Enforce policies

2025-10-08 09:20:16 +08:00 · 2023-05-31 16:39:43 +02:00
parent 3a6bb02bfd
commit 401156e4d2
18 changed files with 1720 additions and 311 deletions
--- a/http/handler/api/cluster.go
+++ b/http/handler/api/cluster.go
@@ -54,7 +54,6 @@ func NewCluster(cluster cluster.Cluster, iam iam.IAM) (*ClusterHandler, error) {
 // @ID cluster-3-get-cluster
 // @Produce json
 // @Success 200 {object} api.ClusterAbout
-// @Failure 404 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster [get]
 func (h *ClusterHandler) About(c echo.Context) error {
@@ -91,15 +90,23 @@ func (h *ClusterHandler) About(c echo.Context) error {
 // @Tags v16.?.?
 // @ID cluster-3-list-all-node-processes
 // @Produce json
+// @Param domain query string false "Domain to act on"
 // @Success 200 {array} api.ClusterProcess
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/process [get]
 func (h *ClusterHandler) ListAllNodeProcesses(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "")
+
 	procs := h.proxy.ListProcesses()

 	processes := []api.ClusterProcess{}

 	for _, p := range procs {
+		if !h.iam.Enforce(ctxuser, domain, "process:"+p.Config.ID, "read") {
+			continue
+		}
+
 		processes = append(processes, api.ClusterProcess{
 			ProcessID: p.Config.ID,
 			NodeID:    p.NodeID,
@@ -193,7 +200,7 @@ func (h *ClusterHandler) GetNode(c echo.Context) error {
 // @ID cluster-3-get-node-version
 // @Produce json
 // @Param id path string true "Node ID"
-// @Success 200 {object} api.ClusterNode
+// @Success 200 {object} api.Version
 // @Failure 404 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/node/{id}/version [get]
@@ -205,7 +212,16 @@ func (h *ClusterHandler) GetNodeVersion(c echo.Context) error {
 		return api.Err(http.StatusNotFound, "Node not found", "%s", err)
 	}

-	version := peer.Version()
+	v := peer.Version()
+
+	version := api.Version{
+		Number:   v.Number,
+		Commit:   v.Commit,
+		Branch:   v.Branch,
+		Build:    v.Build.Format(time.RFC3339),
+		Arch:     v.Arch,
+		Compiler: v.Compiler,
+	}

 	return c.JSON(http.StatusOK, version)
 }
@@ -258,12 +274,15 @@ func (h *ClusterHandler) GetNodeFiles(c echo.Context) error {
 // @ID cluster-3-list-node-processes
 // @Produce json
 // @Param id path string true "Node ID"
+// @Param domain query string false "Domain to act on"
 // @Success 200 {array} api.ClusterProcess
 // @Failure 404 {object} api.Error
 // @Failure 500 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/node/{id}/process [get]
 func (h *ClusterHandler) ListNodeProcesses(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "")
 	id := util.PathParam(c, "id")

 	peer, err := h.proxy.GetNode(id)
@@ -279,6 +298,10 @@ func (h *ClusterHandler) ListNodeProcesses(c echo.Context) error {
 	processes := []api.ClusterProcess{}

 	for _, p := range procs {
+		if !h.iam.Enforce(ctxuser, domain, "process:"+p.Config.ID, "read") {
+			continue
+		}
+
 		processes = append(processes, api.ClusterProcess{
 			ProcessID: p.Config.ID,
 			NodeID:    p.NodeID,
@@ -304,11 +327,18 @@ func (h *ClusterHandler) ListNodeProcesses(c echo.Context) error {
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/db/process [get]
 func (h *ClusterHandler) ListStoreProcesses(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "")
+
 	procs := h.cluster.ListProcesses()

