1
0
mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00

SFTP access for Operator Tenants (#993)

Document SFTP access for Operator Tenants, from Operator v5.0.7.
https://github.com/minio/operator/pull/1685
https://github.com/minio/operator/pull/1692

The new Operator SFTP text and the not-Operator version it is based on
were converted to includes rather than have a mess of conditionals in a
single file.

Staged

http://192.241.195.202:9000/staging/DOCS-943-2/k8s/developers/file-transfer-protocol.html

http://192.241.195.202:9000/staging/DOCS-943-2/linux/developers/file-transfer-protocol.html

Partially addresses https://github.com/minio/docs/issues/943
This commit is contained in:
Andrea Longo
2023-09-08 12:45:29 -06:00
committed by GitHub
parent 42efe20e4f
commit 1aea92b141
4 changed files with 397 additions and 213 deletions

View File

@ -14,219 +14,11 @@ File Transfer Protocol (FTP/SFTP)
:local:
:depth: 1
.. versionadded:: MinIO RELEASE.2023-04-20T17-56-55Z
.. cond:: not k8s
Overview
--------
.. include:: /includes/linux/file-transfer-protocol-not-k8s.rst
You can use the File Transfer Protocol (``FTP``) to interact with the objects on a MinIO deployment.
.. cond:: k8s and not (openshift or eks or gke or aks)
You must specifically enable FTP or SFTP when starting the server.
Enabling either server type does not affect other MinIO features.
.. include:: /includes/k8s/file-transfer-protocol-k8s.rst
This page uses the abbreviation ``FTP`` throughout, but you can use any of the supported FTP protocols described below.
Supported Protocols
~~~~~~~~~~~~~~~~~~~
When enabled, MinIO supports FTP access over the following protocols:
- SSH File Transfer Protocol (``SFTP``)
SFTP is defined by the Internet Engineering Task Force (IETF) as an extension of SSH 2.0.
SFTP allows file transfer over SSH for use with :ref:`Transport Layer Security (TLS) <minio-tls>` and virtual private network (VPN) applications.
Your FTP client must support SFTP.
- File Transfer Protocol over SSL/TLS (``FTPS``)
``FTPS`` allows for encrypted FTP communication with TLS certificates over the standard FTP communication channel.
``FTPS`` should not be confused with ``SFTP``, as ``FTPS`` does not communicate over a Secure Shell (``SSH``).
Your FTP client must support FTPS.
- File Transfer Protocol (``FTP``)
Unencrypted file transfer.
MinIO does **not** recommend using unencrypted FTP for file transfer.
Supported Commands
~~~~~~~~~~~~~~~~~~
When enabled, MinIO supports the following ``ftp`` operations:
- ``get``
- ``put``
- ``ls``
- ``mkdir``
- ``rmdir``
- ``delete``
MinIO does not support either ``append`` or ``rename`` operations.
Considerations
--------------
Versioning
~~~~~~~~~~
You cannot use ``FTP`` to read specific :ref:`object versions <minio-bucket-versioning>` other than the latest version.
- For read operations, MinIO only returns the latest version of the requested object(s) to the ftp client.
- For write operations, MinIO applies normal versioning behavior for matching object names.
Use an S3 API Client, such as the :ref:`MinIO Client <minio-client>`.
Authentication and Access
~~~~~~~~~~~~~~~~~~~~~~~~~
``FTP`` access requires the same authentication as any other S3 client.
MinIO supports the following authentication providers:
- :ref:`MinIO IDP <minio-internal-idp>` users and their service accounts
- :ref:`Active Directory/LDAP <minio-external-identity-management-ad-ldap>` users and their service accounts
- :ref:`OpenID/OIDC <minio-external-identity-management-openid>` service accounts
:ref:`STS <minio-security-token-service>` credentials **cannot** access buckets or objects over FTP.
To use STS credentials to authenticate, you must use an S3 API client or port.
Authenticated users can access buckets and objects based on the :ref:`policies <minio-policy>` assigned to the user or parent user account.
The FTP protocol does not require any of the ``admin:*`` `permissions <minio-policy-mc-admin-actions>`.
The FTP protocols do not support any of the MinIO admin actions.
Prerequisites
-------------
- MinIO RELEASE.2023-04-20T17-56-55Z or later.
