Populate AddUserServiceAccount policy restrictor with user permissions (#1987)

Created api to generate single JSON including all user permissions to populate AddUserServiceAccount policy restrictor
2022-05-25 11:34:26 -07:00
parent 69e1d653ce
commit fce2a148b8
12 changed files with 787 additions and 2 deletions
--- a/integration/policy_test.go
+++ b/integration/policy_test.go
@@ -674,7 +674,6 @@ func Test_PolicyListGroupsAPI(t *testing.T) {
 		{
 			name: "List Users for Policy - Valid",
 			args: args{
-
 				api: "/policies/" + base64.StdEncoding.EncodeToString([]byte("policylistgroups")) + "/groups",
 			},
 			expectedStatus: 200,
@@ -794,3 +793,70 @@ func Test_DeletePolicyAPI(t *testing.T) {
 		})
 	}
 }
+
+func Test_GetAUserPolicyAPI(t *testing.T) {
+	assert := assert.New(t)
+	// Create a User with a Policy to use for testing
+	groups := []string{}
+	policies := []string{"readwrite"}
+	_, err := AddUser("getuserpolicyuser", "secretKey", groups, policies)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	// encode usernames to pass to api
+	bName := []byte("getuserpolicyuser")
+	fName := []byte("failname")
+	encodedName := base64.URLEncoding.EncodeToString(bName)
+	encodedFailName := base64.URLEncoding.EncodeToString(fName)
+
+	type args struct {
+		api string
+	}
+	tests := []struct {
+		name           string
+		args           args
+		expectedStatus int
+		expectedError  error
+	}{
+		{
+			name: "Get User Policy - Invalid",
+			args: args{
+				api: "/user/" + encodedFailName + "/policies",
+			},
+			expectedStatus: 401,
+			expectedError:  nil,
+		},
+		{
+			name: "Get User Policy - Valid",
+			args: args{
+				api: "/user/" + encodedName + "/policies",
+			},
+			expectedStatus: 200,
+			expectedError:  nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			client := &http.Client{
+				Timeout: 3 * time.Second,
+			}
+			request, err := http.NewRequest(
+				"GET", fmt.Sprintf("http://localhost:9090/api/v1%s", tt.args.api), nil)
+			if err != nil {
+				log.Println(err)
+				return
+			}
+			request.Header.Add("Cookie", fmt.Sprintf("token=%s", token))
+			request.Header.Add("Content-Type", "application/json")
+			response, err := client.Do(request)
+			if err != nil {
+				log.Println(err)
+				return
+			}
+			if response != nil {
+				assert.Equal(tt.expectedStatus, response.StatusCode, tt.name+" Failed")
+			}
+		})
+	}
+}
--- a/models/a_user_policy_response.go
+++ b/models/a_user_policy_response.go
@@ -0,0 +1,67 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package models
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// AUserPolicyResponse a user policy response
+//
+// swagger:model aUserPolicyResponse
+type AUserPolicyResponse struct {
+
+	// policy
+	Policy string `json:"policy,omitempty"`
+}
+
+// Validate validates this a user policy response
+func (m *AUserPolicyResponse) Validate(formats strfmt.Registry) error {
+	return nil
+}
+
+// ContextValidate validates this a user policy response based on context it is used
+func (m *AUserPolicyResponse) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	return nil
+}
+
+// MarshalBinary interface implementation
+func (m *AUserPolicyResponse) MarshalBinary() ([]byte, error) {
+	if m == nil {
+		return nil, nil
+	}
+	return swag.WriteJSON(m)
+}
+
+// UnmarshalBinary interface implementation
+func (m *AUserPolicyResponse) UnmarshalBinary(b []byte) error {
+	var res AUserPolicyResponse
+	if err := swag.ReadJSON(b, &res); err != nil {
+		return err
+	}
+	*m = res
+	return nil
+}
--- a/portal-ui/src/common/utils.ts
+++ b/portal-ui/src/common/utils.ts
@@ -696,3 +696,4 @@ export const getCookieValue = (cookieName: string) => {
      ?.pop() || ""
  );
