Restructure adding and removing policies from users and groups

cmd/admin-group-add.go

@@ -48,6 +48,10 @@ FLAGS:
 EXAMPLES:
   1. Add users 'fivecent' and 'tencent' to the group 'allcents':
      {{.Prompt}} {{.HelpName}} myminio allcents fivecent tencent
+
+  2. Add user "james" to group "staff", then add the "readwrite" policy to the group "staff".
+     {{.Prompt}} {{.HelpName}} myminio staff james
+     {{.Prompt}} mc admin policy attach myminio readwrite --group staff
 `,
 }
 

cmd/admin-policy-add.go

@@ -19,126 +19,25 @@ package cmd
 
 import (
 	"fmt"
-	"os"
 
-	"github.com/fatih/color"
 	"github.com/minio/cli"
-	json "github.com/minio/colorjson"
-	"github.com/minio/madmin-go/v2"
 	"github.com/minio/mc/pkg/probe"
-	"github.com/minio/pkg/console"
 )
 
 var adminPolicyAddCmd = cli.Command{
-	Name:         "add",
-	Usage:        "add new policy",
-	Action:       mainAdminPolicyAdd,
-	OnUsageError: onUsageError,
-	Before:       setGlobalsFromContext,
-	Flags:        globalFlags,
-	CustomHelpTemplate: `NAME:
-  {{.HelpName}} - {{.Usage}}
-
-USAGE:
-  {{.HelpName}} TARGET POLICYNAME POLICYFILE
-
-POLICYNAME:
-  Name of the canned policy on MinIO server.
-
-POLICYFILE:
-  Name of the policy file associated with the policy name.
-
-FLAGS:
-  {{range .VisibleFlags}}{{.}}
-  {{end}}
-EXAMPLES:
-  1. Add a new canned policy 'writeonly'.
-     {{.Prompt}} {{.HelpName}} myminio writeonly /tmp/writeonly.json
- `,
-}
-
-// checkAdminPolicyAddSyntax - validate all the passed arguments
-func checkAdminPolicyAddSyntax(ctx *cli.Context) {
-	if len(ctx.Args()) != 3 {
-		showCommandHelpAndExit(ctx, 1) // last argument is exit code
-	}
+	Name:               "add",
+	Usage:              "add an IAM policy",
+	Action:             mainAdminPolicyAdd,
+	OnUsageError:       onUsageError,
+	Before:             setGlobalsFromContext,
+	Flags:              globalFlags,
+	HideHelpCommand:    true,
+	Hidden:             true,
+	CustomHelpTemplate: `Please use 'mc admin policy create'`,
 }
 
-// userPolicyMessage container for content message structure
-type userPolicyMessage struct {
-	op          string
-	Status      string            `json:"status"`
-	Policy      string            `json:"policy,omitempty"`
-	PolicyInfo  madmin.PolicyInfo `json:"policyInfo,omitempty"`
-	UserOrGroup string            `json:"userOrGroup,omitempty"`
-	IsGroup     bool              `json:"isGroup"`
-}
-
-func (u userPolicyMessage) accountType() string {
-	switch u.op {
-	case "set", "unset", "update":
-		if u.IsGroup {
-			return "group"
-		}
-		return "user"
-	}
-	return ""
-}
-
-func (u userPolicyMessage) String() string {
-	switch u.op {
-	case "info":
-		buf, e := json.MarshalIndent(u.PolicyInfo, "", " ")
-		fatalIf(probe.NewError(e), "Unable to marshal to JSON.")
-		return string(buf)
-	case "list":
-		return console.Colorize("PolicyName", u.Policy)
-	case "remove":
-		return console.Colorize("PolicyMessage", "Removed policy `"+u.Policy+"` successfully.")
-	case "add":
-		return console.Colorize("PolicyMessage", "Added policy `"+u.Policy+"` successfully.")
-	case "set", "unset":
-		return console.Colorize("PolicyMessage",
-			fmt.Sprintf("Policy `%s` is %s on %s `%s`", u.Policy, u.op, u.accountType(), u.UserOrGroup))
-	case "update":
-		return console.Colorize("PolicyMessage",
-			fmt.Sprintf("Policy `%s` is added to %s `%s`", u.Policy, u.accountType(), u.UserOrGroup))
-	}
-
-	return ""
-}
-
-func (u userPolicyMessage) JSON() string {
-	u.Status = "success"
-	jsonMessageBytes, e := json.MarshalIndent(u, "", " ")
-	fatalIf(probe.NewError(e), "Unable to marshal into JSON.")
-
-	return string(jsonMessageBytes)
-}
-
-// mainAdminPolicyAdd is the handle for "mc admin policy add" command.
 func mainAdminPolicyAdd(ctx *cli.Context) error {
-	checkAdminPolicyAddSyntax(ctx)
-
-	console.SetColor("PolicyMessage", color.New(color.FgGreen))
-
-	// Get the alias parameter from cli
-	args := ctx.Args()
-	aliasedURL := args.Get(0)
-
-	policy, e := os.ReadFile(args.Get(2))
-	fatalIf(probe.NewError(e).Trace(args...), "Unable to get policy")
-
-	// Create a new MinIO Admin Client
-	client, err := newAdminClient(aliasedURL)
-	fatalIf(err, "Unable to initialize admin connection.")
-
-	fatalIf(probe.NewError(client.AddCannedPolicy(globalContext, args.Get(1), policy)).Trace(args...), "Unable to add new policy")
-
-	printMsg(userPolicyMessage{
-		op:     ctx.Command.Name,
-		Policy: args.Get(1),
-	})
-
+	err := probe.NewError(fmt.Errorf("Please use 'mc admin policy create'"))
+	fatal(err, "Incorrect command")
 	return nil
 }

