mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20749d2eaee4ceb86f08d9731d40d73f6cc2cd2e
object-browser/swagger.yml
Lenin Alevski 732e0ef683 ACL for mcs (#123) 
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.

We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.

In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:

```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
    iampolicy.ListGroupsAdminAction,
    iampolicy.AddUserToGroupAdminAction,
    //iampolicy.GetGroupAdminAction,
    iampolicy.EnableGroupAdminAction,
    iampolicy.DisableGroupAdminAction,
)

// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
    iampolicy.GetPolicyAdminAction,
    iampolicy.DeletePolicyAdminAction,
    iampolicy.CreatePolicyAdminAction,
    iampolicy.AttachPolicyAdminAction,
    iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00

1436 lines
32 KiB
YAML
Raw Blame History

swagger: "2.0"
info:
title: MinIO Console Server
version: 0.1.0
consumes:
- application/json
produces:
- application/json
schemes:
- http
- ws
basePath: /api/v1
# We are going to be taking `Authorization: Bearer TOKEN` header for our authentication
securityDefinitions:
key:
type: oauth2
flow: accessCode
authorizationUrl: http://min.io
tokenUrl: http://min.io
# Apply the key security definition to all APIs
security:
- key: []
paths:
/login:
get:
summary: Returns login strategy, form or sso.
operationId: LoginDetail
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/loginDetails"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
# Exclude this API from the authentication requirement
security: []
tags:
- UserAPI
post:
summary: Login to mcs
operationId: Login
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/loginRequest'
responses:
201:
description: A successful login.
schema:
$ref: '#/definitions/loginResponse'
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
# Exclude this API from the authentication requirement
security: []
tags:
- UserAPI
/login/oauth2/auth:
post:
summary: Identity Provider oauth2 callback endpoint.
operationId: LoginOauth2Auth
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/loginOauth2AuthRequest'
responses:
201:
description: A successful login.
schema:
$ref: '#/definitions/loginResponse'
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
security: []
tags:
- UserAPI
/logout:
post:
summary: Logout from mcs.
operationId: Logout
responses:
200:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/session:
get:
summary: Endpoint to check if your session is still valid
operationId: SessionCheck
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/sessionResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/buckets:
get:
summary: List Buckets
operationId: ListBuckets
parameters:
- name: sort_by
in: query
required: false
type: string
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/listBucketsResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
post:
summary: Make bucket
operationId: MakeBucket
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/makeBucketRequest'
responses:
201:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/buckets/{name}:
get:
summary: Bucket Info
operationId: BucketInfo
parameters:
- name: name
in: path
required: true
type: string
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/bucket"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
delete:
summary: Delete Bucket
operationId: DeleteBucket
parameters:
- name: name
in: path
required: true
type: string
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/buckets/{name}/set-policy:
put:
summary: Bucket Set Policy
operationId: BucketSetPolicy
parameters:
- name: name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: "#/definitions/setBucketPolicyRequest"
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/bucket"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/buckets/{bucket_name}/events:
get:
summary: List Bucket Events
operationId: ListBucketEvents
parameters:
- name: bucket_name
in: path
required: true
type: string
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/listBucketEventsResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
post:
summary: Create Bucket Event
operationId: CreateBucketEvent
parameters:
- name: bucket_name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: '#/definitions/bucketEventRequest'
responses:
201:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/buckets/{bucket_name}/events/{arn}:
delete:
summary: Delete Bucket Event
operationId: DeleteBucketEvent
parameters:
- name: bucket_name
in: path
required: true
type: string
- name: arn
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: '#/definitions/notificationDeleteRequest'
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/service-accounts:
get:
summary: List User's Service Accounts
operationId: ListUserServiceAccounts
parameters:
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/serviceAccounts"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
post:
summary: Create Service Account
operationId: CreateServiceAccount
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/serviceAccountRequest'
responses:
201:
description: A successful response.
schema:
$ref: "#/definitions/serviceAccountCreds"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/service-accounts/{access_key}:
delete:
summary: Delete Service Account
operationId: DeleteServiceAccount
parameters:
- name: access_key
in: path
required: true
type: string
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- UserAPI
/users:
get:
summary: List Users
operationId: ListUsers
parameters:
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/listUsersResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
post:
summary: Add User
operationId: AddUser
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/addUserRequest'
responses:
201:
description: A successful response.
