From 4b7839c6b63b75300208e00ee8c886dde5f3c4f5 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer <git@aead.dev>
Date: Sun, 8 Feb 2026 13:11:11 +0100
Subject: [PATCH] policy: add KMS admin actions

This commit adds policy actions for enabling a builtin KMS as
well as key backup/restore/rotate.

Signed-off-by: Andreas Auernhammer <git@aead.dev>
---
 policy/admin-action.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/admin-action.go b/policy/admin-action.go
index e9a9ef4..bab84fc 100644
--- a/policy/admin-action.go
+++ b/policy/admin-action.go
@@ -52,10 +52,18 @@ const (
 	TraceAdminAction = "admin:ServerTrace"
 	// ConsoleLogAdminAction - allow listing console logs on terminal
 	ConsoleLogAdminAction = "admin:ConsoleLog"
+	// KMSEnableAdminAction - allow enabling the builtin KMS
+	KMSEnableAdminAction = "admin:KMSEnable"
+	// KMSBackupAdminAction - allow backing up builtin KMS keys
+	KMSBackupAdminAction = "admin:KMSBackup"
+	// KMSRestoreAdminAction - allow restoring builtin KMS keys
+	KMSRestoreAdminAction = "admin:KMSRestore"
 	// KMSCreateKeyAdminAction - allow creating a new KMS master key
 	KMSCreateKeyAdminAction = "admin:KMSCreateKey"
 	// KMSKeyStatusAdminAction - allow getting KMS key status
 	KMSKeyStatusAdminAction = "admin:KMSKeyStatus"
+	// KMSKeyRotateAdminAction - allow rotating KMS keys
+	KMSKeyRotateAdminAction = "admin:KMSKeyRotate"
 	// ServerInfoAdminAction - allow listing server info
 	ServerInfoAdminAction = "admin:ServerInfo"
 	// HealthInfoAdminAction - allow obtaining cluster health information