 };
+
--- a/portal-ui/src/screens/Console/Users/AddUserServiceAccountScreen.tsx
+++ b/portal-ui/src/screens/Console/Users/AddUserServiceAccountScreen.tsx
@@ -125,6 +125,20 @@ const AddServiceAccount = ({ classes, match }: IAddServiceAccountProps) => {
    secretKey,
  ]);

+  useEffect(() => {
+    if(isRestrictedByPolicy){
+    api
+      .invoke("GET", `/api/v1/user/${encodeURLString(userName)}/policies`) 
+      
+      .then((res) => {
+      setPolicyJSON(JSON.stringify(JSON.parse(res.policy), null, 4));
+      })
+      .catch((err: ErrorResponseHandler) => {
+        setErrorSnackMessage(err);
+    });
+  }
+  }, [isRestrictedByPolicy, userName]);
+
  const addUserServiceAccount = (e: React.FormEvent) => {
    e.preventDefault();
    setAddSending(true);
--- a/restapi/admin_policies.go
+++ b/restapi/admin_policies.go
@@ -133,6 +133,14 @@ func registersPoliciesHandler(api *operations.ConsoleAPI) {
 		}
 		return policyApi.NewGetUserPolicyOK().WithPayload(userPolicyResponse)
 	})
+	// Gets policies for specified user
+	api.PolicyGetSAUserPolicyHandler = policyApi.GetSAUserPolicyHandlerFunc(func(params policyApi.GetSAUserPolicyParams, session *models.Principal) middleware.Responder {
+		userPolicyResponse, err := getSAUserPolicyResponse(session, params)
+		if err != nil {
+			return policyApi.NewGetSAUserPolicyDefault(int(err.Code)).WithPayload(err)
+		}
+		return policyApi.NewGetSAUserPolicyOK().WithPayload(userPolicyResponse)
+	})
 }

 func getListAccessRulesWithBucketResponse(session *models.Principal, params bucketApi.ListAccessRulesWithBucketParams) (*models.ListAccessRulesResponse, *models.Error) {
@@ -363,10 +371,88 @@ func getUserPolicyResponse(session *models.Principal) (string, *models.Error) {
 		return "nil", ErrorWithContext(ctx, err)
 	}
 	rawPolicy := policies.ReplacePolicyVariables(tokenClaims, accountInfo)
-
 	return string(rawPolicy), nil
 }

+func getSAUserPolicyResponse(session *models.Principal, params policyApi.GetSAUserPolicyParams) (*models.AUserPolicyResponse, *models.Error) {
+	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
+	defer cancel()
+	// serialize output
+	if session == nil {
+		return nil, ErrorWithContext(ctx, ErrPolicyNotFound)
+	}
+	// initialize admin client
+	mAdminClient, err := NewMinioAdminClient(&models.Principal{
+		STSAccessKeyID:     session.STSAccessKeyID,
+		STSSecretAccessKey: session.STSSecretAccessKey,
+		STSSessionToken:    session.STSSessionToken,
+	})
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+	userAdminClient := AdminClient{Client: mAdminClient}
+
+	userName, err := utils.DecodeBase64(params.Name)
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+
+	user, err := getUserInfo(ctx, userAdminClient, userName)
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+	var userPolicies []string
+	if len(user.PolicyName) > 0 {
+		userPolicies = strings.Split(user.PolicyName, ",")
+	}
+
+	for _, group := range user.MemberOf {
+		groupDesc, err := groupInfo(ctx, userAdminClient, group)
+		if err != nil {
+			return nil, ErrorWithContext(ctx, err)
+		}
+		if groupDesc.Policy != "" {
+			userPolicies = append(userPolicies, strings.Split(groupDesc.Policy, ",")...)
+		}
+	}
+
+	allKeys := make(map[string]bool)
+	var userPolicyList []string
+
+	for _, item := range userPolicies {
+		if _, value := allKeys[item]; !value {
+			allKeys[item] = true
+			userPolicyList = append(userPolicyList, item)
+		}
+	}
+	var userStatements []iampolicy.Statement
+
+	for _, pol := range userPolicyList {
+		policy, err := getPolicyStatements(ctx, userAdminClient, pol)
+		if err != nil {
+			return nil, ErrorWithContext(ctx, err)
+		}
+		userStatements = append(userStatements, policy...)