schema:
$ref: '#/definitions/user'
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/users/{name}:
get:
summary: Get User Info
operationId: GetUserInfo
parameters:
- name: name
in: path
required: true
type: string
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/user"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
put:
summary: Update User Info
operationId: UpdateUserInfo
parameters:
- name: name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: "#/definitions/updateUser"
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/user"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
delete:
summary: Remove user
operationId: RemoveUser
parameters:
- name: name
in: path
required: true
type: string
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/users/{name}/groups:
put:
summary: Update Groups for a user
operationId: UpdateUserGroups
parameters:
- name: name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: "#/definitions/updateUserGroups"
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/user"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/users-groups-bulk:
put:
summary: Bulk functionality to Add Users to Groups
operationId: BulkUpdateUsersGroups
parameters:
- name: body
in: body
required: true
schema:
$ref: "#/definitions/bulkUserGroups"
responses:
200:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/groups:
get:
summary: List Groups
operationId: ListGroups
parameters:
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/listGroupsResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
post:
summary: Add Group
operationId: AddGroup
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/addGroupRequest'
responses:
201:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/groups/{name}:
get:
summary: Group info
operationId: GroupInfo
parameters:
- name: name
in: path
required: true
type: string
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/group"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
delete:
summary: Remove group
operationId: RemoveGroup
parameters:
- name: name
in: path
required: true
type: string
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
put:
summary: Update Group Members or Status
operationId: UpdateGroup
parameters:
- name: name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: "#/definitions/updateGroupRequest"
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/group"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/policies:
get:
summary: List Policies
operationId: ListPolicies
parameters:
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/listPoliciesResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
post:
summary: Add Policy
operationId: AddPolicy
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/addPolicyRequest'
responses:
201:
description: A successful response.
schema:
$ref: '#/definitions/policy'
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/policies/{name}:
delete:
summary: Remove policy
operationId: RemovePolicy
parameters:
- name: name
in: path
required: true
type: string
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
get:
summary: Policy info
operationId: PolicyInfo
parameters:
- name: name
in: path
required: true
type: string
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/policy"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/configs:
get:
summary: List Configurations
operationId: ListConfig
parameters:
- name: offset
in: query
required: false
type: integer
format: int32
- name: limit
in: query
required: false
type: integer
format: int32
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/listConfigResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/set-policy/{name}:
put:
summary: Set policy
operationId: SetPolicy
parameters:
- name: name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: '#/definitions/setPolicyRequest'
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/configs/{name}:
get:
summary: Configuration info
operationId: ConfigInfo
parameters:
- name: name
in: path
required: true
type: string
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/configuration"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
put:
summary: Set Configuration
operationId: SetConfig
parameters:
- name: name
in: path
required: true
type: string
- name: body
in: body
required: true
schema:
$ref: "#/definitions/setConfigRequest"
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/service/restart:
post:
summary: Restart Service
operationId: RestartService
responses:
204:
description: A successful response.
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/profiling/start:
post:
summary: Start recording profile data
operationId: ProfilingStart
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/profilingStartRequest'
responses:
201:
description: A successful response.
schema:
$ref: '#/definitions/startProfilingList'
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/profiling/stop:
post:
summary: Stop and download profile data
operationId: ProfilingStop
produces:
- application/octet-stream
responses:
201:
description: A successful response.
schema:
type: file
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/admin/info:
get:
summary: Returns information about the deployment
operationId: AdminInfo
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/adminInfoResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/admin/arns:
get:
summary: Returns a list of active ARNs in the instance
operationId: ArnList
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/arnsResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
/admin/notification_endpoints:
get:
summary: Returns a list of active notification endpoints
operationId: NotificationEndpointList
responses:
200:
description: A successful response.
schema:
$ref: "#/definitions/notifEndpointResponse"
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
post:
summary: Allows to configure a new notification endpoint
operationId: AddNotificationEndpoint
parameters:
- name: body
in: body
required: true
schema:
$ref: '#/definitions/notificationEndpoint'
responses:
201:
description: A successful response.
schema:
$ref: '#/definitions/notificationEndpoint'
default:
description: Generic error response.
schema:
$ref: "#/definitions/error"
tags:
- AdminAPI
definitions:
bucketAccess:
type: string
enum:
- PRIVATE
- PUBLIC
- CUSTOM
default: PRIVATE
bucket:
type: object
required:
- name
properties:
name:
type: string
minLength: 3
size:
type: integer
format: int64
access:
$ref: "#/definitions/bucketAccess"
creation_date:
type: string
listBucketsResponse:
type: object
properties:
buckets:
type: array
items:
$ref: "#/definitions/bucket"