cmd/admin-policy-attach.go

@@ -0,0 +1,130 @@
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cmd
+
+import (
+	"github.com/fatih/color"
+	"github.com/minio/cli"
+	"github.com/minio/madmin-go/v2"
+	"github.com/minio/mc/pkg/probe"
+	"github.com/minio/pkg/console"
+)
+
+var adminAttachPolicyFlags = []cli.Flag{
+	cli.StringFlag{
+		Name:  "user, u",
+		Usage: "attach policy to user",
+	},
+	cli.StringFlag{
+		Name:  "group, g",
+		Usage: "attach policy to group",
+	},
+}
+
+var adminPolicyAttachCmd = cli.Command{
+	Name:         "attach",
+	Usage:        "attach an IAM policy to a user or group",
+	Action:       mainAdminPolicyAttach,
+	OnUsageError: onUsageError,
+	Before:       setGlobalsFromContext,
+	Flags:        append(adminAttachPolicyFlags, globalFlags...),
+	CustomHelpTemplate: `NAME:
+  {{.HelpName}} - {{.Usage}}
+
+USAGE:
+  {{.HelpName}} [FLAGS] TARGET POLICY [POLICY...] [--user USER | --group GROUP]
+
+  Exactly one of --user or --group is required.
+
+POLICY:
+  Name of the policy on the MinIO server.
+
+FLAGS:
+  {{range .VisibleFlags}}{{.}}
+  {{end}}
+EXAMPLES:
+  1. Attach the "readonly" policy to user "james".
+     {{.Prompt}} {{.HelpName}} myminio readonly --user james
+  2. Attach the "audit-policy" and "acct-policy" policies to group "legal".
+     {{.Prompt}} {{.HelpName}} myminio audit-policy acct-policy --group legal
+`,
+}
+
+// mainAdminPolicyAttach is the handler for "mc admin policy attach" command.
+func mainAdminPolicyAttach(ctx *cli.Context) error {
+	return userAttachOrDetachPolicy(ctx, true)
+}
+
+func userAttachOrDetachPolicy(ctx *cli.Context, attach bool) error {
+	if len(ctx.Args()) < 2 {
+		showCommandHelpAndExit(ctx, 1) // last argument is exit code
+	}
+
+	console.SetColor("PolicyMessage", color.New(color.FgGreen))
+	console.SetColor("Policy", color.New(color.FgBlue))
+
+	// Get the alias parameter from cli
+	args := ctx.Args()
+	aliasedURL := args.Get(0)
+
+	// Put args in PolicyAssociationReq, client checks for validity
+	req := madmin.PolicyAssociationReq{
+		User:     ctx.String("user"),
+		Group:    ctx.String("group"),
+		Policies: args.Tail(),
+	}
+
+	// Create a new MinIO Admin Client
+	client, err := newAdminClient(aliasedURL)
+	fatalIf(err, "Unable to initialize admin connection.")
+
+	var e error
+	if attach {
+		e = client.AttachPolicy(globalContext, req)
+	} else {
+		e = client.DetachPolicy(globalContext, req)
+	}
+
+	isGroup := false
+	if req.User == "" {
+		isGroup = true
+	}
+
+	userOrGroup := req.User
+	if isGroup {
+		userOrGroup = req.Group
+	}
+
+	if e == nil {
+		for _, policy := range req.Policies {
+			printMsg(userPolicyMessage{
+				op:          ctx.Command.Name,
+				Policy:      policy,
+				UserOrGroup: userOrGroup,
+				IsGroup:     isGroup,
+			})
+		}
+	} else {
+		if attach {
+			fatalIf(probe.NewError(e), "Unable to attach the policy")
+		} else {
+			fatalIf(probe.NewError(e), "Unable to detach the policy")
+		}
+	}
+	return nil
+}