minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-28 19:42:10 +03:00
Code Activity

Console updates for 0.22.2 and 0.22.3 (#712)

Browse Source 
Several updates for the MinIO Console docs related to 
[v0.22.2](https://github.com/minio/console/releases/tag/v0.22.2) and
[v0.22.3](https://github.com/minio/console/releases/tag/v0.22.3).

Also takes the opportunity to break up the Console doc and remove
screenshots.

- Splits MinIO Console doc into three separate pages
- Removes screenshots from console pages
- Adds toctree to MinIO Console page and references to new pages

Closes #709

- Adds OIDC and LDAP sections to console

Closes #683

- Adds details on object browser (now separated out from bucket browser)

Closes #686
This commit is contained in:
Daryl White
2023-01-20 14:25:33 -06:00
committed by GitHub
parent 878e85d2db
commit b3b90caabe
25 changed files with 532 additions and 427 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
source/administration/console/managing-deployment.rst Normal file
View File

@ -0,0 +1,135 @@
.. _minio-console-managing-deployment:
========================
Managing Your Deployment
========================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
You can use the MinIO Console to perform many of the deployment monitoring and management functions available in MinIO, such as:
- :ref:`Monitor <minio-console-monitoring>` the deployment activity and health by viewing a dashboard of metrics, server or audit logs, trace history, S3 events, or drive health.
- Configure alerts by adding or managing a :ref:`notification target <minio-console-notifications>`.
- Set up :ref:`site replication <minio-console-site-replication>` to synchronize datacenters for timely access across geographically dispersed workforces or for disaster preparedness.
- Configure deployment :ref:`settings <minio-console-settings>`.
.. _minio-console-monitoring:
Monitoring
----------
The :guilabel:`Monitoring` section provides an interface for monitoring the MinIO deployment.
The section contains the following subsections:
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
Metrics
~~~~~~~
The Console :guilabel:`Dashboard` section displays metrics for the MinIO deployment.
The default view provides a high-level overview of the deployment status, including the uptime and availability of individual servers and drives.
The Console also supports displaying time-series and historical data by querying a :prometheus-docs:`Prometheus <prometheus/latest/getting_started/>` service configured to scrape data from the MinIO deployment.
Specifically, the MinIO Console uses :prometheus-docs:`Prometheus query API <prometheus/latest/querying/api/>` to retrieve stored metrics data and display historical metrics:
See :ref:`minio-console-metrics` for more information on the historical metric visualization.
Logs
~~~~
The Console :guilabel:`Logs` section displays :ref:`server logs <minio-logging>` generated by the MinIO Deployment.
- Use the :guilabel:`Nodes` dropdown to filter logs to a subset of server nodes in the MinIO deployment.
- Use the :guilabel:`Log Types` dropdown to filter logs to a subset of log types.
- Use the :guilabel:`Filter` to apply text filters to the log results
Select the :guilabel:`Start Logs` button to begin collecting logs using the selected filters and settings.
Audit
~~~~~
The Audit Log section provides an interface for viewing :ref:`audit logs <minio-logging>` collected by a configured PostgreSQL service.
The Audit Logging feature is configured and enabled automatically for MinIO deployments created using the :ref:`MinIO Operator Console <minio-operator-console>`.
Trace
~~~~~
The :guilabel:`Trace` section provides HTTP trace functionality for a bucket or buckets on the deployment.
This section provides similar functionality to :mc:`mc admin trace`.
You can modify the trace to show only specific trace calls.
The default is to show only :guilabel:`S3` related HTTP traces.
Select :guilabel:`Filters` to open additional filters to apply to trace output, such as restricting the :guilabel:`Path` on which the trace applies to a specific bucket or bucket prefix.
Watch
~~~~~
The :guilabel:`Watch` section displays S3 events as they occur on the selected bucket.
This section provides similar functionality to :mc:`mc watch`.
Drives
~~~~~~
The :guilabel:`Drives` section displays the healing status for a bucket.
MinIO automatically heals objects and drives when it detects problems, such as drive-level corruption or a replacement drive.
.. important::
MinIO does not recommend performing manual healing unless explicitly directed by support.
.. _minio-console-notifications:
Notifications
-------------
The :guilabel:`Notifications` section provides an interface to view, add, or remove :ref:`Bucket Notification <minio-bucket-notifications>` targets.
You can use this screen configure MinIO to push notification events to the one or more target destinations, including Redis, MySQL, Kafka, PostgreSQL, AMQP, MQTT, Elastic Search, NATS, NSQ, or a Webhook.
Select the :guilabel:`Add Notification Target +` button to add a new target to the deployment.
You can select an existing notification target from the list to view its details or delete the target.
.. _minio-console-site-replication:
Site Replication
----------------
The :guilabel:`Site Replication` section provides an interface for adding and managing the :ref:`site replication <minio-site-replication-overview>` configuration for the deployment.
Configuring site replication requires that only a single site have existing buckets or objects (if any).
.. _minio-console-settings:
Settings
--------
The :guilabel:`Settings` section provides an interface for viewing and retrieving :ref:`configuration settings <minio-server-configuration-settings>` for all MinIO Servers in the deployment.
This section contains the following subsections.
- Region
- Compression
- API
- Heal
- Scanner
- Etcd
- Logger Webhook
- Audit Webhook
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
The interface functionality mimics that of using :mc-cmd:`mc admin config get` or :mc-cmd:`mc admin config set`.
Refer to those commands for details on how to define the many options.
Some configuration settings may require restarting the MinIO deployment to apply changes.