- Enable an FTP or SFTP port for the server.
- A port to use for the FTP commands and a range of ports to allow the FTP server to request to use for the data transfer.
Procedure
---------
1. Start MinIO with an FTP and/or SFTP port enabled.
.. code-block:: shell
:class: copyable
minio server http://server{1...4}/disk{1...4} \
--ftp="address=:8021" \
--ftp="passive-port-range=30000-40000" \
--sftp="address=:8022" \
--sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" \
...
See the :mc-cmd:`minio server --ftp` and :mc-cmd:`minio server --sftp` for details on using these flags to start the MinIO service.
To connect to the an ftp port with TLS (``FTPS``), pass the ``tls-private-key`` and ``tls-public-cert`` keys and values, as well, unless using the MinIO default TLS keys.
The output of the command should return a response that resembles the following:
.. code-block:: shell
MinIO FTP Server listening on :8021
MinIO SFTP Server listening on :8022
2. Use your preferred ftp client to connect to the MinIO deployment.
You must connect as a user whose :ref:`policies <minio-policy>` allow access to the desired buckets and objects.
The specifics of connecting to the MinIO deployment depend on your FTP client.
Refer to the documentation for your client.
To connect over TLS or through SSH, you must use a client that supports the desired protocol.
Examples
--------
The examples here use the ``ftp`` CLI client on a Linux system.
Connect to MinIO Using FTP
~~~~~~~~~~~~~~~~~~~~~~~~~~
The following example connects to a server using ``minio`` credentials to list contents in a bucket named ``runner``
.. code-block:: shell
> ftp localhost -P 8021
Connected to localhost.
220 Welcome to MinIO FTP Server
Name (localhost:user): minio
331 User name ok, password required
Password:
230 Password ok, continue
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls runner/
229 Entering Extended Passive Mode (|||39155|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx 1 nobody nobody 0 Jan 1 00:00 chunkdocs/
drwxrwxrwx 1 nobody nobody 0 Jan 1 00:00 testdir/
...
Start MinIO with FTP over TLS (``FTPS``) Enabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following example starts MinIO with ``FTPS`` enabled.
.. code-block:: shell
:class: copyable
minio server http://server{1...4}/disk{1...4} \
--ftp="address=:8021" \
--ftp="passive-port-range=30000-40000" \
--ftp="tls-private-key=path/to/private.key" \
--ftp="tls-public-cert=path/to/public.crt" \
...
.. note::
Omit ``tls-private-key`` and ``tls-public-cert`` to use the MinIO default TLS keys for ``FTPS``.
For more information, see the :ref:`TLS on MinIO documentation <minio-tls>`.
Download an Object over FTP
~~~~~~~~~~~~~~~~~~~~~~~~~~~
This example lists items in a bucket, then downloads the contents of the bucket.
.. code-block:: console
> ftp localhost -P 8021
Connected to localhost.
220 Welcome to MinIO FTP Server
Name (localhost:user): minio
331 User name ok, password required
Password:
230 Password ok, continue
Remote system type is UNIX.
Using binary mode to transfer files.ftp> ls runner/chunkdocs/metadata
229 Entering Extended Passive Mode (|||44269|)
150 Opening ASCII mode data connection for file list
-rwxrwxrwx 1 nobody nobody 45 Apr 1 06:13 chunkdocs/metadata
226 Closing data connection, sent 75 bytes
ftp> get
(remote-file) runner/chunkdocs/metadata
(local-file) test
local: test remote: runner/chunkdocs/metadata
229 Entering Extended Passive Mode (|||37785|)
150 Data transfer starting 45 bytes
45 3.58 KiB/s
226 Closing data connection, sent 45 bytes
45 bytes received in 00:00 (3.55 KiB/s)
...
Connect to MinIO Using SFTP
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following example connects to an SSH FTP server, lists the contents of a bucket named ``runner``, and downloads an object.
.. code-block:: console
> sftp -P 8022 minio@localhost
minio@localhost's password:
Connected to localhost.
sftp> ls runner/
chunkdocs testdir
sftp> get runner/chunkdocs/metadata metadata
Fetching /runner/chunkdocs/metadata to metadata
metadata 100% 226 16.6KB/s 00:00