From 818f2e2c7e51d6bde19b68a0d4dc285faca5e139 Mon Sep 17 00:00:00 2001
From: Varun Venkatesh
Date: Mon, 16 Feb 2026 04:02:38 -0500
Subject: [PATCH 1/4] policy: add scoped admin canned policies

Add iamAdmin, infraAdmin, and diagnosticsAdmin to DefaultPolicies for least-privilege admin access. Also add ForceUnlockAdminAction and GenerateBatchJobAction to SupportedAdminActions.
---
 policy/admin-action.go | 3 +
 policy/constants.go | 159 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 162 insertions(+)

diff --git a/policy/admin-action.go b/policy/admin-action.go
index bab84fc..e6b1dd2 100644
--- a/policy/admin-action.go
+++ b/policy/admin-action.go
@@ -343,10 +343,13 @@ var SupportedAdminActions = map[AdminAction]struct{}{
 ExportIAMAction: {},
 ImportIAMAction: {},
+ ForceUnlockAdminAction: {},
+
 ListBatchJobsAction: {},
 DescribeBatchJobAction: {},
 StartBatchJobAction: {},
 CancelBatchJobAction: {},
+ GenerateBatchJobAction: {},
 InventoryControlAction: {},
diff --git a/policy/constants.go b/policy/constants.go
index d254f3c..81431c5 100644
--- a/policy/constants.go
+++ b/policy/constants.go
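Review bot: ForceUnlockAdminAction is added to SupportedAdminActions with no comment on its blast radius, and later in this series it is handed to the infraAdmin canned policy; if it maps to forcibly releasing held cluster locks, as the name suggests, a holder can break locks under in-flight operations, which deserves a caveat at the entry. A one-liner would do: `ForceUnlockAdminAction: {}, // last-resort: releases held locks; grant only to break-glass roles`. Whether SupportedAdminActions gates policy-document validation is not visible here, but if it does, documents naming these two actions were previously rejected and now validate, which belongs in the commit message. The SupportedAdminActions map starts and ends outside the hunk.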
@@ -124,6 +124,165 @@ var DefaultPolicies = []struct {
 },
 },
+ // IAMAdmin - provides IAM management access (users, groups, policies,
+ // service accounts) but no infrastructure, diagnostics, or S3 data access.
+ {
+ Name: "iamAdmin",
+ Definition: Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: ID(""),
+ Effect: Allow,
+ Actions: NewActionSet(
+ // User management
+ CreateUserAdminAction,
+ DeleteUserAdminAction,
+ ListUsersAdminAction,
+ EnableUserAdminAction,
+ DisableUserAdminAction,
+ GetUserAdminAction,
+ // Group management
+ AddUserToGroupAdminAction,
+ RemoveUserFromGroupAdminAction,
+ GetGroupAdminAction,
+ ListGroupsAdminAction,
+ EnableGroupAdminAction,
+ DisableGroupAdminAction,
+ // Policy management
+ CreatePolicyAdminAction,
+ DeletePolicyAdminAction,
+ GetPolicyAdminAction,
+ AttachPolicyAdminAction,
+ UpdatePolicyAssociationAction,
+ ListUserPoliciesAdminAction,
+ // Service account management
+ CreateServiceAccountAdminAction,
+ UpdateServiceAccountAdminAction,
+ RemoveServiceAccountAdminAction,
+ ListServiceAccountsAdminAction,
+ // Temporary accounts
+ ListTemporaryAccountsAdminAction,
+ // IAM import/export
+ ExportIAMAction,
+ ImportIAMAction,
+ ),
+ Resources: NewResourceSet(),
+ Conditions: condition.NewFunctions(),
+ },
+ },
+ },
+ },
+
+ // InfraAdmin - provides infrastructure and server management access
+ // (config, pools, healing, tiers, batch jobs, site replication) but no
+ // IAM or S3 data access.
+ {
+ Name: "infraAdmin",
+ Definition: Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: ID(""),
+ Effect: Allow,
+ Actions: NewActionSet(
+ // Server lifecycle
+ ServerUpdateAdminAction,
+ ServiceRestartAdminAction,
+ ServiceStopAdminAction,
+ ServiceFreezeAdminAction,
+ ServiceCordonAdminAction,
+ // Server info
+ ServerInfoAdminAction,
+ StorageInfoAdminAction,
+ // Configuration
+ ConfigUpdateAdminAction,
+ // Healing & recovery
+ HealAdminAction,
+ ForceUnlockAdminAction,
+ // Pool management
+ DecommissionAdminAction,
+ RebalanceAdminAction,
+ // Bucket admin
+ SetBucketQuotaAdminAction,
+ GetBucketQuotaAdminAction,
+ SetBucketTargetAction,
+ GetBucketTargetAction,
+ // Tiers
+ SetTierAction,
+ ListTierAction,
+ // Data & license info
+ LicenseInfoAdminAction,
+ DataUsageInfoAdminAction,
+ // Bucket metadata import/export
+ ImportBucketMetadataAction,
+ ExportBucketMetadataAction,
+ // Batch jobs
+ StartBatchJobAction,
+ ListBatchJobsAction,
+ DescribeBatchJobAction,
+ CancelBatchJobAction,
+ GenerateBatchJobAction,
+ // Inventory
+ InventoryControlAction,
+ // Cluster topology (v4 APIs)
+ ClusterInfoAction,
+ PoolListAction,
+ PoolInfoAction,
+ NodeListAction,
+ NodeInfoAction,
+ SetInfoAction,
+ DriveListAction,
+ DriveInfoAction,
+ // Site replication
+ SiteReplicationAddAction,
+ SiteReplicationDisableAction,
+ SiteReplicationRemoveAction,
+ SiteReplicationResyncAction,
+ SiteReplicationInfoAction,
+ SiteReplicationOperationAction,
+ // Replication
+ ReplicationDiff,
+ ),
+ Resources: NewResourceSet(),
+ Conditions: condition.NewFunctions(),
+ },
+ },
+ },
+ },
+
+ // DiagnosticsAdmin - provides monitoring and observability access
+ // (metrics, profiling, tracing, logs) but no mutating operations or
+ // S3 data access. Extended version of the "diagnostics" policy.
+ {
+ Name: "diagnosticsAdmin",
+ Definition: Policy{
+ Version: DefaultVersion,
+ Statements: []Statement{
+ {
+ SID: ID(""),
+ Effect: Allow,
+ Actions: NewActionSet(
+ PrometheusAdminAction,
+ ProfilingAdminAction,
+ TraceAdminAction,
+ ConsoleLogAdminAction,
+ ServerInfoAdminAction,
+ StorageInfoAdminAction,
+ HealthInfoAdminAction,
+ TopLocksAdminAction,
+ BandwidthMonitorAction,
+ DataUsageInfoAdminAction,
+ LicenseInfoAdminAction,
+ InspectDataAction,
+ ),
+ Resources: NewResourceSet(),
+ Conditions: condition.NewFunctions(),
+ },
+ },
+ },
+ },
+
 // Admin - provides admin all-access canned policy
 {
 Name: "consoleAdmin",
From c0cedb46a3917a873371b4192bf41bd9ad28f2db Mon Sep 17 00:00:00 2001
From: Varun Venkatesh
Date: Tue, 17 Feb 2026 18:04:53 -0500
Subject: [PATCH 2/4] policy: remove site replication actions from infraAdmin

Site replication requires cross-domain permissions (IAM + S3) that infraAdmin does not grant, causing runtime failures. Defer site replication to a dedicated siteAdmin policy in a follow-up.
---
 policy/constants.go | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/policy/constants.go b/policy/constants.go
index 81431c5..b5b3682 100644
--- a/policy/constants.go
+++ b/policy/constants.go
@@ -234,13 +234,6 @@ var DefaultPolicies = []struct {
 SetInfoAction,
 DriveListAction,
 DriveInfoAction,
- // Site replication
- SiteReplicationAddAction,
- SiteReplicationDisableAction,
- SiteReplicationRemoveAction,
- SiteReplicationResyncAction,
- SiteReplicationInfoAction,
- SiteReplicationOperationAction,
 // Replication
 ReplicationDiff,
 ),
From 765627661a0d4ee8bfd4eeff188f5f90ebb51fc7 Mon Sep 17 00:00:00 2001
From: Varun Venkatesh
Date: Tue, 17 Feb 2026 18:15:29 -0500
Subject: [PATCH 3/4] updated policy comments

---
 policy/constants.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/constants.go b/policy/constants.go
index b5b3682..a0f6640 100644
--- a/policy/constants.go
+++ b/policy/constants.go
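Review bot: The header comments on the three new canned policies promise boundaries the action sets do not enforce: iamAdmin's statement grants CreatePolicyAdminAction, AttachPolicyAdminAction, UpdatePolicyAssociationAction and ImportIAMAction with an empty Resources set and no Conditions, so nothing visible stops a holder from authoring a policy with admin:*/s3:* and attaching it to itself or to a service account it creates, making "no infrastructure, diagnostics, or S3 data access" true only until the first such call. infraAdmin's ServerUpdateAdminAction, ConfigUpdateAdminAction and ImportBucketMetadataAction look, from their names, like binary update, server configuration (including identity-provider settings) and bucket-policy import, and diagnosticsAdmin's InspectDataAction looks like raw object export, so "no IAM" and "no S3 data access" should be checked against what those handlers actually do. These are reasonable convenience scopes, but the comments should say that rather than claim isolation; for iamAdmin I would write `// IAMAdmin - manages users, groups, policies and service accounts. NOTE: it can create and attach arbitrary policies (and import IAM), so it is transitively equivalent to full admin; treat it as a convenience scope, not a trust boundary.` and add matching caveats to infraAdmin and diagnosticsAdmin, or move policy authoring/attachment and ImportIAMAction into a separate policy granted only at consoleAdmin-level trust. The enclosing DefaultPolicies slice starts and ends outside the hunk.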
@@ -175,7 +175,7 @@ var DefaultPolicies = []struct {
 },
 // InfraAdmin - provides infrastructure and server management access
- // (config, pools, healing, tiers, batch jobs, site replication) but no
+ // (config, pools, healing, tiers, batch jobs) but no
 // IAM or S3 data access.
 {
 Name: "infraAdmin",
From b6c582c209b1222c2b1111ce0d7e18cb03417e29 Mon Sep 17 00:00:00 2001
From: Varun Venkatesh
Date: Wed, 18 Feb 2026 17:35:13 -0500
Subject: [PATCH 4/4] policy: remove replication actions from infraAdmin

Remove SetBucketTarget, GetBucketTarget, and ReplicationDiff from infraAdmin as these are part of the replication configuration flow and belong in a dedicated replication policy.
---
 policy/constants.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/constants.go b/policy/constants.go
index a0f6640..835dc7b 100644
--- a/policy/constants.go
+++ b/policy/constants.go
@@ -206,8 +206,6 @@ var DefaultPolicies = []struct {
 // Bucket admin
 SetBucketQuotaAdminAction,
 GetBucketQuotaAdminAction,
- SetBucketTargetAction,
- GetBucketTargetAction,
 // Tiers
 SetTierAction,
 ListTierAction,
@@ -234,8 +232,6 @@ var DefaultPolicies = []struct {
 SetInfoAction,
 DriveListAction,
 DriveInfoAction,
- // Replication
- ReplicationDiff,
 ),
 Resources: NewResourceSet(),
 Conditions: condition.NewFunctions(),