 	processes := []api.Process{}

 	for _, p := range procs {
+		if !h.iam.Enforce(ctxuser, domain, "process:"+p.Config.ID, "read") {
+			continue
+		}
+
 		process := api.Process{
 			ID:        p.Config.ID,
 			Type:      "ffmpeg",
@@ -338,11 +368,16 @@ func (h *ClusterHandler) ListStoreProcesses(c echo.Context) error {
 // @Param config body api.ProcessConfig true "Process config"
 // @Success 200 {object} api.ProcessConfig
 // @Failure 400 {object} api.Error
+// @Failure 403 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/process [post]
 func (h *ClusterHandler) AddProcess(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	superuser := util.DefaultContext(c, "superuser", false)
+
 	process := api.ProcessConfig{
 		ID:        shortuuid.New(),
+		Owner:     ctxuser,
 		Type:      "ffmpeg",
 		Autostart: true,
 	}
@@ -351,6 +386,16 @@ func (h *ClusterHandler) AddProcess(c echo.Context) error {
 		return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
 	}

+	if !h.iam.Enforce(ctxuser, process.Domain, "process:"+process.ID, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden")
+	}
+
+	if !superuser {
+		if !h.iam.Enforce(process.Owner, process.Domain, "process:"+process.ID, "write") {
+			return api.Err(http.StatusForbidden, "Forbidden")
+		}
+	}
+
 	if process.Type != "ffmpeg" {
 		return api.Err(http.StatusBadRequest, "Unsupported process type", "Supported process types are: ffmpeg")
 	}
@@ -379,18 +424,28 @@ func (h *ClusterHandler) AddProcess(c echo.Context) error {
 // @Param config body api.ProcessConfig true "Process config"
 // @Success 200 {object} api.ProcessConfig
 // @Failure 400 {object} api.Error
+// @Failure 403 {object} api.Error
 // @Failure 404 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/process/{id} [put]
 func (h *ClusterHandler) UpdateProcess(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	superuser := util.DefaultContext(c, "superuser", false)
+	domain := util.DefaultQuery(c, "domain", "$none")
 	id := util.PathParam(c, "id")

 	process := api.ProcessConfig{
 		ID:        id,
+		Owner:     ctxuser,
+		Domain:    domain,
 		Type:      "ffmpeg",
 		Autostart: true,
 	}

+	if !h.iam.Enforce(ctxuser, domain, "process:"+id, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden")
+	}
+
 	current, err := h.cluster.GetProcess(id)
 	if err != nil {
 		return api.Err(http.StatusNotFound, "Process not found", "%s", id)
@@ -403,6 +458,16 @@ func (h *ClusterHandler) UpdateProcess(c echo.Context) error {
 		return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
 	}

+	if !h.iam.Enforce(ctxuser, process.Domain, "process:"+process.ID, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden")
+	}
+
+	if !superuser {
+		if !h.iam.Enforce(process.Owner, process.Domain, "process:"+process.ID, "write") {
+			return api.Err(http.StatusForbidden, "Forbidden")
+		}
+	}
+
 	config := process.Marshal()

 	if err := h.cluster.UpdateProcess("", id, config); err != nil {
@@ -424,12 +489,19 @@ func (h *ClusterHandler) UpdateProcess(c echo.Context) error {
 // @Produce json
 // @Param id path string true "Process ID"
 // @Success 200 {string} string
-// @Failure 404 {object} api.Error
+// @Failure 403 {object} api.Error
+// @Failure 500 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/process/{id} [delete]
 func (h *ClusterHandler) DeleteProcess(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "$none")
 	id := util.PathParam(c, "id")