113
source/administration/console/managing-objects.rst Normal file
View File

@ -0,0 +1,113 @@
.. _minio-console-managing-objects:
================
Managing Objects
================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
You can use the MinIO Console to perform several of the bucket and object management and interaction functions available in MinIO.
Depending on the permissions and IAM policies for the authenticated user, you can:
- :ref:`Browse, upload, revert, manage, and interact with objects <minio-console-object-browser>`.
- :ref:`Browse, create, and manage buckets <minio-console-buckets>`.
- :ref:`Create or monitor remote tiers <minio-console-tiers>` for object transition rules.
.. _minio-console-object-browser:
Object Browser
--------------
The Object Browser lists the buckets and objects the authenticated user has access to on the deployment.
After logging in or navigating to the tab, the object browser displays a list of the user's buckets, which the user can filter.
Select a bucket to show a list of objects in the bucket.
Select a specific object to display summary information about the object such as name, size, tags, holds, and retention policies that apply.
The console also shows the object's metadata.
The user can perform actions on the bucket's objects, depending on the policies and permissions that apply.
Example actions the user may be able to perform include:
- Rewind to a previous version
- Create prefixes
- View deleted objects
- Download
- Share
- Preview
- Manage legal holds
- Manage retention
- Manage tags
- Inspect
- Display versions
- Delete
.. _minio-console-buckets:
Buckets
-------
The Console's :guilabel:`Bucket` section displays all buckets to which the authenticated user has :ref:`access <minio-policy>`.
Use this section to create or manage these buckets, depending on your user's access.
Creating Buckets
~~~~~~~~~~~~~~~~
Select :guilabel:`Create Bucket` to create a new bucket on the deployment.
MinIO validates bucket names.
To see the rules for bucket names, select :guilabel:`View Bucket Naming Rules`.
MinIO does not limit the total number of buckets allowed on a deployment.
However, MinIO recommends no more than 500,000 buckets per deployment as a general guideline.
While creating a bucket, you can enable :ref:`versioning <minio-bucket-versioning>`, :ref:`object locking <minio-object-locking>`, bucket size (quota) limits, and :ref:`retention rules <minio-object-locking-retention-modes>` (which require versioning).
You **must** configure replication, locking, and versioning options at the time of bucket creation.
You cannot change these settings for the bucket later.
Managing Buckets
~~~~~~~~~~~~~~~~
Use the :guilabel:`Search` bar to filter for specific buckets.
Select the row for the bucket to display summary information about the bucket.
Form the summary screen, select any of the available tabs to further manage the bucket.
.. note::
Some management features may not be available if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
When managing a bucket, your access settings may allow you to view or change any of the following:
- The :guilabel:`Summary` section displays a summary of the bucket's configuration.
Use this section to view and modify the bucket's policy, encryption, quota, and tags.
- Configure alerts in the :guilabel:`Events` section to trigger :ref:`notification events <minio-bucket-notifications>` when a user uploads, accesses, or deletes matching objects.
- Copy objects to remote locations in the :guilabel:`Replication` section with :ref:`Server Side Bucket Replication Rules <minio-bucket-replication-serverside>`.
- Expire or transition objects in the bucket from the :guilabel:`Lifecycle` section by setting up :ref:`Object Lifecycle Management Rules <minio-lifecycle-management>`.
- Review security in the :guilabel:`Access` section by listing the :ref:`policies <minio-policy>` and :ref:`users <minio-users>` with access to that bucket.
- Properly secure unauthenticated access with the :guilabel:`Anonymous` section by managing rules for prefixes that unauthenticated users can use to read or write objects.
.. _minio-console-tiers:
Tiers
-----
The :guilabel:`Tiers` section provides an interface for adding and managing :ref:`remote tiers <minio-lifecycle-management-tiering>` to support lifecycle management transition rules.
MinIO tiering supports moving objects from the deployment to the remote storage, but does not support automatically restoring them to the deployment.
The tiering tab allows users with the appropriate permissions to:
- Review the status and summary information for all configured remote tiers.
- Create a tier for a new remote target to storage on another MinIO deployment, Google Cloud Storage, Amazon's AWS S3, or Azure.
- Cycle the access credentials for any of the configured tiers with the tier's :octicon:`pencil` icon.

