From d674b2ea9027b0b24e5d9fd77e07dd7450a59aa9 Mon Sep 17 00:00:00 2001 From: Ravind Kumar Date: Mon, 7 Aug 2023 12:33:09 -0400 Subject: [PATCH] DOCS-872: Update condition key list (#935) Closes #872 --------- Co-authored-by: Andrea Longo --- .../policy-based-access-control.rst | 426 +++++++++++------- source/operations/concepts/erasure-coding.rst | 1 + .../reference/minio-server/minio-server.rst | 1 + 3 files changed, 255 insertions(+), 173 deletions(-) diff --git a/source/administration/identity-access-management/policy-based-access-control.rst b/source/administration/identity-access-management/policy-based-access-control.rst index c5c379bf..6d31136b 100644 --- a/source/administration/identity-access-management/policy-based-access-control.rst +++ b/source/administration/identity-access-management/policy-based-access-control.rst @@ -199,17 +199,16 @@ The maximum size for a policy document is 2048 characters. Supported S3 Policy Actions --------------------------- -MinIO policy documents support a subset of IAM -:iam-docs:`S3 Action keys `. +MinIO policy documents support a subset of IAM :iam-docs:`S3 Action keys `. +This section also includes any :ref:`condition keys ` supported by a specific action beyond the common set of supported keys. -The following actions control access to common S3 operations. The remaining -subsections document actions for more advanced S3 operations: +The following actions control access to common S3 operations. +The remaining subsections document actions for more advanced S3 operations: .. policy-action:: s3:* - Selector for *all* MinIO S3 operations. Applying this action to a given - resource allows the user to perform *any* S3 operation against that - resource. + Selector for *all* MinIO S3 operations. + Applying this action to a given resource allows the user to perform *any* S3 operation against that resource. .. policy-action:: s3:CreateBucket 
@@ -229,55 +228,102 @@ subsections document actions for more advanced S3 operations: .. policy-action:: s3:GetBucketLocation - Controls access to the :s3-api:`GetBucketLocation - ` S3 API operation. + Controls access to the :s3-api:`GetBucketLocation ` S3 API operation. .. policy-action:: s3:ListAllMyBuckets - Controls access to the :s3-api:`ListBuckets ` - S3 API operation. + Controls access to the :s3-api:`ListBuckets ` S3 API operation. .. policy-action:: s3:DeleteObject - Controls access to the :s3-api:`DeleteObject ` S3 API - operation. + Controls access to the :s3-api:`DeleteObject ` S3 API operation. .. policy-action:: s3:GetObject - Controls access to the :s3-api:`GetObject ` S3 API - operation. + Controls access to the :s3-api:`GetObject ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:x-amz-server-side-encryption + s3:x-amz-server-side-encryption-customer-algorithm + s3:ExistingObjectTag/ + s3:versionid .. policy-action:: s3:ListBucket - Controls access to the :s3-api:`ListObjectsV2 ` S3 API - operation. + Controls access to the :s3-api:`ListObjectsV2 ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:prefix + s3:delimiter + s3:max-keys .. policy-action:: s3:PutObject - Controls access to the :s3-api:`PutObject ` S3 API - operation. + Controls access to the :s3-api:`PutObject ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:x-amz-copy-source + s3:x-amz-server-side-encryption + s3:x-amz-server-side-encryption-customer-algorithm + s3:x-amz-metadata-directive + s3:x-amz-storage-class + s3:versionid + s3:object-lock-retain-until-date + s3:object-lock-mode + s3:object-lock-legal-hold + s3:RequestObjectTagKeys + s3:RequestObjectTag/ .. policy-action:: s3:PutObjectTagging - Controls access to the :s3-api:`PutObjectTagging ` - S3 API operation. 