+	if !h.iam.Enforce(ctxuser, domain, "process:"+id, "write") {
+		return api.Err(http.StatusForbidden, "", "Not allowed to delete process")
+	}
+
 	if err := h.cluster.RemoveProcess("", id); err != nil {
 		return api.Err(http.StatusInternalServerError, "Process can't be deleted", "%s", err)
 	}
@@ -447,28 +519,128 @@ func (h *ClusterHandler) DeleteProcess(c echo.Context) error {
 // @Param config body api.IAMUser true "Identity"
 // @Success 200 {object} api.IAMUser
 // @Failure 400 {object} api.Error
+// @Failure 403 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/iam/user [post]
 func (h *ClusterHandler) AddIdentity(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	superuser := util.DefaultContext(c, "superuser", false)
+	domain := util.DefaultQuery(c, "domain", "$none")
+
 	user := api.IAMUser{}

 	if err := util.ShouldBindJSON(c, &user); err != nil {
 		return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
 	}

-	identity, policies := user.Unmarshal()
+	iamuser, iampolicies := user.Unmarshal()

-	if err := h.cluster.AddIdentity("", identity); err != nil {
+	if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user '%s'", iamuser.Name)
+	}
+
+	for _, p := range iampolicies {
+		if !h.iam.Enforce(ctxuser, p.Domain, "iam:"+iamuser.Name, "write") {
+			return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to write policy: %v", p)
+		}
+	}
+
+	if !superuser && iamuser.Superuser {
+		return api.Err(http.StatusForbidden, "Forbidden", "Only superusers can add superusers")
+	}
+
+	if err := h.cluster.AddIdentity("", iamuser); err != nil {
 		return api.Err(http.StatusBadRequest, "Invalid identity", "%s", err.Error())
 	}

-	if err := h.cluster.SetPolicies("", identity.Name, policies); err != nil {
+	if err := h.cluster.SetPolicies("", iamuser.Name, iampolicies); err != nil {
 		return api.Err(http.StatusBadRequest, "Invalid policies", "%s", err.Error())
 	}

 	return c.JSON(http.StatusOK, user)
 }

+// UpdateIdentity replaces an existing user
+// @Summary Replace an existing user
+// @Description Replace an existing user.
+// @Tags v16.?.?
+// @ID cluster-3-update-identity
+// @Accept json
+// @Produce json
+// @Param name path string true "Username"
+// @Param domain query string false "Domain of the acting user"
+// @Param user body api.IAMUser true "User definition"
+// @Success 200 {object} api.IAMUser
+// @Failure 400 {object} api.Error
+// @Failure 403 {object} api.Error
+// @Failure 404 {object} api.Error
+// @Failure 500 {object} api.Error
+// @Security ApiKeyAuth
+// @Router /api/v3/cluster/iam/user/{name} [put]
+func (h *ClusterHandler) UpdateIdentity(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	superuser := util.DefaultContext(c, "superuser", false)
+	domain := util.DefaultQuery(c, "domain", "$none")
+	name := util.PathParam(c, "name")
+
+	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to modify this user")
+	}
+
+	var iamuser identity.User
+	var err error
+
+	if name != "$anon" {
+		iamuser, err = h.iam.GetIdentity(name)
+		if err != nil {
+			return api.Err(http.StatusNotFound, "Not found", "%s", err)
+		}
+	} else {
+		iamuser = identity.User{
+			Name: "$anon",
+		}
+	}
+
+	iampolicies := h.iam.ListPolicies(name, "", "", nil)
+
+	user := api.IAMUser{}
+	user.Marshal(iamuser, iampolicies)
+
+	if err := util.ShouldBindJSON(c, &user); err != nil {
+		return api.Err(http.StatusBadRequest, "Invalid JSON", "%s", err)
+	}
+
+	iamuser, iampolicies = user.Unmarshal()
+
+	if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to create user '%s'", iamuser.Name)
+	}
+
+	for _, p := range iampolicies {
+		if !h.iam.Enforce(ctxuser, p.Domain, "iam:"+iamuser.Name, "write") {
+			return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to write policy: %v", p)
+		}
+	}
+
+	if !superuser && iamuser.Superuser {
+		return api.Err(http.StatusForbidden, "Forbidden", "Only superusers can modify superusers")
+	}
+
+	if name != "$anon" {
+		err = h.cluster.UpdateIdentity("", name, iamuser)
+		if err != nil {
+			return api.Err(http.StatusBadRequest, "Bad request", "%s", err)
+		}
+	}
+
+	err = h.cluster.SetPolicies("", name, iampolicies)
+	if err != nil {
+		return api.Err(http.StatusInternalServerError, "", "set policies: %w", err)
+	}
+
+	return c.JSON(http.StatusOK, user)
+}
+
 // UpdateIdentityPolicies replaces existing user policies
 // @Summary Replace policies of an user
 // @Description Replace policies of an user
@@ -481,6 +653,7 @@ func (h *ClusterHandler) AddIdentity(c echo.Context) error {
 // @Param user body []api.IAMPolicy true "Policy definitions"
 // @Success 200 {array} api.IAMPolicy
 // @Failure 400 {object} api.Error
+// @Failure 403 {object} api.Error
 // @Failure 404 {object} api.Error
 // @Failure 500 {object} api.Error
 // @Security ApiKeyAuth
@@ -559,9 +732,111 @@ func (h *ClusterHandler) UpdateIdentityPolicies(c echo.Context) error {
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/db/user [get]
 func (h *ClusterHandler) ListStoreIdentities(c echo.Context) error {
-	identities := h.cluster.ListIdentities()
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "$none")