157
source/administration/console/security-and-access.rst Normal file
View File

@ -0,0 +1,157 @@
.. _minio-console-security-access:
===================
Security and Access
===================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
You can use the MinIO Console to perform several of the identity and access management functions available in MinIO, such as:
- Create child :ref:`access keys <minio-console-user-access-keys>` that inherit the parent's permissions.
- View, manage, and create access :ref:`policies <minio-console-admin-policies>`.
- Create and manage :ref:`user credentials <minio-console-admin-identity>` or groups with the built-in MinIO IDP, connect to one or more OIDC provider, or add an AD/LDAP provider for SSO.
.. _minio-console-user-access-keys:
Access Keys
-----------
The :guilabel:`Access Keys` section displays all :ref:`minio-id-access-keys` associated to the authenticated user.
Access Keys support providing applications authentication credentials which inherit permissions from the "parent" user.
For deployments using an external identity manager such as Active Directory or an OIDC-compatible provider, access keys provide a way for users to create long-lived credentials.
- You can select the access key row to view its custom policy, if one exists.
You can create or modify the policy from this screen.
Access key policies cannot exceed the permissions granted to the parent user.
- You can create a new access key by selecting :guilabel:`Create access key`.
The Console auto-generates an access key and password.
You can select the eye :octicon:`eye` icon on the password field to reveal the value.
You can override these values as needed.
You can set a custom policy for the access key that further restricts the permissions granted to users authenticating with that key.
Select :guilabel:`Restrict beyond user policy` to open the policy editor and modify as necessary.
Ensure you have saved the access key password to a secure location before selecting :guilabel:`Create` to create the access key.
You cannot retrieve or reset the password value after creating the access key.
To rotate credentials for an application, create a new access key and delete the old one once the application updates to using the new credentials.
.. _minio-console-admin-policies:
Policies
--------
The :guilabel:`Policies` section displays all :ref:`policies <minio-policy>` on the MinIO deployment.
The Policies section allows you to create, modify, or delete policies.
:ref:`Policies <minio-policy>` define the authorized actions and resources to which an authenticated user has access.
Each policy describes one or more actions a user, group of users, or access key can perform or conditions they must meet.
The policies are JSON formatted text files compatible with Amazon AWS Identity and Access Management policy syntax, structure, and behavior.
Refer to :ref:`Policy Based Action Control <minio-policy>` for details on managing access in MinIO with policies.
This section or its contents may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
- Select :guilabel:`+ Create Policy` to create a new MinIO Policy.
- Select the policy row to manage the policy details.
The :guilabel:`Summary` view displays a summary of the policy.
The :guilabel:`Users` view displays all users assigned to the policy.
The :guilabel:`Groups` view displays all groups assigned to the policy.
The :guilabel:`Raw Policy` view displays the raw JSON policy.
Use the :guilabel:`Users` and :guilabel:`Groups` views to assign a created policy to users and groups, respectively.
.. _minio-console-admin-identity:
Identity
--------
The :guilabel:`Identity` section provides a management interface for :ref:`MinIO-Managed users <minio-users>`.
The section contains the following subsections.
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
Users
~~~~~
The :guilabel:`Users` section displays all MinIO-managed :ref:`users <minio-users>` on the deployment.
This section is not visible for deployments using an external identity manager such as Active Directory or an OIDC-compatible provider.
- Select :guilabel:`Create User` to create a new MinIO-managed user.
You can assign :ref:`groups <minio-groups>` and :ref:`policies <minio-policy>` to the user during creation.
- Select a user's row to view details for that user.
You can view and modify the user's assigned :ref:`groups <minio-groups>` and :ref:`policies <minio-policy>`.
You can also view and manage any :ref:`Access Keys <minio-idp-service-account>` associated to the user.
Groups
~~~~~~
The :guilabel:`Groups` section displays all :ref:`groups <minio-groups>` on the MinIO deployment.
This section is not visible for deployments using an external identity manager such as Active Directory or an OIDC-compatible provider.
- Select :guilabel:`Create Group` to create a new MinIO Group.
You can assign new users to the group during creation.
You can assign policies to the group after creation.
- Select the group row to open the details for that group.
You can modify the group membership from the :guilabel:`Members` view.
You can modify the group's assigned policies from the :guilabel:`Policies` view.
Changing a user's group membership modifies the policies that user inherits. See :ref:`minio-access-management` for more information.
OpenID
~~~~~~
MinIO supports using an :ref:`OpenID Connect (OIDC) compatible IDentity Provider (IDP) <minio-external-identity-management-openid>` for external management of user identities.
Examples of OpenID providers include:
- Okta
- KeyCloak
- Dex
- Google
- Facebook
Configuring an external IDP enables Single-Sign On workflows, where applications authenticate against the external IDP before accessing MinIO.
Use the the screens in this section to view, add, or edit OIDC configurations for the deployment.
MinIO supports any number of active OIDC configurations.
LDAP
~~~~
MinIO supports using an :ref:`Active Directory or LDAP (AD/LDAP) <minio-external-identity-management-ad-ldap>` service for external management of user identities.
Configuring an external IDentity Provider (IDP) enables Single-Sign On (SSO) workflows, where applications authenticate against the external IDP before accessing MinIO.
Use the the screens in this section to view, add, or edit an LDAP configuration for the deployment.
MinIO only supports one active LDAP configuration.
MinIO queries the active Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership.

