ACL for mcs (#123)

This PR sets the initial version of the ACL for mcs, the idea behind this is to start using the principle of least privileges when assigning policies to users when creating users through mcs, currently mcsAdmin policy uses admin:* and s3:* and by default a user with that policy will have access to everything, if want to limit that we can create a policy with least privileges. We need to start validating explicitly if users has acccess to an specific endpoint based on IAM policy actions. In this first version every endpoint (you can see it as a page to), defines a set of well defined admin/s3 actions to work properly, ie: ``` // corresponds to /groups endpoint used by the groups page var groupsActionSet = iampolicy.NewActionSet( iampolicy.ListGroupsAdminAction, iampolicy.AddUserToGroupAdminAction, //iampolicy.GetGroupAdminAction, iampolicy.EnableGroupAdminAction, iampolicy.DisableGroupAdminAction, ) // corresponds to /policies endpoint used by the policies page var iamPoliciesActionSet = iampolicy.NewActionSet( iampolicy.GetPolicyAdminAction, iampolicy.DeletePolicyAdminAction, iampolicy.CreatePolicyAdminAction, iampolicy.AttachPolicyAdminAction, iampolicy.ListUserPoliciesAdminAction, ) ``` With that said, for this initial version, now the sessions endpoint will return a list of authorized pages to be render on the UI, on subsequent prs we will add this verification of authorization via a server middleware.
2020-05-18 18:03:06 -07:00
parent e8491d80cb
commit 732e0ef683
23 changed files with 1080 additions and 335 deletions
--- a/README.md
+++ b/README.md
@@ -14,31 +14,30 @@ $ mc admin user add myminio mcs YOURMCSSECRET
 $ set -o history
 ```

-2. Create a policy for `mcs`
+2. Create a policy for `mcs` with access to everything (for testing and debugging)

 ```
 $ cat > mcsAdmin.json << EOF
 {
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "admin:*"
-      ],
-      "Effect": "Allow",
-      "Sid": ""
-    },
-    {
-      "Action": [
-        "s3:*"
-      ],
-      "Effect": "Allow",
-      "Resource": [
-        "arn:aws:s3:::*"
-      ],
-      "Sid": ""
-    }
-  ]
+	"Version": "2012-10-17",
+	"Statement": [{
+			"Action": [
+				"admin:*"
+			],
+			"Effect": "Allow",
+			"Sid": ""
+		},
+		{
+			"Action": [
+                "s3:*"
+			],
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::*"
+			],
+			"Sid": ""
+		}
+	]
 }
 EOF
 $ mc admin policy add myminio mcsAdmin mcsAdmin.json
@@ -50,6 +49,49 @@ $ mc admin policy add myminio mcsAdmin mcsAdmin.json
 $ mc admin policy set myminio mcsAdmin user=mcs
 ```

+
+### Note
+Additionally, you can create policies to limit the privileges for `mcs` users, for example, if you want the user to only have access to dashboard, buckets, notifications and watch page, the policy should look like this:
+```
+{
+	"Version": "2012-10-17",
+	"Statement": [{
+			"Action": [
+				"admin:ServerInfo",
+			],
+			"Effect": "Allow",
+			"Sid": ""
+		},
+		{
+			"Action": [
+				"s3:ListenBucketNotification",
+				"s3:PutBucketNotification",
+				"s3:GetBucketNotification",
+				"s3:ListMultipartUploadParts",
+				"s3:ListBucketMultipartUploads",
+				"s3:ListBucket",
+				"s3:HeadBucket",
+				"s3:GetObject",
+				"s3:GetBucketLocation",
+				"s3:AbortMultipartUpload",
+				"s3:CreateBucket",
+				"s3:PutObject",
+				"s3:DeleteObject",
+				"s3:DeleteBucket",
+				"s3:PutBucketPolicy",
+				"s3:DeleteBucketPolicy",
+				"s3:GetBucketPolicy"
+			],
+			"Effect": "Allow",
+			"Resource": [
+				"arn:aws:s3:::*"
+			],
+			"Sid": ""
+		}
+	]
+}
+```
+
 ## Run MCS server
 To run the server: