140 changes: 126 additions & 14 deletions policy/constants.go
@@ -1,19 +1,14 @@
// Copyright (c) 2015-2021 MinIO, Inc.
// MinIO, Inc. CONFIDENTIAL
//
// This file is part of MinIO Object Storage stack
// [2014] - [2026] MinIO, Inc. All Rights Reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
// NOTICE: All information contained herein is, and remains the property
// of MinIO, Inc and its suppliers, if any. The intellectual and technical
// concepts contained herein are proprietary to MinIO, Inc and its suppliers
// and may be covered by U.S. and Foreign Patents, patents in process, and are
// protected by trade secret or copyright law. Dissemination of this information
// or reproduction of this material is strictly forbidden unless prior written
// permission is obtained from MinIO, Inc.

package policy

Expand Down Expand Up @@ -340,6 +335,123 @@ var DefaultPolicies = []struct {
},
},

// ReplicationAdmin - provides site replication and bucket replication
// management access, but no IAM, general infrastructure, or S3 data access.
{
Name: "replicationAdmin",
Definition: Policy{
Version: DefaultVersion,
Statements: []Statement{
{
SID: ID(""),
Effect: Allow,
Actions: NewActionSet(
// Site replication management
SiteReplicationAddAction,
SiteReplicationDisableAction,
SiteReplicationRemoveAction,
SiteReplicationResyncAction,
SiteReplicationInfoAction,
SiteReplicationOperationAction,
// Tables replication management
TablesReplicationAddAction,
TablesReplicationRemoveAction,
TablesReplicationInfoAction,
// Replication diagnostics
ReplicationDiff,
),
Resources: NewResourceSet(),
Conditions: condition.NewFunctions(),
},
{
SID: ID(""),
Effect: Allow,
Actions: NewActionSet(
// Bucket-level replication config
GetReplicationConfigurationAction,
PutReplicationConfigurationAction,
ResetBucketReplicationStateAction,
GetObjectVersionForReplicationAction,
),
Resources: NewResourceSet(NewResource("*")),
Conditions: condition.NewFunctions(),
},
},
},
},

// SecurityAuditAdmin - provides read-only access to IAM configuration,
// server topology, diagnostics, and bucket security settings for compliance
// auditing. Mirrors the intent of AWS SecurityAudit. No write, delete, or
// S3 data access.
{
Name: "securityAuditAdmin",
Definition: Policy{
Version: DefaultVersion,
Statements: []Statement{
{
SID: ID(""),
Effect: Allow,
Actions: NewActionSet(
// IAM read
ListUsersAdminAction,
GetUserAdminAction,
ListGroupsAdminAction,
GetGroupAdminAction,
GetPolicyAdminAction,
ListUserPoliciesAdminAction,
ListServiceAccountsAdminAction,
ListTemporaryAccountsAdminAction,
ExportIAMAction,
// Replication info (read-only)
SiteReplicationInfoAction,
TablesReplicationInfoAction,
// Server & cluster topology (read-only)
ServerInfoAdminAction,
StorageInfoAdminAction,
DataUsageInfoAdminAction,
LicenseInfoAdminAction,
ClusterInfoAction,
PoolListAction,
PoolInfoAction,
NodeListAction,
NodeInfoAction,
SetInfoAction,
DriveListAction,
DriveInfoAction,
// Diagnostics (read-only)
ProfilingAdminAction,
TraceAdminAction,
ConsoleLogAdminAction,
TopLocksAdminAction,
HealthInfoAdminAction,
BandwidthMonitorAction,
PrometheusAdminAction,
),
Resources: NewResourceSet(),
Conditions: condition.NewFunctions(),
},
{
SID: ID(""),
Effect: Allow,
Actions: NewActionSet(
// Bucket security config (read-only)
GetBucketPolicyAction,
GetBucketLocationAction,
GetBucketNotificationAction,
GetBucketObjectLockConfigurationAction,
GetBucketEncryptionAction,
GetBucketTaggingAction,
GetBucketVersioningAction,
GetReplicationConfigurationAction,
),
Resources: NewResourceSet(NewResource("*")),
Conditions: condition.NewFunctions(),
},
},
},
},

// Admin - provides admin all-access canned policy
{
Name: "consoleAdmin",
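Review bot: The `securityAuditAdmin` comment promises read-only access with "No write, delete, or S3 data access", but the action set it documents is broader than that: `ExportIAMAction` produces an IAM export bundle which, to my understanding, carries credential material for internal users and service accounts, and `ProfilingAdminAction` starts and stops server profiling rather than only reading state. Either drop those two actions from the audit set or narrow the comment so operators are not misled, e.g. `// auditing. Mirrors the intent of AWS SecurityAudit, but also includes IAM export` / `// and profiling control; no delete or S3 object data access.`. The same gap exists for `replicationAdmin`: its comment says "no IAM, general infrastructure, or S3 data access", yet `GetObjectVersionForReplicationAction` on `NewResource("*")` allows reading object versions from every bucket, and `SiteReplicationAddAction` lets the holder decide which peer receives replicated state (which in MinIO site replication includes IAM and bucket contents, if I read the feature correctly), so the comment should state that this policy is highly privileged despite granting no IAM actions. The `DefaultPolicies` literal both begins and ends outside this hunk.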