From 1c5454955bbfc312b1e681697c29fc48b329b9df Mon Sep 17 00:00:00 2001 
From: Andrea Longo
Date: Fri, 28 Apr 2023 14:03:11 -0600
Subject: [PATCH] Expand the mc admin user docs (#836)

Restructure the existing `mc admin user` page into separate pages for each subcommand. Also add missing details and correct errors.

Staged: http://192.241.195.202:9000/staging/DOCS-785/linux/html/reference/minio-mc-admin/mc-admin-user.html

Fixes https://github.com/minio/docs/issues/785
---
 source/reference/minio-mc-admin.rst | 12 +-
 .../minio-mc-admin/mc-admin-user-add.rst | 132 ++++++
 .../minio-mc-admin/mc-admin-user-disable.rst | 105 +++++
 .../minio-mc-admin/mc-admin-user-enable.rst | 105 +++++
 .../minio-mc-admin/mc-admin-user-info.rst | 110 +++++
 .../minio-mc-admin/mc-admin-user-list.rst | 105 +++++
 .../minio-mc-admin/mc-admin-user-remove.rst | 100 +++++
 .../minio-mc-admin/mc-admin-user-sts-info.rst | 90 ++++
 .../minio-mc-admin/mc-admin-user-sts.rst | 89 ----
 .../mc-admin-user-svcacct-add.rst | 127 ++++++
 .../mc-admin-user-svcacct-disable.rst | 82 ++++
 .../mc-admin-user-svcacct-edit.rst | 102 +++++
 .../mc-admin-user-svcacct-enable.rst | 82 ++++
 .../mc-admin-user-svcacct-info.rst | 157 +++++++
 .../mc-admin-user-svcacct-list.rst | 82 ++++
 .../mc-admin-user-svcacct-remove.rst | 84 ++++
 .../minio-mc-admin/mc-admin-user-svcacct.rst | 424 +++---------------
 .../minio-mc-admin/mc-admin-user.rst | 380 +++-------------
 18 files changed, 1588 insertions(+), 780 deletions(-)
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-add.rst
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-disable.rst
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-enable.rst
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-info.rst
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-list.rst
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-remove.rst
 create mode 100644 source/reference/minio-mc-admin/mc-admin-user-sts-info.rst
 delete mode 100644 source/reference/minio-mc-admin/mc-admin-user-sts.rst
create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-add.rst create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-disable.rst create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-edit.rst create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-enable.rst create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-info.rst create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-list.rst create mode 100644 source/reference/minio-mc-admin/mc-admin-user-svcacct-remove.rst diff --git a/source/reference/minio-mc-admin.rst b/source/reference/minio-mc-admin.rst index f1233ff1..66bc403d 100644 --- a/source/reference/minio-mc-admin.rst +++ b/source/reference/minio-mc-admin.rst @@ -140,16 +140,6 @@ The following table lists :mc:`mc admin` commands: :start-after: start-mc-admin-user-desc :end-before: end-mc-admin-user-desc - * - :mc:`mc admin user svcacct` - - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct.rst - :start-after: start-mc-admin-user-svcacct-desc - :end-before: end-mc-admin-user-svcacct-desc - - * - :mc:`mc admin user sts` - - .. include:: /reference/minio-mc-admin/mc-admin-user-sts.rst - :start-after: start-mc-admin-user-sts-desc - :end-before: end-mc-admin-user-sts-desc - .. _mc-admin-install: Installation @@ -227,4 +217,4 @@ See :ref:`minio-mc-global-options`. /reference/minio-mc-admin/mc-admin-trace /reference/minio-mc-admin/mc-admin-update /reference/minio-mc-admin/mc-admin-user - /reference/minio-mc-admin/mc-admin-user-svcacct \ No newline at end of file + diff --git a/source/reference/minio-mc-admin/mc-admin-user-add.rst b/source/reference/minio-mc-admin/mc-admin-user-add.rst new file mode 100644 index 00000000..b23bfaa5 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-add.rst 
@@ -0,0 +1,132 @@ +.. _minio-mc-admin-user-add: + +===================== +``mc admin user add`` +===================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user add + + +Syntax +------ + +.. start-mc-admin-user-add-desc + +The :mc:`mc admin user add` command adds a new :ref:`MinIO user ` to the target MinIO deployment. + +.. end-mc-admin-user-add-desc + +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command creates a new user ``newuser`` on the ``myminio`` MinIO deployment: + + .. code-block:: shell + :class: copyable + + mc admin user add myminio newuser newusersecret + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user add \ + ALIAS \ + ACCESSKEY \ + SECRETKEY + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ACCESSKEY + :required: + + The access key that uniquely identifies the new user, similar to a username. + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of a configured MinIO deployment on which to create the new user. + +.. mc-cmd:: SECRETKEY + :required: + + The secret key for the new user. Consider the following guidance when creating a secret key: + + - The key should be *unique* + - The key should be *long* (Greater than 12 characters) + - The key should be *complex* (A mixture of characters, numerals, and symbols) + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Example +------- + +Create a New User +~~~~~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user add` to create a user on a MinIO deployment: + +.. 
code-block:: shell + :class: copyable + + mc admin user add ALIAS ACCESSKEY SECRETKEY + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +- Replace :mc-cmd:`ACCESSKEY ` with the access key for the user. + +- Replace :mc-cmd:`SECRETKEY ` with the secret key for the user. + MinIO *does not* provide any method for retrieving the secret key once set. + +Specify a unique, random, and long string for both the ``ACCESSKEY`` and ``SECRETKEY``. +Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys. + + +Behavior +-------- + +New Users Have No Default Policies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Newly created users have *no* policies by default and therefore cannot perform any operations on the MinIO deployment. +To configure a user's assigned policies, you can do either or both of the following: + +- Use :mc-cmd:`mc admin policy attach` to associate one or more policies to the user. + +- Use :mc-cmd:`mc admin group add` to associate the user to the group. + Users inherit any policies assigned to the group. + +For more information on MinIO users and groups, see :ref:`minio-users` and :ref:`minio-groups`. +For more information on MinIO policies, see :ref:`MinIO Policy Based Access Control `. + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-disable.rst b/source/reference/minio-mc-admin/mc-admin-user-disable.rst new file mode 100644 index 00000000..5f8335a4 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-disable.rst 
@@ -0,0 +1,105 @@ +.. _minio-mc-admin-user-disable: + +========================= +``mc admin user disable`` +========================= + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user disable + + +Syntax +------ + +.. start-mc-admin-user-disable-desc + +The :mc:`mc admin user disable` command disables a :ref:`MinIO user ` on the target MinIO deployment. + +.. end-mc-admin-user-disable-desc + +Clients cannot use the user credentials to authenticate to the MinIO deployment. +Disabling a user does *not* remove that user from the deployment. +Use :mc-cmd:`mc admin user enable` to enable a disabled user on a MinIO deployment. + +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command disables user ``myuser`` on the ``myminio`` MinIO deployment: + + .. code-block:: shell + :class: copyable + + mc admin user disable myminio myuser + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user disable \ + ALIAS \ + USERNAME + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc:`alias ` of the MinIO deployment with the user to disable. + +.. mc-cmd:: USERNAME + :required: + + The username of the user to disable. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + +Example +------- + +Disable a User +~~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user disable` to disable a user on a MinIO deployment. + +.. code-block:: shell + :class: copyable + + mc admin user disable ALIAS USERNAME + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. 
+ +- Replace :mc-cmd:`USERNAME ` with the username of the user to disable. + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-enable.rst b/source/reference/minio-mc-admin/mc-admin-user-enable.rst new file mode 100644 index 00000000..572cbb7d --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-enable.rst 
@@ -0,0 +1,105 @@ +.. _minio-mc-admin-user-enable: + +======================== +``mc admin user enable`` +======================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user enable + + +Syntax +------ + +.. start-mc-admin-user-enable-desc + +The :mc:`mc admin user enable` command enables a :ref:`MinIO user ` on the target MinIO deployment. + +.. end-mc-admin-user-enable-desc + +Clients can only use enabled users to authenticate to the MinIO deployment. +Users created using :mc-cmd:`mc admin user add` are enabled by default. + +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command enables user ``myuser`` on the ``myminio`` MinIO deployment: + + .. code-block:: shell + :class: copyable + + mc admin user enable myminio myuser + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user enable \ + ALIAS \ + USERNAME + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc:`alias ` of the MinIO deployment with the user to enable. + +.. mc-cmd:: USERNAME + :required: + + The username of the user to enable. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Example +------- + +Enable a User +~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user enable` to enable a user on a MinIO deployment. + +.. code-block:: shell + :class: copyable + + mc admin user enable ALIAS USERNAME + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +- Replace :mc-cmd:`USERNAME ` with the username of the user to enable. + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. 
include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-info.rst b/source/reference/minio-mc-admin/mc-admin-user-info.rst new file mode 100644 index 00000000..265f4552 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-info.rst 
@@ -0,0 +1,110 @@ +.. _minio-mc-admin-user-info: + +====================== +``mc admin user info`` +====================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user info + + +Syntax +------ + +.. start-mc-admin-user-info-desc + +The :mc:`mc admin user info` command returns detailed information of a :ref:`MinIO user ` on the target MinIO deployment. + +.. end-mc-admin-user-info-desc + +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command returns details of user ``myuser`` on the ``myminio`` MinIO deployment: + + .. code-block:: shell + :class: copyable + + mc admin user info myminio myuser + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user info \ + ALIAS \ + USERNAME + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of a configured MinIO deployment to retrieve user information from. + +.. mc-cmd:: USERNAME + + The username to retrieve information for. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Example +------- + +View User Details +~~~~~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user info` to view detailed user information for a user on a MinIO deployment: + +.. code-block:: shell + :class: copyable + + mc admin user info ALIAS USERNAME + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +- Replace :mc-cmd:`USERNAME ` with the username of the user to display information for. + +The output resembles the following: + +.. 
code-block:: shell + + AccessKey: myuser + Status: enabled + PolicyName: readwrite + MemberOf: + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-list.rst b/source/reference/minio-mc-admin/mc-admin-user-list.rst new file mode 100644 index 00000000..1f89ed68 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-list.rst 
@@ -0,0 +1,105 @@ +.. _minio-mc-admin-user-list: + +====================== +``mc admin user list`` +====================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user list + + +Syntax +------ + +.. start-mc-admin-user-list-desc + +The :mc:`mc admin user list` command lists all :ref:`MinIO users ` on the target MinIO deployment. + +.. end-mc-admin-user-list-desc + +:mc-cmd:`mc admin user list` does *not* return the access key or secret key associated to a user. +Use :mc-cmd:`mc admin user info` to retrieve detailed user information, including the user access key. + +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command lists all users on the ``myminio`` MinIO deployment: + + .. code-block:: shell + :class: copyable + + mc admin user list myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user list \ + ALIAS + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of a configured MinIO deployment from which the command lists users. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Example +------- + +List Available Users +~~~~~~~~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user list` to list all users on a MinIO deployment: + +.. code-block:: shell + :class: copyable + + mc admin user list ALIAS + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +The output resembles the following: + +.. 
code-block:: shell + + enabled devadmin readwrite + enabled devtest readonly + enabled newuser + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-remove.rst b/source/reference/minio-mc-admin/mc-admin-user-remove.rst new file mode 100644 index 00000000..89ce9263 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-remove.rst 
@@ -0,0 +1,100 @@ +.. _minio-mc-admin-user-remove: + +======================== +``mc admin user remove`` +======================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user remove + +Syntax +------ + +.. start-mc-admin-user-remove-desc + +The :mc:`mc admin user remove` command removes a :ref:`MinIO user ` on the target MinIO deployment. + +.. end-mc-admin-user-remove-desc + +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command removes user ``myuser`` on the ``myminio`` MinIO deployment: + + .. code-block:: shell + :class: copyable + + mc admin user remove myminio myuser + + .. tab-item:: SYNTAX + + Removes a user on the target MinIO deployment. + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user remove \ + ALIAS \ + USERNAME + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc:`alias ` of the configured MinIO deployment with the user to remove. + +.. mc-cmd:: USERNAME + :required: + + The username of the user to remove. + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + +Example +------- + +Remove a User +~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user remove` to remove a user from a MinIO deployment: + +.. code-block:: shell + :class: copyable + + mc admin user remove ALIAS USERNAME + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +- Replace :mc-cmd:`USERNAME ` with the username of the user to remove. + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. 
include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-sts-info.rst b/source/reference/minio-mc-admin/mc-admin-user-sts-info.rst new file mode 100644 index 00000000..6c620f75 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-sts-info.rst 
@@ -0,0 +1,90 @@ +.. _minio-mc-admin-sts-info: + +============================== +``mc admin user sts info`` +============================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user sts info + + +Syntax +------ + +.. start-mc-admin-sts-info-desc + +The :mc-cmd:`mc admin user sts info` command retrieves information on the specified STS credential, such as the parent :ref:`MinIO user ` who generated the credentials, associated policies, and expiration. + +.. end-mc-admin-sts-info-desc + +:abbr:`STS (Security Token Service)` credentials provide temporary access to the MinIO deployment. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command retrieves information on the STS credentials with specified access key: + + .. code-block:: shell + :class: copyable + + mc admin user sts info myminio/ "J123C4ZXEQN8RK6ND35I" + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user sts info \ + [--policy] \ + ALIAS \ + STSACCESSKEY + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: STSACCESSKEY + :required: + + The access key for the STS credentials. + +.. mc-cmd:: --policy + :optional: + + Prints the policy attached to the specified STS credentials in JSON format. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility 
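Review bot: The new mc-admin-user-sts-info.rst drops the `.. versionadded:: RELEASE.2023-02-16T19-20-11Z` directive that the deleted mc-admin-user-sts.rst carried under its Description heading, so the page no longer says from which release `mc admin user sts info` is available. Suggest restoring the directive under the Syntax heading. The ALIAS description also lost the qualifier "for which the STS credentials were generated", and the example passes `myminio/` with a trailing slash while every other new page uses a bare alias; either explain the slash or drop it.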
diff --git a/source/reference/minio-mc-admin/mc-admin-user-sts.rst b/source/reference/minio-mc-admin/mc-admin-user-sts.rst deleted file mode 100644 index 28ebf3d6..00000000 --- a/source/reference/minio-mc-admin/mc-admin-user-sts.rst +++ /dev/null 
@@ -1,89 +0,0 @@ -.. _minio-mc-admin-user-sts: - -===================== -``mc admin user sts`` -===================== - -.. default-domain:: minio - -.. contents:: Table of Contents - :local: - :depth: 2 - -.. mc:: mc admin user sts - -Description ------------ - -.. versionadded:: RELEASE.2023-02-16T19-20-11Z - -.. start-mc-admin-user-sts-desc - -The :mc:`mc admin user sts` command operates on credentials generated using a :ref:`Security Token Service (STS) ` API. - -.. end-mc-admin-user-sts-desc - -:abbr:`STS (Security Token Service)` credentials provide temporary access to the MinIO deployment. - -.. admonition:: Use ``mc admin`` on MinIO Deployments Only - :class: note - - .. include:: /includes/facts-mc-admin.rst - :start-after: start-minio-only - :end-before: end-minio-only - -The :mc:`mc admin user sts` command has the following subcommands: - -.. list-table:: - :header-rows: 1 - :widths: 40 60 - - * - Subcommand - - Description - - * - :mc-cmd:`mc admin user sts info` - - Retrieves information on the specified STS credential, including the parent user who generated the credentials, associated policies, and expiration. - -Syntax ------- - -.. mc-cmd:: info - :fullpath: - - Retrieves information on the specified STS credential, such as the parent user who generated the credentials, associated policies, and expiration. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command retrieves information on the STS credentials with specified access key: - - .. code-block:: shell - :class: copyable - - mc admin user sts info myminio/ "J123C4ZXEQN8RK6ND35I" - - .. tab-item:: SYNTAX - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user sts info \ - [--policy] \ - ALIAS \ - STSACCESSKEY - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment for which the STS credentials were generated. - - .. mc-cmd:: STSACCESSKEY - :required: - - The access key for the STS credentials. - - .. 
mc-cmd:: --policy - :optional: - - Prints the policy attached to the specified STS credentials in JSON format. diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-add.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-add.rst new file mode 100644 index 00000000..fc834d70 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-add.rst 
@@ -0,0 +1,127 @@ +.. _minio-mc-admin-svcacct-add: + +============================= +``mc admin user svcacct add`` +============================= + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct add + + +Syntax +------ + +.. start-mc-admin-svcacct-add-desc + +The :mc-cmd:`mc admin user svcacct add` command adds a new access key to an existing MinIO or AD/LDAP user. + +.. end-mc-admin-svcacct-add-desc + +.. admonition:: Access keys for OpenID Connect users + :class: note + + To generate service account access keys for :ref:`OpenID Connect users `, use the :ref:`MinIO Console `. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command creates a new access key associated to an existing MinIO user: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct add \ + --access-key "myuserserviceaccount" \ + --secret-key "myuserserviceaccountpassword" \ + --policy "/path/to/policy.json" \ + myminio myuser + + The command returns the access key and secret key for the new account. + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct add \ + [--access-key] \ + [--secret-key] \ + [--policy] \ + [--comment] \ + ALIAS \ + USER + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: USER + :required: + + The username of the user to which MinIO adds the new access key. + + - For :ref:`MinIO-managed users `, specify the access key for the user. + - For :ref:`Active Directory/LDAP users `, specify the Distinguished Name of the user. + - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to generate access keys. + +.. 
mc-cmd:: --access-key + :optional: + + A string to use as the access key for this account. Omit to let MinIO autogenerate a random value. + + Access Key names *must* be unique across all users. + +.. mc-cmd:: --comment + :optional: + + .. versionadded:: RELEASE.2023-01-28T20-29-38Z + + Add a note to the service account. + For example, you might specify the reason the service account exists. + +.. mc-cmd:: --policy + :optional: + + The path to a :ref:`policy document ` to attach to the new access key. + The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. + +.. mc-cmd:: --secret-key + :optional: + + The secret key to associate with the new account. Omit to let MinIO autogenerate a random value. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-disable.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-disable.rst new file mode 100644 index 00000000..9a41f82b --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-disable.rst 
@@ -0,0 +1,82 @@ +.. _minio-mc-admin-svcacct-disable: + +================================= +``mc admin user svcacct disable`` +================================= + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct disable + + +Syntax +------ + +.. start-mc-admin-svcacct-disable-desc + +The :mc-cmd:`mc admin user svcacct disable` command disables an existing access key. + +.. end-mc-admin-svcacct-disable-desc + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command disables the specified access key: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct disable myminio myuserserviceaccount + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct disable \ + ALIAS \ + SERVICEACCOUNT + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: SERVICEACCOUNT + :required: + + The service account access key to disable. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-edit.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-edit.rst new file mode 100644 index 00000000..373f5055 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-edit.rst 
@@ -0,0 +1,102 @@ +.. _minio-mc-admin-svcacct-edit: + +============================== +``mc admin user svcacct edit`` +============================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct edit + + +Syntax +------ + +.. start-mc-admin-svcacct-edit-desc + +The :mc-cmd:`mc admin user svcacct edit` command modifies the configuration of an access key associated to the specified user. + +.. end-mc-admin-svcacct-edit-desc + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command applies a new policy and secret key to the ``myuserserviceaccount`` access key on the ``myminio`` deployment: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct edit \ + --secret-key "myuserserviceaccountnewsecretkey" \ + --policy "/path/to/new/policy.json" \ + myminio myuserserviceaccount + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct edit \ + [--secret-key] \ + [--policy] \ + ALIAS \ + SERVICEACCOUNT + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: SERVICEACCOUNT + :required: + + The service account to modify. + +.. mc-cmd:: --policy + :optional: + + The path to a :ref:`policy document ` to attach to the new access key. + The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. + + The new policy overwrites any previously attached policy. + +.. mc-cmd:: --secret-key + :optional: + + The secret key to associate with the new access key. + Overwrites the previous secret key. + Applications using the access keys *must* update to use the new credentials to continue performing operations. + + +Global Flags +~~~~~~~~~~~~ + +.. 
include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-enable.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-enable.rst new file mode 100644 index 00000000..a72f3742 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-enable.rst 
@@ -0,0 +1,82 @@ +.. _minio-mc-admin-svcacct-enable: + +================================ +``mc admin user svcacct enable`` +================================ + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct enable + + +Syntax +------ + +.. start-mc-admin-svcacct-enable-desc + +The :mc-cmd:`mc admin user svcacct enable` command enables an existing access key. + +.. end-mc-admin-svcacct-enable-desc + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command enables the specified access key: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct enable myminio myuserserviceaccount + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct enable \ + ALIAS \ + SERVICEACCOUNT + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: SERVICEACCOUNT + :required: + + The service account access key to enable. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-info.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-info.rst new file mode 100644 index 00000000..745d3aa0 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-info.rst 
@@ -0,0 +1,157 @@ +.. _minio-mc-admin-svcacct-info: + +============================== +``mc admin user svcacct info`` +============================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct info + + +Syntax +------ + +.. start-mc-admin-svcacct-info-desc + +The :mc-cmd:`mc admin user svcacct info` command returns a description of the specified access key. + +.. end-mc-admin-svcacct-info-desc + +The description output includes the following details, as available: + +- Access Key +- Parent user of the specified access key +- Access key status (``on`` or ``off``) +- Policy or policies +- Comment +- Expiration + +Use :mc-cmd:`~mc admin user svcacct info --policy` to view the attached policies. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command returns information on the specified access key: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct info myminio myuserserviceaccount + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct info \ + [--policy] \ + ALIAS \ + SERVICEACCOUNT + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: SERVICEACCOUNT + :required: + + The service account access key to display. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + +Examples +-------- + +Display Service Account Details +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user svcacct info` to display details of a service account on a MinIO deployment: + +.. 
code-block:: shell + :class: copyable + + mc admin user svcacct info ALIAS SERVICEACCOUNT + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +- Replace :mc-cmd:`SERVICEACCOUNT ` with the service account access key. + + +The output resembles the following: + +.. code-block:: shell + + AccessKey: myuserserviceaccount + ParentUser: myuser + Status: on + Comment: + Policy: implied + Expiration: no-expiry + + +Display Service Account Policy Details +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Use :mc-cmd:`mc admin user svcacct info` to display the policies attached to service account: + +.. code-block:: shell + :class: copyable + + mc admin user svcacct info --policy ALIAS SERVICEACCOUNT + +- Replace :mc-cmd:`ALIAS ` with the :mc-cmd:`alias ` of the MinIO deployment. + +- Replace :mc-cmd:`SERVICEACCOUNT ` with the service account access key. + +The output resembles the following: + +.. code-block:: shell + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::*" + ] + } + ] + } + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-list.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-list.rst new file mode 100644 index 00000000..adc2aadf --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-list.rst 
@@ -0,0 +1,82 @@ +.. _minio-mc-admin-svcacct-list: + +============================== +``mc admin user svcacct list`` +============================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct list + + +Syntax +------ + +.. start-mc-admin-svcacct-list-desc + +The :mc-cmd:`mc admin user svcacct list` command lists all access keys associated to the specified user. + +.. end-mc-admin-svcacct-list-desc + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command lists all access keys associated to the user with username ``admin1``: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct list myminio admin1 + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct list \ + ALIAS \ + USER + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: USER + :required: + + The username of the user to display access keys for. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct-remove.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct-remove.rst new file mode 100644 index 00000000..e90743d7 --- /dev/null +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct-remove.rst 
@@ -0,0 +1,84 @@ +.. _minio-mc-admin-svcacct-remove: + +================================ +``mc admin user svcacct remove`` +================================ + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc admin user svcacct remove + + +Syntax +------ + +.. start-mc-admin-svcacct-remove-desc + +The :mc-cmd:`mc admin user svcacct remove` command removes an access key associated to a user on the deployment. + +.. end-mc-admin-svcacct-remove-desc + +Applications can no longer authenticate using that access key after removal. + +.. tab-set:: + + .. tab-item:: EXAMPLE + + The following command removes the specified access key: + + .. code-block:: shell + :class: copyable + + mc admin user svcacct remove myminio myuserserviceaccount + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] admin user svcacct remove \ + ALIAS \ + SERVICEACCOUNT + + .. include:: /includes/common-minio-mc.rst + :start-after: start-minio-syntax + :end-before: end-minio-syntax + + +Parameters +~~~~~~~~~~ + +.. mc-cmd:: ALIAS + :required: + + The :mc-cmd:`alias ` of the MinIO deployment. + +.. mc-cmd:: SERVICEACCOUNT + :required: + + The service account access key to remove. + + +Global Flags +~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + + +Behavior +-------- + +S3 Compatibility +~~~~~~~~~~~~~~~~ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-s3-compatibility + :end-before: end-minio-mc-s3-compatibility diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst index dd060bfa..d0c244cb 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst 
@@ -17,23 +17,17 @@ Description .. start-mc-admin-user-svcacct-desc -The :mc:`mc admin user svcacct` command creates and manages :ref:`Access Keys ` on a MinIO deployment. +The :mc:`mc admin user svcacct` command and its subcommands create and manage :ref:`Access Keys ` on a MinIO deployment. .. end-mc-admin-user-svcacct-desc -Each access keys is linked to a :ref:`user identity ` and inherits the :ref:`policies ` attached to it's parent user *or* those groups in which the parent user has membership. Each access key also supports an optional inline policy which further restricts access to a subset of actions and resources available to the parent user. +Each access key is linked to a :ref:`user identity ` and inherits the :ref:`policies ` attached to it's parent user *or* those groups in which the parent user has membership. +Each access key also supports an optional inline policy which further restricts access to a subset of actions and resources available to the parent user. :mc:`mc admin user svcacct` only supports creating access keys for :ref:`MinIO-managed ` and :ref:`Active Directory/LDAP-managed ` accounts. To create access keys for :ref:`OpenID Connect-managed users `, log into the :ref:`MinIO Console ` and generate the access keys through the UI. -.. admonition:: Use ``mc admin`` on MinIO Deployments Only - :class: note - - .. include:: /includes/facts-mc-admin.rst - :start-after: start-minio-only - :end-before: end-minio-only - The :mc:`mc admin user svcacct` command has the following subcommands: .. list-table:: 
@@ -43,369 +37,51 @@ The :mc:`mc admin user svcacct` command has the following subcommands: * - Subcommand - Description - * - :mc-cmd:`mc admin user svcacct add` - - Adds a new access keys to an existing MinIO or AD/LDAP user + * - :mc:`~mc admin user svcacct add` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-add.rst + :start-after: start-mc-admin-svcacct-add-desc + :end-before: end-mc-admin-svcacct-add-desc + + * - :mc:`~mc admin user svcacct disable` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-disable.rst + :start-after: start-mc-admin-svcacct-disable-desc + :end-before: end-mc-admin-svcacct-disable-desc + + * - :mc:`~mc admin user svcacct edit` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-edit.rst + :start-after: start-mc-admin-svcacct-edit-desc + :end-before: end-mc-admin-svcacct-edit-desc + + * - :mc:`~mc admin user svcacct enable` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-enable.rst + :start-after: start-mc-admin-svcacct-enable-desc + :end-before: end-mc-admin-svcacct-enable-desc + + * - :mc:`~mc admin user svcacct info` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-info.rst + :start-after: start-mc-admin-svcacct-info-desc + :end-before: end-mc-admin-svcacct-info-desc + + * - :mc:`~mc admin user svcacct list` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-list.rst + :start-after: start-mc-admin-svcacct-list-desc + :end-before: end-mc-admin-svcacct-list-desc + + * - :mc:`~mc admin user svcacct remove` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct-remove.rst + :start-after: start-mc-admin-svcacct-remove-desc + :end-before: end-mc-admin-svcacct-remove-desc + + +.. 
toctree:: + :titlesonly: + :hidden: + + /reference/minio-mc-admin/mc-admin-user-svcacct-add + /reference/minio-mc-admin/mc-admin-user-svcacct-disable + /reference/minio-mc-admin/mc-admin-user-svcacct-edit + /reference/minio-mc-admin/mc-admin-user-svcacct-enable + /reference/minio-mc-admin/mc-admin-user-svcacct-info + /reference/minio-mc-admin/mc-admin-user-svcacct-list + /reference/minio-mc-admin/mc-admin-user-svcacct-remove - * - :mc-cmd:`mc admin user svcacct list` - - Lists the existing access keys associated to a MinIO or AD/LDAP user. - - * - :mc-cmd:`mc admin user svcacct remove` - - Removes a access keys from a MinIO or AD/LDAP user. - - * - :mc-cmd:`mc admin user svcacct info` - - Returns detailed information on a access keys. - - * - :mc-cmd:`mc admin user svcacct edit` - - Modifies the secret key or inline policy associated with a access keys. - - * - :mc-cmd:`mc admin user svcacct enable` - - Enables a access keys. - - * - :mc-cmd:`mc admin user svcacct disable` - - Disables a access keys. - -Syntax ------- - -.. mc-cmd:: add - :fullpath: - - Adds a new access keys associated to the specified user. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command creates a new access keys associated to an existing MinIO user: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct add \ - --access-key "myuserserviceaccount" \ - --secret-key "myuserserviceaccountpassword" \ - --policy "/path/to/policy.json" \ - myminio myuser - - The command returns the access key and secret key for the new account. - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct add \ - [--access-key] \ - [--secret-key] \ - [--policy] \ - [--comment] \ - ALIAS \ - USER - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. - - .. mc-cmd:: USER - :required: - - The name of the user to which MinIO adds the new access keys. 
- - - For :ref:`MinIO-managed users `, specify the access key for the user. - - For :ref:`Active Directory/LDAP users `, specify the Distinguished Name of the user. - - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to generate access keys. - - .. mc-cmd:: --access-key - :optional: - - The access key to associate with the new access keys. Omit to direct MinIO to autogenerate the access key for the new access keys. - - Access Key names *must* be unique across all users. - - .. mc-cmd:: --secret-key - :optional: - - The secret key to associate with the new access keys. Omit to direct MinIO to autogenerate the secret key for the new access keys. - - .. mc-cmd:: --policy - :optional: - - The path to a :ref:`policy document ` to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. - - .. mc-cmd:: --comment - :optional: - - .. versionadded:: RELEASE.2023-01-28T20-29-38Z - - Add a note to the service account. - For example, you might specify the reason the service account exists. - -.. mc-cmd:: list - :fullpath: - :alias: ls - - Lists all access keys associated to the specified user. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command lists all access keys associated to an existing MinIO user: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct list myminio myuser - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct list \ - ALIAS \ - USER - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. - - .. mc-cmd:: USER - :required: - - The name of the user to which MinIO adds the new access keys. - - - For :ref:`MinIO-managed users `, specify the access key for the user. - - For :ref:`Active Directory/LDAP users `, specify the Distinguished Name of the user. 
- - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to list access keys. - -.. mc-cmd:: remove - :fullpath: - :alias: rm - - Removes a access keys associated to the specified user. Applications can no longer authenticate using that access keys after removal. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command removes the specified access keys: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct remove myminio myuserserviceaccount - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct remove \ - ALIAS \ - SERVICEACCOUNT - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. - - .. mc-cmd:: SERVICEACCOUNT - :required: - - The access key for the access keys to remove. - -.. mc-cmd:: info - :fullpath: - - Returns a description of the specified access key. - The description output includes the following details, as available: - - - Access Key - - Parent user of the specified access key - - Access key status (``on`` or ``off``) - - Policy or policies - - Comment - - Expiration - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command returns detailed information on the specified access keys: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct info --policy myminio myuserserviceaccount - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct info \ - [--policy] \ - ALIAS \ - SERVICEACCOUNT - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. - - .. mc-cmd:: SERVICEACCOUNT - :required: - - The access key for the access keys to remove. - - .. mc-cmd:: --policy - :optional: - - Returns the policy attached to the access keys in JSON format. The output is ``null`` if the access keys has no attached policy. - -.. 
mc-cmd:: edit - :fullpath: - :alias: set - - Modifies the configuration of a access keys associated to the specified user. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command modifies the specified access keys: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct edit \ - --secret-key "myuserserviceaccountnewsecretkey" \ - --policy "/path/to/new/policy.json" \ - myminio myuserserviceaccount - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct edit \ - [--secret-key] \ - [--policy] \ - ALIAS \ - SERVICEACCOUNT - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. - - .. mc-cmd:: SERVICEACCOUNT - :required: - - The access key for the access keys to modify. - - .. mc-cmd:: --secret-key - :optional: - - The secret key to associate with the new access keys. Overwrites the previous secret key. Applications using the access keys *must* update to use the new credentials to continue performing operations. - - .. mc-cmd:: --policy - :optional: - - The path to a :ref:`policy document ` to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. - - The new policy overwrites any previously attached policy. - -.. mc-cmd:: enable - :fullpath: - - Enables a access keys for the specified user. Applications can only authenticate using enabled access keys. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command enables the specified access keys: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct enable myminio myuserserviceaccount - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct enable \ - ALIAS \ - SERVICEACCOUNT - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. 
- - .. mc-cmd:: SERVICEACCOUNT - :required: - - The access key for the access keys to enable. - -.. mc-cmd:: disable - :fullpath: - - Disables a access keys for the specified user. Applications can only authenticate using enabled access keys. - - .. tab-set:: - - .. tab-item:: EXAMPLE - - The following command disables the specified access keys: - - .. code-block:: shell - :class: copyable - - mc admin user svcacct disable myminio myuserserviceaccount - - .. tab-item:: SYNTAX - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc [GLOBALFLAGS] admin user svcacct disable \ - ALIAS \ - SERVICEACCOUNT - - .. mc-cmd:: ALIAS - :required: - - The :ref:`alias ` of the MinIO deployment. - - .. mc-cmd:: SERVICEACCOUNT - :required: - - The access key for the access keys to disable. - -Global Flags -~~~~~~~~~~~~ - -.. include:: /includes/common-minio-mc.rst - :start-after: start-minio-mc-globals - :end-before: end-minio-mc-globals \ No newline at end of file diff --git a/source/reference/minio-mc-admin/mc-admin-user.rst b/source/reference/minio-mc-admin/mc-admin-user.rst index b7133dfe..f93b0714 100644 --- a/source/reference/minio-mc-admin/mc-admin-user.rst +++ b/source/reference/minio-mc-admin/mc-admin-user.rst 
@@ -15,13 +15,18 @@ Description .. start-mc-admin-user-desc -The :mc:`mc admin user` command manages users on a MinIO deployment. Clients -*must* authenticate to the MinIO deployment with the access key and secret key -associated to a user on the deployment. MinIO users constitute a key component in -MinIO Identity and Access Management. +The :mc:`mc admin user` command and its subcommands manage :ref:`MinIO users `. .. end-mc-admin-user-desc +Clients *must* authenticate to the MinIO deployment with the access key and secret key associated to a user on the deployment. +MinIO users constitute a key component in MinIO Identity and Access Management. + +To manage users who authenticate using a 3rd party IDP, use the :mc:`mc admin` commands for the appropriate provider: + +- For AD/LDAP, use :mc:`mc admin idp ldap` +- For OpenID Connect (OIDC) compatible providers, use :mc:`mc admin idp openid` + .. admonition:: Use ``mc admin`` on MinIO Deployments Only :class: note 
@@ -29,307 +34,70 @@ MinIO Identity and Access Management. :start-after: start-minio-only :end-before: end-minio-only -Users and Policy-Based Access Control -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -MinIO uses Policy-Based Access Control (PBAC) to support *authorization* of -users who have successfully *authenticated* to the deployment. Each policy -includes rules that dictate the allowed or denied actions/resources on the -deployment. You can assign one or more :ref:`policies -` to a User. Users *also* inherit the policies -of any groups of which they are members. A user's total set of permissions -includes their explicitly assigned policies *and* any policies inherited via -group membership. -Newly created users have *no* policies by default and therefore cannot perform -any operations on the MinIO deployment. To configure a user's assigned policies, -you can do either or both of the following: - -- Use :mc-cmd:`mc admin policy attach` to associate one or more policies to the user. - -- Use :mc-cmd:`mc admin group add` to associate the user to the group. Users - inherit any policies assigned to the group. - -Each user's total set of permissions consists of their explicitly assigned -permission *and* the inherited permissions from each of their assigned groups. - -For more information on MinIO users and groups, see -:ref:`minio-users` and :ref:`minio-groups`. For -more information on MinIO policies, see :ref:`MinIO Policy Based Access Control `. - -.. admonition:: ``Deny`` overrides ``Allow`` - :class: note - - MinIO follows the IAM standard where a ``Deny`` rule overrides ``Allow`` rule - on the same action or resource. For example, if a user has an explicitly - assigned policy with an ``Allow`` rule for an action/resource while one of - its groups has an assigned policy with a ``Deny`` rule for that - action/resource, MinIO would apply only the ``Deny`` rule. 
- - For more information on IAM policy evaluation logic, see the IAM - documentation on - :iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account - `. - -Examples --------- - -Create a New User -~~~~~~~~~~~~~~~~~ - -Use :mc-cmd:`mc admin user add` to create a user on an S3-compatible host: - -.. code-block:: shell - :class: copyable - - mc admin user add ALIAS ACCESSKEY SECRETKEY - -- Replace :mc-cmd:`ALIAS ` with the - :mc-cmd:`alias ` of the S3-compatible host. - -- Replace :mc-cmd:`ACCESSKEY ` with the - access key for the user. MinIO allows retrieving the access key after - user creation through the :mc-cmd:`mc admin user info` command. - -- Replace :mc-cmd:`SECRETKEY ` with the - secret key for the user. MinIO *does not* provide any method for retrieving - the secret key once set. - -Specify a unique, random, and long string for both the ``ACCESSKEY`` and -``SECRETKEY``. Your organization may have specific internal or regulatory -requirements around generating values for use with access or secret keys. - -List Available Users -~~~~~~~~~~~~~~~~~~~~ - -Use :mc-cmd:`mc admin user list` to list all users on an S3-compatible host: - -.. code-block:: shell - :class: copyable - - mc admin user list ALIAS - -- Replace :mc-cmd:`ALIAS ` with the - :mc-cmd:`alias ` of the S3-compatible host. - -:mc-cmd:`mc admin user list` does *not* return the access key or secret key -associated to a user. Use :mc-cmd:`mc admin user info` to retrieve detailed -user information, including the user access key. - -View User Details -~~~~~~~~~~~~~~~~~ - -Use :mc-cmd:`mc admin user info` to view detailed user information on an -S3-compatible host: - -.. code-block:: shell - :class: copyable - - mc admin user info ALIAS USERNAME - -- Replace :mc-cmd:`ALIAS ` with the - :mc-cmd:`alias ` of the S3-compatible host. - -- Replace :mc-cmd:`USERNAME ` with the name of - the user. 
- -Remove a User -~~~~~~~~~~~~~ - -Use :mc-cmd:`mc admin user remove` to remove a user from an S3-compatible host: - -.. code-block:: shell - :class: copyable - - mc admin user remove ALIAS USERNAME - -- Replace :mc-cmd:`ALIAS ` with the - :mc-cmd:`alias ` of the S3-compatible host. - -- Replace :mc-cmd:`USERNAME ` with the name of - the user to remove. - -Disable a User -~~~~~~~~~~~~~~ - -Use :mc-cmd:`mc admin user disable` to disable a user on an S3-compatible host. -Disabling a user prevents clients from authenticating to the S3 host with that -user's credentials, but does *not* remove that user from the S3 host. - -Use :mc-cmd:`mc admin user enable` to enable a disabled user on an S3-compatible -host. - -.. code-block:: shell - :class: copyable - - mc admin user disable ALIAS USERNAME - -- Replace :mc-cmd:`ALIAS ` with the - :mc-cmd:`alias ` of the S3-compatible host. - -- Replace :mc-cmd:`USERNAME ` with the name of - the user to disable. - -Enable a User -~~~~~~~~~~~~~ - -Use :mc-cmd:`mc admin user enable` to enable a user on an S3-compatible -host. - -.. code-block:: shell - :class: copyable - - mc admin user enable ALIAS USERNAME - -- Replace :mc-cmd:`ALIAS ` with the - :mc-cmd:`alias ` of the S3-compatible host. - -- Replace :mc-cmd:`USERNAME ` with the name of - the user to enable. - -Syntax ------- - -.. mc-cmd:: add - :fullpath: - - Adds new user to the target MinIO deployment. The command has the following - syntax: - - .. code-block:: shell - :class: copyable - - mc admin user add TARGET ACCESSKEY SECRETKEY - - The command accepts the following arguments: - - .. mc-cmd:: TARGET - - The :mc-cmd:`alias ` of a configured MinIO deployment on which - the command creates the new user. - - .. mc-cmd:: ACCESSKEY - - The access key that uniquely identifies the new user, similar to a - username. - - .. mc-cmd:: SECRETKEY - - The secret key for the new user. 
Consider the following guidance - when creating a secret key: - - - The key should be *unique* - - The key should be *long* (Greater than 12 characters) - - The key should be *complex* (A mixture of characters, numerals, and symbols) - - -.. mc-cmd:: list - :fullpath: - - Lists all users on the target MinIO deployment. The command has the - following syntax: - - .. code-block:: shell - :class: copyable - - mc admin user list TARGET - - The command accepts the following argument: - - .. mc-cmd:: TARGET - - The :mc-cmd:`alias ` of a configured MinIO deployment from which - the command lists users. - -.. mc-cmd:: info - :fullpath: - - Returns detailed information of a user on the target MinIO deployment. The - command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc admin user info TARGET USERNAME - - The command accepts the following arguments: - - .. mc-cmd:: TARGET - - The :mc-cmd:`alias ` of a configured MinIO deployment from - which the command retrieves the specified user information. - - .. mc-cmd:: USERNAME - - The name of the user whose information the command retrieves. - -.. mc-cmd:: remove - - Removes a user from the target MinIO deployment. The command has the - following syntax: - - .. code-block:: shell - :class: copyable - - mc admin user remove TARGET USERNAME - - The command supports the following arguments: - - .. mc-cmd:: TARGET - - The :mc:`alias ` of a configured MinIO deployment on which - the command removes the specified user. - - .. mc-cmd:: USERNAME - - The name of the user which the command removes. - -.. mc-cmd:: disable - :fullpath: - - Disables a user on the target MinIO deployment. Clients cannot use the - user credentials to authenticate to the MinIO deployment. Disabling - a user does *not* remove that user from the deployment. - - The command has the following syntax: - - .. 
code-block:: shell - :class: copyable - - mc admin user disable TARGET USERNAME - - The command supports the following arguments: - - .. mc-cmd:: TARGET - - The :mc:`alias ` of a configured MinIO deployment on which - the command disables the specified user. - - .. mc-cmd:: USERNAME - - The name of the user to disable. - -.. mc-cmd:: enable - :fullpath: - - Enables a user on the target deployment. Clients can only use enabled - users to authenticate to the MinIO deployment. Users created using - :mc-cmd:`mc admin user add` are enabled by default. - - The command has the following syntax: - - .. code-block:: shell - :class: copyable - - mc admin user enable TARGET USERNAME - - The command supports the following arguments: - - .. mc-cmd:: TARGET - - The :mc:`alias ` of a configured MinIO deployment on which - the command enables the specified user. - - .. mc-cmd:: USERNAME - - The name of the user to enable. +Subcommands +----------- + +:mc:`mc admin user` includes the following subcommands: + +.. list-table:: + :header-rows: 1 + :widths: 30 70 + :width: 100% + + * - Subcommand + - Description + + * - :mc:`~mc admin user add` + - .. include:: /reference/minio-mc-admin/mc-admin-user-add.rst + :start-after: start-mc-admin-user-add-desc + :end-before: end-mc-admin-user-add-desc + + * - :mc:`~mc admin user disable` + - .. include:: /reference/minio-mc-admin/mc-admin-user-disable.rst + :start-after: start-mc-admin-user-disable-desc + :end-before: end-mc-admin-user-disable-desc + + * - :mc:`~mc admin user enable` + - .. include:: /reference/minio-mc-admin/mc-admin-user-enable.rst + :start-after: start-mc-admin-user-enable-desc + :end-before: end-mc-admin-user-enable-desc + + * - :mc:`~mc admin user info` + - .. include:: /reference/minio-mc-admin/mc-admin-user-info.rst + :start-after: start-mc-admin-user-info-desc + :end-before: end-mc-admin-user-info-desc + + * - :mc:`~mc admin user list` + - .. 
include:: /reference/minio-mc-admin/mc-admin-user-list.rst + :start-after: start-mc-admin-user-list-desc + :end-before: end-mc-admin-user-list-desc + + * - :mc:`~mc admin user remove` + - .. include:: /reference/minio-mc-admin/mc-admin-user-remove.rst + :start-after: start-mc-admin-user-remove-desc + :end-before: end-mc-admin-user-remove-desc + + * - :mc-cmd:`sts info ` + - .. include:: /reference/minio-mc-admin/mc-admin-user-sts-info.rst + :start-after: start-mc-admin-sts-info-desc + :end-before: end-mc-admin-sts-info-desc + + * - :mc:`~mc admin user svcacct` + - .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct.rst + :start-after: start-mc-admin-user-svcacct-desc + :end-before: end-mc-admin-user-svcacct-desc + +.. toctree:: + :titlesonly: + :hidden: + + /reference/minio-mc-admin/mc-admin-user-add + /reference/minio-mc-admin/mc-admin-user-disable + /reference/minio-mc-admin/mc-admin-user-enable + /reference/minio-mc-admin/mc-admin-user-info + /reference/minio-mc-admin/mc-admin-user-list + /reference/minio-mc-admin/mc-admin-user-remove + /reference/minio-mc-admin/mc-admin-user-sts-info + /reference/minio-mc-admin/mc-admin-user-svcacct
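Review bot: In mc-admin-user-svcacct-enable.rst the page never states what enabling does for authentication. The old combined page said "Applications can only authenticate using enabled access keys." for this subcommand, and that sentence is dropped here while the Behavior section holds only the S3 compatibility include. Suggest restoring it directly after the end-mc-admin-svcacct-enable-desc marker, the same placement the remove page uses for its authentication sentence, so it stays out of the table summary but remains on the page.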
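Review bot: In mc-admin-user-svcacct-info.rst the Parameters section documents only ALIAS and SERVICEACCOUNT, yet the syntax block lists "[--policy]" and the intro links to :mc-cmd:`~mc admin user svcacct info --policy`, so that reference has no target on this page. Suggest adding a ".. mc-cmd:: --policy" entry marked ":optional:" and carrying over the removed description, including that the output is ``null`` when the access key has no attached policy. While there: "attached to service account" needs an article, the JSON sample is fenced as "shell", and the sample output shows "Policy: implied" without saying what that value means (presumably that the key inherits the parent user's policies, as the svcacct overview describes).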
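Review bot: In mc-admin-user-svcacct-list.rst the USER parameter is reduced to "The username of the user to display access keys for." and loses the guidance the old page gave on what to pass: the access key for MinIO-managed users, the Distinguished Name for AD/LDAP users, and the MinIO Console for OpenID Connect users. An operator auditing keys for an LDAP identity cannot tell from this page that a DN is expected. Suggest restoring the three-item list under USER. The old text for that list was also wrong for this subcommand ("the user to which MinIO adds the new access keys"), so the rewrite is welcome, but the identifier guidance should survive it.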
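Review bot: In mc-admin-user-svcacct-remove.rst the sentence "Applications can no longer authenticate using that access key after removal." is the only behavioral statement, and the page does not point to the reversible alternative. Since this patch also creates separate svcacct disable and enable pages, suggest one sentence after it that links :mc:`mc admin user svcacct disable` for cases where the key should stop working but be kept, so readers choose between revoking and suspending deliberately.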
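Review bot: In the first hunk of mc-admin-user-svcacct.rst (@@ -17,23 +17,17 @@) the rewritten line fixes "Each access keys" but still reads "attached to it's parent user"; that should be "its". The same hunk removes the "Use ``mc admin`` on MinIO Deployments Only" admonition from this page while mc-admin-user.rst keeps it; if the removal is intentional because the parent page carries the note, a word in the commit message would help, otherwise keep it here as well.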
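Review bot: The second hunk of mc-admin-user-svcacct.rst (@@ -43,369 +37,51 @@) deletes the ":alias: ls", ":alias: rm" and ":alias: set" options from the list, remove and edit directives, and the new list and remove pages shown in this patch do not declare them anywhere. If the short forms still work, add the ":alias:" option to the ".. mc::" directive on each new page or mention them in the Syntax section; existing scripts and runbooks that use "svcacct rm" or "svcacct ls" would otherwise have nothing to search for. The deleted --policy text for add and edit ("The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies") is also worth confirming on the new add and edit pages, since it is the statement that defines the privilege boundary of an access key.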
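Review bot: In the first hunk of mc-admin-user.rst (@@ -15,13 +15,18 @@) the added sentence "To manage users who authenticate using a 3rd party IDP" introduces "IDP" without expanding it and uses "3rd party" where the rest of the page spells things out. Suggest "a third-party identity provider (IDP)". The two list items that follow are also missing terminal punctuation, unlike the sentences around them.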
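Review bot: The second hunk of mc-admin-user.rst (@@ -29,307 +34,70 @@) removes the whole "Users and Policy-Based Access Control" section, including the statements that newly created users have *no* policies by default and that ``Deny`` overrides ``Allow``, plus the secret key guidance (unique, longer than 12 characters, complex) and the note that MinIO provides no way to retrieve a secret key once set. None of the replacement text in this hunk carries those points, so please confirm they land on mc-admin-user-add.rst or are linked from this page; they are the parts of the old page that affect how operators provision credentials. Separately, the new table uses :mc-cmd:`sts info ` for one row while every other row uses the :mc:`~mc admin user ...` form, so that row will render and link differently from its neighbours.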