-	return c.JSON(http.StatusOK, identities)
+	updatedAt, identities := h.cluster.ListIdentities()
+
+	users := make([]api.IAMUser, len(identities))
+
+	for i, iamuser := range identities {
+		if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "read") {
+			continue
+		}
+
+		if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+			iamuser = identity.User{
+				Name: iamuser.Name,
+			}
+		}
+
+		_, policies := h.cluster.ListUserPolicies(iamuser.Name)
+		users[i].Marshal(iamuser, policies)
+	}
+
+	c.Response().Header().Set("Last-Modified", updatedAt.UTC().Format("Mon, 02 Jan 2006 15:04:05 GMT"))
+
+	return c.JSON(http.StatusOK, users)
+}
+
+// ListStoreIdentity returns the list of identities stored in the DB of the cluster
+// @Summary List of identities in the cluster
+// @Description List of identities in the cluster
+// @Tags v16.?.?
+// @ID cluster-3-db-list-identity
+// @Produce json
+// @Success 200 {object} api.IAMUser
+// @Failure 403 {object} api.Error
+// @Failure 404 {object} api.Error
+// @Security ApiKeyAuth
+// @Router /api/v3/cluster/db/user/{name} [get]
+func (h *ClusterHandler) ListStoreIdentity(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "$none")
+	name := util.PathParam(c, "name")
+
+	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "read") {
+		return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to access this user")
+	}
+
+	var updatedAt time.Time
+	var iamuser identity.User
+	var err error
+
+	if name != "$anon" {
+		updatedAt, iamuser, err = h.cluster.ListIdentity(name)
+		if err != nil {
+			return api.Err(http.StatusNotFound, "", "%s", err)
+		}
+
+		if ctxuser != iamuser.Name {
+			if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+				iamuser = identity.User{
+					Name: iamuser.Name,
+				}
+			}
+		}
+	} else {
+		iamuser = identity.User{
+			Name: "$anon",
+		}
+	}
+
+	policiesUpdatedAt, policies := h.cluster.ListUserPolicies(name)
+	if updatedAt.IsZero() {
+		updatedAt = policiesUpdatedAt
+	}
+
+	user := api.IAMUser{}
+	user.Marshal(iamuser, policies)
+
+	c.Response().Header().Set("Last-Modified", updatedAt.UTC().Format("Mon, 02 Jan 2006 15:04:05 GMT"))
+
+	return c.JSON(http.StatusOK, user)
+}
+
+// ReloadIAM reloads the identities and policies from the cluster store to IAM
+// @Summary Reload identities and policies
+// @Description Reload identities and policies
+// @Tags v16.?.?
+// @ID cluster-3-iam-reload
+// @Produce json
+// @Success 200 {string} string
+// @Success 500 {object} api.Error
+// @Security ApiKeyAuth
+// @Router /api/v3/cluster/iam/reload [get]
+func (h *ClusterHandler) ReloadIAM(c echo.Context) error {
+	err := h.iam.ReloadIndentities()
+	if err != nil {
+		return api.Err(http.StatusInternalServerError, "", "reload identities: %w", err)
+	}
+
+	err = h.iam.ReloadPolicies()
+	if err != nil {
+		return api.Err(http.StatusInternalServerError, "", "reload policies: %w", err)
+	}
+
+	return c.JSON(http.StatusOK, "OK")
 }