+	}
+
+	combinedPolicy := iampolicy.Policy{
+		Version:    "2012-10-17",
+		Statements: userStatements,
+	}
+
+	stringPolicy, err := json.Marshal(combinedPolicy)
+	if err != nil {
+		return nil, ErrorWithContext(ctx, err)
+	}
+	parsedPolicy := string(stringPolicy)
+
+	getUserPoliciesResponse := &models.AUserPolicyResponse{
+		Policy: parsedPolicy,
+	}
+
+	return getUserPoliciesResponse, nil
+}
+
 func getListGroupsForPolicyResponse(session *models.Principal, params policyApi.ListGroupsForPolicyParams) ([]string, *models.Error) {
 	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
 	defer cancel()
@@ -510,6 +596,17 @@ func policyInfo(ctx context.Context, client MinioAdmin, name string) (*models.Po
 	return policy, nil
 }

+// getPolicy Statements calls MinIO server to retrieve information of a canned policy.
+// and returns the associated Statements
+func getPolicyStatements(ctx context.Context, client MinioAdmin, name string) ([]iampolicy.Statement, error) {
+	policyRaw, err := client.getPolicy(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+
+	return policyRaw.Statements, nil
+}
+
 // getPolicyInfoResponse performs policyInfo() and serializes it to the handler's output
 func getPolicyInfoResponse(session *models.Principal, params policyApi.PolicyInfoParams) (*models.Policy, *models.Error) {
 	ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
--- a/restapi/embedded_spec.go
+++ b/restapi/embedded_spec.go
@@ -3999,6 +3999,37 @@ func init() {
        }
      }
    },
+    "/user/{name}/policies": {
+      "get": {
+        "tags": [
+          "Policy"
+        ],
+        "summary": "returns policies assigned for a specified user",
+        "operationId": "GetSAUserPolicy",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/aUserPolicyResponse"
+            }
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/user/{name}/service-account-credentials": {
      "post": {
        "tags": [
@@ -4250,6 +4281,14 @@ func init() {
        }
      }
    },
+    "aUserPolicyResponse": {
+      "type": "object",
+      "properties": {
+        "policy": {
+          "type": "string"
+        }
+      }
+    },
    "accessRule": {
      "type": "object",
      "properties": {
@@ -11033,6 +11072,37 @@ func init() {
        }
      }
    },
+    "/user/{name}/policies": {
+      "get": {
+        "tags": [
+          "Policy"
+        ],
+        "summary": "returns policies assigned for a specified user",
+        "operationId": "GetSAUserPolicy",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/aUserPolicyResponse"
+            }
+          },
+          "default": {
+            "description": "Generic error response.",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          }
+        }
+      }
+    },
    "/user/{name}/service-account-credentials": {
      "post": {
        "tags": [
@@ -11410,6 +11480,14 @@ func init() {
        }
      }
    },
+    "aUserPolicyResponse": {
+      "type": "object",
+      "properties": {
+        "policy": {
+          "type": "string"
+        }
+      }
+    },
    "accessRule": {
      "type": "object",
      "properties": {
--- a/restapi/operations/console_api.go
+++ b/restapi/operations/console_api.go
@@ -237,6 +237,9 @@ func NewConsoleAPI(spec *loads.Document) *ConsoleAPI {
 		ObjectGetObjectMetadataHandler: object.GetObjectMetadataHandlerFunc(func(params object.GetObjectMetadataParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation object.GetObjectMetadata has not yet been implemented")
 		}),
+		PolicyGetSAUserPolicyHandler: policy.GetSAUserPolicyHandlerFunc(func(params policy.GetSAUserPolicyParams, principal *models.Principal) middleware.Responder {
+			return middleware.NotImplemented("operation policy.GetSAUserPolicy has not yet been implemented")
+		}),
 		ServiceAccountGetServiceAccountPolicyHandler: service_account.GetServiceAccountPolicyHandlerFunc(func(params service_account.GetServiceAccountPolicyParams, principal *models.Principal) middleware.Responder {
 			return middleware.NotImplemented("operation service_account.GetServiceAccountPolicy has not yet been implemented")
 		}),
@@ -613,6 +616,8 @@ type ConsoleAPI struct {
 	BucketGetBucketVersioningHandler bucket.GetBucketVersioningHandler
 	// ObjectGetObjectMetadataHandler sets the operation handler for the get object metadata operation