85
source/administration/console/subnet-registration.rst Normal file
View File

@ -0,0 +1,85 @@
.. _minio-console-subscription:
===============================
SUBNET Registration and Support
===============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 2
You can use the MinIO Console to perform several of the license and subscription related functions available in MinIO, such as:
- View the license you are currently using for your MinIO deployment.
- Subscribe to |SUBNET|.
- Manage the deployment's SUBNET license.
- Access Support tools for sharing with MinIO Engineering.
License
-------
MinIO offers two licensing options:
#. Open source with the :minio-git:`GNU AGPLv3 license <mc/blob/master/LICENSE>`
#. Paid commercial license with included support direct from MinIO Engineers
This page shows the current license status of the deployment.
You can also begin the registration process to sign up for a paid subscription or add the deployment to an existing subscription.
Deployments licensed under AGPLv3 must comply to the terms of the license.
MinIO cannot make the determination as to whether your application's usage of MinIO is in compliance with the AGPLv3 license requirements.
You should instead rely on your own legal counsel or licensing specialists to audit and ensure your application is in compliance with the licenses of MinIO and all other open-source projects with which your application integrates or interacts.
MinIO Commercial Licensing is the best option for applications which trigger AGPLv3 obligations (for example, open sourcing your application).
Applications using MinIO — or any other OSS-licensed code — without validating their usage do so at their own risk.
Support
-------
Proprietary application stacks that register for a commerical license choose engineering support under either the :guilabel:`Standard` or :guilabel:`Enterprise` License and Support plans.
Both support plans share the same commercial license to MinIO.
The :guilabel:`Support` section provides an interface for generating health and performance reports.
Support functionality requires registering your deployment with |subnet|.
Unregistered deployments display a :guilabel:`Register Your Cluster` button to register with your |subnet| account.
See the :guilabel:`License` section in the Console or visit the `MinIO SUBNET <https://min.io/pricing?jmp=docs>` website for more information on registration.
This section contains several subsections.
Health
~~~~~~
The :guilabel:`Health` section provides an interface for running a health diagnostic for the MinIO Deployment.
The resulting health report is intended for use by MinIO Engineering via |subnet| and may contain internal or private data points such as hostnames.
Exercise caution before sending a health report to a third party or posting the health report in a public forum.
Performance
~~~~~~~~~~~
The :guilabel:`Performance` section provides an interface for running a performance test of the deployment.
The resulting test can provide a general guideline of deployment performance under S3 ``GET`` and ``PUT`` requests.
For more complete performance testing, consider using a combination of load-testing using your staging application environments and the MinIO :minio-git:`WARP <warp>` tool.
Profile
~~~~~~~
The :guilabel:`Profile` section provides an interface for running system profiling of the deployment.
The results can provide insight into the MinIO server process running on a given node.
The resulting report is intended for use by MinIO Engineering via |subnet|.
Independent or third-party use of these profiles for diagnostics and remediation is done at your own risk.
Inspect
~~~~~~~
The :guilabel:`Inspect` section provides an interface for capturing the erasure-coded metadata associated to an object or objects.
MinIO Engineering may request this output as part of diagnostics in |subnet|.
The resulting object may be read using MinIO's :minio-git:`debugging tool <minio/tree/master/docs/debugging#decoding-metadata>`.
Independent or third-party use of the output for diagnostics or remediation is done at your own risk.
You can optionally encrypt the object such that it can only be read if the generated encryption key is included as part of the debugging toolchain.

