diff --git a/source/_static/css-style.css b/source/_static/css-style.css
index e09bf84a..9bac0ef3 100644
--- a/source/_static/css-style.css
+++ b/source/_static/css-style.css
@@ -1,246 +1,257 @@
@font-face {
- font-family: "Mark";
- src: url("fonts/Mark-Regular.woff2") format("woff2"),
- url("fonts/Mark-Regular.woff") format("woff");
- font-weight: normal;
- font-style: normal;
+ font-family: "Mark";
+ src: url("fonts/Mark-Regular.woff2") format("woff2"),
+ url("fonts/Mark-Regular.woff") format("woff");
+ font-weight: normal;
+ font-style: normal;
}
:root {
- --table-border-color: #e6e6e6;
+ --table-border-color: #e6e6e6;
+ --minio-red: #c72e49;
+ --minio-midnight: #012b35;
+ --minio-nautical: #00303f;
+ --minio-meridian: #132742;
+ --minio-glacier: #edf7f7;
+
}
body {
- font-family: Mark, Helvetica, sans-serif;
- font-size: 100%;
-}
-
-div.body {
- min-width: 500px;
- max-width: 600px;
- margin: 0 0 0 300px;
- position: relative;
- z-index: 0;
- padding-top: 10px;
-}
-
-div.body p {
- font-size: 90%;
-}
-
-div.admonition {
font-family: Mark, Helvetica, sans-serif;
- border-left: 5px solid #c72e49;
-}
-
-div.admonition p.admonition-title {
- font-family: Mark, Helvetica, sans-serif;
- text-transform: uppercase;
font-size: 100%;
- font-weight: bold;
}
-div.body h1,
-div.body h2,
-div.body h3,
-div.body h4,
-div.body h5,
-div.body h6 {
- font-family: Mark, sans-serif;
- font-weight: normal;
- margin: 30px 0px 10px 0px;
- padding: 0;
- color: #c72e49;
+div.flexwrapper {
+ display: flex;
+ flex-flow: row wrap;
+
+ width: auto;
+ height: 100vh;
+ /* overflow: hidden;
+ Have to comment this out because clicking anchors breaks layout. */
}
-div.sphinxsidebar {
- width: 300px;
- font-size: 80%;
- line-height: 1.5;
- box-shadow: 5px 5px 5px #e6e6e6;
- height: 100%;
- z-index: 1
+div :target.h1,h2,h3,h4 {
+ scroll-margin-top: 100px;
}
-div.sphinxsidebar h3,
-div.sphinxsidebar h4 {
- font-family: Mark, sans-serif;
- font-size: 24px;
- font-weight: normal;
- margin: 0 0 5px 0;
- padding: 0;
-}
+/* Left Column CSS */
-div.document {
- margin: 0 0 0 0;
- width: 100%;
- position: relative;
- top: 75px;
-}
-
-div.section code {
- color: #c72e49;
-}
-
-div.topic {
- background-color: #edf7f71A;
-}
-
-div.localtoc {
+body div.left {
+ width: 250px;
+ /* flex-shrink: 0; */
position: fixed;
- top: 75px;
- right: 0px;
- margin-right: 18px;
- min-width: 200px;
- max-width: 250px;
- font-size: 90%;
+ display: block;
+ left: 0px;
+ top: 85px;
+ color: var(--minio-meridian);
+ z-index: 5;
}
-div.localtoc ul {
+body div.left li.toctree-l1 a {
+ color: var(--minio-meridian);
+}
+body div.left div.sphinxsidebarwrapper {
+ padding: 0 0 0 5px;
+}
+
+body div.left div.sphinxsidebarwrapper ul {
list-style: none;
- margin: 0px 10px;
+ margin-left: 10px;
}
-div.localtoc ul li {
- transition: all 10ms ease-in-out;
+body div.left button.sphinxsidebarbutton {
+ width: 100px;
+ margin-left: auto;
+ background: none;
+ border: none;
+ margin-bottom: 5px;
}
-/* div.localtoc ul li.active {
- color: #c72e49;
- list-style: square;
- position: relative;
- border-left: 5px solid #c72e49;
- padding-left: 5px;
- margin-left: -10px;
-} */
-
-div.localtoc ul li p {
- padding-top: 3px;
- padding-bottom: 3px;
-}
-
-div.localtoc ul li p.active-p {
- position: relative;
- border-left: 5px solid #c72e49;
- padding-left: 5px;
- margin-left: -10px;
-}
-
-div.body a {
- color: #c72e49;
- text-decoration: none;
-}
-
-div.body :target {
- scroll-margin-top: 75px;
-}
-
-div.body a.reference.internal code {
- color: #c72e49;
-}
-
-div.sphinxsidebar a.current.reference.internal {
- color: #c72e49;
- font-weight: bold;
- position: relative;
- border-left: 5px solid #c72e49;
- padding-left: 5px;
- margin-left: -10px;
-
-}
-
-div.contents.local.topic a{
- border-bottom: none;
-}
-
-div.sphinxsidebar a.reference.internal {
- margin: 10px 0px 10px 0px;
- display: block;
- border-bottom: 0px;
-}
-
-div.sphinxsidebar a:hover {
- text-decoration: none;
-}
-
-img.logo {
- height: 120px;
-}
-
-div.sphinxsidebar ul ul {
- list-style: none;
-}
-
-dt {
+body div.left div.sphinxsidebarwrapper a.current.reference.internal {
+ color: var(--minio-red);
font-weight: bold;
+ position: relative;
+ border-left: 5px solid var(--minio-red);
+ padding-left: 5px;
+ margin-left: -10px;
+
}
-div.body table.docutils {
- border-color: var(--table-border-color);
+body div.left div.sphinxsidebarwrapper li.toctree-l1 {
+ margin-top: 10px;
+ margin-bottom: 10px;
+ padding-bottom: 5px;
+ border-bottom: 1px solid var(--table-border-color);
+ list-style: none;
}
+body div.left a.reference {
+ text-decoration: none;
+ border: none;
+}
+
+
+
+/* Center Column CSS */
+
div.body div.alert-info {
- background-color:#c72e491a;
padding-left: 5px;
padding-right: 5px;
- border: 2px #c72e49 solid;
+ border: 2px var(--minio-red) solid;
border-radius: 10px;
-
+
}
-div.body div.alert-info p {
- text-align: center;
-}
-
-div.body table.docutils th {
- border-top: 1px solid var(--table-border-color);
- border-bottom: 1px solid var(--table-border-color);
- border-left: none;
- border-right: none;
-}
-
-div.body table.docutils td {
- border-top: 1px solid var(--table-border-color);
- border-bottom: 1px solid var(--table-border-color);
- border-left: none;
- border-right: none;
-}
-
-div.header {
- background-color: #01262e;
- height: 75px;
- width: 100%;
- position: fixed;
- z-index: 2;
- top: 0px;
-}
-
-div.header img.logo {
+body div.center {
+ flex: 9;
+ overflow-y: auto;
+ overflow-x: hidden;
+ flex-grow: 9;
+ flex-shrink: 4;
+ z-index: 0;
+ margin-left: 250px;
+ margin-top: 85px;
+ scroll-margin-top: 85px;
height: 100%;
- padding-top: 28.5px;
padding-left: 10px;
-}
-
-div.header div.navbar {
- float: right;
- text-align: center;
padding-right: 10px;
}
-div.header img.logo {
- height: 18px;
+body div.center div.admonition p.admonition-title {
+ font-family: Mark, Helvetica, sans-serif;
+ font-size: 110%;
}
-div.footer {
- width: 100%;
- text-align: center;
+body div.center h1,
+body div.center h2,
+body div.center h3,
+body div.center h4,
+body div.center h5,
+body div.center h6 {
+ font-family: Mark, sans-serif;
+ font-weight: normal;
+ margin: 30px 0px 10px 0px;
+ padding: 0;
}
-dl.minio {
+body #toc-backref {
+ color: var(--minio-meridian);
+}
+
+body div.center a.reference.internal {
+ color: var(--minio-red);
+ text-decoration: none;
+}
+
+body div.center a.reference.internal code {
+ color: var(--minio-red);
+}
+
+body div.center a.toc-backref {
+ text-decoration: none;
+ color: var(--minio-meridian);
+}
+
+body div.center dl.minio {
border-bottom: 1px solid #01262e2a;
border-top: 1px solid #01262e2a;
padding-top: 10px;
padding-bottom: 10px;
}
+body div.center code.descclassname {
+ font-weight: bold;
+}
+
+body div.center table.docutils {
+ border: 1px solid var(--table-border-color);
+}
+
+body div.center table.docutils th {
+ border-top: 1px solid var(--table-border-color);
+ border-bottom: 1px solid var(--table-border-color);
+ border-left: none;
+ border-right: none;
+ }
+
+ body div.center table.docutils td {
+ border-top: 1px solid var(--table-border-color);
+ border-bottom: 1px solid var(--table-border-color);
+ border-left: none;
+ border-right: none;
+ }
+
+body div.center p {
+ padding-left: 10px;
+}
+
+/* Right-Column CSS */
+
+body div.right {
+ flex: 3;
+ flex-shrink: 0;
+ margin-left: 10px;
+ margin-top: 85px;
+}
+
+body div.right div.topic {
+ background-color: #fff;
+ border-style: none;
+}
+
+body div.right ul.simple {
+ margin-left: 5px;
+}
+
+body div.right ul {
+ list-style: none;
+}
+
+body div.right a.reference.internal {
+ color: var(--minio-meridian);
+ text-decoration: none;
+ border-bottom: none;
+}
+
+body div.right p.active-p {
+ border-left: 5px solid var(--minio-red);
+ padding-left: 5px;
+ margin-left: -10px;
+}
+
+/* Collapse CSS */
+
+body div.left.collapsed {
+ left: -300px;
+}
+
+body div.left button.sphinxsidebarbutton.collapsed {
+ left: 0px;
+ position: fixed;
+}
+
+body div.column.collapsed {
+ margin-left: 50px;
+}
+
+/* Navigation CSS */
+
+nav.navigation img.logo {
+ height: 18px;
+ padding-top: 28.5px;
+ padding-left: 10px;
+}
+
+
+nav.navigation {
+ position: fixed;
+ background-color: black;
+ width: 100%;
+ height: 75px;
+ top: 0px;
+ z-index: 1;
+}
+
+/* Admonition CSS TODO*/
\ No newline at end of file
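Review bot: The selector `div :target.h1,h2,h3,h4` on the new `scroll-margin-top: 100px` rule does not express what its shape suggests: `:target.h1` matches a targeted element carrying a *class* `h1`, and `h2`, `h3`, `h4` are three independent selectors that apply to every h2/h3/h4 in the document whether targeted or not, so the anchor offset that the old `div.body :target { scroll-margin-top: 75px; }` provided is now applied far more broadly than intended. If the intent is headings that are the anchor target, `div h1:target, div h2:target, div h3:target, div h4:target { scroll-margin-top: 100px; }` says so; if any target should be offset as before, `div :target` alone is enough. Separately, the `table.docutils th` closing brace and the whole `table.docutils td` rule in the center-column section are indented one level deeper than the rest of the file, and the file now ends without a trailing newline — both worth normalising since the hunk already reformats the surrounding rules. The hard-coded `#01262e2a` on `dl.minio` and `background-color: black` on `nav.navigation` could use the `--minio-*` custom properties the hunk introduces, so the palette lives in one place.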
diff --git a/source/_static/js/main.js b/source/_static/js/main.js
index 17c11325..f40d5dfe 100644
--- a/source/_static/js/main.js
+++ b/source/_static/js/main.js
@@ -18,15 +18,13 @@ window.addEventListener('DOMContentLoaded', (event) => {
// how to resolve that.
let options = {
- root: document.querySelector('#scrollArea'),
+ root: document.querySelector('div.center'),
rootMargin: '-150px 0px -300px 0px'
}
const observer = new IntersectionObserver(entries => {
entries.forEach(entry => {
const id = entry.target.getAttribute('id');
- console.log("entry is " + id + " Ratio is " + entry.intersectionRatio)
- console.log(entry.rootBounds)
if (id == document.querySelector('.section[id]').getAttribute('id'))
return 0
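Review bot: `root: document.querySelector('div.center')` silently falls back to the viewport when no `div.center` exists, because IntersectionObserver treats a null `root` as the document viewport; a page rendered without that column would then run the observer with the wrong root and the wrong `rootMargin` with no signal. Resolve the element once before building `options`, e.g. `const scrollRoot = document.querySelector('div.center');`, and return early or `console.warn` when it is null. The comment ending just above the hunk ("how to resolve that") refers to something outside this view, so it may already describe a related caveat; the enclosing `DOMContentLoaded` handler begins before the hunk.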
@@ -60,6 +58,26 @@ window.addEventListener('DOMContentLoaded', (event) => {
observer.observe(section);
});
+ const leftcolumn = document.querySelector('.left');
+ const centercolumn = document.querySelector('.center');
+ const rightcolumn = document.querySelector('.right');
+ const button = document.querySelector('.sphinxsidebarbutton');
+ const sidebarwrapper = document.querySelector('.sphinxsidebarwrapper');
+
+ function expando() {
+ button.classList.toggle('collapsed');
+ leftcolumn.classList.toggle('collapsed');
+ centercolumn.classList.toggle('collapsed');
+ sidebarwrapper.classList.toggle('collapsed');
+ if (button.textContent == "[x] Collapse") {
+ button.textContent = "[x] Expand";
+ }
+ else {
+ button.textContent = "[x] Collapse";
+ }
+ }
+
+ button.addEventListener( "click", expando );
});
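Review bot: `button.addEventListener( "click", expando )` on the last added line throws a TypeError when `.sphinxsidebarbutton` is absent — the template change in this commit only emits the sidebar when `render_sidebar` is true — and `expando()` has the same problem for `leftcolumn`, `centercolumn` and `sidebarwrapper`, while `rightcolumn` is looked up and never used. The collapsed state is also inferred from the button's visible text (`"[x] Collapse"`), which breaks as soon as the label is edited; the return value of `classList.toggle` already gives the state, and passing it as the second argument to the other `toggle` calls keeps the four elements in sync. A button that shows and hides a region should expose `aria-expanded` so assistive technology learns the state. The stylesheet in this commit styles `div.column.collapsed` rather than `div.center.collapsed`, so unless the center column also carries class `column`, toggling `collapsed` on `.center` has no visual effect — worth confirming against the template. The `DOMContentLoaded` handler enclosing this code begins before the hunk.
```javascript
  const button = document.querySelector('.sphinxsidebarbutton');
  // … unchanged: leftcolumn / centercolumn / sidebarwrapper lookups (rightcolumn dropped) …

  function expando() {
    const collapsed = button.classList.toggle('collapsed');
    leftcolumn.classList.toggle('collapsed', collapsed);
    centercolumn.classList.toggle('collapsed', collapsed);
    sidebarwrapper.classList.toggle('collapsed', collapsed);
    button.setAttribute('aria-expanded', String(!collapsed));
    button.textContent = collapsed ? "[x] Expand" : "[x] Collapse";
  }

  if (button && leftcolumn && centercolumn && sidebarwrapper) {
    button.addEventListener("click", expando);
  }
```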
diff --git a/source/_templates/layout.html b/source/_templates/layout.html
index 7c3a2aac..46772305 100644
--- a/source/_templates/layout.html
+++ b/source/_templates/layout.html
@@ -5,22 +5,61 @@
{# Override content block #}
+{%- macro miniosidebar() %}
+ {%- if render_sidebar %}
+
+ {%- endif %}
+{%- endmacro %}
+
{%- block header %}
-
+
{%- endblock %}
{%- block content %}
-
- {{ sidebar() }}
-
- {% block alertbar -%}
+
+
+
+ {{ miniosidebar() }}
+
+
+
+
+ {% block alertbar -%}
We're building a new version of the MinIO Documentation!
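Review bot: The new `miniosidebar()` macro replaces the theme's `{{ sidebar() }}` call, but nothing in the template records why a local macro is needed instead of the built-in one or what it is expected to render inside the `render_sidebar` guard; a Jinja comment above the macro such as `{# miniosidebar(): local replacement for the basic theme's sidebar() macro; keep its markup in sync with the div.left rules in css-style.css #}` would help the next maintainer. The markup inside the macro and inside the `header`/`content` blocks is not visible in this view, so I cannot check it against the `div.left`, `div.center` and `.sphinxsidebarbutton` selectors that the stylesheet and main.js in this commit presumably depend on; worth confirming the class names match. The `content` block continues past the hunk.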
@@ -30,14 +69,17 @@
- {% endblock %}
- {% block body %} {% endblock %}
-
+
-
-
+
{%- endblock %}
diff --git a/source/security/minio-authentication-authorization-review.rst b/source/security/minio-authentication-authorization-review.rst
deleted file mode 100644
index 37228775..00000000
--- a/source/security/minio-authentication-authorization-review.rst
+++ /dev/null
@@ -1,836 +0,0 @@
-================================
-Authentication and Authorization
-================================
-
-.. default-domain:: minio
-
-.. contents:: On This Page
- :local:
- :depth: 2
-
-Overview
---------
-
-*Authentication* is the process of verifying the identity of a connecting
-client. MinIO authentication requires providing user credentials in the form of
-an access key (username) and corresponding secret key (password). The MinIO
-deployment only grants access *if*:
-
-- The access key corresponds to a user on the deployment, *and*
-- The secret key corresponds to the specified access key.
-
-*Authorization* is the process of restricting the actions and resources the
-authenticated client can perform on the deployment. MinIO uses Policy-Based
-Access Control (PBAC), where each policy describes one or more rules that
-outline the permissions of a user or group of users. MinIO supports a subset of
-:iam-docs:`IAM actions and conditions
-
` when creating policies.
-By default, MinIO *denies* access to actions or resources not explicitly
-referenced in a user's assigned or inherited policies.
-
-- For more information on MinIO user management, see
- :ref:`minio-auth-authz-users`.
-
-- For more information on MinIO group management, see
- :ref:`minio-auth-authz-groups`.
-
-- For more information on MinIO policy creation, see
- :ref:`minio-auth-authz-pbac-policies`.
-
-.. _minio-auth-authz-users:
-
-Users
------
-
-A *user* is an identity with associated privileges on a MinIO deployment. Each
-user consists of a unique access key (username) and corresponding secret key
-(password). The access key and secret key support *authentication* on the MinIO
-deployment, similar to a username and password. Clients must specify both a
-valid access key (username) and the corresponding secret key (password) to
-access the MinIO deployment.
-
-Each user can have one or more assigned :ref:`policies
-` that explicitly list the actions and resources
-to which the user is allowed or denied access. Policies support *authorization*
-of operations on the MinIO deployment, such that clients can only perform
-an operation if the user's assigned policies allow access to both the operation
-*action* and the target *resources*.
-
-For example, consider the following table of users. Each user is assigned
-a :ref:`built-in policy ` or
-a supported :ref:`action `. The table
-describes a subset of operations a client could perform if authenticated
-as that user:
-
-.. list-table::
- :header-rows: 1
- :widths: 20 40 40
- :width: 100%
-
- * - User
- - Policy
- - Operations
-
- * - ``Operations``
- - | :userpolicy:`readwrite` on ``finance`` bucket
- | :userpolicy:`readonly` on ``audit`` bucket
-
- - | ``PUT`` and ``GET`` on ``finance`` bucket.
- | ``PUT`` on ``audit`` bucket
-
- * - ``Auditing``
- - | :userpolicy:`readonly` on ``audit`` bucket
- - ``GET`` on ``audit`` bucket
-
- * - ``Admin``
- - :policy-action:`admin:*`
- - All :mc-cmd:`mc admin` commands.
-
-Users also inherit permissions from their assigned :ref:`groups
-`. A user's total set of permissions consists of their
-explicitly assigned permissions *and* the inherited permissions from each of
-their assigned groups.
-
-.. admonition:: ``Deny`` overrides ``Allow``
- :class: note
-
- MinIO follows the IAM policy evaluation rules where a ``Deny`` rule overrides
- ``Allow`` rule on the same action/resource. For example, if a user has an
- explicitly assigned policy with an ``Allow`` rule for an action/resource
- while one of its groups has an assigned policy with a ``Deny`` rule for that
- action/resource, MinIO would apply only the ``Deny`` rule.
-
- For more information on IAM policy evaluation logic, see the IAM
- documentation on
- :iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
- `.
-
-``root`` User
-~~~~~~~~~~~~~
-
-By default, MinIO deployments provide ``root`` user with access to all actions
-and resources on the deployment. The ``root`` user credentials are set when
-starting the ``minio`` server. When specifying the ``root`` access key and
-secret key, consider using *long, unique, and random* strings. Exercise all
-possible precautions in storing the access key and secret key, such that only
-known and trusted individuals who *require* superuser access to the deployment
-can retrieve the ``root`` credentials.
-
-- MinIO *strongly discourages* using the ``root`` user for regular client access
- regardless of the environment (development, staging, or production).
-
-- MinIO *strongly recommends* creating users such that each client has access to
- the minimal set of actions and resources required to perform their assigned
- workloads.
-
-.. _minio-auth-authz-groups:
-
-Groups
-------
-
-A *group* is a collection of :ref:`users `. Each group
-can have one or more assigned :ref:`policies `
-that explicitly list the actions and resources to which group members are
-allowed or denied access.
-
-For example, consider the following groups. Each group is assigned a
-:ref:`built-in policy ` or supported
-:ref:`policy action `. Each group also has one or
-more assigned users. Each user's total set of permissions consists of their
-explicitly assigned permission *and* the inherited permissions from each of
-their assigned groups.
-
-.. list-table::
- :header-rows: 1
- :widths: 20 40 40
- :width: 100%
-
- * - Group
- - Policy
- - Members
-
- * - ``Operations``
- - | :userpolicy:`readwrite` on ``finance`` bucket
- | :userpolicy:`readonly` on ``audit`` bucket
-
- - ``john.doe``, ``jane.doe``
-
- * - ``Auditing``
- - | :userpolicy:`readonly` on ``audit`` bucket
- - ``jen.doe``, ``joe.doe``
-
- * - ``Admin``
- - :policy-action:`admin:*`
- - ``greg.doe``, ``jen.doe``
-
-Groups provide a simplified method for managing shared permissions among
-users with common access patterns and workloads. Client's *cannot* authenticate
-to a MinIO deployment using a group as an identity.
-
-.. admonition:: ``Deny`` overrides ``Allow``
- :class: note
-
- MinIO follows the IAM standard where a ``Deny`` rule overrides ``Allow`` rule
- on the same action or resource. For example, if a user has an explicitly
- assigned policy with an ``Allow`` rule for an action/resource while one of
- its groups has an assigned policy with a ``Deny`` rule for that
- action/resource, MinIO would apply only the ``Deny`` rule.
-
- For more information on IAM policy evaluation logic, see the IAM
- documentation on
- :iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
- `.
-
-.. _minio-auth-authz-pbac-policies:
-
-Policies
---------
-
-MinIO uses Policy-Based Access Control (PBAC) for supporting *authorization* of
-users who have successfully *authenticated* to the deployment. Each policy
-describes one or more rules that outline the permissions of a user or group of
-users. MinIO PBAC follows the guidelines and standards set by AWS Identity and
-Access Management (IAM). MinIO supports a subset of :iam-docs:`IAM actions and
-conditions ` when
-creating policies. By default, MinIO *denies* access to actions or resources not
-explicitly referenced in a user's assigned or inherited policies.
-
-This section focuses on MinIO's implementation and extensions of IAM policies
-and access management. A complete description of IAM or IAM policies is out
-of scope of this documentation. Consider deferring to the
-:iam-docs:`IAM documentation <>` for more complete documentation on the
-IAM service.
-
-.. _minio-auth-authz-pbac-built-in:
-
-Built-In Policies
-~~~~~~~~~~~~~~~~~
-
-MinIO provides the following built-in policies for assigning to users
-and groups:
-
-.. userpolicy:: readonly
-
- Grants read-only permissions for all buckets and objects on the MinIO server.
-
-.. userpolicy:: readwrite
-
- Grants read and write permissions for all buckets and objects on the
- MinnIO server.
-
-.. userpolicy:: diagnostics
-
- Grants permission to perform diagnostic actions on the MinIO server.
-
-.. userpolicy:: writeonly
-
- Grants write-only permissions for all buckets and objects on the MinIO
- server.
-
-.. _minio-auth-authz-pbac-document:
-
-Policy Document Structure
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-MinIO policy documents use the same schema as
-:aws-docs:`AWS IAM Policy ` documents.
-
-The following sample document provides a general schema for creating custom
-policies for use with a MinIO deployment. For more complete documentation on IAM
-policy elements, see the :aws-docs:`IAM JSON Policy Elements Reference
-`.
-
-.. code-block:: javascript
- :class: copyable
-
- {
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Action" : [ "s3:", ... ],
- "Resource" : "arn:minio:s3:::*",
- "Condition" : { ... }
- },
- {
- "Effect" : "Deny",
- "Action" : [ "s3:", ... ],
- "Resource" : "arn:minio:s3:::*",
- "Condition" : { ... }
- }
- ]
- }
-
-- For the ``Statement.Action`` array, specify one or more
- :ref:`supported S3 actions `. MinIO deployments
- supports a subset of AWS S3 actions.
-
-- For the ``Statement.Resource`` key, you can replace the ``*`` with
- the specific bucket to which the policy statement should apply.
- Using ``*`` applies the statement to all resources on the MinIO deployment.
-
-- For the ``Statement.Condition`` key, you can specify one or more
- :ref:`supported Conditions `. MinIO
- deployments supports a subset of AWS S3 conditions.
-
-.. _minio-auth-authz-pbac-actions:
-
-Supported Policy Actions
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-MinIO policy documents support a subset of IAM
-:iam-docs:`S3 Action keys `.
-
-The following table lists the MinIO-supported policy action keys.
-
-.. policy-action:: s3:*
-
- Selector for all supported S3 actions.
-
-.. policy-action:: s3:AbortMultipartUpload
-
- Corresponds to the :s3-api:`s3:AbortMultipartUpload
- ` IAM action.
-
-.. policy-action:: s3:CreateBucket
-
- Corresponds to the :s3-api:`s3:CreateBucket ` IAM
- action.
-
-.. policy-action:: s3:DeleteBucket
-
- Corresponds to the :s3-api:`s3:DeleteBucket ` IAM
- action.
-
-.. policy-action:: s3:ForceDeleteBucket
-
- Corresponds to the :s3-api:`s3:DeleteBucket `
- IAM action for operations with the ``x-minio-force-delete`` flag.
-
-.. policy-action:: s3:DeleteBucketPolicy
-
- Corresponds to the :s3-api:`s3:DeleteBucketPolicy
- ` IAM action.
-
-.. policy-action:: s3:DeleteObject
-
- Corresponds to the :s3-api:`s3:DeleteObject ` IAM
- action.
-
-.. policy-action:: s3:GetBucketLocation
-
- Corresponds to the :s3-api:`s3:GetBucketLocation
- ` IAM action.
-
-.. policy-action:: s3:GetBucketNotification
-
- Corresponds to the :s3-api:`s3:GetBucketNotification
- ` IAM action.
-
-.. policy-action:: s3:GetBucketPolicy
-
- Corresponds to the :s3-api:`s3:GetBucketPolicy `
- IAM action.
-
-.. policy-action:: s3:GetObject
-
- Corresponds to the :s3-api:`s3:GetObject ` IAM action.
-
-.. policy-action:: s3:HeadBucket
-
- Corresponds to the :s3-api:`s3:HeadBucket ` IAM action.
-
- *This action is unused in MinIO.*
-
-.. policy-action:: s3:ListAllMyBuckets
-
- Corresponds to the :s3-api:`s3:ListAllMyBuckets `
- IAM action.
-
-.. policy-action:: s3:ListBucket
-
- Corresponds to the :s3-api:`s3:ListBucket ` IAM action.
-
-.. policy-action:: s3:ListMultipartUploads
-
- Corresponds to the :s3-api:`s3:ListMultipartUploads
- ` IAM action.
-
-.. policy-action:: s3:ListenNotification
-
- MinIO Extension for controlling API operations related to MinIO Bucket
- Notifications.
-
- This action is **not** intended for use with other S3-compatible services.
-
-.. policy-action:: s3:ListenBucketNotification
-
- MinIO Extension for controlling API operations related to MinIO Bucket
- Notifications.
-
- This action is **not** intended for use with other S3-compatible services.
-
-.. policy-action:: s3:ListParts
-
- Corresponds to the :s3-api:`s3:ListParts ` IAM action.
-
-.. policy-action:: s3:PutBucketLifecycle
-
- Corresponds to the :s3-api:`s3:PutBucketLifecycle
- ` IAM action.
-
-.. policy-action:: s3:GetBucketLifecycle
-
- Corresponds to the :s3-api:`s3:GetBucketLifecycle
- ` IAM action.
-
-.. policy-action:: s3:PutObjectNotification
-
- Corresponds to the :s3-api:`s3:PutObjectNotification
- ` IAM action.
-
-.. policy-action:: s3:PutBucketPolicy
-
- Corresponds to the :s3-api:`s3:PutBucketPolicy `
- IAM action.
-
-.. policy-action:: s3:PutObject
-
- Corresponds to the :s3-api:`s3:PutObject ` IAM action.
-
-.. policy-action:: s3:DeleteObjectVersion
-
- Corresponds to the :s3-api:`s3:DeleteObjectVersion
- ` IAM action.
-
-.. policy-action:: s3:DeleteObjectVersionTagging
-
- Corresponds to the :s3-api:`s3:DeleteObjectVersionTagging
- ` IAM action.
-
-.. policy-action:: s3:GetObjectVersion
-
- Corresponds to the :s3-api:`s3:GetObjectVersion
- ` IAM action.
-
-.. policy-action:: s3:GetObjectVersionTagging
-
- Corresponds to the :s3-api:`s3:GetObjectVersionTagging
- ` IAM action.
-
-.. policy-action:: s3:PutObjectVersionTagging
-
- Corresponds to the :s3-api:`s3:PutObjectVersionTagging
- ` IAM action.
-
-.. policy-action:: s3:BypassGovernanceRetention
-
- Corresponds to the :s3-docs:`s3:BypassGovernanceRetention
- ` IAM action.
-
- This action applies to the following API operations on objects locked under
- :mc-cmd:`GOVERNANCE ` retention mode:
-
- - ``PutObjectRetention``
- - ``PutObject``
- - ``DeleteObject``
-
-.. policy-action:: s3:PutObjectRetention
-
- Corresponds to the :s3-api:`s3:PutObjectRetention
- ` IAM action.
-
-.. policy-action:: s3:GetObjectRetention
-
- Corresponds to the :s3-api:`s3:GetObjectRetention
- ` IAM action.
-
- This action applies to the following API operations on objects locked under
- any retention mode:
-
- - ``GetObject``
- - ``HeadObject``
-
-.. policy-action:: s3:GetObjectLegalHold
-
- Corresponds to the :s3-api:`s3:GetObjectLegalHold
- ` IAM action.
-
- This action applies to the following API operations on objects locked under
- legal hold:
-
- - ``GetObject``
-
-.. policy-action:: s3:PutObjectLegalHold
-
- Corresponds to the :s3-api:`s3:PutObjectLegalHold
- ` IAM action.
-
- This action applies to the following API operations on objects locked
- under legal hold:
-
- - ``PutObject``
-
-.. policy-action:: s3:GetBucketObjectLockConfiguration
-
- Corresponds to the :s3-api:`s3:GetBucketObjectLockConfiguration
- ` IAM action.
-
-.. policy-action:: s3:PutBucketObjectLockConfiguration
-
- Corresponds to the :s3-api:`s3:PutBucketObjectLockConfiguration
- ` IAM action.
-
-.. policy-action:: s3:GetBucketTagging
-
- Corresponds to the :s3-api:`s3:GetBucketTagging `
- IAM action.
-
-.. policy-action:: s3:PutBucketTagging
-
- Corresponds to the :s3-api:`s3:PutBucketTagging `
- IAM action.
-
-.. policy-action:: s3:Get
-
- Corresponds to the :s3-api:`s3:Get ` IAM action.
-
-.. policy-action:: s3:Put
-
- Corresponds to the :s3-api:`s3:Put ` IAM action.
-
-.. policy-action:: s3:Delete
-
- Corresponds to the :s3-api:`s3:Delete ` IAM action.
-
-.. policy-action:: s3:PutBucketEncryption
-
- Corresponds to the :s3-api:`s3:PutBucketEncryption
- ` IAM action.
-
-.. policy-action:: s3:GetBucketEncryption
-
- Corresponds to the :s3-api:`s3:GetBucketEncryption
- ` IAM action.
-
-.. policy-action:: s3:PutBucketVersioning
-
- Corresponds to the :s3-api:`s3:PutBucketVersioning
- ` IAM action.
-
-.. policy-action:: s3:GetBucketVersioning
-
- Corresponds to the :s3-api:`s3:GetBucketVersioning
- ` IAM action.
-
-.. policy-action:: s3:GetReplicationConfiguration
-
- Corresponds to the :s3-api:`s3:GetReplicationConfiguration
- ` IAM action.
-
-.. policy-action:: s3:PutReplicationConfiguration
-
- Corresponds to the :s3-api:`s3:PutReplicationConfiguration
- ` IAM action.
-
-.. policy-action:: s3:ReplicateObject
-
- Corresponds to the :s3-api:`s3:ReplicateObject `
- IAM action.
-
-.. policy-action:: s3:ReplicateDelete
-
- Corresponds to the :s3-api:`s3:ReplicateDelete `
- IAM action.
-
-.. policy-action:: s3:ReplicateTags
-
- Corresponds to the :s3-api:`s3:ReplicateTags ` IAM
- action.
-
-.. policy-action:: s3:GetObjectVersionForReplication
-
- Corresponds to the :s3-api:`s3:GetObjectVersionForReplication
- ` IAM action.
-
-
-.. _minio-auth-authz-pbac-mc-admin-actions:
-
-``mc admin`` Policy Action Keys
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-MinIO supports the following actions for use with defining policies
-for :mc-cmd:`mc admin` operations. These actions are *only* valid for
-MinIO deployments and are *not* intended for use with other S3-compatible
-services:
-
-.. policy-action:: admin:*
-
- Selector for all admin action keys.
-
-.. policy-action:: admin:Heal
-
- Allows heal command
-
-.. policy-action:: admin:StorageInfo
-
- Allows listing server info
-
-.. policy-action:: admin:DataUsageInfo
-
- Allows listing data usage info
-
-.. policy-action:: admin:TopLocksInfo
-
- Allows listing top locks
-
-.. policy-action:: admin:Profiling
-
- Allows profiling
-
-.. policy-action:: admin:ServerTrace
-
- Allows listing server trace
-
-.. policy-action:: admin:ConsoleLog
-
- Allows listing console logs on terminal
-
-.. policy-action:: admin:KMSCreateKey
-
- Allows creating a new KMS master key
-
-.. policy-action:: admin:KMSKeyStatus
-
- Allows getting KMS key status
-
-.. policy-action:: admin:ServerInfo
-
- Allows listing server info
-
-.. policy-action:: admin:OBDInfo
-
- Allows obtaining cluster on-board diagnostics
-
-.. policy-action:: admin:ServerUpdate
-
- Allows MinIO binary update
-
-.. policy-action:: admin:ServiceRestart
-
- Allows restart of MinIO service.
-
-.. policy-action:: admin:ServiceStop
-
- Allows stopping MinIO service.
-
-.. policy-action:: admin:ConfigUpdate
-
- Allows MinIO config management
-
-.. policy-action:: admin:CreateUser
-
- Allows creating MinIO user
-
-.. policy-action:: admin:DeleteUser
-
- Allows deleting MinIO user
-
-.. policy-action:: admin:ListUsers
-
- Allows list users permission
-
-.. policy-action:: admin:EnableUser
-
- Allows enable user permission
-
-.. policy-action:: admin:DisableUser
-
- Allows disable user permission
-
-.. policy-action:: admin:GetUser
-
- Allows GET permission on user info
-
-.. policy-action:: admin:AddUserToGroup
-
- Allows adding user to group permission
-
-.. policy-action:: admin:RemoveUserFromGroup
-
- Allows removing user to group permission
-
-.. policy-action:: admin:GetGroup
-
- Allows getting group info
-
-.. policy-action:: admin:ListGroups
-
- Allows list groups permission
-
-.. policy-action:: admin:EnableGroup
-
- Allows enable group permission
-
-.. policy-action:: admin:DisableGroup
-
- Allows disable group permission
-
-.. policy-action:: admin:CreatePolicy"
-
- Allows create policy permission
-
-.. policy-action:: admin:DeletePolicy
-
- Allows delete policy permission
-
-.. policy-action:: admin:GetPolicy
-
- Allows get policy permission
-
-.. policy-action:: admin:AttachUserOrGroupPolicy
-
- Allows attaching a policy to a user/group
-
-.. policy-action:: admin:ListUserPolicies
-
- Allows listing user policies
-
-.. policy-action:: admin:SetBucketQuota
-
- Allows setting bucket quota
-
-.. policy-action:: admin:GetBucketQuota
-
- Allows getting bucket quota
-
-.. policy-action:: admin:SetBucketTarget
-
- Allows setting bucket target
-
-.. policy-action:: admin:GetBucketTarget
-
- Allows getting bucket targets
-
-.. _minio-auth-authz-pbac-conditions:
-
-Supported Policy Condition Keys
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-MinIO policy documents support IAM
-:iam-docs:`conditional statements `.
-
-Each condition element consists of
-:iam-docs:`operators `
-and condition keys. MinIO supports a subset of IAM condition keys. For complete
-information on any listed condition key, see the
-:iam-docs:`IAM Condition Element Documentation
-`
-
-MinIO supports the following condition keys for all supported
-:ref:`actions `:
-
-- ``aws:Referer``
-- ``aws:SourceIp``
-- ``aws:UserAgent``
-- ``aws:SecureTransport``
-- ``aws:CurrentTime``
-- ``aws:EpochTime``
-- ``aws:PrincipalType``
-- ``aws:userid``
-- ``aws:username``
-- ``s3:x-amz-content-sha256``
-
-The following table lists additional supported condition keys for specific
-actions:
-
-.. list-table::
- :header-rows: 1
- :widths: 30 70
- :width: 100%
-
- * - Action Key
- - Condition Keys
-
- * - :policy-action:`s3:GetObject`
- - | ``s3:x-amz-server-side-encryption``
- | ``s3:x-amz-server-side-encryption-customer-algorithm``
-
- * - :policy-action:`s3:ListBucket`
- - | ``s3:prefix``
- | ``s3:delimiter``
- | ``s3:max-keys``
-
- * - :policy-action:`s3:PutObject`
- - | ``s3:x-amz-copy-source``
- | ``s3:x-amz-server-side-encryption``
- | ``s3:x-amz-server-side-encryption-customer-algorithm``
- | ``s3:x-amz-metadata-directive``
- | ``s3:x-amz-storage-class``
- | ``s3:object-lock-retain-until-date``
- | ``s3:object-lock-mode``
- | ``s3:object-lock-legal-hold``
-
- * - :policy-action:`s3:PutObjectRetention`
- - | ``s3:x-amz-object-lock-remaining-retention-days``
- | ``s3:x-amz-object-lock-retain-until-date``
- | ``s3:x-amz-object-lock-mode``
-
- * - :policy-action:`s3:PutObjectLegalHold`
- - ``s3:object-lock-legal-hold``
-
- * - :policy-action:`s3:BypassGovernanceRetention`
- - | ``s3:object-lock-remaining-retention-days``
- | ``s3:object-lock-retain-until-date``
- | ``s3:object-lock-mode``
- | ``s3:object-lock-legal-hold``
-
- * - :policy-action:`s3:GetObjectVersion`
- - ``s3:versionid``
-
- * - :policy-action:`s3:GetObjectVersionTagging`
- - ``s3:versionid``
-
- * - :policy-action:`s3:DeleteObjectVersion`
- - ``s3:versionid``
-
- * - :policy-action:`s3:DeleteObjectVersionTagging`
- - ``s3:versionid``
-
-``mc admin`` Policy Condition Keys
-``````````````````````````````````
-
-MinIO supports the following conditions for use with defining policies for
-:mc-cmd:`mc admin` :ref:`actions `.
-
-- ``aws:Referer``
-- ``aws:SourceIp``
-- ``aws:UserAgent``
-- ``aws:SecureTransport``
-- ``aws:CurrentTime``
-- ``aws:EpochTime``
-
-For complete information on any listed condition key, see the :iam-docs:`IAM
-Condition Element Documentation `
-
-Creating Custom Policies
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-Use the ``mc admin policy`` command to add a policy to the MinIO
-server. The policy *must* be a valid JSON document formatted according to
-IAM policy specifications. For example:
-
-.. code-block:: shell
-
- mc config host add myminio http://myminio1.example.net:9000
-
- mc admin policy add myminio/ new_policy new_policy.json
-
-To add this policy to a user or group, use the ``mc admin policy set`` command:
-
-.. code-block:: shell
-
- mc admin policy set myminio/ new_policy user=user_name
-
- mc admin policy set myminio/ new_policy group=group_name
-
diff --git a/source/security/minio-authentication-authorization.rst b/source/security/minio-authentication-authorization.rst
index 51cdb6c5..37228775 100644
--- a/source/security/minio-authentication-authorization.rst
+++ b/source/security/minio-authentication-authorization.rst
@@ -13,8 +13,8 @@ Overview
*Authentication* is the process of verifying the identity of a connecting
client. MinIO authentication requires providing user credentials in the form of
-an access key and corresponding secret key. The MinIO deployment only grants
-access *if*:
+an access key (username) and corresponding secret key (password). The MinIO
+deployment only grants access *if*:
- The access key corresponds to a user on the deployment, *and*
- The secret key corresponds to the specified access key.
@@ -37,15 +37,6 @@ referenced in a user's assigned or inherited policies.
- For more information on MinIO policy creation, see
:ref:`minio-auth-authz-pbac-policies`.
-MinIO also supports Secure Token Service (STS) authentication, where clients use
-a supported OIDC-compliant third-party identity provider to perform
-authentication. MinIO uses the security token returned by the provider to
-generate a random access key and secret key that the client can use for
-authenticating to the deployment. The username specified to the third-party
-identity provider *must* match an existing user on the MinIO deployment. MinIO
-uses the policies associated to that existing user for authorizing client
-operations. For more information, see :ref:`minio-sts-overview`.
-
.. _minio-auth-authz-users:
Users
@@ -569,8 +560,8 @@ The following table lists the MinIO-supported policy action keys.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO supports the following actions for use with defining policies
-for :mc-cmd:`mc admin` operations. These actions are **only** valid for
-MinIO deployments and are **not** intended for use with other S3-compatible
+for :mc-cmd:`mc admin` operations. These actions are *only* valid for
+MinIO deployments and are *not* intended for use with other S3-compatible
services:
.. policy-action:: admin:*