 	ObjectGetObjectMetadataHandler object.GetObjectMetadataHandler
+	// PolicyGetSAUserPolicyHandler sets the operation handler for the get s a user policy operation
+	PolicyGetSAUserPolicyHandler policy.GetSAUserPolicyHandler
 	// ServiceAccountGetServiceAccountPolicyHandler sets the operation handler for the get service account policy operation
 	ServiceAccountGetServiceAccountPolicyHandler service_account.GetServiceAccountPolicyHandler
 	// SiteReplicationGetSiteReplicationInfoHandler sets the operation handler for the get site replication info operation
@@ -1000,6 +1005,9 @@ func (o *ConsoleAPI) Validate() error {
 	if o.ObjectGetObjectMetadataHandler == nil {
 		unregistered = append(unregistered, "object.GetObjectMetadataHandler")
 	}
+	if o.PolicyGetSAUserPolicyHandler == nil {
+		unregistered = append(unregistered, "policy.GetSAUserPolicyHandler")
+	}
 	if o.ServiceAccountGetServiceAccountPolicyHandler == nil {
 		unregistered = append(unregistered, "service_account.GetServiceAccountPolicyHandler")
 	}
@@ -1527,6 +1535,10 @@ func (o *ConsoleAPI) initHandlerCache() {
 	if o.handlers["GET"] == nil {
 		o.handlers["GET"] = make(map[string]http.Handler)
 	}
+	o.handlers["GET"]["/user/{name}/policies"] = policy.NewGetSAUserPolicy(o.context, o.PolicyGetSAUserPolicyHandler)
+	if o.handlers["GET"] == nil {
+		o.handlers["GET"] = make(map[string]http.Handler)
+	}
 	o.handlers["GET"]["/service-accounts/{access_key}/policy"] = service_account.NewGetServiceAccountPolicy(o.context, o.ServiceAccountGetServiceAccountPolicyHandler)
 	if o.handlers["GET"] == nil {
 		o.handlers["GET"] = make(map[string]http.Handler)
--- a/restapi/operations/policy/get_s_a_user_policy.go
+++ b/restapi/operations/policy/get_s_a_user_policy.go
@@ -0,0 +1,88 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package policy
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime/middleware"
+
+	"github.com/minio/console/models"
+)
+
+// GetSAUserPolicyHandlerFunc turns a function with the right signature into a get s a user policy handler
+type GetSAUserPolicyHandlerFunc func(GetSAUserPolicyParams, *models.Principal) middleware.Responder
+
+// Handle executing the request and returning a response
+func (fn GetSAUserPolicyHandlerFunc) Handle(params GetSAUserPolicyParams, principal *models.Principal) middleware.Responder {
+	return fn(params, principal)
+}
+
+// GetSAUserPolicyHandler interface for that can handle valid get s a user policy params
+type GetSAUserPolicyHandler interface {
+	Handle(GetSAUserPolicyParams, *models.Principal) middleware.Responder
+}
+
+// NewGetSAUserPolicy creates a new http.Handler for the get s a user policy operation
+func NewGetSAUserPolicy(ctx *middleware.Context, handler GetSAUserPolicyHandler) *GetSAUserPolicy {
+	return &GetSAUserPolicy{Context: ctx, Handler: handler}
+}
+
+/* GetSAUserPolicy swagger:route GET /user/{name}/policies Policy getSAUserPolicy
+
+returns policies assigned for a specified user
+
+*/
+type GetSAUserPolicy struct {
+	Context *middleware.Context
+	Handler GetSAUserPolicyHandler
+}
+
+func (o *GetSAUserPolicy) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	route, rCtx, _ := o.Context.RouteInfo(r)
+	if rCtx != nil {
+		*r = *rCtx
+	}
+	var Params = NewGetSAUserPolicyParams()
+	uprinc, aCtx, err := o.Context.Authorize(r, route)
+	if err != nil {
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+	if aCtx != nil {
+		*r = *aCtx
+	}
+	var principal *models.Principal
+	if uprinc != nil {
+		principal = uprinc.(*models.Principal) // this is really a models.Principal, I promise
+	}
+
+	if err := o.Context.BindValidRequest(r, route, &Params); err != nil { // bind params
+		o.Context.Respond(rw, r, route.Produces, route, err)
+		return
+	}
+
+	res := o.Handler.Handle(Params, principal) // actually handle the request
+	o.Context.Respond(rw, r, route.Produces, route, res)
+
+}
--- a/restapi/operations/policy/get_s_a_user_policy_parameters.go
+++ b/restapi/operations/policy/get_s_a_user_policy_parameters.go
@@ -0,0 +1,88 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package policy
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewGetSAUserPolicyParams creates a new GetSAUserPolicyParams object
+//
+// There are no default values defined in the spec.