 // ListIdentities returns the list of identities stored in IAM
@@ -574,28 +849,80 @@ func (h *ClusterHandler) ListStoreIdentities(c echo.Context) error {
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/iam/user [get]
 func (h *ClusterHandler) ListIdentities(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "$none")
+
 	identities := h.iam.ListIdentities()

-	return c.JSON(http.StatusOK, identities)
-}
+	users := make([]api.IAMUser, len(identities))

-// ReloadIdentities reloads the identities from the cluster store to IAM
-// @Summary Reload identities
-// @Description Reload identities
-// @Tags v16.?.?
-// @ID cluster-3-iam-reload-identities
-// @Produce json
-// @Success 200 {string} string
-// @Success 500 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/cluster/iam/user/reload [get]
-func (h *ClusterHandler) ReloadIdentities(c echo.Context) error {
-	err := h.iam.ReloadIndentities()
-	if err != nil {
-		return api.Err(http.StatusInternalServerError, "", "reload identities: %w", err)
+	for i, iamuser := range identities {
+		if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "read") {
+			continue
+		}
+
+		if !h.iam.Enforce(ctxuser, domain, "iam:"+iamuser.Name, "write") {
+			iamuser = identity.User{
+				Name: iamuser.Name,
+			}
+		}
+
+		policies := h.iam.ListPolicies(iamuser.Name, "", "", nil)
+
+		users[i].Marshal(iamuser, policies)
 	}

-	return c.JSON(http.StatusOK, "OK")
+	return c.JSON(http.StatusOK, users)
+}
+
+// ListIdentity returns the identity stored in IAM
+// @Summary Identity in IAM
+// @Description Identity in IAM
+// @Tags v16.?.?
+// @ID cluster-3-iam-list-identity
+// @Produce json
+// @Success 200 {object} api.IAMUser
+// @Failure 403 {object} api.Error
+// @Failure 404 {object} api.Error
+// @Security ApiKeyAuth
+// @Router /api/v3/cluster/iam/user/{name} [get]
+func (h *ClusterHandler) ListIdentity(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	domain := util.DefaultQuery(c, "domain", "$none")
+	name := util.PathParam(c, "name")
+
+	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "read") {
+		return api.Err(http.StatusForbidden, "", "Not allowed to access this user")
+	}
+
+	var iamuser identity.User
+	var err error
+
+	if name != "$anon" {
+		iamuser, err = h.iam.GetIdentity(name)
+		if err != nil {
+			return api.Err(http.StatusNotFound, "", "%s", err)
+		}
+
+		if ctxuser != iamuser.Name {
+			if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+				iamuser = identity.User{
+					Name: iamuser.Name,
+				}
+			}
+		}
+	} else {
+		iamuser = identity.User{
+			Name: "$anon",
+		}
+	}
+
+	iampolicies := h.iam.ListPolicies(name, "", "", nil)
+
+	user := api.IAMUser{}
+	user.Marshal(iamuser, iampolicies)
+
+	return c.JSON(http.StatusOK, user)
 }