469
source/administration/minio-console.rst
View File

@ -15,37 +15,19 @@ The MinIO Console is a rich graphical user interface that provides similar funct
.. image:: /images/minio-console/minio-console.png
:width: 600px
:alt: MinIO Console Landing Page provides a view of Buckets on the deployment
:alt: MinIO Console Landing Page provides a view of the Object Browser for the authenticated user
:align: center
This page provides an overview of the MinIO Console and describes configuration options and instructions for logging in.
Overview
--------
You can use the MinIO Console for administration tasks like Identity and Access Management, Metrics and Log Monitoring, or Server Configuration.
The MinIO Console is embedded as part of the MinIO Server.
You can also deploy a standalone MinIO Console using the instructions in the :minio-git:`github repository <console>`.
Logging into the MinIO Console depends on how you configured identity management for the deployment.
- When using the built-in MinIO identity management solution, the sign-in screen displays a standard login screen.
Enter your Username and Password to log in to the MinIO Console.
- If loggin in with a third party application and :ref:`MinIO's Security Token Service (STS) <minio-security-token-service>`, select :guilabel:`Use STS` and enter the Username, Secret, and Token.
- If the deployment uses a single OpenID or Active Directory/LDAP identity provider solution, select the provider's button to proceed to the login screen.
- If the deployment has multiple OpenID and/or Active Directory/LDAP identify management providers configured, the MinIO Console's sign-in screen provides a dropdown list of providers.
Select the provider you wish to use to log in to the MinIO Console, then enter the credentials.
.. admonition:: Try out the Console using MinIO's Play testing environment
:class: note
You can explore the Console using https://play.min.io:9443.
Log in with the following credentials:
- Username: ``Q3AM3UQ867SPQQA43P2F``
- Password: ``zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG``
The Play Console connects to the MinIO Play deployment at https://play.min.io.
You can also access this deployment using :mc:`mc` and using the ``play`` alias.
This page documents the high level configuration settings and features of the MinIO Console.
Configuration
-------------
@ -80,8 +62,7 @@ the MinIO Console:
``API: https://<IP ADDRESS 1> https://<IP ADDRESS 2>``.
The MinIO Console defaults to connecting using ``<IP ADDRESS 1>``.
The MinIO Console may require setting this variable in the following
scenarios:
The MinIO Console may require setting this variable in the following scenarios:
- The MinIO server TLS certificates do not include the local IP address
as a :rfc:`Subject Alternative Name <5280#section-4.2.1.6>` (SAN).
@ -137,416 +118,50 @@ routing rules may require setting a static MinIO Console port. For example,
load balancers, reverse proxies, or Kubernetes ingress may by default block
or exhibit unexpected behavior with the the dynamic redirection behavior.
.. _minio-console-admin-buckets:
Buckets
-------
.. image:: /images/minio-console/console-object-browser.png
:width: 600px
:alt: MinIO Console Object Browser
:align: center
The Console :guilabel:`Object Browser` section displays all buckets and objects to which the authenticated user has :ref:`access <minio-policy>`.
Use the :guilabel:`Search` bar to search for specific buckets or objects.
Select the row for the bucket or object to browse.
Select :guilabel:`Create Bucket` to create a new bucket on the deployment.
MinIO validates bucket names.
To see the rules for bucket names, select :guilabel:`View Bucket Naming Rules`.
While creating a bucket, you can enable :ref:`versioning <minio-bucket-versioning>`, :ref:`object locking <minio-object-locking>`, bucket size (quota) limits, and :ref:`retention rules <minio-object-locking-retention-modes>` (which require versioning).
MinIO does not limit the total number of buckets allowed on a deployment.
However, MinIO recommends no more than 500,000 buckets per deployment as a general guideline.
Each bucket has :guilabel:`Manage` and :guilabel:`Browse` buttons.
- Select :guilabel:`Manage` to open the management interface for the bucket:
Some management features may not be available if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
The :guilabel:`Summary` view displays a summary of the bucket's configuration.
The :guilabel:`Events` view supports configuring :ref:`notification events <minio-bucket-notifications>` using a configured notification target.
The :guilabel:`Replication` view supports creating and managing :ref:`Server Side Bucket Replication Rules <minio-bucket-replication-serverside>`.
The :guilabel:`Lifecycle` view supports creating and managing :ref:`Object Lifecycle Management Rules <minio-lifecycle-management>` for the bucket.
The :guilabel:`Access Audit` view displays all :ref:`policies <minio-policy>` and :ref:`users <minio-users>` with access to that bucket.
The :guilabel:`Access Rules` view supports creating and managing anonymous bucket policies to attach to the bucket or bucket prefix.
Anonymous rules allow clients to access the bucket or prefix without explicitly authenticating with user credentials.
- Select :guilabel:`Browse` to view the contents of the bucket.
You can view and download individual objects, upload new objects, or use the :guilabel:`Rewind` function to view only those :ref:`versions <minio-bucket-versioning>` of an object which existed at the selected timestamp.
.. _minio-console-user-access-keys:
Access Keys
-----------
.. image:: /images/minio-console/console-access-keys.png
:width: 600px
:alt: MinIO Console Access Keys
:align: center
The :guilabel:`Access Keys` section displays all :ref:`minio-id-access-keys` associated to the authenticated user.
Access Keys support providing applications authentication credentials which inherit permissions from the "parent" user.
For deployments using an external identity manager such as Active Directory or an OIDC-compatible provider, access keys provide a way for users to create long-lived credentials.
- You can select the access key row to view its custom policy, if one exists.
You can create or modify the policy from this screen.
Access key policies cannot exceed the permissions granted to the parent user.
- You can create a new access key by selecting :guilabel:`Create access key`.
The Console auto-generates an access key and password.
You can select the eye :octicon:`eye` icon on the password field to reveal the value.
You can override these values as needed.
You can set a custom policy for the access key that further restricts the permissions granted to users authenticating with that key.
Select :guilabel:`Restrict beyond user policy` to open the policy editor and modify as necessary.
Ensure you have saved the access key password to a secure location before selecting :guilabel:`Create` to create the access key.
You cannot retrieve or reset the password value after creating the access key.
To rotate credentials for an application, create a new access key and delete the old one once the application updates to using the new credentials.
Identity
--------
The :guilabel:`Identity` section provides a management interface for :ref:`MinIO-Managed users <minio-users>`.
The section contains the following subsections.
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
.. tab-set::
.. tab-item:: Users
.. image:: /images/minio-console/console-users.png
:width: 600px
:alt: MinIO Console Manage Users
:align: center
The :guilabel:`Users` section displays all MinIO-managed :ref:`users <minio-users>` on the deployment.