title: list of resulting buckets
total:
type: integer
format: int64
title: number of buckets accessible to tenant user
makeBucketRequest:
type: object
required:
- name
properties:
name:
type: string
error:
type: object
required:
- message
properties:
code:
type: integer
format: int64
message:
type: string
user:
type: object
properties:
accessKey:
type: string
policy:
type: string
memberOf:
type: array
items:
type: string
status:
type: string
listUsersResponse:
type: object
properties:
users:
type: array
items:
$ref: "#/definitions/user"
title: list of resulting users
addUserRequest:
type: object
required:
- accessKey
- secretKey
- groups
properties:
accessKey:
type: string
secretKey:
type: string
groups:
type: array
items:
type: string
group:
type: object
properties:
name:
type: string
status:
type: string
members:
type: array
items:
type: string
policy:
type: string
addGroupRequest:
type: object
required:
- group
- members
properties:
group:
type: string
members:
type: array
items:
type: string
listGroupsResponse:
type: object
properties:
groups:
type: array
items:
type: string
title: list of groups
total:
type: integer
format: int64
title: total number of groups
policy:
type: object
properties:
name:
type: string
policy:
type: string
policyEntity:
type: string
enum:
- user
- group
default: user
setPolicyRequest:
type: object
required:
- entityType
- entityName
properties:
entityType:
$ref: "#/definitions/policyEntity"
entityName:
type: string
addPolicyRequest:
type: object
required:
- name
- policy
properties:
name:
type: string
policy:
type: string
listPoliciesResponse:
type: object
properties:
policies:
type: array
items:
$ref: "#/definitions/policy"
title: list of policies
total:
type: integer
format: int64
title: total number of policies
updateGroupRequest:
type: object
required:
- members
- status
properties:
members:
type: array
items:
type: string
status:
type: string
configDescription:
type: object
properties:
key:
type: string
description:
type: string
configurationKV:
type: object
properties:
key:
type: string
value:
type: string
configuration:
type: object
properties:
name:
type: string
key_values:
type: array
items:
$ref: "#/definitions/configurationKV"
listConfigResponse:
type: object
properties:
configurations:
type: array
items:
$ref: '#/definitions/configDescription'
total:
type: integer
format: int64
title: total number of configurations
setConfigRequest:
type: object
required:
- key_values
properties:
key_values:
type: array
minItems: 1
items:
$ref: "#/definitions/configurationKV"
arn_resource_id:
type: string
title: Used if configuration is an event notification's target
notificationEventType:
type: string
enum:
- put
- delete
- get
notificationConfig:
type: object
required:
- arn
properties:
id:
type: string
arn:
type: string
events:
type: array
items:
$ref: "#/definitions/notificationEventType"
title: "filter specific type of event. Defaults to all event (default: '[put,delete,get]')"
prefix:
type: string
title: "filter event associated to the specified prefix"
suffix:
type: string
title: "filter event associated to the specified suffix"
notificationDeleteRequest:
type: object
required:
- events
- prefix
- suffix
properties:
events:
type: array
minLength: 1
items:
$ref: "#/definitions/notificationEventType"
title: "filter specific type of event. Defaults to all event (default: '[put,delete,get]')"
prefix:
type: string
title: "filter event associated to the specified prefix"
suffix:
type: string
title: "filter event associated to the specified suffix"
bucketEventRequest:
type: object
required:
- configuration
properties:
configuration:
$ref: "#/definitions/notificationConfig"
ignoreExisting:
type: boolean
listBucketEventsResponse:
type: object
properties:
events:
type: array
items:
$ref: "#/definitions/notificationConfig"
total:
type: integer
format: int64
title: total number of bucket events
setBucketPolicyRequest:
type: object
required:
- access
properties:
access:
$ref: "#/definitions/bucketAccess"
loginDetails:
type: object
properties:
loginStrategy:
type: string
enum: [form,redirect]
redirect:
type: string
loginOauth2AuthRequest:
type: object
required:
- state
- code
properties:
state:
type: string
code:
type: string
loginRequest:
type: object
required:
- accessKey
- secretKey
properties:
accessKey:
type: string
secretKey:
type: string
loginResponse:
type: object
properties:
sessionId:
type: string
# Structure that holds the `Bearer {TOKEN}` present on authenticated requests
principal:
type: string
startProfilingItem:
type: object
properties:
nodeName:
type: string
success:
type: boolean
error:
type: string
startProfilingList:
type: object
properties:
total:
type: integer
format: int64
title: number of start results
startResults:
type: array
items:
$ref: "#/definitions/startProfilingItem"
profilerType:
type: string
enum:
- cpu
- mem
- block
- mutex
- trace
- threads
- goroutines
profilingStartRequest:
type: object
required:
- type
properties:
type:
$ref: "#/definitions/profilerType"
sessionResponse:
type: object
properties:
pages:
type: array
items:
type: string
status:
type: string
enum: [ok]
adminInfoResponse:
type: object
properties:
buckets:
type: integer
objects:
type: integer
usage:
type: integer
arnsResponse:
type: object
properties:
arns:
type: array
items:
type: string
updateUserGroups:
type: object
required:
- groups
properties:
groups:
type: array
items:
type: string
nofiticationService:
type: string
enum:
- webhook
- amqp
- kafka
- mqtt
- nats
- nsq
- mysql
- postgres
- elasticsearch
- redis
notificationEndpointItem:
type: object
properties:
service:
$ref: "#/definitions/nofiticationService"
account_id:
type: string
status:
type: string
notificationEndpoint:
type: object
required:
- service
- account_id
- properties
properties:
service:
$ref: "#/definitions/nofiticationService"
account_id:
type: string
properties:
type: object
additionalProperties:
type: string
notifEndpointResponse:
type: object
properties:
notification_endpoints:
type: array
items:
$ref: "#/definitions/notificationEndpointItem"
updateUser:
type: object
required:
- status
- groups
properties:
status:
type: string
groups:
type: array
items:
type: string
bulkUserGroups:
type: object
required:
- users
- groups
properties:
users:
type: array
items:
type: string
groups:
type: array
items:
type: string
serviceAccounts:
type: array
items:
type: string
serviceAccountRequest:
type: object
properties:
policy:
type: string
title : "policy to be applied to the Service Account if any"
serviceAccountCreds:
type: object
properties:
accessKey:
type: string
secretKey:
type: string
Reference in New Issue View Git Blame Copy Permalink