mirror of https://github.com/minio/docs.git synced 2025-07-28 19:42:10 +03:00

CSS and JS fixups

Trying a simplified layout + css + js
This commit is contained in:
ravindk89
2020-09-18 21:15:05 -04:00
parent 7a540e11e8
commit 833931246f
5 changed files with 288 additions and 1062 deletions

View File

@ -8,6 +8,12 @@
:root { :root {
--table-border-color: #e6e6e6; --table-border-color: #e6e6e6;
--minio-red: #c72e49;
--minio-midnight: #012b35;
--minio-nautical: #00303f;
--minio-meridian: #132742;
--minio-glacier: #edf7f7;
} }
body { body {
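Review bot: the new custom properties are only partly adopted in the rest of this file: `body div.center dl.minio` keeps the literal `#01262e2a` borders, `nav.navigation` uses `background-color: black`, and `--minio-midnight`, `--minio-nautical` and `--minio-glacier` are defined without any visible rule using them. Either migrate the remaining literals to the variables (adding one for `#01262e` if that shade is intended) or drop the unused definitions, so the `:root` block stays the single source of truth for the palette.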
@ -15,232 +21,237 @@ body {
font-size: 100%; font-size: 100%;
} }
div.body { div.flexwrapper {
min-width: 500px; display: flex;
max-width: 600px; flex-flow: row wrap;
margin: 0 0 0 300px;
position: relative; width: auto;
z-index: 0; height: 100vh;
padding-top: 10px; /* overflow: hidden;
Have to comment this out because clicking anchors breaks layout. */
} }
div.body p { div :target.h1,h2,h3,h4 {
font-size: 90%; scroll-margin-top: 100px;
} }
div.admonition { /* Left Column CSS */
font-family: Mark, Helvetica, sans-serif;
border-left: 5px solid #c72e49;
}
div.admonition p.admonition-title { body div.left {
font-family: Mark, Helvetica, sans-serif; width: 250px;
text-transform: uppercase; /* flex-shrink: 0; */
font-size: 100%;
font-weight: bold;
}
div.body h1,
div.body h2,
div.body h3,
div.body h4,
div.body h5,
div.body h6 {
font-family: Mark, sans-serif;
font-weight: normal;
margin: 30px 0px 10px 0px;
padding: 0;
color: #c72e49;
}
div.sphinxsidebar {
width: 300px;
font-size: 80%;
line-height: 1.5;
box-shadow: 5px 5px 5px #e6e6e6;
height: 100%;
z-index: 1
}
div.sphinxsidebar h3,
div.sphinxsidebar h4 {
font-family: Mark, sans-serif;
font-size: 24px;
font-weight: normal;
margin: 0 0 5px 0;
padding: 0;
}
div.document {
margin: 0 0 0 0;
width: 100%;
position: relative;
top: 75px;
}
div.section code {
color: #c72e49;
}
div.topic {
background-color: #edf7f71A;
}
div.localtoc {
position: fixed; position: fixed;
top: 75px;
right: 0px;
margin-right: 18px;
min-width: 200px;
max-width: 250px;
font-size: 90%;
}
div.localtoc ul {
list-style: none;
margin: 0px 10px;
}
div.localtoc ul li {
transition: all 10ms ease-in-out;
}
/* div.localtoc ul li.active {
color: #c72e49;
list-style: square;
position: relative;
border-left: 5px solid #c72e49;
padding-left: 5px;
margin-left: -10px;
} */
div.localtoc ul li p {
padding-top: 3px;
padding-bottom: 3px;
}
div.localtoc ul li p.active-p {
position: relative;
border-left: 5px solid #c72e49;
padding-left: 5px;
margin-left: -10px;
}
div.body a {
color: #c72e49;
text-decoration: none;
}
div.body :target {
scroll-margin-top: 75px;
}
div.body a.reference.internal code {
color: #c72e49;
}
div.sphinxsidebar a.current.reference.internal {
color: #c72e49;
font-weight: bold;
position: relative;
border-left: 5px solid #c72e49;
padding-left: 5px;
margin-left: -10px;
}
div.contents.local.topic a{
border-bottom: none;
}
div.sphinxsidebar a.reference.internal {
margin: 10px 0px 10px 0px;
display: block; display: block;
border-bottom: 0px; left: 0px;
top: 85px;
color: var(--minio-meridian);
z-index: 5;
} }
div.sphinxsidebar a:hover { body div.left li.toctree-l1 a {
text-decoration: none; color: var(--minio-meridian);
}
body div.left div.sphinxsidebarwrapper {
padding: 0 0 0 5px;
} }
img.logo { body div.left div.sphinxsidebarwrapper ul {
height: 120px; list-style: none;
margin-left: 10px;
} }
div.sphinxsidebar ul ul { body div.left button.sphinxsidebarbutton {
width: 100px;
margin-left: auto;
background: none;
border: none;
margin-bottom: 5px;
}
body div.left div.sphinxsidebarwrapper a.current.reference.internal {
color: var(--minio-red);
font-weight: bold;
position: relative;
border-left: 5px solid var(--minio-red);
padding-left: 5px;
margin-left: -10px;
}
body div.left div.sphinxsidebarwrapper li.toctree-l1 {
margin-top: 10px;
margin-bottom: 10px;
padding-bottom: 5px;
border-bottom: 1px solid var(--table-border-color);
list-style: none; list-style: none;
} }
dt { body div.left a.reference {
font-weight: bold; text-decoration: none;
border: none;
} }
div.body table.docutils {
border-color: var(--table-border-color);
} /* Center Column CSS */
div.body div.alert-info { div.body div.alert-info {
background-color:#c72e491a;
padding-left: 5px; padding-left: 5px;
padding-right: 5px; padding-right: 5px;
border: 2px #c72e49 solid; border: 2px var(--minio-red) solid;
border-radius: 10px; border-radius: 10px;
} }
div.body div.alert-info p { body div.center {
text-align: center; flex: 9;
} overflow-y: auto;
overflow-x: hidden;
div.body table.docutils th { flex-grow: 9;
border-top: 1px solid var(--table-border-color); flex-shrink: 4;
border-bottom: 1px solid var(--table-border-color); z-index: 0;
border-left: none; margin-left: 250px;
border-right: none; margin-top: 85px;
} scroll-margin-top: 85px;
div.body table.docutils td {
border-top: 1px solid var(--table-border-color);
border-bottom: 1px solid var(--table-border-color);
border-left: none;
border-right: none;
}
div.header {
background-color: #01262e;
height: 75px;
width: 100%;
position: fixed;
z-index: 2;
top: 0px;
}
div.header img.logo {
height: 100%; height: 100%;
padding-top: 28.5px;
padding-left: 10px; padding-left: 10px;
}
div.header div.navbar {
float: right;
text-align: center;
padding-right: 10px; padding-right: 10px;
} }
div.header img.logo { body div.center div.admonition p.admonition-title {
height: 18px; font-family: Mark, Helvetica, sans-serif;
font-size: 110%;
} }
div.footer { body div.center h1,
width: 100%; body div.center h2,
text-align: center; body div.center h3,
body div.center h4,
body div.center h5,
body div.center h6 {
font-family: Mark, sans-serif;
font-weight: normal;
margin: 30px 0px 10px 0px;
padding: 0;
} }
dl.minio { body #toc-backref {
color: var(--minio-meridian);
}
body div.center a.reference.internal {
color: var(--minio-red);
text-decoration: none;
}
body div.center a.reference.internal code {
color: var(--minio-red);
}
body div.center a.toc-backref {
text-decoration: none;
color: var(--minio-meridian);
}
body div.center dl.minio {
border-bottom: 1px solid #01262e2a; border-bottom: 1px solid #01262e2a;
border-top: 1px solid #01262e2a; border-top: 1px solid #01262e2a;
padding-top: 10px; padding-top: 10px;
padding-bottom: 10px; padding-bottom: 10px;
} }
body div.center code.descclassname {
font-weight: bold;
}
body div.center table.docutils {
border: 1px solid var(--table-border-color);
}
body div.center table.docutils th {
border-top: 1px solid var(--table-border-color);
border-bottom: 1px solid var(--table-border-color);
border-left: none;
border-right: none;
}
body div.center table.docutils td {
border-top: 1px solid var(--table-border-color);
border-bottom: 1px solid var(--table-border-color);
border-left: none;
border-right: none;
}
body div.center p {
padding-left: 10px;
}
/* Right-Column CSS */
body div.right {
flex: 3;
flex-shrink: 0;
margin-left: 10px;
margin-top: 85px;
}
body div.right div.topic {
background-color: #fff;
border-style: none;
}
body div.right ul.simple {
margin-left: 5px;
}
body div.right ul {
list-style: none;
}
body div.right a.reference.internal {
color: var(--minio-meridian);
text-decoration: none;
border-bottom: none;
}
body div.right p.active-p {
border-left: 5px solid var(--minio-red);
padding-left: 5px;
margin-left: -10px;
}
/* Collapse CSS */
body div.left.collapsed {
left: -300px;
}
body div.left button.sphinxsidebarbutton.collapsed {
left: 0px;
position: fixed;
}
body div.column.collapsed {
margin-left: 50px;
}
/* Navigation CSS */
nav.navigation img.logo {
height: 18px;
padding-top: 28.5px;
padding-left: 10px;
}
nav.navigation {
position: fixed;
background-color: black;
width: 100%;
height: 75px;
top: 0px;
z-index: 1;
}
/* Admonition CSS TODO*/
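Review bot: the selector `div :target.h1,h2,h3,h4 { scroll-margin-top: 100px; }` does not express the intent: `.h1` is a class selector, not the `h1` element, and because the comma separates four independent selectors, plain `h2`, `h3` and `h4` receive the margin whether or not they are the target. Write it as `div h1:target, div h2:target, div h3:target, div h4:target` (or simply `div.body :target`, which is what the removed rule did). The offsets also disagree: this rule uses 100px, `body div.center` sets `scroll-margin-top: 85px`, and `nav.navigation` is 75px tall; one constant, ideally a custom property next to the new colour variables, would keep anchor jumps landing consistently below the fixed nav. Two smaller points: `body div.center` sets `flex: 9` and then immediately overrides its grow and shrink values with `flex-grow: 9; flex-shrink: 4;`, so the shorthand is redundant; and the old `div.admonition { border-left: 5px solid #c72e49 }` and uppercase-title rules are dropped with only `/* Admonition CSS TODO*/` in their place, so admonitions render without their red accent until that TODO is resolved.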

View File

@ -18,15 +18,13 @@ window.addEventListener('DOMContentLoaded', (event) => {
// how to resolve that. // how to resolve that.
let options = { let options = {
root: document.querySelector('#scrollArea'), root: document.querySelector('div.center'),
rootMargin: '-150px 0px -300px 0px' rootMargin: '-150px 0px -300px 0px'
} }
const observer = new IntersectionObserver(entries => { const observer = new IntersectionObserver(entries => {
entries.forEach(entry => { entries.forEach(entry => {
const id = entry.target.getAttribute('id'); const id = entry.target.getAttribute('id');
console.log("entry is " + id + " Ratio is " + entry.intersectionRatio)
console.log(entry.rootBounds)
if (id == document.querySelector('.section[id]').getAttribute('id')) if (id == document.querySelector('.section[id]').getAttribute('id'))
return 0 return 0
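Review bot: `document.querySelector('.section[id]').getAttribute('id')` is re-evaluated for every entry on every observer callback just to find the first section's id; hoist it into a constant beside `options` (for example `const firstSectionId = document.querySelector('.section[id]').getAttribute('id');`) and compare against that. `return 0` inside a `forEach` callback only skips the current entry and its value is discarded, so a bare `return` states that more clearly. The root change to `div.center` is correct given the new `overflow-y: auto` on that column, which the observer needs to be a scroll container; note that if the selector ever misses, `root` silently becomes `null` (the viewport), so a comment or guard on that assumption is worth adding.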
@ -60,6 +58,26 @@ window.addEventListener('DOMContentLoaded', (event) => {
observer.observe(section); observer.observe(section);
}); });
const leftcolumn = document.querySelector('.left');
const centercolumn = document.querySelector('.center');
const rightcolumn = document.querySelector('.right');
const button = document.querySelector('.sphinxsidebarbutton');
const sidebarwrapper = document.querySelector('.sphinxsidebarwrapper');
function expando() {
button.classList.toggle('collapsed');
leftcolumn.classList.toggle('collapsed');
centercolumn.classList.toggle('collapsed');
sidebarwrapper.classList.toggle('collapsed');
if (button.textContent == "[x] Collapse") {
button.textContent = "[x] Expand";
}
else {
button.textContent = "[x] Collapse";
}
}
button.addEventListener( "click", expando );
}); });
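Review bot: `expando()` picks the new label by comparing `button.textContent` with the literal `"[x] Collapse"`, which must match the template markup byte for byte and fails silently on any whitespace or wording change; derive it from the class you already toggle instead, e.g. `const collapsed = button.classList.contains('collapsed'); button.textContent = collapsed ? '[x] Expand' : '[x] Collapse'; button.setAttribute('aria-expanded', String(!collapsed));`. `rightcolumn` is declared but never used. Also, `sidebarwrapper` is `null` whenever the template's `render_sidebar` is false (the macro guards the wrapper but the button is rendered outside that guard), so `sidebarwrapper.classList.toggle` throws on the first click; guard it or move the button inside the same condition.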

View File

@ -5,21 +5,60 @@
{# Override content block #} {# Override content block #}
{%- macro miniosidebar() %}
{%- if render_sidebar %}
<div class="sphinxsidebarwrapper" role="navigation">
{%- block sidebarlogo %}
{%- if logo %}
<p class="logo"><a href="{{ pathto(master_doc)|e }}">
<img class="logo" src="{{ pathto('_static/' + logo, 1)|e }}" alt="Logo"/>
</a></p>
{%- endif %}
{%- endblock %}
{%- if sidebars != None %}
{#- new style sidebar: explicitly include/exclude templates #}
{%- for sidebartemplate in sidebars %}
{%- include sidebartemplate %}
{%- endfor %}
{%- else %}
{#- old style sidebars: using blocks -- should be deprecated #}
{%- block sidebartoc %}
{%- include "localtoc.html" %}
{%- endblock %}
{%- block sidebarrel %}
{%- include "relations.html" %}
{%- endblock %}
{%- block sidebarsourcelink %}
{%- include "sourcelink.html" %}
{%- endblock %}
{%- if customsidebar %}
{%- include customsidebar %}
{%- endif %}
{%- block sidebarsearch %}
{%- include "searchbox.html" %}
{%- endblock %}
{%- endif %}
</div>
{%- endif %}
{%- endmacro %}
{%- block header %} {%- block header %}
<div class="header"> <nav class="navigation">
<a href="https://min.io"> <a href="https://min.io">
<img class="logo" src="{{ pathto('_static/docs-logo.svg',1) }}" alt="Logo"/> <img class="logo" src="{{ pathto('_static/docs-logo.svg',1) }}" alt="Logo"/>
</a> </a>
<div class="navbar"> </nav>
<p style="color: white">This will someday contain a header</p>
</div>
</div>
{%- endblock %} {%- endblock %}
{%- block content %} {%- block content %}
<div class="document">
{{ sidebar() }} <div class="left column">
<div class=body> <button class="sphinxsidebarbutton button-collapse">[x] Collapse</button>
{{ miniosidebar() }}
</div>
<div class="flexwrapper">
<div class="center column">
<div class="body">
{% block alertbar -%} {% block alertbar -%}
<div class="alert alert-info"> <div class="alert alert-info">
<span class="alert-message"> <span class="alert-message">
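Review bot: the collapse button (`<button class="sphinxsidebarbutton button-collapse">`) is rendered unconditionally while `miniosidebar()` emits `div.sphinxsidebarwrapper` only under `{%- if render_sidebar %}`, so with the sidebar disabled the page shows a button whose handler targets a missing element. Move the button inside the `render_sidebar` guard, add `type="button"` so it never submits an enclosing form, and give it `aria-expanded="true"` plus `aria-controls` pointing at the wrapper (which then needs an `id`). Separately, `miniosidebar()` appears to be a near-verbatim copy of Sphinx's own `sidebar()` macro with the outer `div.sphinxsidebar` removed and `role="navigation"` moved onto the wrapper; a one-line Jinja comment stating that difference would save the next reader a diff against `basic/layout.html`.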
@ -36,8 +75,11 @@
&copy;{{ copyright }} &copy;{{ copyright }}
</div> </div>
</div> </div>
<div id=localtoc class=localtoc>
</div> </div>
<div class="right column">
<div id=localtoc class=localtoc></div>
</div>
</div> </div>
{%- endblock %} {%- endblock %}
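Review bot: `<div id=localtoc class=localtoc></div>` uses unquoted attribute values while every other element in this template quotes them (`class="right column"`); quote both for consistency and so the class list can gain a second token without breaking. The right column is otherwise empty markup, and nothing in this template shows what populates `#localtoc`; a short Jinja comment naming the script that fills it would help.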

View File

@ -1,836 +0,0 @@
================================
Authentication and Authorization
================================
.. default-domain:: minio
.. contents:: On This Page
:local:
:depth: 2
Overview
--------
*Authentication* is the process of verifying the identity of a connecting
client. MinIO authentication requires providing user credentials in the form of
an access key (username) and corresponding secret key (password). The MinIO
deployment only grants access *if*:
- The access key corresponds to a user on the deployment, *and*
- The secret key corresponds to the specified access key.
*Authorization* is the process of restricting the actions and resources the
authenticated client can perform on the deployment. MinIO uses Policy-Based
Access Control (PBAC), where each policy describes one or more rules that
outline the permissions of a user or group of users. MinIO supports a subset of
:iam-docs:`IAM actions and conditions
<reference_policies_actions-resources-contextkeys.html>` when creating policies.
By default, MinIO *denies* access to actions or resources not explicitly
referenced in a user's assigned or inherited policies.
- For more information on MinIO user management, see
:ref:`minio-auth-authz-users`.
- For more information on MinIO group management, see
:ref:`minio-auth-authz-groups`.
- For more information on MinIO policy creation, see
:ref:`minio-auth-authz-pbac-policies`.
.. _minio-auth-authz-users:
Users
-----
A *user* is an identity with associated privileges on a MinIO deployment. Each
user consists of a unique access key (username) and corresponding secret key
(password). The access key and secret key support *authentication* on the MinIO
deployment, similar to a username and password. Clients must specify both a
valid access key (username) and the corresponding secret key (password) to
access the MinIO deployment.
Each user can have one or more assigned :ref:`policies
<minio-auth-authz-pbac-policies>` that explicitly list the actions and resources
to which the user is allowed or denied access. Policies support *authorization*
of operations on the MinIO deployment, such that clients can only perform
an operation if the user's assigned policies allow access to both the operation
*action* and the target *resources*.
For example, consider the following table of users. Each user is assigned
a :ref:`built-in policy <minio-auth-authz-pbac-built-in>` or
a supported :ref:`action <minio-auth-authz-pbac-actions>`. The table
describes a subset of operations a client could perform if authenticated
as that user:
.. list-table::
:header-rows: 1
:widths: 20 40 40
:width: 100%
* - User
- Policy
- Operations
* - ``Operations``
- | :userpolicy:`readwrite` on ``finance`` bucket
| :userpolicy:`readonly` on ``audit`` bucket
- | ``PUT`` and ``GET`` on ``finance`` bucket.
| ``PUT`` on ``audit`` bucket
* - ``Auditing``
- | :userpolicy:`readonly` on ``audit`` bucket
- ``GET`` on ``audit`` bucket
* - ``Admin``
- :policy-action:`admin:*`
- All :mc-cmd:`mc admin` commands.
Users also inherit permissions from their assigned :ref:`groups
<minio-auth-authz-groups>`. A user's total set of permissions consists of their
explicitly assigned permissions *and* the inherited permissions from each of
their assigned groups.
.. admonition:: ``Deny`` overrides ``Allow``
:class: note
MinIO follows the IAM policy evaluation rules where a ``Deny`` rule overrides
``Allow`` rule on the same action/resource. For example, if a user has an
explicitly assigned policy with an ``Allow`` rule for an action/resource
while one of its groups has an assigned policy with a ``Deny`` rule for that
action/resource, MinIO would apply only the ``Deny`` rule.
For more information on IAM policy evaluation logic, see the IAM
documentation on
:iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
<reference_policies_evaluation-logic.html#policy-eval-denyallow>`.
``root`` User
~~~~~~~~~~~~~
By default, MinIO deployments provide ``root`` user with access to all actions
and resources on the deployment. The ``root`` user credentials are set when
starting the ``minio`` server. When specifying the ``root`` access key and
secret key, consider using *long, unique, and random* strings. Exercise all
possible precautions in storing the access key and secret key, such that only
known and trusted individuals who *require* superuser access to the deployment
can retrieve the ``root`` credentials.
- MinIO *strongly discourages* using the ``root`` user for regular client access
regardless of the environment (development, staging, or production).
- MinIO *strongly recommends* creating users such that each client has access to
the minimal set of actions and resources required to perform their assigned
workloads.
.. _minio-auth-authz-groups:
Groups
------
A *group* is a collection of :ref:`users <minio-auth-authz-users>`. Each group
can have one or more assigned :ref:`policies <minio-auth-authz-pbac-policies>`
that explicitly list the actions and resources to which group members are
allowed or denied access.
For example, consider the following groups. Each group is assigned a
:ref:`built-in policy <minio-auth-authz-pbac-built-in>` or supported
:ref:`policy action <minio-auth-authz-pbac-actions>`. Each group also has one or
more assigned users. Each user's total set of permissions consists of their
explicitly assigned permission *and* the inherited permissions from each of
their assigned groups.
.. list-table::
:header-rows: 1
:widths: 20 40 40
:width: 100%
* - Group
- Policy
- Members
* - ``Operations``
- | :userpolicy:`readwrite` on ``finance`` bucket
| :userpolicy:`readonly` on ``audit`` bucket
- ``john.doe``, ``jane.doe``
* - ``Auditing``
- | :userpolicy:`readonly` on ``audit`` bucket
- ``jen.doe``, ``joe.doe``
* - ``Admin``
- :policy-action:`admin:*`
- ``greg.doe``, ``jen.doe``
Groups provide a simplified method for managing shared permissions among
users with common access patterns and workloads. Client's *cannot* authenticate
to a MinIO deployment using a group as an identity.
.. admonition:: ``Deny`` overrides ``Allow``
:class: note
MinIO follows the IAM standard where a ``Deny`` rule overrides ``Allow`` rule
on the same action or resource. For example, if a user has an explicitly
assigned policy with an ``Allow`` rule for an action/resource while one of
its groups has an assigned policy with a ``Deny`` rule for that
action/resource, MinIO would apply only the ``Deny`` rule.
For more information on IAM policy evaluation logic, see the IAM
documentation on
:iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
<reference_policies_evaluation-logic.html#policy-eval-denyallow>`.
.. _minio-auth-authz-pbac-policies:
Policies
--------
MinIO uses Policy-Based Access Control (PBAC) for supporting *authorization* of
users who have successfully *authenticated* to the deployment. Each policy
describes one or more rules that outline the permissions of a user or group of
users. MinIO PBAC follows the guidelines and standards set by AWS Identity and
Access Management (IAM). MinIO supports a subset of :iam-docs:`IAM actions and
conditions <reference_policies_actions-resources-contextkeys.html>` when
creating policies. By default, MinIO *denies* access to actions or resources not
explicitly referenced in a user's assigned or inherited policies.
This section focuses on MinIO's implementation and extensions of IAM policies
and access management. A complete description of IAM or IAM policies is out
of scope of this documentation. Consider deferring to the
:iam-docs:`IAM documentation <>` for more complete documentation on the
IAM service.
.. _minio-auth-authz-pbac-built-in:
Built-In Policies
~~~~~~~~~~~~~~~~~
MinIO provides the following built-in policies for assigning to users
and groups:
.. userpolicy:: readonly
Grants read-only permissions for all buckets and objects on the MinIO server.
.. userpolicy:: readwrite
Grants read and write permissions for all buckets and objects on the
MinnIO server.
.. userpolicy:: diagnostics
Grants permission to perform diagnostic actions on the MinIO server.
.. userpolicy:: writeonly
Grants write-only permissions for all buckets and objects on the MinIO
server.
.. _minio-auth-authz-pbac-document:
Policy Document Structure
~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO policy documents use the same schema as
:aws-docs:`AWS IAM Policy <IAM/latest/UserGuide/access.html>` documents.
The following sample document provides a general schema for creating custom
policies for use with a MinIO deployment. For more complete documentation on IAM
policy elements, see the :aws-docs:`IAM JSON Policy Elements Reference
<IAM/latest/UserGuide/reference_policies_elements.html>`.
.. code-block:: javascript
:class: copyable
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [ "s3:<ActionName>", ... ],
"Resource" : "arn:minio:s3:::*",
"Condition" : { ... }
},
{
"Effect" : "Deny",
"Action" : [ "s3:<ActionName>", ... ],
"Resource" : "arn:minio:s3:::*",
"Condition" : { ... }
}
]
}
- For the ``Statement.Action`` array, specify one or more
:ref:`supported S3 actions <minio-auth-authz-pbac-actions>`. MinIO deployments
supports a subset of AWS S3 actions.
- For the ``Statement.Resource`` key, you can replace the ``*`` with
the specific bucket to which the policy statement should apply.
Using ``*`` applies the statement to all resources on the MinIO deployment.
- For the ``Statement.Condition`` key, you can specify one or more
:ref:`supported Conditions <minio-auth-authz-pbac-conditions>`. MinIO
deployments supports a subset of AWS S3 conditions.
.. _minio-auth-authz-pbac-actions:
Supported Policy Actions
~~~~~~~~~~~~~~~~~~~~~~~~
MinIO policy documents support a subset of IAM
:iam-docs:`S3 Action keys <list_amazons3.html#amazons3-actions-as-permissions>`.
The following table lists the MinIO-supported policy action keys.
.. policy-action:: s3:*
Selector for all supported S3 actions.
.. policy-action:: s3:AbortMultipartUpload
Corresponds to the :s3-api:`s3:AbortMultipartUpload
<API_AbortMultipartUpload.html>` IAM action.
.. policy-action:: s3:CreateBucket
Corresponds to the :s3-api:`s3:CreateBucket <API_CreateBucket.html>` IAM
action.
.. policy-action:: s3:DeleteBucket
Corresponds to the :s3-api:`s3:DeleteBucket <API_DeleteBucket.html>` IAM
action.
.. policy-action:: s3:ForceDeleteBucket
Corresponds to the :s3-api:`s3:DeleteBucket <API_ForceDeleteBucket.html>`
IAM action for operations with the ``x-minio-force-delete`` flag.
.. policy-action:: s3:DeleteBucketPolicy
Corresponds to the :s3-api:`s3:DeleteBucketPolicy
<API_DeleteBucketPolicy.html>` IAM action.
.. policy-action:: s3:DeleteObject
Corresponds to the :s3-api:`s3:DeleteObject <API_DeleteObject.html>` IAM
action.
.. policy-action:: s3:GetBucketLocation
Corresponds to the :s3-api:`s3:GetBucketLocation
<API_GetBucketLocation.html>` IAM action.
.. policy-action:: s3:GetBucketNotification
Corresponds to the :s3-api:`s3:GetBucketNotification
<API_GetBucketNotification.html>` IAM action.
.. policy-action:: s3:GetBucketPolicy
Corresponds to the :s3-api:`s3:GetBucketPolicy <API_GetBucketPolicy.html>`
IAM action.
.. policy-action:: s3:GetObject
Corresponds to the :s3-api:`s3:GetObject <API_GetObject.html>` IAM action.
.. policy-action:: s3:HeadBucket
Corresponds to the :s3-api:`s3:HeadBucket <API_HeadBucket.html>` IAM action.
*This action is unused in MinIO.*
.. policy-action:: s3:ListAllMyBuckets
Corresponds to the :s3-api:`s3:ListAllMyBuckets <API_ListAllMyBuckets.html>`
IAM action.
.. policy-action:: s3:ListBucket
Corresponds to the :s3-api:`s3:ListBucket <API_ListBucket.html>` IAM action.
.. policy-action:: s3:ListMultipartUploads
Corresponds to the :s3-api:`s3:ListMultipartUploads
<API_ListMultipartUploads.html>` IAM action.
.. policy-action:: s3:ListenNotification
MinIO Extension for controlling API operations related to MinIO Bucket
Notifications.
This action is **not** intended for use with other S3-compatible services.
.. policy-action:: s3:ListenBucketNotification
MinIO Extension for controlling API operations related to MinIO Bucket
Notifications.
This action is **not** intended for use with other S3-compatible services.
.. policy-action:: s3:ListParts
Corresponds to the :s3-api:`s3:ListParts <API_ListParts.html>` IAM action.
.. policy-action:: s3:PutBucketLifecycle
Corresponds to the :s3-api:`s3:PutBucketLifecycle
<API_PutBucketLifecycle.html>` IAM action.
.. policy-action:: s3:GetBucketLifecycle
Corresponds to the :s3-api:`s3:GetBucketLifecycle
<API_GetBucketLifecycle.html>` IAM action.
.. policy-action:: s3:PutObjectNotification
Corresponds to the :s3-api:`s3:PutObjectNotification
<API_PutObjectNotification.html>` IAM action.
.. policy-action:: s3:PutBucketPolicy
Corresponds to the :s3-api:`s3:PutBucketPolicy <API_PutBucketPolicy.html>`
IAM action.
.. policy-action:: s3:PutObject
Corresponds to the :s3-api:`s3:PutObject <API_PutObject.html>` IAM action.
.. policy-action:: s3:DeleteObjectVersion
Corresponds to the :s3-api:`s3:DeleteObjectVersion
<API_DeleteObjectVersion.html>` IAM action.
.. policy-action:: s3:DeleteObjectVersionTagging
Corresponds to the :s3-api:`s3:DeleteObjectVersionTagging
<API_DeleteObjectVersionTagging.html>` IAM action.
.. policy-action:: s3:GetObjectVersion
Corresponds to the :s3-api:`s3:GetObjectVersion
<API_GetObjectVersion.html>` IAM action.
.. policy-action:: s3:GetObjectVersionTagging
Corresponds to the :s3-api:`s3:GetObjectVersionTagging
<API_GetObjectVersionTagging.html>` IAM action.
.. policy-action:: s3:PutObjectVersionTagging
Corresponds to the :s3-api:`s3:PutObjectVersionTagging
<API_PutObjectVersionTagging.html>` IAM action.
.. policy-action:: s3:BypassGovernanceRetention
Corresponds to the :s3-docs:`s3:BypassGovernanceRetention
<object-lock-managing.html#object-lock-managing-bypass>` IAM action.
This action applies to the following API operations on objects locked under
:mc-cmd:`GOVERNANCE <mc retention set MODE>` retention mode:
- ``PutObjectRetention``
- ``PutObject``
- ``DeleteObject``
.. policy-action:: s3:PutObjectRetention
Corresponds to the :s3-api:`s3:PutObjectRetention
<API_PutObjectRetention.html>` IAM action.
.. policy-action:: s3:GetObjectRetention
Corresponds to the :s3-api:`s3:GetObjectRetention
<API_GetObjectRetention.html>` IAM action.
This action applies to the following API operations on objects locked under
any retention mode:
- ``GetObject``
- ``HeadObject``
.. policy-action:: s3:GetObjectLegalHold
Corresponds to the :s3-api:`s3:GetObjectLegalHold
<API_GetObjectLegalHold.html>` IAM action.
This action applies to the following API operations on objects locked under
legal hold:
- ``GetObject``
.. policy-action:: s3:PutObjectLegalHold
Corresponds to the :s3-api:`s3:PutObjectLegalHold
<API_PutObjectLegalHold.html>` IAM action.
This action applies to the following API operations on objects locked
under legal hold:
- ``PutObject``
.. policy-action:: s3:GetBucketObjectLockConfiguration
Corresponds to the :s3-api:`s3:GetBucketObjectLockConfiguration
<API_GetBucketObjectLockConfiguration.html>` IAM action.
.. policy-action:: s3:PutBucketObjectLockConfiguration
Corresponds to the :s3-api:`s3:PutBucketObjectLockConfiguration
<API_PutBucketObjectLockConfiguration.html>` IAM action.
.. policy-action:: s3:GetBucketTagging
Corresponds to the :s3-api:`s3:GetBucketTagging <API_GetBucketTagging.html>`
IAM action.
.. policy-action:: s3:PutBucketTagging
Corresponds to the :s3-api:`s3:PutBucketTagging <API_PutBucketTagging.html>`
IAM action.
.. policy-action:: s3:Get
Corresponds to the :s3-api:`s3:Get <API_Get.html>` IAM action.
.. policy-action:: s3:Put
Corresponds to the :s3-api:`s3:Put <API_Put.html>` IAM action.
.. policy-action:: s3:Delete
Corresponds to the :s3-api:`s3:Delete <API_Delete.html>` IAM action.
.. policy-action:: s3:PutBucketEncryption
Corresponds to the :s3-api:`s3:PutBucketEncryption
<API_PutBucketEncryption.html>` IAM action.
.. policy-action:: s3:GetBucketEncryption
Corresponds to the :s3-api:`s3:GetBucketEncryption
<API_GetBucketEncryption.html>` IAM action.
.. policy-action:: s3:PutBucketVersioning
Corresponds to the :s3-api:`s3:PutBucketVersioning
<API_PutBucketVersioning.html>` IAM action.
.. policy-action:: s3:GetBucketVersioning
Corresponds to the :s3-api:`s3:GetBucketVersioning
<API_GetBucketVersioning.html>` IAM action.
.. policy-action:: s3:GetReplicationConfiguration
Corresponds to the :s3-api:`s3:GetReplicationConfiguration
<API_GetReplicationConfiguration.html>` IAM action.
.. policy-action:: s3:PutReplicationConfiguration
Corresponds to the :s3-api:`s3:PutReplicationConfiguration
<PutReplicationConfiguration.html>` IAM action.
.. policy-action:: s3:ReplicateObject
Corresponds to the :s3-api:`s3:ReplicateObject <API_ReplicateObject.html>`
IAM action.
.. policy-action:: s3:ReplicateDelete
Corresponds to the :s3-api:`s3:ReplicateDelete <API_ReplicateDelete.html>`
IAM action.
.. policy-action:: s3:ReplicateTags
Corresponds to the :s3-api:`s3:ReplicateTags <API_ReplicateTags.html>` IAM
action.
.. policy-action:: s3:GetObjectVersionForReplication
Corresponds to the :s3-api:`s3:GetObjectVersionForReplication
<API_GetObjectVersionForReplication.html>` IAM action.
.. _minio-auth-authz-pbac-mc-admin-actions:
``mc admin`` Policy Action Keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO supports the following actions for use with defining policies
for :mc-cmd:`mc admin` operations. These actions are *only* valid for
MinIO deployments and are *not* intended for use with other S3-compatible
services:
.. policy-action:: admin:*
Selector for all admin action keys.
.. policy-action:: admin:Heal
Allows heal command
.. policy-action:: admin:StorageInfo
Allows listing server info
.. policy-action:: admin:DataUsageInfo
Allows listing data usage info
.. policy-action:: admin:TopLocksInfo
Allows listing top locks
.. policy-action:: admin:Profiling
Allows profiling
.. policy-action:: admin:ServerTrace
Allows listing server trace
.. policy-action:: admin:ConsoleLog
Allows listing console logs on terminal
.. policy-action:: admin:KMSCreateKey
Allows creating a new KMS master key
.. policy-action:: admin:KMSKeyStatus
Allows getting KMS key status
.. policy-action:: admin:ServerInfo
Allows listing server info
.. policy-action:: admin:OBDInfo
Allows obtaining cluster on-board diagnostics
.. policy-action:: admin:ServerUpdate
Allows MinIO binary update
.. policy-action:: admin:ServiceRestart
Allows restart of MinIO service.
.. policy-action:: admin:ServiceStop
Allows stopping MinIO service.
.. policy-action:: admin:ConfigUpdate
Allows MinIO config management
.. policy-action:: admin:CreateUser
Allows creating MinIO user
.. policy-action:: admin:DeleteUser
Allows deleting MinIO user
.. policy-action:: admin:ListUsers
Allows list users permission
.. policy-action:: admin:EnableUser
Allows enable user permission
.. policy-action:: admin:DisableUser
Allows disable user permission
.. policy-action:: admin:GetUser
Allows GET permission on user info
.. policy-action:: admin:AddUserToGroup
Allows adding user to group permission
.. policy-action:: admin:RemoveUserFromGroup
Allows removing user to group permission
.. policy-action:: admin:GetGroup
Allows getting group info
.. policy-action:: admin:ListGroups
Allows list groups permission
.. policy-action:: admin:EnableGroup
Allows enable group permission
.. policy-action:: admin:DisableGroup
Allows disable group permission
.. policy-action:: admin:CreatePolicy"
Allows create policy permission
.. policy-action:: admin:DeletePolicy
Allows delete policy permission
.. policy-action:: admin:GetPolicy
Allows get policy permission
.. policy-action:: admin:AttachUserOrGroupPolicy
Allows attaching a policy to a user/group
.. policy-action:: admin:ListUserPolicies
Allows listing user policies
.. policy-action:: admin:SetBucketQuota
Allows setting bucket quota
.. policy-action:: admin:GetBucketQuota
Allows getting bucket quota
.. policy-action:: admin:SetBucketTarget
Allows setting bucket target
.. policy-action:: admin:GetBucketTarget
Allows getting bucket targets
.. _minio-auth-authz-pbac-conditions:

Supported Policy Condition Keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MinIO policy documents support IAM
:iam-docs:`conditional statements <reference_policies_elements_condition.html>`.
Each condition element consists of
:iam-docs:`operators <reference_policies_elements_condition_operators.html>`
and condition keys. MinIO supports a subset of IAM condition keys. For complete
information on any listed condition key, see the
:iam-docs:`IAM Condition Element Documentation
<reference_policies_elements_condition.html>`.

MinIO supports the following condition keys for all supported
:ref:`actions <minio-auth-authz-pbac-actions>`:

- ``aws:Referer``
- ``aws:SourceIp``
- ``aws:UserAgent``
- ``aws:SecureTransport``
- ``aws:CurrentTime``
- ``aws:EpochTime``
- ``aws:PrincipalType``
- ``aws:userid``
- ``aws:username``
- ``s3:x-amz-content-sha256``

The following table lists additional supported condition keys for specific
actions:
.. list-table::
   :header-rows: 1
   :widths: 30 70
   :width: 100%

   * - Action Key
     - Condition Keys

   * - :policy-action:`s3:GetObject`
     - | ``s3:x-amz-server-side-encryption``
       | ``s3:x-amz-server-side-encryption-customer-algorithm``

   * - :policy-action:`s3:ListBucket`
     - | ``s3:prefix``
       | ``s3:delimiter``
       | ``s3:max-keys``

   * - :policy-action:`s3:PutObject`
     - | ``s3:x-amz-copy-source``
       | ``s3:x-amz-server-side-encryption``
       | ``s3:x-amz-server-side-encryption-customer-algorithm``
       | ``s3:x-amz-metadata-directive``
       | ``s3:x-amz-storage-class``
       | ``s3:object-lock-retain-until-date``
       | ``s3:object-lock-mode``
       | ``s3:object-lock-legal-hold``

   * - :policy-action:`s3:PutObjectRetention`
     - | ``s3:x-amz-object-lock-remaining-retention-days``
       | ``s3:x-amz-object-lock-retain-until-date``
       | ``s3:x-amz-object-lock-mode``

   * - :policy-action:`s3:PutObjectLegalHold`
     - ``s3:object-lock-legal-hold``

   * - :policy-action:`s3:BypassGovernanceRetention`
     - | ``s3:object-lock-remaining-retention-days``
       | ``s3:object-lock-retain-until-date``
       | ``s3:object-lock-mode``
       | ``s3:object-lock-legal-hold``

   * - :policy-action:`s3:GetObjectVersion`
     - ``s3:versionid``

   * - :policy-action:`s3:GetObjectVersionTagging`
     - ``s3:versionid``

   * - :policy-action:`s3:DeleteObjectVersion`
     - ``s3:versionid``

   * - :policy-action:`s3:DeleteObjectVersionTagging`
     - ``s3:versionid``
``mc admin`` Policy Condition Keys
``````````````````````````````````

MinIO supports the following condition keys for use with defining policies for
:mc-cmd:`mc admin` :ref:`actions <minio-auth-authz-pbac-mc-admin-actions>`:

- ``aws:Referer``
- ``aws:SourceIp``
- ``aws:UserAgent``
- ``aws:SecureTransport``
- ``aws:CurrentTime``
- ``aws:EpochTime``

For complete information on any listed condition key, see the :iam-docs:`IAM
Condition Element Documentation <reference_policies_elements_condition.html>`.
Creating Custom Policies
~~~~~~~~~~~~~~~~~~~~~~~~

Use the ``mc admin policy`` command to add a policy to the MinIO
server. The policy *must* be a valid JSON document formatted according to
IAM policy specifications. For example:

.. code-block:: shell

   mc config host add myminio http://myminio1.example.net:9000 <access_key> <secret_key>
   mc admin policy add myminio/ new_policy new_policy.json

To add this policy to a user or group, use the ``mc admin policy set`` command:

.. code-block:: shell

   mc admin policy set myminio/ new_policy user=user_name
   mc admin policy set myminio/ new_policy group=group_name
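The condition keys described above and the JSON document that ``mc admin policy add`` expects, as an added Python example that is not part of the MinIO documentation or the MinIO code base (MinIO's own policy evaluator is written in Go and supports more operators than shown here). A constructed policy grants ``s3:GetObject`` on a hypothetical ``finance-reports`` bucket only from an illustrative internal subnet over TLS, and ``s3:ListBucket`` only under one prefix; the small evaluator applies the ``IpAddress``, ``Bool``, ``StringEquals`` and ``StringLike`` operators in simplified IAM fashion, with explicit Deny taking precedence and a missing context key failing the condition. The bucket name, subnet and request contexts are assumptions for illustration.

```python
# Added example, not MinIO code: a simplified IAM-style evaluator for the
# condition keys listed above, plus the JSON serialization that
# `mc admin policy add` consumes. MinIO's real evaluator is written in Go
# and supports more operators than the four shown here.
import fnmatch
import ipaddress
import json

# Constructed sample policy (bucket name and subnet are illustrative):
# read objects from the internal subnet over TLS only, and list the bucket
# only under one prefix.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::finance-reports/*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": "10.20.0.0/16"},
                "Bool": {"aws:SecureTransport": "true"},
            },
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::finance-reports"],
            "Condition": {
                "StringLike": {"s3:prefix": "2020/*"},
                "Bool": {"aws:SecureTransport": "true"},
            },
        },
    ],
}


def _as_list(value):
    # IAM allows a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def condition_matches(operator, expected, actual):
    """True if the request context value `actual` satisfies one condition entry."""
    if actual is None:
        return False  # key absent from the request: the condition is not met
    expected = _as_list(expected)
    if operator == "IpAddress":
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in expected)
    if operator == "Bool":
        return str(actual).lower() in [str(e).lower() for e in expected]
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, pat) for pat in expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def is_allowed(policy, action, resource, context):
    """Evaluate one request: explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        # Every operator/key pair in the Condition block must hold.
        conditions = stmt.get("Condition", {})
        if not all(
            condition_matches(op, exp, context.get(key))
            for op, entries in conditions.items()
            for key, exp in entries.items()
        ):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_json(policy):
    """Serialize the policy; write this to new_policy.json for `mc admin policy add`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    tls_internal = {"aws:SourceIp": "10.20.5.7", "aws:SecureTransport": "true"}
    print(is_allowed(POLICY, "s3:GetObject",
                     "arn:aws:s3:::finance-reports/2020/q1.pdf", tls_internal))
    print(policy_json(POLICY))
```

Writing ``policy_json(POLICY)`` to ``new_policy.json`` produces a file in the shape the ``mc admin policy add`` command above accepts; running the evaluator against a request from outside the subnet, over plain HTTP, or for a prefix outside ``2020/`` shows each condition denying on its own, which is the behaviour to verify before attaching such a policy to real users or groups.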


@ -13,8 +13,8 @@ Overview
*Authentication* is the process of verifying the identity of a connecting *Authentication* is the process of verifying the identity of a connecting
client. MinIO authentication requires providing user credentials in the form of client. MinIO authentication requires providing user credentials in the form of
an access key and corresponding secret key. The MinIO deployment only grants an access key (username) and corresponding secret key (password). The MinIO
access *if*: deployment only grants access *if*:
- The access key corresponds to a user on the deployment, *and* - The access key corresponds to a user on the deployment, *and*
- The secret key corresponds to the specified access key. - The secret key corresponds to the specified access key.
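Review bot: the new glosses "(username)" and "(password)" on the hunk's third line are helpful for newcomers but read as literal field names; consider "an access key (analogous to a username) and corresponding secret key (analogous to a password)" so readers do not expect a separate username/password login, since the two bullets that follow already define exactly what each key must correspond to.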
@ -37,15 +37,6 @@ referenced in a user's assigned or inherited policies.
- For more information on MinIO policy creation, see - For more information on MinIO policy creation, see
:ref:`minio-auth-authz-pbac-policies`. :ref:`minio-auth-authz-pbac-policies`.
MinIO also supports Secure Token Service (STS) authentication, where clients use
a supported OIDC-compliant third-party identity provider to perform
authentication. MinIO uses the security token returned by the provider to
generate a random access key and secret key that the client can use for
authenticating to the deployment. The username specified to the third-party
identity provider *must* match an existing user on the MinIO deployment. MinIO
uses the policies associated to that existing user for authorizing client
operations. For more information, see :ref:`minio-sts-overview`.
.. _minio-auth-authz-users: .. _minio-auth-authz-users:
Users Users
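Review bot: the deleted paragraph held this file's only visible pointer to :ref:`minio-sts-overview`; if STS/OIDC authentication remains documented elsewhere, consider leaving a one-sentence cross-reference in the Overview so readers of the authentication section can still find it, and if the STS page was removed as well, check that no other `:ref:` to `minio-sts-overview` is left dangling.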
@ -569,8 +560,8 @@ The following table lists the MinIO-supported policy action keys.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO supports the following actions for use with defining policies MinIO supports the following actions for use with defining policies
for :mc-cmd:`mc admin` operations. These actions are **only** valid for for :mc-cmd:`mc admin` operations. These actions are *only* valid for
MinIO deployments and are **not** intended for use with other S3-compatible MinIO deployments and are *not* intended for use with other S3-compatible
services: services:
.. policy-action:: admin:* .. policy-action:: admin:*
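Review bot: downgrading **only** and **not** to *only* and *not* in the hunk's third and fourth lines matches the single-asterisk emphasis used elsewhere in the file (for example *if* and *must* in the Overview hunk), so the change is consistent; the wording of the statement itself is unchanged and needs no further action.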