This section is not visible for deployments using an external identity manager such as Active Directory or an OIDC-compatible provider.
- Select :guilabel:`Create User` to create a new MinIO-managed user.
You can assign :ref:`groups <minio-groups>` and :ref:`policies <minio-policy>` to the user during creation.
- Select a user's row to view details for that user.
You can view and modify the user's assigned :ref:`groups <minio-groups>` and :ref:`policies <minio-policy>`.
You can also view and manage any :ref:`Access Keys <minio-idp-service-account>` associated to the user.
.. tab-item:: Groups
.. image:: /images/minio-console/console-groups.png
:width: 600px
:alt: MinIO Console Manage Groups
:align: center
The :guilabel:`Groups` section displays all :ref:`groups <minio-groups>` on the MinIO deployment.
This section is not visible for deployments using an external identity manager such as Active Directory or an OIDC-compatible provider.
- Select :guilabel:`Create Group` to create a new MinIO Group.
You can assign new users to the group during creation.
You can assign policies to the group after creation.
- Select the group row to open the details for that group.
You can modify the group membership from the :guilabel:`Members` view.
You can modify the group's assigned policies from the :guilabel:`Policies` view.
Changing a user's group membership modifies the policies that user inherits. See :ref:`minio-access-management` for more information.
.. tab-item:: Policies
.. image:: /images/minio-console/console-policies.png
:width: 600px
:alt: MinIO Console Manage Policies
:align: center
The :guilabel:`Policies` section displays all :ref:`policies <minio-policy>` on the MinIO deployment.
The Policies section allows you to create, modify, or delete policies.
:ref:`Policies <minio-policy>` define the authorized actions and resources to which an authenticated user has access.
Each policy describes one or more actions a user, group of users, or access key can perform or conditions they must meet.
The policies are JSON formatted text files compatible with Amazon AWS Identity and Access Management policy syntax, structure, and behavior.
Refer to :ref:`Policy Based Action Control <minio-policy>` for details on managing access in MinIO with policies.
This section or its contents may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
- Select :guilabel:`+ Create Policy` to create a new MinIO Policy.
- Select the policy row to manage the policy details.
The :guilabel:`Summary` view displays a summary of the policy.
The :guilabel:`Users` view displays all users assigned to the policy.
The :guilabel:`Groups` view displays all groups assigned to the policy.
The :guilabel:`Raw Policy` view displays the raw JSON policy.
Use the :guilabel:`Users` and :guilabel:`Groups` views to assign a created policy to users and groups, respectively.
.. _minio-console-monitoring:
Monitoring
Logging In
----------
The :guilabel:`Monitoring` section provides an interface for monitoring the MinIO deployment.
Logging into the MinIO Console depends on how you configured identity management for the deployment.
The section contains the following subsections:
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
- When using the built-in MinIO identity management solution, the sign-in screen displays a standard login screen.
Enter your Username and Password to log in to the MinIO Console.
- If logging in with a third party application and :ref:`MinIO's Security Token Service (STS) <minio-security-token-service>`, select :guilabel:`Use STS` and enter the Username, Secret, and Token.
- If the deployment uses a single OpenID or Active Directory/LDAP identity provider solution, select the provider's button to proceed to the login screen.
- If the deployment has multiple OpenID and/or Active Directory/LDAP identify management providers configured, the MinIO Console's sign-in screen provides a dropdown list of providers.
Select the provider you wish to use to log in to the MinIO Console, then enter the credentials.
.. tab-set::
.. admonition:: Try out the Console using MinIO's Play testing environment
:class: note
.. tab-item:: Metrics
You can explore the Console using https://play.min.io:9443.
Log in with the following credentials:
.. image:: /images/minio-console/console-metrics-simple.png
:width: 600px
:alt: MinIO Console Metrics displaying point-in-time data
:align: center
- Username: ``Q3AM3UQ867SPQQA43P2F``
- Password: ``zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG``
The Console :guilabel:`Dashboard` section displays metrics for the MinIO deployment.
The default view provides a high-level overview of the deployment status, including the uptime and availability of individual servers and drives.
The Console also supports displaying time-series and historical data by querying a :prometheus-docs:`Prometheus <prometheus/latest/getting_started/>` service configured to scrape data from the MinIO deployment.
Specifically, the MinIO Console uses :prometheus-docs:`Prometheus query API <prometheus/latest/querying/api/>` to retrieve stored metrics data and display historical metrics:
.. image:: /images/minio-console/console-metrics.png
:width: 600px
:alt: MinIO Console Metrics displaying simplified data
:align: center
See :ref:`minio-console-metrics` for more information on the historical metric visualization.
.. tab-item:: Logs
.. image:: /images/minio-console/console-logs.png
:width: 600px
:alt: MinIO Console Logs displaying a list of server logs
:align: center
The Console :guilabel:`Logs` section displays :ref:`server logs <minio-logging>` generated by the MinIO Deployment.
- Use the :guilabel:`Nodes` dropdown to filter logs to a subset of server nodes in the MinIO deployment.
- Use the :guilabel:`Log Types` dropdown to filter logs to a subset of log types.
- Use the :guilabel:`Filter` to apply text filters to the log results
Select the :guilabel:`Start Logs` button to begin collecting logs using the selected filters and settings.
.. tab-item:: Audit
The Audit Log section provides an interface for viewing :ref:`audit logs <minio-logging>` collected by a configured PostgreSQL service.
The Audit Logging feature is configured and enabled automatically for MinIO deployments created using the :ref:`MinIO Operator Console <minio-operator-console>`.
.. tab-item:: Trace
.. image:: /images/minio-console/console-trace.png
:width: 600px
:alt: MinIO Console Trace
:align: center
The :guilabel:`Trace` section provides HTTP trace functionality for a bucket or buckets on the deployment.
This section provides similar functionality to :mc:`mc admin trace`.
You can modify the trace to show only specific trace calls.
The default is to show only :guilabel:`S3` related HTTP traces.
Select :guilabel:`Filters` to open additional filters to apply to trace output, such as restricting the :guilabel:`Path` on which the trace applies to a specific bucket or bucket prefix.
.. tab-item:: Watch
.. image:: /images/minio-console/console-watch.png
:width: 600px
:alt: MinIO Console Watch
:align: center
The :guilabel:`Watch` section displays S3 events as they occur on the selected bucket.
This section provides similar functionality to :mc:`mc watch`.
.. tab-item:: Drives
.. image:: /images/minio-console/console-drives.png
:width: 600px
:alt: MinIO Console Drive Health Status
:align: center
The :guilabel:`Drives` section displays the healing status for a bucket.
MinIO automatically heals objects and drives when it detects problems, such as drive-level corruption or a replacement drive.
.. important::
MinIO does not recommend performing manual healing unless explicitly directed by support.
Notifications
-------------