+func NewGetSAUserPolicyParams() GetSAUserPolicyParams {
+
+	return GetSAUserPolicyParams{}
+}
+
+// GetSAUserPolicyParams contains all the bound params for the get s a user policy operation
+// typically these are obtained from a http.Request
+//
+// swagger:parameters GetSAUserPolicy
+type GetSAUserPolicyParams struct {
+
+	// HTTP Request Object
+	HTTPRequest *http.Request `json:"-"`
+
+	/*
+	  Required: true
+	  In: path
+	*/
+	Name string
+}
+
+// BindRequest both binds and validates a request, it assumes that complex things implement a Validatable(strfmt.Registry) error interface
+// for simple values it will use straight method calls.
+//
+// To ensure default values, the struct must have been initialized with NewGetSAUserPolicyParams() beforehand.
+func (o *GetSAUserPolicyParams) BindRequest(r *http.Request, route *middleware.MatchedRoute) error {
+	var res []error
+
+	o.HTTPRequest = r
+
+	rName, rhkName, _ := route.Params.GetOK("name")
+	if err := o.bindName(rName, rhkName, route.Formats); err != nil {
+		res = append(res, err)
+	}
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
+
+// bindName binds and validates parameter Name from path.
+func (o *GetSAUserPolicyParams) bindName(rawData []string, hasKey bool, formats strfmt.Registry) error {
+	var raw string
+	if len(rawData) > 0 {
+		raw = rawData[len(rawData)-1]
+	}
+
+	// Required: true
+	// Parameter is provided by construction from the route
+	o.Name = raw
+
+	return nil
+}
--- a/restapi/operations/policy/get_s_a_user_policy_responses.go
+++ b/restapi/operations/policy/get_s_a_user_policy_responses.go
@@ -0,0 +1,133 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package policy
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"net/http"
+
+	"github.com/go-openapi/runtime"
+
+	"github.com/minio/console/models"
+)
+
+// GetSAUserPolicyOKCode is the HTTP code returned for type GetSAUserPolicyOK
+const GetSAUserPolicyOKCode int = 200
+
+/*GetSAUserPolicyOK A successful response.
+
+swagger:response getSAUserPolicyOK
+*/
+type GetSAUserPolicyOK struct {
+
+	/*
+	  In: Body
+	*/
+	Payload *models.AUserPolicyResponse `json:"body,omitempty"`
+}
+
+// NewGetSAUserPolicyOK creates GetSAUserPolicyOK with default headers values
+func NewGetSAUserPolicyOK() *GetSAUserPolicyOK {
+
+	return &GetSAUserPolicyOK{}
+}
+
+// WithPayload adds the payload to the get s a user policy o k response
+func (o *GetSAUserPolicyOK) WithPayload(payload *models.AUserPolicyResponse) *GetSAUserPolicyOK {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the get s a user policy o k response
+func (o *GetSAUserPolicyOK) SetPayload(payload *models.AUserPolicyResponse) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *GetSAUserPolicyOK) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(200)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
+
+/*GetSAUserPolicyDefault Generic error response.
+
+swagger:response getSAUserPolicyDefault
+*/
+type GetSAUserPolicyDefault struct {
+	_statusCode int
+
+	/*
+	  In: Body
+	*/
+	Payload *models.Error `json:"body,omitempty"`
+}
+
+// NewGetSAUserPolicyDefault creates GetSAUserPolicyDefault with default headers values
+func NewGetSAUserPolicyDefault(code int) *GetSAUserPolicyDefault {
+	if code <= 0 {
+		code = 500
+	}
+
+	return &GetSAUserPolicyDefault{
+		_statusCode: code,
+	}
+}
+
+// WithStatusCode adds the status to the get s a user policy default response
+func (o *GetSAUserPolicyDefault) WithStatusCode(code int) *GetSAUserPolicyDefault {
+	o._statusCode = code
+	return o
+}
+
+// SetStatusCode sets the status to the get s a user policy default response
+func (o *GetSAUserPolicyDefault) SetStatusCode(code int) {
+	o._statusCode = code
+}
+
+// WithPayload adds the payload to the get s a user policy default response
+func (o *GetSAUserPolicyDefault) WithPayload(payload *models.Error) *GetSAUserPolicyDefault {
+	o.Payload = payload
+	return o
+}
+
+// SetPayload sets the payload to the get s a user policy default response
+func (o *GetSAUserPolicyDefault) SetPayload(payload *models.Error) {
+	o.Payload = payload
+}
