diff --git a/source/administration/bucket-replication.rst b/source/administration/bucket-replication.rst index b514bcf3..54e4aaf0 100644 --- a/source/administration/bucket-replication.rst +++ b/source/administration/bucket-replication.rst @@ -33,7 +33,7 @@ Client-side Bucket Replication You can configure bucket replication at any time, and the remote MinIO deployments may have pre-existing data on the replication target buckets. - - Site Replication extends bucket replication to include :ref:`IAM `, security tokens, service accounts, and bucket-level configurations. + - Site Replication extends bucket replication to include :ref:`IAM `, security tokens, access keys, and bucket-level configurations. Site replication is typically configured when initially deploying the MinIO peer sites. Only one site can hold any bucket or objects at the time of initial configuration. diff --git a/source/administration/identity-access-management.rst b/source/administration/identity-access-management.rst index c9833273..eaad710d 100644 --- a/source/administration/identity-access-management.rst +++ b/source/administration/identity-access-management.rst @@ -51,8 +51,6 @@ Once authenticated, MinIO either allows or rejects the client request depending on whether or not the authenticated identity is *authorized* to perform the operation on the specified resource. -Enabling external identity management disables the MinIO internal IDP, with the exception of the creating :ref:`service accounts `. - .. _minio-access-management: Access Management @@ -140,4 +138,4 @@ JSON syntax. /administration/identity-access-management/minio-identity-management /administration/identity-access-management/oidc-access-management /administration/identity-access-management/ad-ldap-access-management - /administration/identity-access-management/policy-based-access-control \ No newline at end of file + /administration/identity-access-management/policy-based-access-control 
diff --git a/source/administration/identity-access-management/ad-ldap-access-management.rst b/source/administration/identity-access-management/ad-ldap-access-management.rst index 74342c19..53b49529 100644 --- a/source/administration/identity-access-management/ad-ldap-access-management.rst +++ b/source/administration/identity-access-management/ad-ldap-access-management.rst 
@@ -53,11 +53,14 @@ MinIO provides an example Go application :minio-git:`ldap.go ` that handles the full login flow. -AD/LDAP users can alternatively create :ref:`service accounts ` associated to their AD/LDAP user Distinguished Name. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. Use either of the following methods to create a new service account +AD/LDAP users can alternatively create :ref:`access keys ` associated to their AD/LDAP user Distinguished Name. +Access Keys are long-lived credentials which inherit their privileges from the parent user. +The parent user can further restrict those privileges while creating the access keys. +Use either of the following methods to create a new access keys: -- Log into the :ref:`MinIO Console ` using the AD/LDAP-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Service Accounts` followed by the :guilabel:`Create service account +` button. +- Log into the :ref:`MinIO Console ` using the AD/LDAP-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Access Keys` followed by the :guilabel:`Create access keys +` button. -- Use the :mc-cmd:`mc admin user svcacct add` command to create the service account. Specify the user Distinguished Name as the username to which to associate the service account. +- Use the :mc-cmd:`mc admin user svcacct add` command to create the access keys. Specify the user Distinguished Name as the username to which to associate the access keys. Mapping Policies to User DN diff --git a/source/administration/identity-access-management/minio-identity-management.rst b/source/administration/identity-access-management/minio-identity-management.rst index c9b6c3bf..14d23d9d 100644 --- a/source/administration/identity-access-management/minio-identity-management.rst 
+++ b/source/administration/identity-access-management/minio-identity-management.rst @@ -23,8 +23,8 @@ Administrators use the :mc:`mc admin user` command to create and manage MinIO users. The :minio-git:`MinIO Console ` provides a graphical interface for creating users. -MinIO also supports creating :ref:`service accounts -`. Service accounts are child identities of an +MinIO also supports creating :ref:`access keys +`. Access Keys are child identities of an authenticated parent user and inherit their permissions from the parent. MinIO by default denies access to all actions or resources not explicitly @@ -45,7 +45,7 @@ user's authorized actions and resources *or* assign the user to :ref:`groups - :ref:`minio-external-identity-management-ad-ldap` Enabling external identity management disables the MinIO internal IDP, with - the exception of creating :ref:`service accounts + the exception of creating :ref:`access keys `. .. toctree:: diff --git a/source/administration/identity-access-management/minio-user-management.rst b/source/administration/identity-access-management/minio-user-management.rst index b2d11ce8..d3d0dc53 100644 --- a/source/administration/identity-access-management/minio-user-management.rst +++ b/source/administration/identity-access-management/minio-user-management.rst 
@@ -39,36 +39,30 @@ For more information, see: - :ref:`minio-external-identity-management-ad-ldap` Enabling external identity management disables the MinIO internal IDP, with -the exception of creating :ref:`service accounts +the exception of creating :ref:`access keys `. .. _minio-idp-service-account: +.. _minio-id-access-keys: -Service Accounts ----------------- +Access Keys +----------- -MinIO service accounts are child identities of an authenticated MinIO user, -including :ref:`externally managed identities -`. Each service account inherits -its privileges based on the :ref:`policies ` attached to it's -parent user *or* those groups in which the parent user has membership. Service -accounts also support an optional inline policy which further restricts access -to a subset of actions and resources available to the parent user. +MinIO Access Keys (formerly "Service Accounts") are child identities of an authenticated MinIO user, including :ref:`externally managed identities `. +Each access key inherits its privileges based on the :ref:`policies ` attached to it's parent user *or* those groups in which the parent user has membership. +Access keys also support an optional inline policy which further restricts access to a subset of actions and resources available to the parent user. -A MinIO user can generate any number of service accounts. This allows -application owners to generate arbitrary service accounts for their applications -without requiring action from the MinIO administrators. Since the generated -service accounts have the same or fewer permissions as the parents, -administrators can focus on managing the top-level parent users without -micro-managing generated service accounts. +A MinIO user can generate any number of access keys. +This allows application owners to generate arbitrary access keys for their applications without requiring action from the MinIO administrators. 
+Since the generated access keys have the same or fewer permissions as the parents, administrators can focus on managing the top-level parent users without micro-managing generated access keys. -You can create service accounts using either the :ref:`MinIO Console ` *or* by using the :mc-cmd:`mc admin user svcacct add` command. +You can create access keys using either the :ref:`MinIO Console ` *or* by using the :mc-cmd:`mc admin user svcacct add` command. -.. admonition:: Service Accounts are for Programmatic Access +.. admonition:: Access Keys are for Programmatic Access :class: dropdown, note - Service Accounts support programmatic access by applications. You cannot - use a Service Account to log into the MinIO Console. + Access Keys support programmatic access by applications. + You cannot use an access key to log into the MinIO Console. .. _minio-users-root: diff --git a/source/administration/identity-access-management/oidc-access-management.rst b/source/administration/identity-access-management/oidc-access-management.rst index 9b64e8a1..255b99c3 100644 --- a/source/administration/identity-access-management/oidc-access-management.rst +++ b/source/administration/identity-access-management/oidc-access-management.rst 
@@ -59,7 +59,11 @@ MinIO provides an example Go application :minio-git:`web-identity.go ` that handles the full login flow. -OIDC users can alternatively create :ref:`service accounts ` associated to their AD/LDAP user. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. To create a new service account, log into the :ref:`MinIO Console ` using the OIDC-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Service Accounts` followed by the :guilabel:`Create service account +` button. +OIDC users can alternatively create :ref:`access keys `. +Access Keys are long-lived credentials which inherit their privileges from the parent user. +The parent user can further restrict those privileges while creating the access keys. +To create a new access key, log into the :ref:`MinIO Console ` using the OIDC-managed user credentials. +From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Access Keys` followed by the :guilabel:`Create access keys +` button. Identifying the JWT Claim Value ------------------------------- diff --git a/source/administration/identity-access-management/policy-based-access-control.rst b/source/administration/identity-access-management/policy-based-access-control.rst index e07f1aa0..234701a3 100644 --- a/source/administration/identity-access-management/policy-based-access-control.rst +++ b/source/administration/identity-access-management/policy-based-access-control.rst 
@@ -712,19 +712,19 @@ services: .. policy-action:: admin:CreateServiceAccount - Allows creating MinIO Service Account + Allows creating MinIO Access Key .. policy-action:: admin:UpdateServiceAccount - Allows updating MinIO Service Account + Allows updating MinIO Access Key .. policy-action:: admin:RemoveServiceAccount - Allows deleting MinIO Service Account + Allows deleting MinIO Access Key .. policy-action:: admin:ListServiceAccounts - Allows listing MinIO Service Account + Allows listing MinIO Access Key .. policy-action:: admin:SetBucketQuota diff --git a/source/administration/minio-console.rst b/source/administration/minio-console.rst index 550ee366..7248dcff 100644 --- a/source/administration/minio-console.rst +++ b/source/administration/minio-console.rst 
@@ -171,6 +171,41 @@ Each bucket has :guilabel:`Manage` and :guilabel:`Browse` buttons. - Select :guilabel:`Browse` to view the contents of the bucket. You can view and download individual objects, upload new objects, or use the :guilabel:`Rewind` function to view only those :ref:`versions ` of an object which existed at the selected timestamp. +.. _minio-console-user-access-keys: + +Access Keys +----------- + +.. image:: /images/minio-console/console-access-keys.png + :width: 600px + :alt: MinIO Console Access Keys + :align: center + +The :guilabel:`Access Keys` section displays all :ref:`minio-id-access-keys` associated to the authenticated user. + +Access Keys support providing applications authentication credentials which inherit permissions from the "parent" user. + +For deployments using an external identity manager such as Active Directory or an OIDC-compatible provider, access keys provide a way for users to create long-lived credentials. + +- You can select the access key row to view its custom policy, if one exists. + + You can create or modify the policy from this screen. + Access key policies cannot exceed the permissions granted to the parent user. + +- You can create a new access key by selecting :guilabel:`Create access key`. + + The Console auto-generates an access key and password. + You can select the eye :octicon:`eye` icon on the password field to reveal the value. + You can override these values as needed. + + You can set a custom policy for the access key that further restricts the permissions granted to users authenticating with that key. + Select :guilabel:`Restrict beyond user policy` to open the policy editor and modify as necessary. + + Ensure you have saved the access key password to a secure location before selecting :guilabel:`Create` to create the access key. + You cannot retrieve or reset the password value after creating the access key. 
+ + To rotate credentials for an application, create a new access key and delete the old one once the application updates to using the new credentials. + Identity -------- @@ -200,7 +235,7 @@ Some subsections may not be visible if the authenticated user does not have the You can view and modify the user's assigned :ref:`groups ` and :ref:`policies `. - You can also view and manage any :ref:`Service Accounts ` associated to the user. + You can also view and manage any :ref:`Access Keys ` associated to the user. .. tab-item:: Groups 
@@ -227,43 +262,18 @@ Some subsections may not be visible if the authenticated user does not have the Changing a user's group membership modifies the policies that user inherits. See :ref:`minio-access-management` for more information. - .. tab-item:: Service Accounts - - .. image:: /images/minio-console/console-service-accounts.png - :width: 600px - :alt: MinIO Console Service Accounts - :align: center - - The :guilabel:`Service Accounts` section displays all :ref:`minio-idp-service-account` associated to the authenticated user. - - Service accounts support providing applications authentication credentials which inherit permissions from the "parent" user. - - For deployments using an external identity manager such as Active Directory or an OIDC-compatible provider, service accounts provide a way for users to create long-lived credentials. - - - You can select the service account row to view its custom policy, if one exists. - - You can create or modify the policy from this screen. - Service account policies cannot exceed the permissions granted to the parent user. - - - You can create a new service account by selecting the :guilabel:`Create service account` button. - - The Console auto-generates an access key and password for the account. - You can override these values as necessary. - - You can set a custom policy for the service account that further restricts the permissions granted to the account. - - The Console only displays the service account credentials *once*. You cannot - change or retrieve the credentials later. To rotate credentials for an - application, create a new service account and delete the old one once the - application updates to using the new credentials. - .. tab-item:: Policies + .. image:: /images/minio-console/console-policies.png + :width: 600px + :alt: MinIO Console Manage Policies + :align: center + The :guilabel:`Policies` section displays all :ref:`policies ` on the MinIO deployment. 
The Policies section allows you to create, modify, or delete policies. :ref:`Policies ` define the authorized actions and resources to which an authenticated user has access. - Each policy describes one or more actions a user, group of users, or service account can perform or conditions they must meet. + Each policy describes one or more actions a user, group of users, or access key can perform or conditions they must meet. The policies are JSON formatted text files compatible with Amazon AWS Identity and Access Management policy syntax, structure, and behavior. Refer to :ref:`Policy Based Action Control ` for details on managing access in MinIO with policies. @@ -442,23 +452,15 @@ Support ------- The :guilabel:`Support` section provides an interface for generating health and performance reports. -You can also register your deployment with |subnet| to allow upload of health reports directly through the MinIO Console. +Support functionality requires registering your deployment with |subnet|. +Unregistered deployments display a :guilabel:`Register Your Cluster` button to register with your |subnet| account. +See the :guilabel:`License` section in the Console or visit the `MinIO SUBNET ` website for more information on registration. This section contains the following subsections. Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions `. .. tab-set:: - .. tab-item:: Register - - .. image:: /images/minio-console/console-register.png - :width: 600px - :alt: MinIO Console - SUBNET Registration login form - :align: center - - The :guilabel:`Register` section provides a login form to connect your MinIO deployment to |subnet|. - - After registration, you can upload your deployment health reports directly to SUBNET for reference by MinIO Engineering. .. tab-item:: Health .. image:: /images/minio-console/console-health.png 
@@ -523,6 +525,8 @@ For deployments not registered via |subnet|, the Console displays a table compar :alt: MinIO Console - License Plans :align: center +Existing customers can register the deployment with their |subnet| account by clicking :guilabel:`Register this cluster` in the top-right corner of the screen. + MinIO is Open Source software under the :minio-git:`GNU AGPLv3 license `. Applications using MinIO should follow local laws and regulations around licensing to ensure compliance with the AGPLv3 license, which may include open sourcing the application stack. diff --git a/source/administration/object-management/object-lifecycle-management.rst b/source/administration/object-management/object-lifecycle-management.rst index e67ca399..0eb2f0ae 100644 --- a/source/administration/object-management/object-lifecycle-management.rst +++ b/source/administration/object-management/object-lifecycle-management.rst 
@@ -10,41 +10,47 @@ Object Lifecycle Management :local: :depth: 1 -MinIO Object Lifecycle Management allows creating rules for time or date -based automatic transition or expiry of objects. For object transition, -MinIO automatically moves the object to a configured remote storage -tier. For object expiry, MinIO automatically deletes the object. +Use MinIO Object Lifecycle Management to create rules for time or date based automatic transition or expiry of objects. +For object transition, MinIO automatically moves the object to a configured remote storage tier. +For object expiry, MinIO automatically deletes the object. -MinIO lifecycle management is built for behavior and syntax compatibility with -:s3-docs:`AWS S3 Lifecycle Management `. For -example, you can export S3 lifecycle management rules and import them into -MinIO or vice-versa. MinIO uses JSON to describe lifecycle management rules, -and conversion to or from XML may be required. +MinIO derives it's behavior and syntax from :s3-docs:`S3 lifecycle ` for compatibility in migrating workloads and lifecycle rules from S3 to MinIO. +For example, you can export S3 lifecycle management rules and import them into MinIO or vice-versa. +MinIO uses JSON to describe lifecycle management rules and may require conversion to or from XML as part of importing S3 lifecycle rules. .. _minio-lifecycle-management-tiering: Object Transition ("Tiering") ----------------------------- -MinIO supports creating object transition lifecycle management rules, where -MinIO can automatically move an object to a remote storage "tier". MinIO -supports any S3-compatible service as a remote tier *in addition to* the -following public cloud storage services: +MinIO supports creating object transition lifecycle management rules, where MinIO can automatically move an object to a remote storage "tier". 
+MinIO supports any of the following remote tier targets: +- :ref:`MinIO or other S3-compatible storage ` - :ref:`Amazon S3 ` - :ref:`Google Cloud Storage ` - :ref:`Microsoft Azure Blob Storage ` -MinIO object transition supports use cases like moving aged data from MinIO -clusters in private or public cloud infrastructure to low-cost private or public -cloud storage solutions. MinIO manages retrieving tiered objects on-the-fly -without any additional application-side logic. +MinIO object transition supports use cases like moving aged data from MinIO clusters in private or public cloud infrastructure to low-cost private or public cloud storage solutions. +MinIO manages retrieving tiered objects on-the-fly without any additional application-side logic. -Use the :mc:`mc admin tier` command to create a remote target for tiering -data to a supported Cloud Service Provider object storage. You can then use the -:mc-cmd:`mc ilm add --transition-days` command to transition objects to the -remote tier after a specified number of calendar days. +Use the :mc:`mc admin tier` command to create a remote target for tiering data that target. +You can then use the :mc-cmd:`mc ilm add --transition-days` command to transition objects to that tier after a specified number of calendar days. + +.. versionadded:: RELEASE.2022-11-10T18-20-21Z + +You can verify the tiering status of an object using :mc-cmd:`mc ls` against the bucket or bucket prefix. +The output includes the storage tier of each object: + +.. code-block:: shell + + $ mc ls play/mybucket + [2022-11-08 11:30:24 PST] 52MB STANDARD log-data.csv + [2022-11-09 12:20:18 PST] 120MB WARM event-2022-11-09.mp4 + +- ``STANDARD`` marks objects stored on the MinIO deployment. +- ``WARM`` marks objects stored on the remote tier with matching name. Exclusive Access to Remote Data ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -63,77 +69,59 @@ Availability of Remote Data Versioned Buckets ~~~~~~~~~~~~~~~~~ -MinIO adopts :s3-docs:`S3 behavior -` for transition rules -on :ref:`versioned buckets `. Specifically, MinIO by -default applies the transition operation to the *current* object version. +MinIO adopts :s3-docs:`S3 behavior ` for transition rules on :ref:`versioned buckets `. +Specifically, MinIO by default applies the transition operation to the *current* object version. -To transition noncurrent object versions, specify the -:mc-cmd:`~mc ilm add --noncurrent-transition-days` and -:mc-cmd:`~mc ilm add --noncurrent-transition-tier` options -when creating the transition rule. +To transition noncurrent object versions, specify the :mc-cmd:`~mc ilm add --noncurrent-transition-days` and :mc-cmd:`~mc ilm add --noncurrent-transition-tier` options when creating the transition rule. .. _minio-lifecycle-management-expiration: Object Expiration ----------------- -MinIO lifecycle management supports expiring objects on a bucket. Object -"expiration" involves performing a ``DELETE`` operation on the object. For -example, you can create a lifecycle management rule to expire any object -older than 365 days. +MinIO lifecycle management supports expiring objects on a bucket. +Object "expiration" involves performing a ``DELETE`` operation on the object. +For example, you can create a lifecycle management rule to expire any object older than 365 days. .. todo: Diagram of MinIO Expiration -Use :mc-cmd:`mc ilm add --expire-days` to expire objects after a specified -number of calendar days. +Use :mc-cmd:`mc ilm add --expire-days` to expire objects after a specified number of calendar days. -For buckets with :ref:`replication ` configured, MinIO -does not replicate objects deleted by a lifecycle management expiration rule. +For buckets with :ref:`replication ` configured, MinIO does not replicate objects deleted by a lifecycle management expiration rule. 
See :ref:`minio-replication-behavior-delete` for more information. Versioned Buckets ~~~~~~~~~~~~~~~~~ -MinIO adopts :s3-docs:`S3 behavior -` for expiration rules -on :ref:`versioned buckets `. MinIO has two -specific default behaviors for versioned buckets: +MinIO adopts :s3-docs:`S3 behavior ` for expiration rules on :ref:`versioned buckets `. +MinIO has two specific default behaviors for versioned buckets: -- MinIO applies the expiration option to only the *current* object version by - creating a ``DeleteMarker`` as is normal with versioned delete. +- MinIO applies the expiration option to only the *current* object version by creating a ``DeleteMarker`` as is normal with versioned delete. - To expire noncurrent object versions, specify the - :mc-cmd:`~mc ilm add --noncurrent-expire-days` option - when creating the expiration rule. + To expire noncurrent object versions, specify the :mc-cmd:`~mc ilm add --noncurrent-expire-days` option when creating the expiration rule. -- MinIO does not expire ``DeleteMarkers`` *even if* no other versions of - that object exist. +- MinIO does not expire ``DeleteMarkers`` *even if* no other versions of that object exist. - To expire delete markers when there are no remaining versions for that - object, specify the :mc-cmd:`~mc ilm add --expire-delete-marker` - option when creating the expiration rule. + To expire delete markers when there are no remaining versions for that object, specify the :mc-cmd:`~mc ilm add --expire-delete-marker` option when creating the expiration rule. .. _minio-lifecycle-management-scanner: Lifecycle Management Object Scanner ----------------------------------- -MinIO uses a built-in scanner to actively check objects against all -configured lifecycle management rules. The scanner is a low-priority process -that yields to high IO workloads to prevent performance spikes triggered -by rule timing. 
The scanner may therefore not detect an object as eligible -for a configured transition or expiration lifecycle rule until *after* -the lifecycle rule period has passed. +MinIO uses a built-in scanner to actively check objects against all configured lifecycle management rules. +The scanner is a low-priority process that yields to high :abbr:`I/O (Input / Output)` workloads to prevent performance spikes triggered by rule timing. +The scanner may therefore not detect an object as eligible for a configured transition or expiration lifecycle rule until *after* the lifecycle rule period has passed. -Delayed application of lifecycle management rules is typically associated to -limited node resources and cluster size. Scanner speed tends to slow as -clusters grow as more time is required to visit all buckets and objects. -This can be exacerbated if the cluster hardware is undersized for regular -workloads, as the scanner will yield to high cluster load to avoid performance -loss. Consider regularly checking cluster metrics, capacity, and resource -usage to ensure the cluster hardware is scaling alongside cluster and workload -growth. +Scanner performance typically depends on the available node resources, the size of the cluster, and the complexity of bucket hierarchy (objects and prefixes). +For example, a cluster that starts with 100TB of data that then grows to 200TB of data may require more time to scan the entire namespace of buckets and objects given the same hardware and workload. +As the cluster or workload increases, scanner performance decreases as it yields more frequently to ensure priority of normal S3 operations. + +Consider regularly checking cluster metrics, capacity, and resource usage to ensure the cluster hardware is scaling alongside cluster and workload growth: + +- :ref:`minio-metrics-and-alerts-capacity` +- :ref:`minio-metrics-and-alerts-lifecycle-management` +- :ref:`minio-metrics-and-alerts-scanner` .. toctree:: :hidden: 
diff --git a/source/glossary.rst b/source/glossary.rst index d84902ed..338a4740 100644 --- a/source/glossary.rst +++ b/source/glossary.rst @@ -7,6 +7,10 @@ Glossary .. glossary:: :sorted: + access keys + A MinIO deployment or tenant user account with limited account typically used with API calls. + Access Keys were previously referred to as "Service Accounts" + active-active A method of :term:`replication` that provides bidirectional mirroring of data. With active-active configuration, changing the data at at any storage location also changes the data at the other storage location(s). @@ -215,8 +219,10 @@ Glossary A set of ``minio server`` nodes which combine their drives and resources to support object storage and retrieval requests. service account + Renamed to :term:`access keys`. A MinIO deployment or tenant user account with limited account typically used with API calls. + single-node multi-drive SNMD A system :term:`topology` that deploys MinIO on one compute resource with more than one attached volume. diff --git a/source/images/minio-console/console-access-keys.png b/source/images/minio-console/console-access-keys.png new file mode 100644 index 00000000..ae4a5e57 Binary files /dev/null and b/source/images/minio-console/console-access-keys.png differ diff --git a/source/images/minio-console/console-add-notification-target.png b/source/images/minio-console/console-add-notification-target.png index dfd6a2f1..153f1132 100644 Binary files a/source/images/minio-console/console-add-notification-target.png and b/source/images/minio-console/console-add-notification-target.png differ diff --git a/source/images/minio-console/console-bucket-create-bucket-with-locking.png b/source/images/minio-console/console-bucket-create-bucket-with-locking.png index 27ed2f53..57ab442e 100644 Binary files a/source/images/minio-console/console-bucket-create-bucket-with-locking.png and b/source/images/minio-console/console-bucket-create-bucket-with-locking.png differ 
diff --git a/source/images/minio-console/console-bucket-manage.png b/source/images/minio-console/console-bucket-manage.png index 6824acda..a3c18089 100644 Binary files a/source/images/minio-console/console-bucket-manage.png and b/source/images/minio-console/console-bucket-manage.png differ diff --git a/source/images/minio-console/console-bucket-none.png b/source/images/minio-console/console-bucket-none.png index 2fac6c9a..9b75199a 100644 Binary files a/source/images/minio-console/console-bucket-none.png and b/source/images/minio-console/console-bucket-none.png differ diff --git a/source/images/minio-console/console-bucket.png b/source/images/minio-console/console-bucket.png index 98c77427..9a2110db 100644 Binary files a/source/images/minio-console/console-bucket.png and b/source/images/minio-console/console-bucket.png differ diff --git a/source/images/minio-console/console-drives.png b/source/images/minio-console/console-drives.png index a98a220a..96ae5ea3 100644 Binary files a/source/images/minio-console/console-drives.png and b/source/images/minio-console/console-drives.png differ diff --git a/source/images/minio-console/console-groups.png b/source/images/minio-console/console-groups.png index a0da9686..27035c59 100644 Binary files a/source/images/minio-console/console-groups.png and b/source/images/minio-console/console-groups.png differ diff --git a/source/images/minio-console/console-health.png b/source/images/minio-console/console-health.png index 93a19150..18f89d25 100644 Binary files a/source/images/minio-console/console-health.png and b/source/images/minio-console/console-health.png differ diff --git a/source/images/minio-console/console-inspect.png b/source/images/minio-console/console-inspect.png index 16568ef3..a6e4f9ba 100644 Binary files a/source/images/minio-console/console-inspect.png and b/source/images/minio-console/console-inspect.png differ 
diff --git a/source/images/minio-console/console-license.png b/source/images/minio-console/console-license.png index ea3aeaa2..a1ef61b3 100644 Binary files a/source/images/minio-console/console-license.png and b/source/images/minio-console/console-license.png differ diff --git a/source/images/minio-console/console-login.png b/source/images/minio-console/console-login.png index 7385a294..3a8f0280 100644 Binary files a/source/images/minio-console/console-login.png and b/source/images/minio-console/console-login.png differ diff --git a/source/images/minio-console/console-metrics-simple.png b/source/images/minio-console/console-metrics-simple.png index 9f58d46e..e988ec18 100644 Binary files a/source/images/minio-console/console-metrics-simple.png and b/source/images/minio-console/console-metrics-simple.png differ diff --git a/source/images/minio-console/console-metrics.png b/source/images/minio-console/console-metrics.png index 996621bb..a46148d2 100644 Binary files a/source/images/minio-console/console-metrics.png and b/source/images/minio-console/console-metrics.png differ diff --git a/source/images/minio-console/console-object-browser.png b/source/images/minio-console/console-object-browser.png index 0a3c2dc9..a1538a8c 100644 Binary files a/source/images/minio-console/console-object-browser.png and b/source/images/minio-console/console-object-browser.png differ diff --git a/source/images/minio-console/console-performance.png b/source/images/minio-console/console-performance.png index 58d938ca..7bc03f3e 100644 Binary files a/source/images/minio-console/console-performance.png and b/source/images/minio-console/console-performance.png differ diff --git a/source/images/minio-console/console-policies.png b/source/images/minio-console/console-policies.png new file mode 100644 index 00000000..6164b7ac Binary files /dev/null and b/source/images/minio-console/console-policies.png differ 
diff --git a/source/images/minio-console/console-profile.png b/source/images/minio-console/console-profile.png index 88f962fc..bd14261f 100644 Binary files a/source/images/minio-console/console-profile.png and b/source/images/minio-console/console-profile.png differ diff --git a/source/images/minio-console/console-service-accounts.png b/source/images/minio-console/console-service-accounts.png deleted file mode 100644 index 39c132d8..00000000 Binary files a/source/images/minio-console/console-service-accounts.png and /dev/null differ diff --git a/source/images/minio-console/console-settings-configuration.png b/source/images/minio-console/console-settings-configuration.png index b4bc2d7a..1e16e602 100644 Binary files a/source/images/minio-console/console-settings-configuration.png and b/source/images/minio-console/console-settings-configuration.png differ diff --git a/source/images/minio-console/console-settings-notifications.png b/source/images/minio-console/console-settings-notifications.png index 42cec12d..df4caf6f 100644 Binary files a/source/images/minio-console/console-settings-notifications.png and b/source/images/minio-console/console-settings-notifications.png differ diff --git a/source/images/minio-console/console-settings-site-replication-add.png b/source/images/minio-console/console-settings-site-replication-add.png index ab2e9b29..b7638d39 100644 Binary files a/source/images/minio-console/console-settings-site-replication-add.png and b/source/images/minio-console/console-settings-site-replication-add.png differ diff --git a/source/images/minio-console/console-settings-site-replication-confirm-delete.png b/source/images/minio-console/console-settings-site-replication-confirm-delete.png index 4c9108be..a6fcce41 100644 Binary files a/source/images/minio-console/console-settings-site-replication-confirm-delete.png and b/source/images/minio-console/console-settings-site-replication-confirm-delete.png differ 
diff --git a/source/images/minio-console/console-settings-site-replication-edit-endpoint.png b/source/images/minio-console/console-settings-site-replication-edit-endpoint.png index 337eefa6..30c768d2 100644 Binary files a/source/images/minio-console/console-settings-site-replication-edit-endpoint.png and b/source/images/minio-console/console-settings-site-replication-edit-endpoint.png differ diff --git a/source/images/minio-console/console-settings-site-replication-status-item.png b/source/images/minio-console/console-settings-site-replication-status-item.png index ee47ede2..b8be1945 100644 Binary files a/source/images/minio-console/console-settings-site-replication-status-item.png and b/source/images/minio-console/console-settings-site-replication-status-item.png differ diff --git a/source/images/minio-console/console-settings-site-replication-status-summary.png b/source/images/minio-console/console-settings-site-replication-status-summary.png index a8d93752..edd090ad 100644 Binary files a/source/images/minio-console/console-settings-site-replication-status-summary.png and b/source/images/minio-console/console-settings-site-replication-status-summary.png differ diff --git a/source/images/minio-console/console-settings-site-replication.png b/source/images/minio-console/console-settings-site-replication.png index 0d3db275..92da2dd3 100644 Binary files a/source/images/minio-console/console-settings-site-replication.png and b/source/images/minio-console/console-settings-site-replication.png differ diff --git a/source/images/minio-console/console-settings-tiers.png b/source/images/minio-console/console-settings-tiers.png index dfd06d46..e0b21165 100644 Binary files a/source/images/minio-console/console-settings-tiers.png and b/source/images/minio-console/console-settings-tiers.png differ 
diff --git a/source/images/minio-console/console-site-replication-delete-button.png b/source/images/minio-console/console-site-replication-delete-button.png index 3cdae00d..280fc79f 100644 Binary files a/source/images/minio-console/console-site-replication-delete-button.png and b/source/images/minio-console/console-site-replication-delete-button.png differ diff --git a/source/images/minio-console/console-site-replication-edit-button.png b/source/images/minio-console/console-site-replication-edit-button.png index 00124903..ff78dc55 100644 Binary files a/source/images/minio-console/console-site-replication-edit-button.png and b/source/images/minio-console/console-site-replication-edit-button.png differ diff --git a/source/images/minio-console/console-site-replication-list-of-sites.png b/source/images/minio-console/console-site-replication-list-of-sites.png index 0e37cc19..a4dd6887 100644 Binary files a/source/images/minio-console/console-site-replication-list-of-sites.png and b/source/images/minio-console/console-site-replication-list-of-sites.png differ diff --git a/source/images/minio-console/console-trace.png b/source/images/minio-console/console-trace.png index 755a9af3..93832f6b 100644 Binary files a/source/images/minio-console/console-trace.png and b/source/images/minio-console/console-trace.png differ diff --git a/source/images/minio-console/console-users.png b/source/images/minio-console/console-users.png index e0727741..a6ece22f 100644 Binary files a/source/images/minio-console/console-users.png and b/source/images/minio-console/console-users.png differ diff --git a/source/images/minio-console/console-watch.png b/source/images/minio-console/console-watch.png index 0e4f3559..d14ac05d 100644 Binary files a/source/images/minio-console/console-watch.png and b/source/images/minio-console/console-watch.png differ 
diff --git a/source/images/minio-console/minio-console.png b/source/images/minio-console/minio-console.png index 226d727d..b5f7ddc6 100644 Binary files a/source/images/minio-console/minio-console.png and b/source/images/minio-console/minio-console.png differ diff --git a/source/includes/common-minio-external-auth.rst b/source/includes/common-minio-external-auth.rst index 81adb4b8..a29896b9 100644 --- a/source/includes/common-minio-external-auth.rst +++ b/source/includes/common-minio-external-auth.rst @@ -143,7 +143,7 @@ Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses when querying the AD/LDAP server. Enables :ref:`Lookup-Bind ` authentication to the AD/LDAP server. -The DN account should be a read-only service account with sufficient +The DN account should be a read-only access keys with sufficient privileges to support querying performing user and group lookups. .. end-minio-ad-ldap-lookup-bind-dn diff --git a/source/includes/common-replication.rst b/source/includes/common-replication.rst index 691bf1ed..5b52e282 100644 --- a/source/includes/common-replication.rst +++ b/source/includes/common-replication.rst @@ -74,7 +74,7 @@ Bucket replication requires specific permissions on the source and destination d mc admin user add TARGET ReplicationAdmin LongRandomSecretKey mc admin policy set TARGET ReplicationAdminPolicy user=ReplicationAdmin - MinIO deployments configured for :ref:`Active Directory/LDAP ` or :ref:`OpenID Connect ` user management should instead create a dedicated :ref:`service account ` for bucket replication. + MinIO deployments configured for :ref:`Active Directory/LDAP ` or :ref:`OpenID Connect ` user management should instead create a dedicated :ref:`access keys ` for bucket replication. .. tab-item:: Replication Remote User 
@@ -101,9 +101,9 @@ Bucket replication requires specific permissions on the source and destination d mc admin user add TARGET ReplicationRemoteUser LongRandomSecretKey mc admin policy set TARGET ReplicationRemoteUserPolicy user=ReplicationRemoteUser - MinIO deployments configured for :ref:`Active Directory/LDAP ` or :ref:`OpenID Connect ` user management should instead create a dedicated :ref:`service account ` for bucket replication. + MinIO deployments configured for :ref:`Active Directory/LDAP ` or :ref:`OpenID Connect ` user management should instead create a dedicated :ref:`access keys ` for bucket replication. -See :mc:`mc admin user`, :mc:`mc admin user svcacct`, and :mc:`mc admin policy` for more complete documentation on adding users, service accounts, and policies to a MinIO deployment. +See :mc:`mc admin user`, :mc:`mc admin user svcacct`, and :mc:`mc admin policy` for more complete documentation on adding users, access keys, and policies to a MinIO deployment. .. end-replication-required-permissions @@ -121,7 +121,7 @@ Each MinIO deployment ("peer site") synchronizes the following changes across th - Creation and deletion of IAM users, groups, policies, and policy mappings to users or groups (for LDAP users or groups) - Creation of Security Token Service (STS) credentials for session tokens verifiable from the local ``root`` credentials -- Creation and deletion of :ref:`service accounts ` (except those owned by the ``root`` user) +- Creation and deletion of :ref:`access keys ` (except those owned by the ``root`` user) Site replication enables :ref:`bucket versioning ` for all new and existing buckets on all replicated sites. diff --git a/source/includes/common/installation.rst b/source/includes/common/installation.rst index 83f6a6e2..aebf4a4e 100644 --- a/source/includes/common/installation.rst +++ b/source/includes/common/installation.rst 
@@ -41,7 +41,7 @@ You can deploy MinIO using one of the following topologies: Site Replication ---------------- -Site replication expands the features of bucket replication to include IAM, security tokens, service accounts, and bucket features the same across all sites. +Site replication expands the features of bucket replication to include IAM, security tokens, access keys, and bucket features the same across all sites. :ref:`Site replication ` links multiple MinIO deployments together and keeps the buckets, objects, and Identity and Access Management (IAM) settings in sync across all connected sites. diff --git a/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst b/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst index ffd1b338..0893a25d 100644 --- a/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst +++ b/source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst @@ -107,9 +107,9 @@ Enter the user's AD/LDAP credentials and log in to access the Console. Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. -You can also create :ref:`service accounts ` for supporting applications which must perform operations on MinIO. -Service accounts are long-lived credentials which inherit their privileges from the parent user. -The parent user can further restrict those privileges while creating the service account. +You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. +Access Keys are long-lived credentials which inherit their privileges from the parent user. +The parent user can further restrict those privileges while creating the access keys. 5) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
diff --git a/source/includes/k8s/steps-configure-openid-external-identity-management.rst b/source/includes/k8s/steps-configure-openid-external-identity-management.rst index 2ba4c363..543a24a2 100644 --- a/source/includes/k8s/steps-configure-openid-external-identity-management.rst +++ b/source/includes/k8s/steps-configure-openid-external-identity-management.rst @@ -125,9 +125,9 @@ Enter the user's OIDC credentials and log in to access the Console. Once logged in, you can perform any action for which the authenticated user is :ref:`authorized `. -You can also create :ref:`service accounts ` for supporting applications which must perform operations on MinIO. -Service accounts are long-lived credentials which inherit their privileges from the parent user. -The parent user can further restrict those privileges while creating the service account. +You can also create :ref:`access keys ` for supporting applications which must perform operations on MinIO. +Access Keys are long-lived credentials which inherit their privileges from the parent user. +The parent user can further restrict those privileges while creating the access keys. 5) Generate S3-Compatible Temporary Credentials using OIDC Credentials ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst index 43c621eb..3566e672 100644 --- a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst +++ b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst 
@@ -55,7 +55,7 @@ Instructions on configuring AD/LDAP are out of scope for this procedure. - For AD/LDAP deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet. -MinIO requires a read-only service account with which it :ref:`binds ` to perform authenticated user and group queries. +MinIO requires a read-only access keys with which it :ref:`binds ` to perform authenticated user and group queries. Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding :ref:`policy ` on the MinIO deployment. An AD/LDAP user with no assigned policy *and* with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster. @@ -222,8 +222,8 @@ An AD/LDAP user with no assigned policy *and* with membership in groups with no user is :ref:`authorized `. - You can also create :ref:`service accounts ` for - supporting applications which must perform operations on MinIO. Service accounts + You can also create :ref:`access keys ` for + supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. diff --git a/source/operations/external-iam/configure-openid-external-identity-management.rst b/source/operations/external-iam/configure-openid-external-identity-management.rst index 9a2f09ca..254c7960 100644 --- a/source/operations/external-iam/configure-openid-external-identity-management.rst +++ b/source/operations/external-iam/configure-openid-external-identity-management.rst 
@@ -19,7 +19,7 @@ The procedure on this page provides instructions for: .. cond:: k8s - Configuring a MinIO Tenant to use an external OIDC provider. - - Accessing the Tenant Console using AD/LDAP Credentials. + - Accessing the Tenant Console using OIDC Credentials. - Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications. .. cond:: linux or container or macos or windows @@ -66,7 +66,7 @@ An OpenID user with no assigned policy has no permission to access any action or This procedure assumes your Kubernetes cluster has sufficient resources to :ref:`deploy a new MinIO Tenant `. - You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable AD/LDAP Identity Management. + You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable OIDC Identity Management. .. cond:: linux or container or macos or windows @@ -215,8 +215,8 @@ An OpenID user with no assigned policy has no permission to access any action or user is :ref:`authorized `. - You can also create :ref:`service accounts ` for - supporting applications which must perform operations on MinIO. Service accounts + You can also create :ref:`access keys ` for + supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account. diff --git a/source/operations/install-deploy-manage/multi-site-replication.rst b/source/operations/install-deploy-manage/multi-site-replication.rst index fe9facba..dc19eaca 100644 --- a/source/operations/install-deploy-manage/multi-site-replication.rst +++ b/source/operations/install-deploy-manage/multi-site-replication.rst 
@@ -48,9 +48,9 @@ After enabling site replication, identity and access management (IAM) settings s #. Policies #. User accounts (for local users) #. Groups - #. Service accounts + #. Access Keys - Service accounts for ``root`` do not sync. + Access Keys for ``root`` do not sync. #. Policy mapping for synced user accounts #. Policy mapping for :ref:`Security Token Service (STS) users ` @@ -58,7 +58,7 @@ After enabling site replication, identity and access management (IAM) settings s .. tab-item:: OIDC #. Policies - #. Service accounts associated to OIDC accounts with a valid :ref:`MinIO Policy `. ``root`` service accounts do not sync. + #. Access Keys associated to OIDC accounts with a valid :ref:`MinIO Policy `. ``root`` access keys do not sync. #. Policy mapping for synced user accounts #. Policy mapping for :ref:`Security Token Service (STS) users ` @@ -66,7 +66,7 @@ After enabling site replication, identity and access management (IAM) settings s #. Policies #. Groups - #. Service accounts associated to LDAP accounts with a valid :ref:`MinIO Policy `. ``root`` service accounts do not sync. + #. Access Keys associated to LDAP accounts with a valid :ref:`MinIO Policy `. ``root`` access keys do not sync. #. Policy mapping for synced user accounts #. Policy mapping for :ref:`Security Token Service (STS) users ` diff --git a/source/operations/monitoring/metrics-and-alerts.rst b/source/operations/monitoring/metrics-and-alerts.rst index 4d1357ec..c8ff0bdc 100644 --- a/source/operations/monitoring/metrics-and-alerts.rst +++ b/source/operations/monitoring/metrics-and-alerts.rst @@ -138,6 +138,8 @@ These metrics are only populated for MinIO clusters with Total number of replication operations failed for a given bucket. You can identify the bucket using the ``{ bucket="STRING" }`` label. +.. _minio-metrics-and-alerts-capacity: + Capacity Metrics ~~~~~~~~~~~~~~~~ 
@@ -172,6 +174,8 @@ Capacity Metrics Total storage used on a specific drive for a node in a MinIO deployment. You can identify the drive and node using the ``{ disk="/path/to/disk",server="STRING"}`` labels respectively. +.. _minio-metrics-and-alerts-lifecycle-management: + Lifecycle Management Metrics ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -240,6 +244,31 @@ Node and Drive Health Metrics Time elapsed (in nano seconds) since last self healing activity. This is set to -1 until initial self heal +Notification Queue Metrics +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. metric:: minio_audit_target_queue_length + + Total number of unsent audit messages in the queue. + +.. metric:: minio_audit_total_messages + + Total number of audit messages sent since last server start. + +.. metric:: minio_audit_failed_messages + + Total number of audit messages which failed to send since last server start. + +.. metric:: minio_notify_current_send_in_progress + + Total number of notification messages in progress to configured targets. + +.. metric:: minio_notify_target_queue_length + + Total number of unsent notification messages in the queue. + +.. _minio-metrics-and-alerts-scanner: + Scanner Metrics ~~~~~~~~~~~~~~~ diff --git a/source/operations/server-side-encryption/configure-minio-kes-gcp.rst b/source/operations/server-side-encryption/configure-minio-kes-gcp.rst index dc1edf66..35b943ca 100644 --- a/source/operations/server-side-encryption/configure-minio-kes-gcp.rst +++ b/source/operations/server-side-encryption/configure-minio-kes-gcp.rst @@ -151,7 +151,7 @@ configurations: The ``Secret manager Admin`` role meets the minimum required permissions. - GCP should return a set of credentials associated to the new service account, + GCP should return a set of credentials associated to the new access keys, including private keys. Copy these credentials to a safe and secure location for use with this procedure. 
diff --git a/source/reference/minio-mc-admin.rst b/source/reference/minio-mc-admin.rst index 071a43ae..dd42e48a 100644 --- a/source/reference/minio-mc-admin.rst +++ b/source/reference/minio-mc-admin.rst @@ -66,12 +66,12 @@ The following table lists :mc:`mc admin` commands: :end-before: end-mc-admin-heal-desc * - :mc-cmd:`mc admin idp ldap` - - .. include:: /reference/minio-mc-admin/mc-admin-heal.rst + - .. include:: /reference/minio-mc-admin/mc-admin-idp-ldap.rst :start-after: start-mc-admin-idp-ldap-desc :end-before: end-mc-admin-idp-ldap-desc * - :mc-cmd:`mc admin idp openid` - - .. include:: /reference/minio-mc-admin/mc-admin-heal.rst + - .. include:: /reference/minio-mc-admin/mc-admin-idp-openid.rst :start-after: start-mc-admin-idp-openid-desc :end-before: end-mc-admin-idp-openid-desc diff --git a/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst b/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst index 100ca76e..4602acd7 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-svcacct.rst 
@@ -17,15 +17,15 @@ Description .. start-mc-admin-user-svcacct-desc -The :mc:`mc admin user svcacct` command creates and manages :ref:`Service Accounts ` on a MinIO deployment. +The :mc:`mc admin user svcacct` command creates and manages :ref:`Access Keys ` on a MinIO deployment. .. end-mc-admin-user-svcacct-desc -Each service account is linked to a :ref:`user identity ` and inherits the :ref:`policies ` attached to it's parent user *or* those groups in which the parent user has membership. Service accounts also support an optional inline policy which further restricts access to a subset of actions and resources available to the parent user. +Each access keys is linked to a :ref:`user identity ` and inherits the :ref:`policies ` attached to it's parent user *or* those groups in which the parent user has membership. Each access key also supports an optional inline policy which further restricts access to a subset of actions and resources available to the parent user. -:mc:`mc admin user svcacct` only supports creating service accounts for :ref:`MinIO-managed ` and :ref:`Active Directory/LDAP-managed ` accounts. +:mc:`mc admin user svcacct` only supports creating access keys for :ref:`MinIO-managed ` and :ref:`Active Directory/LDAP-managed ` accounts. -To create service accounts for :ref:`OpenID Connect-managed users `, log into the :ref:`MinIO Console ` and generate the service account through the UI. +To create access keys for :ref:`OpenID Connect-managed users `, log into the :ref:`MinIO Console ` and generate the access keys through the UI. .. admonition:: Use ``mc admin`` on MinIO Deployments Only :class: note 
@@ -44,25 +44,25 @@ The :mc:`mc admin user svcacct` command has the following subcommands: - Description * - :mc-cmd:`mc admin user svcacct add` - - Adds a new service account to an existing MinIO or AD/LDAP user + - Adds a new access keys to an existing MinIO or AD/LDAP user * - :mc-cmd:`mc admin user svcacct list` - - Lists the existing service accounts associated to a MinIO or AD/LDAP user. + - Lists the existing access keys associated to a MinIO or AD/LDAP user. * - :mc-cmd:`mc admin user svcacct remove` - - Removes a service account from a MinIO or AD/LDAP user. + - Removes a access keys from a MinIO or AD/LDAP user. * - :mc-cmd:`mc admin user svcacct info` - - Returns detailed information on a service account. + - Returns detailed information on a access keys. * - :mc-cmd:`mc admin user svcacct edit` - - Modifies the secret key or inline policy associated with a service account. + - Modifies the secret key or inline policy associated with a access keys. * - :mc-cmd:`mc admin user svcacct enable` - - Enables a service account. + - Enables a access keys. * - :mc-cmd:`mc admin user svcacct disable` - - Disables a service account. + - Disables a access keys. Syntax ------ @@ -70,13 +70,13 @@ Syntax .. mc-cmd:: add :fullpath: - Adds a new service account associated to the specified user. + Adds a new access keys associated to the specified user. .. tab-set:: .. tab-item:: EXAMPLE - The following command creates a new service account associated to an existing MinIO user: + The following command creates a new access keys associated to an existing MinIO user: .. code-block:: shell :class: copyable 
@@ -109,40 +109,40 @@ Syntax .. mc-cmd:: USER :required: - The name of the user to which MinIO adds the new service account. + The name of the user to which MinIO adds the new access keys. - For :ref:`MinIO-managed users `, specify the access key for the user. - For :ref:`Active Directory/LDAP users `, specify the Distinguished Name of the user. - - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to generate service accounts. + - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to generate access keys. .. mc-cmd:: --access-key :optional: - The access key to associate with the new service account. Omit to direct MinIO to autogenerate the access key for the new service account. + The access key to associate with the new access keys. Omit to direct MinIO to autogenerate the access key for the new access keys. - Service account names *must* be unique across all users. + Access Key names *must* be unique across all users. .. mc-cmd:: --secret-key :optional: - The secret key to associate with the new service account. Omit to direct MinIO to autogenerate the secret key for the new service account. + The secret key to associate with the new access keys. Omit to direct MinIO to autogenerate the secret key for the new access keys. .. mc-cmd:: --policy :optional: - The path to a :ref:`policy document ` to attach to the new service account. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. + The path to a :ref:`policy document ` to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. .. mc-cmd:: list :fullpath: :alias: ls - Lists all service accounts associated to the specified user. + Lists all access keys associated to the specified user. .. tab-set:: .. 
tab-item:: EXAMPLE - The following command lists all service accounts associated to an existing MinIO user: + The following command lists all access keys associated to an existing MinIO user: .. code-block:: shell :class: copyable @@ -168,23 +168,23 @@ Syntax .. mc-cmd:: USER :required: - The name of the user to which MinIO adds the new service account. + The name of the user to which MinIO adds the new access keys. - For :ref:`MinIO-managed users `, specify the access key for the user. - For :ref:`Active Directory/LDAP users `, specify the Distinguished Name of the user. - - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to list service accounts. + - For :ref:`OpenID Connect users `, use the :ref:`MinIO Console ` to list access keys. .. mc-cmd:: remove :fullpath: :alias: rm - Removes a service account associated to the specified user. Applications can no longer authenticate using that service account after removal. + Removes a access keys associated to the specified user. Applications can no longer authenticate using that access keys after removal. .. tab-set:: .. tab-item:: EXAMPLE - The following command removes the specified service account: + The following command removes the specified access keys: .. code-block:: shell :class: copyable 
@@ -210,18 +210,18 @@ Syntax .. mc-cmd:: SERVICEACCOUNT :required: - The access key for the service account to remove. + The access key for the access keys to remove. .. mc-cmd:: info :fullpath: - Returns a description of a service account associated to the specified user. The description includes the parent user of the specified service account, its status, and whether the service account has an assigned inline policy. + Returns a description of a access keys associated to the specified user. The description includes the parent user of the specified access keys, its status, and whether the access keys has an assigned inline policy. .. tab-set:: .. tab-item:: EXAMPLE - The following command returns detailed information on the specified service account: + The following command returns detailed information on the specified access keys: .. code-block:: shell :class: copyable @@ -248,24 +248,24 @@ Syntax .. mc-cmd:: SERVICEACCOUNT :required: - The access key for the service account to remove. + The access key for the access keys to remove. .. mc-cmd:: --policy :optional: - Returns the policy attached to the service account in JSON format. The output is ``null`` if the service account has no attached policy. + Returns the policy attached to the access keys in JSON format. The output is ``null`` if the access keys has no attached policy. .. mc-cmd:: edit :fullpath: :alias: set - Modifies the configuration of a service account associated to the specified user. + Modifies the configuration of a access keys associated to the specified user. .. tab-set:: .. tab-item:: EXAMPLE - The following command modifies the specified service account: + The following command modifies the specified access keys: .. code-block:: shell :class: copyable 
@@ -296,30 +296,30 @@ Syntax .. mc-cmd:: SERVICEACCOUNT :required: - The access key for the service account to modify. + The access key for the access keys to modify. .. mc-cmd:: --secret-key :optional: - The secret key to associate with the new service account. Overwrites the previous secret key. Applications using the service account *must* update to use the new credentials to continue performing operations. + The secret key to associate with the new access keys. Overwrites the previous secret key. Applications using the access keys *must* update to use the new credentials to continue performing operations. .. mc-cmd:: --policy :optional: - The path to a :ref:`policy document ` to attach to the new service account. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. + The path to a :ref:`policy document ` to attach to the new access keys. The attached policy cannot grant access to any action or resource not explicitly allowed by the parent user's policies. The new policy overwrites any previously attached policy. .. mc-cmd:: enable :fullpath: - Enables a service account for the specified user. Applications can only authenticate using enabled service accounts. + Enables a access keys for the specified user. Applications can only authenticate using enabled access keys. .. tab-set:: .. tab-item:: EXAMPLE - The following command enables the specified service account: + The following command enables the specified access keys: .. code-block:: shell :class: copyable 
@@ -345,18 +345,18 @@ Syntax .. mc-cmd:: SERVICEACCOUNT :required: - The access key for the service account to enable. + The access key for the access keys to enable. .. mc-cmd:: disable :fullpath: - Disables a service account for the specified user. Applications can only authenticate using enabled service accounts. + Disables a access keys for the specified user. Applications can only authenticate using enabled access keys. .. tab-set:: .. tab-item:: EXAMPLE - The following command disables the specified service account: + The following command disables the specified access keys: .. code-block:: shell :class: copyable @@ -382,7 +382,7 @@ Syntax .. mc-cmd:: SERVICEACCOUNT :required: - The access key for the service account to disable. + The access key for the access keys to disable. Global Flags ~~~~~~~~~~~~ diff --git a/source/reference/minio-mc/mc-ls.rst b/source/reference/minio-mc/mc-ls.rst index 03d013a6..c27b6152 100644 --- a/source/reference/minio-mc/mc-ls.rst +++ b/source/reference/minio-mc/mc-ls.rst @@ -42,6 +42,17 @@ results as the ``ls`` command. mc ls --recursive --versions myminio/mydata + The output resembles the following:: + + .. code-block:: shell + + [2022-11-08 11:30:24 PST] 52MB STANDARD log-data.csv + [2022-11-09 12:20:18 PST] 120MB WARM videos/event-2022-11-09.mp4 + + - ``STANDARD`` marks objects stored on the MinIO deployment + - ``WARM`` marks objects stored on the remote tier with matching name + - ``videos/`` indicates the prefix for the object + .. tab-item:: SYNTAX The command has the following syntax:
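Review bot: in source/includes/common-minio-external-auth.rst (@@ -143,7), the rename changes the meaning of the sentence. The text describes the AD/LDAP account whose DN MinIO binds with for lookups, which is a directory account and not a MinIO access key, so "The DN account should be a read-only access keys" is both inaccurate and ungrammatical. Keep "read-only service account" here, or reword to "read-only AD/LDAP account", and exclude this line from the search-and-replace.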
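Review bot: in source/includes/common-replication.rst (@@ -74,7), "should instead create a dedicated :ref:`access keys ` for bucket replication" mixes a singular article with a plural noun. Use "create dedicated :ref:`access keys `" or "a dedicated :ref:`access key `". The same sentence is repeated in the @@ -101,9 hunk of this file and needs the same fix.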
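Review bot: in source/operations/external-iam/configure-ad-ldap-external-identity-management.rst (@@ -55,7), "MinIO requires a read-only access keys with which it :ref:`binds `" should not have been renamed. The bind identity is an account in the AD/LDAP directory, and the sentence is a prerequisite on the directory side, so the MinIO access key terminology does not apply. Restore "read-only service account" or use "read-only AD/LDAP account".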
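Review bot: in source/operations/external-iam/configure-ad-ldap-external-identity-management.rst (@@ -222,8), the rename is incomplete. The trailing context line still reads "The parent user can further restrict those privileges while creating the service account.", while the matching paragraph in source/includes/k8s/steps-configure-ad-ldap-external-identity-management.rst was updated. The @@ -215,8 hunk in configure-openid-external-identity-management.rst leaves the same sentence untouched. Update both so the paragraph uses one term throughout.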
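Review bot: in source/operations/server-side-encryption/configure-minio-kes-gcp.rst (@@ -151,7), "credentials associated to the new access keys" refers to the GCP service account created earlier in that step, not to a MinIO object. "Service account" is GCP's own term here and should stay; please revert this line.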
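Review bot: in source/reference/minio-mc-admin/mc-admin-user-svcacct.rst (@@ -17,15), the replacement leaves number and article errors: "Each access keys is linked" should be "Each access key is linked", and "generate the access keys through the UI" should agree with the plural "To create access keys" at the start of that sentence. While touching this paragraph, also fix "attached to it's parent user" to "its". The same singular/plural problem recurs in the subcommand table at @@ -44,25 ("Removes a access keys", "Enables a access keys"), where it should read "an access key".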
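Review bot: in source/reference/minio-mc-admin/mc-admin-user-svcacct.rst (@@ -109,40), the ``--access-key`` description is now circular: "The access key to associate with the new access keys." After the rename the same words name both the credential as a whole and its identifier field, so a reader cannot tell which is meant. Distinguish the two, for example "The access key value to use for the new credentials", and apply the same wording to "Access Key names *must* be unique across all users" and to the ``--secret-key`` description below it.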
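Review bot: in source/reference/minio-mc-admin/mc-admin-user-svcacct.rst (@@ -168,23), the ``USER`` parameter sits under the ``list`` subcommand but is described as "The name of the user to which MinIO adds the new access keys", which was copied from ``add``. Since the line is being edited anyway, change it to describe listing, for example "The name of the user whose access keys to list".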
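Review bot: in source/reference/minio-mc-admin/mc-admin-user-svcacct.rst (@@ -248,24), the ``SERVICEACCOUNT`` parameter here belongs to the ``info`` subcommand, yet the edited line still says "The access key for the access keys to remove." It should say which access key to describe, not remove. The parameter name ``SERVICEACCOUNT`` also remains in every subcommand after the rename; state in the description that it takes the access key value, so the old name does not confuse readers.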
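Review bot: in source/operations/monitoring/metrics-and-alerts.rst (@@ -240,6 +244,31), the new "Notification Queue Metrics" section has no reference label, while this patch adds labels for the Capacity, Lifecycle Management and Scanner sections. Add one that follows the same ``minio-metrics-and-alerts-`` naming pattern so the section can be linked. The heading also does not match its content: three of the five metrics are ``minio_audit_*`` audit metrics, so either rename the heading to cover audit targets or split the audit metrics into their own section.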
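Review bot: in source/reference/minio-mc/mc-ls.rst (@@ -42,6 +42,17), "The output resembles the following::" ends in a double colon and is then followed by an explicit ``.. code-block:: shell`` directive. In reStructuredText the double colon already opens a literal block, so combining it with a directive produces a build warning or renders the directive text literally. Use a single colon before the directive. The block holds command output rather than shell commands, so ``text`` is a better lexer than ``shell``.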