 // ListStorePolicies returns the list of policies stored in the DB of the cluster
@@ -608,7 +935,20 @@ func (h *ClusterHandler) ReloadIdentities(c echo.Context) error {
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/db/policies [get]
 func (h *ClusterHandler) ListStorePolicies(c echo.Context) error {
-	policies := h.cluster.ListPolicies()
+	updatedAt, clusterpolicies := h.cluster.ListPolicies()
+
+	policies := []api.IAMPolicy{}
+
+	for _, pol := range clusterpolicies {
+		policies = append(policies, api.IAMPolicy{
+			Name:     pol.Name,
+			Domain:   pol.Domain,
+			Resource: pol.Resource,
+			Actions:  pol.Actions,
+		})
+	}
+
+	c.Response().Header().Set("Last-Modified", updatedAt.UTC().Format("Mon, 02 Jan 2006 15:04:05 GMT"))

 	return c.JSON(http.StatusOK, policies)
 }
@@ -623,28 +963,20 @@ func (h *ClusterHandler) ListStorePolicies(c echo.Context) error {
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/iam/policies [get]
 func (h *ClusterHandler) ListPolicies(c echo.Context) error {
-	policies := h.iam.ListPolicies("", "", "", nil)
+	iampolicies := h.iam.ListPolicies("", "", "", nil)

-	return c.JSON(http.StatusOK, policies)
-}
+	policies := []api.IAMPolicy{}

-// ReloadPolicies reloads the policies from the cluster store to IAM
-// @Summary Reload policies
-// @Description Reload policies
-// @Tags v16.?.?
-// @ID cluster-3-iam-reload-policies
-// @Produce json
-// @Success 200 {string} string
-// @Success 500 {object} api.Error
-// @Security ApiKeyAuth
-// @Router /api/v3/cluster/iam/policies/reload [get]
-func (h *ClusterHandler) ReloadPolicies(c echo.Context) error {
-	err := h.iam.ReloadPolicies()
-	if err != nil {
-		return api.Err(http.StatusInternalServerError, "", "reload policies: %w", err)
+	for _, pol := range iampolicies {
+		policies = append(policies, api.IAMPolicy{
+			Name:     pol.Name,
+			Domain:   pol.Domain,
+			Resource: pol.Resource,
+			Actions:  pol.Actions,
+		})
 	}

-	return c.JSON(http.StatusOK, "OK")
+	return c.JSON(http.StatusOK, policies)
 }

 // Delete deletes the identity with the given name from the cluster
@@ -655,12 +987,29 @@ func (h *ClusterHandler) ReloadPolicies(c echo.Context) error {
 // @Produce json
 // @Param name path string true "Identity name"
 // @Success 200 {string} string
+// @Failure 403 {object} api.Error
 // @Failure 404 {object} api.Error
 // @Security ApiKeyAuth
 // @Router /api/v3/cluster/iam/user/{name} [delete]
 func (h *ClusterHandler) RemoveIdentity(c echo.Context) error {
+	ctxuser := util.DefaultContext(c, "user", "")
+	superuser := util.DefaultContext(c, "superuser", false)
+	domain := util.DefaultQuery(c, "domain", "$none")
 	name := util.PathParam(c, "name")

+	if !h.iam.Enforce(ctxuser, domain, "iam:"+name, "write") {
+		return api.Err(http.StatusForbidden, "Forbidden", "Not allowed to delete this user")
+	}
+
+	iamuser, err := h.iam.GetIdentity(name)
+	if err != nil {
+		return api.Err(http.StatusNotFound, "Not found", "%s", err)
+	}
+
+	if !superuser && iamuser.Superuser {
+		return api.Err(http.StatusForbidden, "Forbidden", "Only superusers can remove superusers")
+	}
+
 	if err := h.cluster.RemoveIdentity("", name); err != nil {
 		return api.Err(http.StatusBadRequest, "Invalid identity", "%s", err.Error())
 	}