The :guilabel:`Notifications` section provides an interface to view, add, or remove :ref:`Bucket Notification <minio-bucket-notifications>` targets.
You can use this screen configure MinIO to push notification events to the one or more target destinations, including Redis, MySQL, Kafka, PostgreSQL, AMQP, MQTT, Elastic Search, NATS, NSQ, or a Webhook.
Select the :guilabel:`Add Notification Target +` button to add a new target to the deployment.
You can select an existing notification target from the list to view its details or delete the target.
.. image:: /images/minio-console/console-add-notification-target.png
:width: 600px
:alt: The MinIO Console's Notification screen after selecting add new target that shows the types of destination targets users can add.
:align: center
Tiers
-----
.. image:: /images/minio-console/console-settings-tiers.png
:width: 600px
:alt: MinIO Console Settings - Tiering
:align: center
The :guilabel:`Tiers` section provides an interface for adding and managing :ref:`remote tiers <minio-lifecycle-management-tiering>` to support lifecycle management transition rules.
Select the :guilabel:`Create Tier +` button to add a new tier to the deployment.
Choose to add a MinIO, Google Cloud Storage, AWS S3, or Azure tier type.
Existing tiers display with details of their configuration and an icon showing their current online or offline status.
You can select an existing tier from the list to view its details or make changes.
Site Replication
----------------
.. image:: /images/minio-console/console-settings-site-replication.png
:width: 600px
:alt: MinIO Console Settings - Site Replication
:align: center
The :guilabel:`Site Replication` section provides an interface for adding and managing the site replication configuration for the deployment.
Configuring site replication requires that only a single site have existing buckets or objects (if any).
Settings
--------
This section contains the following subsections.
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
.. image:: /images/minio-console/console-settings-configuration.png
:width: 600px
:alt: MinIO Console Settings - Configuration View
:align: center
The :guilabel:`Settings` section provides an interface for viewing and retrieving :ref:`configuration settings <minio-server-configuration-settings>` for all MinIO Servers in the deployment.
The interface functionality mimics that of using :mc-cmd:`mc admin config get` or :mc-cmd:`mc admin config set`.
Refer to those commands for details on how to define the many options.
Some configuration settings may require restarting the MinIO deployment to apply changes.
Support
-------
The :guilabel:`Support` section provides an interface for generating health and performance reports.
Support functionality requires registering your deployment with |subnet|.
Unregistered deployments display a :guilabel:`Register Your Cluster` button to register with your |subnet| account.
See the :guilabel:`License` section in the Console or visit the `MinIO SUBNET <https://min.io/pricing?jmp=docs>` website for more information on registration.
This section contains the following subsections.
Some subsections may not be visible if the authenticated user does not have the :ref:`required administrative permissions <minio-policy-mc-admin-actions>`.
.. tab-set::
.. tab-item:: Health
.. image:: /images/minio-console/console-health.png
:width: 600px
:alt: MinIO Console - Health Diagnostics
:align: center
The :guilabel:`Health` section provides an interface for running a health diagnostic for the MinIO Deployment.
The resulting health report is intended for use by MinIO Engineering via |subnet| and may contain internal or private data points such as hostnames.
Exercise caution before sending a health report to a third party or posting the health report in a public forum.
.. tab-item:: Performance
.. image:: /images/minio-console/console-performance.png
:width: 600px
:alt: MinIO Console - Performance Tests
:align: center
The :guilabel:`Performance` section provides an interface for running a performance test of the deployment.
The resulting test can provide a general guideline of deployment performance under S3 ``GET`` and ``PUT`` requests.
For more complete performance testing, consider using a combination of load-testing using your staging application environments and the MinIO :minio-git:`WARP <warp>` tool.
.. tab-item:: Profile
.. image:: /images/minio-console/console-profile.png
:width: 600px
:alt: MinIO Console - Profile Tests
:align: center
The :guilabel:`Profile` section provides an interface for running system profiling of the deployment.
The results can provide insight into the MinIO server process running on a given node.
The resulting report is intended for use by MinIO Engineering via |subnet|.
Independent or third-party use of these profiles for diagnostics and remediation is done at your own risk.
.. tab-item:: Inspect
.. image:: /images/minio-console/console-inspect.png
:width: 600px
:alt: MinIO Console - Inspect an Object
:align: center
The :guilabel:`Inspect` section provides an interface for capturing the erasure-coded metadata associated to an object or objects.
MinIO Engineering may request this output as part of diagnostics in |subnet|.
The resulting object may be read using MinIO's :minio-git:`debugging tool <minio/tree/master/docs/debugging#decoding-metadata>`.
Independent or third-party use of the output for diagnostics or remediation is done at your own risk.
You can optionally encrypt the object such that it can only be read if the generated encryption key is included as part of the debugging toolchain.
License
-------
The :guilabel:`License` section displays information on the licensing status of the MinIO deployment.
For deployments not registered via |subnet|, the Console displays a table comparison of MinIO License and Support plans:
.. image:: /images/minio-console/console-license.png
:width: 600px
:alt: MinIO Console - License Plans
:align: center
Existing customers can register the deployment with their |subnet| account by clicking :guilabel:`Register this cluster` in the top-right corner of the screen.
MinIO is Open Source software under the :minio-git:`GNU AGPLv3 license <mc/blob/master/LICENSE>`.
Applications using MinIO should follow local laws and regulations around licensing to ensure compliance with the AGPLv3 license, which may include open sourcing the application stack.
Proprietary application stacks can register for either the SUBNET :guilabel:`Standard` or :guilabel:`Enterprise` License and Support plan to use MinIO under a commercial license.
The Play Console connects to the MinIO Play deployment at https://play.min.io.
You can also access this deployment using :mc:`mc` and using the ``play`` alias.
Documentation
-------------
The :guilabel:`Documentation` tab opens this documentation site in a separate browser window or tab.
Available Tasks
---------------
Once logged in to the MinIO Console, users can perform many kinds of tasks.
- :ref:`Manage objects <minio-console-managing-objects>` by browsing or uploading objects, managing bucket settings, or creating tiers.
- :ref:`Review or modify identity and security <minio-console-security-access>` with access keys, policies, and Identity Provider settings.
- :ref:`Monitor the health and activities <minio-console-managing-deployment>` with metrics, notifications, or site replication
- :ref:`Manage your deployment's license and SUBNET Subscription <minio-console-subscription>`
.. toctree::
:titlesonly:
:hidden:
/administration/console/managing-deployment
/administration/console/managing-objects
/administration/console/security-and-access
/administration/console/subnet-registration

