80 changes: 61 additions & 19 deletions policy/admin-action.go
Expand Up @@ -264,26 +264,68 @@ const (
// DriveInfoAction - allow drive specific summary and detail
DriveInfoAction = "admin:DriveInfo"

// Delta Sharing Actions
// Table Sharing Actions (MinIO AIStor canonical name; OpenSharing is the open-standard name)

// TableSharingAdminAction - allow managing Table Sharing shares and tokens
TableSharingAdminAction = "admin:TableSharing"
// TableSharingCreateShareAction - allow creating Table Sharing shares
TableSharingCreateShareAction = "admin:TableSharingCreateShare"
// TableSharingDeleteShareAction - allow deleting Table Sharing shares
TableSharingDeleteShareAction = "admin:TableSharingDeleteShare"
// TableSharingListSharesAction - allow listing Table Sharing shares
TableSharingListSharesAction = "admin:TableSharingListShares"
// TableSharingGetShareAction - allow getting Table Sharing share details
TableSharingGetShareAction = "admin:TableSharingGetShare"
// TableSharingUpdateShareAction - allow updating Table Sharing shares
TableSharingUpdateShareAction = "admin:TableSharingUpdateShare"
// TableSharingCreateTokenAction - allow creating Table Sharing tokens
TableSharingCreateTokenAction = "admin:TableSharingCreateToken"
// TableSharingDeleteTokenAction - allow deleting Table Sharing tokens
TableSharingDeleteTokenAction = "admin:TableSharingDeleteToken"
// TableSharingListTokensAction - allow listing Table Sharing tokens
TableSharingListTokensAction = "admin:TableSharingListTokens"

// OpenSharing aliases — same action strings as TableSharing; prefer TableSharing* for new code.

// OpenSharingAdminAction - allow managing Open Sharing shares and tokens
OpenSharingAdminAction = TableSharingAdminAction
// OpenSharingCreateShareAction - allow creating Open Sharing shares
OpenSharingCreateShareAction = TableSharingCreateShareAction
// OpenSharingDeleteShareAction - allow deleting Open Sharing shares
OpenSharingDeleteShareAction = TableSharingDeleteShareAction
// OpenSharingListSharesAction - allow listing Open Sharing shares
OpenSharingListSharesAction = TableSharingListSharesAction
// OpenSharingGetShareAction - allow getting Open Sharing share details
OpenSharingGetShareAction = TableSharingGetShareAction
// OpenSharingUpdateShareAction - allow updating Open Sharing shares
OpenSharingUpdateShareAction = TableSharingUpdateShareAction
// OpenSharingCreateTokenAction - allow creating Open Sharing tokens
OpenSharingCreateTokenAction = TableSharingCreateTokenAction
// OpenSharingDeleteTokenAction - allow deleting Open Sharing tokens
OpenSharingDeleteTokenAction = TableSharingDeleteTokenAction
// OpenSharingListTokensAction - allow listing Open Sharing tokens
OpenSharingListTokensAction = TableSharingListTokensAction

// DeltaSharing aliases — same action strings as TableSharing; prefer TableSharing* for new code.

// DeltaSharingAdminAction - allow managing Delta Sharing shares and tokens
DeltaSharingAdminAction = "admin:DeltaSharing"
DeltaSharingAdminAction = TableSharingAdminAction
// DeltaSharingCreateShareAction - allow creating Delta Sharing shares
DeltaSharingCreateShareAction = "admin:DeltaSharingCreateShare"
DeltaSharingCreateShareAction = TableSharingCreateShareAction
// DeltaSharingDeleteShareAction - allow deleting Delta Sharing shares
DeltaSharingDeleteShareAction = "admin:DeltaSharingDeleteShare"
DeltaSharingDeleteShareAction = TableSharingDeleteShareAction
// DeltaSharingListSharesAction - allow listing Delta Sharing shares
DeltaSharingListSharesAction = "admin:DeltaSharingListShares"
DeltaSharingListSharesAction = TableSharingListSharesAction
// DeltaSharingGetShareAction - allow getting Delta Sharing share details
DeltaSharingGetShareAction = "admin:DeltaSharingGetShare"
DeltaSharingGetShareAction = TableSharingGetShareAction
// DeltaSharingUpdateShareAction - allow updating Delta Sharing shares
DeltaSharingUpdateShareAction = "admin:DeltaSharingUpdateShare"
DeltaSharingUpdateShareAction = TableSharingUpdateShareAction
// DeltaSharingCreateTokenAction - allow creating Delta Sharing tokens
DeltaSharingCreateTokenAction = "admin:DeltaSharingCreateToken"
DeltaSharingCreateTokenAction = TableSharingCreateTokenAction
// DeltaSharingDeleteTokenAction - allow deleting Delta Sharing tokens
DeltaSharingDeleteTokenAction = "admin:DeltaSharingDeleteToken"
DeltaSharingDeleteTokenAction = TableSharingDeleteTokenAction
// DeltaSharingListTokensAction - allow listing Delta Sharing tokens
DeltaSharingListTokensAction = "admin:DeltaSharingListTokens"
DeltaSharingListTokensAction = TableSharingListTokensAction
Comment on lines +312 to +328

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Legacy admin:DeltaSharing* policy strings are no longer recognized.

Lines 312-328 alias DeltaSharing* identifiers to the new admin:TableSharing* values, and lines 439-447 register only TableSharing* in SupportedAdminActions. Because validation/matching is string-based (see AdminAction.IsValid()), persisted policies containing old literals like admin:DeltaSharingCreateShare will fail to validate/match after upgrade.

Please preserve legacy wire-string compatibility (e.g., keep legacy admin:DeltaSharing* strings accepted in validation/matching, even if canonical output is TableSharing*).

Based on learnings, rename/removal should be treated as breaking specifically when persisted policy data may still reference old action strings, which is the risk introduced here.

Also applies to: 439-447

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@policy/admin-action.go` around lines 312 - 328, The DeltaSharing* aliases
(e.g., DeltaSharingCreateShareAction) must remain accepted by string-based
validation/matching: update SupportedAdminActions and/or AdminAction.IsValid()
to recognize legacy "admin:DeltaSharing*" literals while keeping the canonical
constants as TableSharing*; specifically ensure DeltaSharingCreateShareAction,
DeltaSharingDeleteShareAction, DeltaSharingListSharesAction,
DeltaSharingGetShareAction, DeltaSharingUpdateShareAction,
DeltaSharingCreateTokenAction, DeltaSharingDeleteTokenAction,
DeltaSharingListTokensAction are included in the set checked by
SupportedAdminActions (or have IsValid() consult a backward-compatibility map
from legacy string -> canonical TableSharing*), so persisted policies containing
"admin:DeltaSharing..." continue to validate/match but any new outputs still use
the TableSharing* canonical names.

Source: Learnings

// ReadAlertsAction - allow reading stored alerts
ReadAlertsAction = "admin:ReadAlerts"
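
Review bot: The DeltaSharing* block changes the constants' values, not only their names: `DeltaSharingAdminAction = "admin:DeltaSharing"` becomes `DeltaSharingAdminAction = TableSharingAdminAction`, so Go callers keep compiling while the old literal `admin:DeltaSharing` no longer equals any constant shown in this hunk. The header comment "same action strings as TableSharing" is true of the new value but does not tell a reader that the wire string changed. Suggest saying so in that comment, marking the OpenSharing* and DeltaSharing* aliases with a `// Deprecated:` line so linters flag new uses, and keeping the nine old `admin:DeltaSharing*` literals somewhere they can be mapped to the TableSharing* names when a stored policy is parsed. A test that loads a policy document containing `admin:DeltaSharingCreateShare` and checks that it still validates and matches would pin the behaviour.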

Expand Down Expand Up @@ -394,15 +436,15 @@ var SupportedAdminActions = map[AdminAction]struct{}{

ServiceCordonAdminAction: {},

DeltaSharingAdminAction: {},
DeltaSharingCreateShareAction: {},
DeltaSharingDeleteShareAction: {},
DeltaSharingListSharesAction: {},
DeltaSharingGetShareAction: {},
DeltaSharingUpdateShareAction: {},
DeltaSharingCreateTokenAction: {},
DeltaSharingDeleteTokenAction: {},
DeltaSharingListTokensAction: {},
TableSharingAdminAction: {},
TableSharingCreateShareAction: {},
TableSharingDeleteShareAction: {},
TableSharingListSharesAction: {},
TableSharingGetShareAction: {},
TableSharingUpdateShareAction: {},
TableSharingCreateTokenAction: {},
TableSharingDeleteTokenAction: {},
TableSharingListTokensAction: {},

ReadAPILogsAction: {},
ReadErrorLogsAction: {},
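
Review bot: In SupportedAdminActions the nine DeltaSharing* keys are swapped for TableSharing* keys, and legacy acceptance cannot be restored by adding the alias names back: `DeltaSharingAdminAction` and `TableSharingAdminAction` are now the same constant, and Go rejects duplicate constant keys in a map literal. If the old strings are to stay valid, this map needs entries keyed by the legacy literals themselves (for example `"admin:DeltaSharing": {}`), or the lookup needs a normalisation step from legacy string to TableSharing* before it consults the map. A short comment above the TableSharing* entries noting that the OpenSharing* and DeltaSharing* aliases resolve to them would save the next reader from searching for the missing keys.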