn *websocket.Conn, autClaims *models.Principal) (*wsAdminClient, error) {
-	// Only start Websocket Interaction after user has been
-	// authenticated with MinIO
-	mAdmin, err := newAdminFromClaims(autClaims)
-	if err != nil {
-		log.Println("error creating Madmin Client:", err)
-		// close connection
-		conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
-		conn.Close()
-		return nil, err
-	}
-	// create a websocket connection interface implementation
-	// defining the connection to be used
-	wsConnection := wsConn{conn: conn}
-	// create a minioClient interface implementation
-	// defining the client to be used
-	adminClient := adminClient{client: mAdmin}
-	// create websocket client and handle request
-	wsAdminClient := &wsAdminClient{conn: wsConnection, client: adminClient}
-	return wsAdminClient, nil
-}
-
 // newWebSocketS3Client returns a wsAdminClient authenticated as Console admin
-func newWebSocketS3Client(conn *websocket.Conn, claims *models.Principal, bucketName string) (*wsS3Client, error) {
+func newWebSocketS3Client(conn *websocket.Conn, claims *models.Principal, namespace, tenant, bucketName string) (*wsS3Client, error) {
 	// Only start Websocket Interaction after user has been
 	// authenticated with MinIO
-	s3Client, err := newS3BucketClient(claims, bucketName, "")
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	opClientClientSet, err := cluster.OperatorClient(claims.SessionToken)
+	if err != nil {
+		return nil, err
+	}
+
+	clientSet, err := cluster.K8sClient(claims.SessionToken)
+	if err != nil {
+		return nil, err
+	}
+
+	opClient := &operatorClient{
+		client: opClientClientSet,
+	}
+	k8sClient := &k8sClient{
+		client: clientSet,
+	}
+
+	minTenant, err := getTenant(ctx, opClient, namespace, tenant)
+	if err != nil {
+		return nil, err
+	}
+	minTenant.EnsureDefaults()
+
+	// Get Tenant Creds and substitute session ones
+	tenantCreds, err := getTenantCreds(ctx, k8sClient, minTenant)
+	if err != nil {
+		return nil, err
+	}
+
+	tenantClaims := &models.Principal{
+		AccessKeyID:     tenantCreds.accessKey,
+		SecretAccessKey: tenantCreds.secretKey,
+	}
+
+	svcURL := GetTenantServiceURL(minTenant)
+	// TODO: change isSecure: true to minTenant.TLS() and add support to S3Client to accept custom TLS Transport
+	s3Client, err := newTenantS3BucketClient(tenantClaims, svcURL, bucketName, false)
 	if err != nil {
 		log.Println("error creating S3Client:", err)
 		conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
@@ -332,7 +364,7 @@ func (wsc *wsAdminClient) console() {
 	sendWsCloseMessage(wsc.conn, err)
 }

-func (wsc *wsS3Client) watch(params watchOptions) {
+func (wsc *wsS3Client) watch(params *watchOptions) {
 	defer func() {
 		log.Println("watch stopped")
 		// close connection after return