Add consoleAdmin as a default canned policy (minio#11770)

soulshake · Mar 12, 2021 · 7fa3e41 · 7fa3e41
1 parent 75db500
commit 7fa3e41
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/cmd/iam.go b/cmd/iam.go
@@ -2089,6 +2089,10 @@ func setDefaultCannedPolicies(policies map[string]iampolicy.Policy) {
 	if !ok {
 		policies["diagnostics"] = iampolicy.AdminDiagnostics
 	}
+	_, ok = policies["consoleAdmin"]
+	if !ok {
+		policies["consoleAdmin"] = iampolicy.Admin
+	}
 }
 
 // buildUserGroupMemberships - builds the memberships map. IMPORTANT:

diff --git a/pkg/iam/policy/constants.go b/pkg/iam/policy/constants.go
@@ -18,6 +18,7 @@ package iampolicy
 
 import (
 	"github.com/minio/minio/pkg/bucket/policy"
+	"github.com/minio/minio/pkg/bucket/policy/condition"
 )
 
 // Policy claim constants
@@ -80,3 +81,24 @@ var AdminDiagnostics = Policy{
 		},
 	},
 }
+
+// Admin - provides admin all-access canned policy
+var Admin = Policy{
+	Version: DefaultVersion,
+	Statements: []Statement{
+		{
+			SID:        policy.ID(""),
+			Effect:     policy.Allow,
+			Actions:    NewActionSet(AllAdminActions),
+			Resources:  NewResourceSet(),
+			Conditions: condition.NewFunctions(),
+		},
+		{
+			SID:        policy.ID(""),
+			Effect:     policy.Allow,
+			Actions:    NewActionSet(AllActions),
+			Resources:  NewResourceSet(NewResource("*", "")),
+			Conditions: condition.NewFunctions(),
+		},
+	},
+}