+
+// WriteResponse to the client
+func (o *GetSAUserPolicyDefault) WriteResponse(rw http.ResponseWriter, producer runtime.Producer) {
+
+	rw.WriteHeader(o._statusCode)
+	if o.Payload != nil {
+		payload := o.Payload
+		if err := producer.Produce(rw, payload); err != nil {
+			panic(err) // let the recovery middleware deal with this
+		}
+	}
+}
--- a/restapi/operations/policy/get_s_a_user_policy_urlbuilder.go
+++ b/restapi/operations/policy/get_s_a_user_policy_urlbuilder.go
@@ -0,0 +1,116 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+// This file is part of MinIO Console Server
+// Copyright (c) 2022 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+
+package policy
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the generate command
+
+import (
+	"errors"
+	"net/url"
+	golangswaggerpaths "path"
+	"strings"
+)
+
+// GetSAUserPolicyURL generates an URL for the get s a user policy operation
+type GetSAUserPolicyURL struct {
+	Name string
+
+	_basePath string
+	// avoid unkeyed usage
+	_ struct{}
+}
+
+// WithBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *GetSAUserPolicyURL) WithBasePath(bp string) *GetSAUserPolicyURL {
+	o.SetBasePath(bp)
+	return o
+}
+
+// SetBasePath sets the base path for this url builder, only required when it's different from the
+// base path specified in the swagger spec.
+// When the value of the base path is an empty string
+func (o *GetSAUserPolicyURL) SetBasePath(bp string) {
+	o._basePath = bp
+}
+
+// Build a url path and query string
+func (o *GetSAUserPolicyURL) Build() (*url.URL, error) {
+	var _result url.URL
+
+	var _path = "/user/{name}/policies"
+
+	name := o.Name
+	if name != "" {
+		_path = strings.Replace(_path, "{name}", name, -1)
+	} else {
+		return nil, errors.New("name is required on GetSAUserPolicyURL")
+	}
+
+	_basePath := o._basePath
+	if _basePath == "" {
+		_basePath = "/api/v1"
+	}
+	_result.Path = golangswaggerpaths.Join(_basePath, _path)
+
+	return &_result, nil
+}
+
+// Must is a helper function to panic when the url builder returns an error
+func (o *GetSAUserPolicyURL) Must(u *url.URL, err error) *url.URL {
+	if err != nil {
+		panic(err)
+	}
+	if u == nil {
+		panic("url can't be nil")
+	}
+	return u
+}
+
+// String returns the string representation of the path with query string
+func (o *GetSAUserPolicyURL) String() string {
+	return o.Must(o.Build()).String()
+}
+
+// BuildFull builds a full url with scheme, host, path and query string
+func (o *GetSAUserPolicyURL) BuildFull(scheme, host string) (*url.URL, error) {
+	if scheme == "" {
+		return nil, errors.New("scheme is required for a full url on GetSAUserPolicyURL")
+	}
+	if host == "" {
+		return nil, errors.New("host is required for a full url on GetSAUserPolicyURL")
+	}
+
+	base, err := o.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	base.Scheme = scheme
+	base.Host = host
+	return base, nil
+}
+
+// StringFull returns the string representation of a complete url
+func (o *GetSAUserPolicyURL) StringFull(scheme, host string) string {
+	return o.Must(o.BuildFull(scheme, host)).String()
+}
--- a/swagger-console.yml
+++ b/swagger-console.yml
@@ -1607,6 +1607,26 @@ paths:
            $ref: "#/definitions/error"
      tags:
        - Policy
+  /user/{name}/policies:
+    get:
+      summary: returns policies assigned for a specified user
+      operationId: GetSAUserPolicy
+      parameters:
+        - name: name
+          in: path
+          required: true
+          type: string
+      responses:
+        200:
+          description: A successful response.
+          schema:
+            $ref: "#/definitions/aUserPolicyResponse"
+        default:
+          description: Generic error response.
+          schema:
+            $ref: "#/definitions/error"
+      tags:
+        - Policy
  /user/{name}/service-accounts:
    get:
      summary: returns a list of service accounts for a user
@@ -4848,3 +4868,8 @@ definitions:
        type: array
        items:
          type: string
+  aUserPolicyResponse:
+    type: object
+    properties:
+      policy:
+        type: string