BIN
source/images/minio-console/console-access-keys.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 45 KiB

BIN
source/images/minio-console/console-add-notification-target.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 111 KiB

BIN
source/images/minio-console/console-drives.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 102 KiB

BIN
source/images/minio-console/console-groups.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 62 KiB

BIN
source/images/minio-console/console-health.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 91 KiB

BIN
source/images/minio-console/console-inspect.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 142 KiB

BIN
source/images/minio-console/console-license.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 253 KiB

BIN
source/images/minio-console/console-login.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 28 KiB

BIN
source/images/minio-console/console-logs.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 131 KiB

BIN
source/images/minio-console/console-performance.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 85 KiB

BIN
source/images/minio-console/console-policies.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 59 KiB

BIN
source/images/minio-console/console-profile.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 87 KiB

BIN
source/images/minio-console/console-settings-notifications.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 88 KiB

BIN
source/images/minio-console/console-settings-tiers.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 84 KiB

BIN
source/images/minio-console/console-settings.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 60 KiB

BIN
source/images/minio-console/console-support-notifications.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 94 KiB

BIN
source/images/minio-console/console-trace.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 142 KiB

BIN
source/images/minio-console/console-users.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
source/images/minio-console/console-watch.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 163 KiB

BIN
source/images/minio-console/minio-console.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 128 KiB

After

Width:  |  Height:  |  Size: 600 KiB