+ Controls access to the :s3-api:`PutObjectTagging ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + s3:RequestObjectTagKeys + s3:RequestObjectTag/ .. policy-action:: s3:GetObjectTagging - Controls access to the :s3-api:`GetObjectTagging ` - S3 API operation. + Controls access to the :s3-api:`GetObjectTagging ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ .. policy-action:: s3:DeleteObjectTagging Controls access to the :s3-api:`DeleteObjectTagging ` S3 API operation. + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + Bucket Configuration ~~~~~~~~~~~~~~~~~~~~ .. policy-action:: s3:GetBucketPolicy - Controls access to the :s3-api:`GetBucketPolicy ` - S3 API operation. + Controls access to the :s3-api:`GetBucketPolicy ` S3 API operation. .. policy-action:: s3:PutBucketPolicy @@ -286,8 +332,7 @@ Bucket Configuration .. policy-action:: s3:DeleteBucketPolicy - Controls access to the :s3-api:`DeleteBucketPolicy - ` S3 API operation. + Controls access to the :s3-api:`DeleteBucketPolicy ` S3 API operation. .. policy-action:: s3:GetBucketTagging @@ -299,13 +344,19 @@ Bucket Configuration Controls access to the :s3-api:`PutBucketTagging ` S3 API operation. + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:RequestObjectTagKeys + s3:RequestObjectTag/ + Multipart Upload ~~~~~~~~~~~~~~~~ .. policy-action:: s3:AbortMultipartUpload - Controls access to the :s3-api:`AbortMultipartUpload - ` S3 API operation. + Controls access to the :s3-api:`AbortMultipartUpload ` S3 API operation. .. policy-action:: s3:ListMultipartUploadParts 
@@ -314,117 +365,193 @@ Multipart Upload .. policy-action:: s3:ListBucketMultipartUploads - Controls access to the :s3-api:`ListMultipartUploads - ` S3 API operation. + Controls access to the :s3-api:`ListMultipartUploads ` S3 API operation. Versioning and Retention ~~~~~~~~~~~~~~~~~~~~~~~~ .. policy-action:: s3:PutBucketVersioning - Controls access to the :s3-api:`PutBucketVersioning - ` S3 API operation. + Controls access to the :s3-api:`PutBucketVersioning ` S3 API operation. .. policy-action:: s3:GetBucketVersioning - Controls access to the :s3-api:`GetBucketVersioning - ` S3 API operation. + Controls access to the :s3-api:`GetBucketVersioning ` S3 API operation. .. policy-action:: s3:DeleteObjectVersion - Controls access to the :s3-api:`DeleteObjectVersion - ` S3 API operation. + Controls access to the :s3-api:`DeleteObjectVersion ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + + +.. policy-action:: s3:ListBucketVersions + + Controls access to the :s3-api:`ListBucketVersions ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:prefix + s3:delimiter + s3:max-keys + +.. policy-action:: s3:PutObjectVersionTagging + + Controls access to the :s3-api:`PutObjectVersionTagging ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + s3:RequestObjectTagKeys + s3:RequestObjectTag/ + +.. policy-action:: s3:GetObjectVersionTagging + + Controls access to the :s3-api:`GetObjectVersionTagging ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ .. policy-action:: s3:DeleteObjectVersionTagging - Controls access to the :s3-api:`DeleteObjectVersionTagging - ` S3 API operation. 
+ Controls access to the :s3-api:`DeleteObjectVersionTagging ` S3 API operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + .. policy-action:: s3:GetObjectVersion - Controls access to the :s3-api:`GetObjectVersion - ` S3 API operation. + Controls access to the :s3-api:`GetObjectVersion ` S3 API operation. + + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ .. policy-action:: s3:BypassGovernanceRetention - Controls access to the following S3 API operations on objects - locked under :mc-cmd:`GOVERNANCE ` - retention mode: + Controls access to the following S3 API operations on objects locked under :mc-cmd:`GOVERNANCE ` retention mode: - - ``PutObjectRetention`` - - ``PutObject`` - - ``DeleteObject`` + - ``s3:PutObjectRetention`` + - ``s3:PutObject`` + - ``s3:DeleteObject`` + + See the S3 documentation on :s3-docs:`s3:BypassGovernanceRetention ` for more information. - See the S3 documentation on :s3-docs:`s3:BypassGovernanceRetention - ` for more - information. + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:object-lock-remaining-retention-days + s3:object-lock-retain-until-date + s3:object-lock-mode + s3:object-lock-legal-hold + s3:RequestObjectTagKeys + s3:RequestObjectTag/ .. policy-action:: s3:PutObjectRetention - Controls access to the :s3-api:`PutObjectRetention - ` S3 API operation. + Controls access to the :s3-api:`PutObjectRetention ` S3 API operation. - Required for any ``PutObject`` operation that specifies - :ref:`retention metadata `. + Required for any ``PutObject`` operation that specifies :ref:`retention metadata `. + + Supports the following additional :ref:`condition keys `: + + .. 
code-block:: shell + + s3:x-amz-server-side-encryption + s3:x-amz-server-side-encryption-customer-algorithm + s3:x-amz-object-lock-remaining-retention-days + s3:x-amz-object-lock-retain-until-date + s3:x-amz-object-lock-mode + s3:versionid .. policy-action:: s3:GetObjectRetention - Controls access to the :s3-api:`GetObjectRetention - ` S3 API operation. + Controls access to the :s3-api:`GetObjectRetention ` S3 API operation. - Required for including :ref:`object locking metadata ` - as part of the response to a ``GetObject`` or ``HeadObject`` operation. + Required for including :ref:`object locking metadata ` as part of the response to a ``GetObject`` or ``HeadObject`` operation. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:x-amz-server-side-encryption + s3:x-amz-server-side-encryption-customer-algorithm + s3:versionid .. policy-action:: s3:GetObjectLegalHold - Controls access to the :s3-api:`GetObjectLegalHold - ` S3 API operation. + Controls access to the :s3-api:`GetObjectLegalHold ` S3 API operation. - Required for including :ref:`object locking metadata ` - as part of the response to a ``GetObject`` or ``HeadObject`` operation. + Required for including :ref:`object locking metadata ` as part of the response to a ``GetObject`` or ``HeadObject`` operation. .. policy-action:: s3:PutObjectLegalHold - Controls access to the :s3-api:`PutObjectLegalHold - ` S3 API operation. + Controls access to the :s3-api:`PutObjectLegalHold ` S3 API operation. - Required for any ``PutObject`` operation that specifies - :ref:`legal hold metadata `. + Required for any ``PutObject`` operation that specifies :ref:`legal hold metadata `. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:x-amz-server-side-encryption + s3:x-amz-server-side-encryption-customer-algorithm + s3:object-lock-legal-hold + s3:versionid .. 
policy-action:: s3:GetBucketObjectLockConfiguration - Controls access to the :s3-api:`GetObjectLockConfiguration - ` S3 API operation. + Controls access to the :s3-api:`GetObjectLockConfiguration ` S3 API operation. .. policy-action:: s3:PutBucketObjectLockConfiguration - Controls access to the :s3-api:`PutObjectLockConfiguration - ` S3 API operation. + Controls access to the :s3-api:`PutObjectLockConfiguration ` S3 API operation. Bucket Notifications ~~~~~~~~~~~~~~~~~~~~ .. policy-action:: s3:GetBucketNotification - Controls access to the :s3-api:`GetBucketNotification - ` S3 API operation. + Controls access to the :s3-api:`GetBucketNotification ` S3 API operation. .. policy-action:: s3:PutBucketNotification - Controls access to the :s3-api:`PutBucketNotification - ` S3 API operation. + Controls access to the :s3-api:`PutBucketNotification ` S3 API operation. .. policy-action:: s3:ListenNotification - MinIO Extension for controlling API operations related to MinIO Bucket - Notifications. + MinIO Extension for controlling API operations related to MinIO Bucket Notifications. This action is **not** intended for use with other S3-compatible services. .. policy-action:: s3:ListenBucketNotification - MinIO Extension for controlling API operations related to MinIO Bucket - Notifications. + MinIO Extension for controlling API operations related to MinIO Bucket Notifications. This action is **not** intended for use with other S3-compatible services. 
@@ -433,83 +560,96 @@ Object Lifecycle Management .. policy-action:: s3:PutLifecycleConfiguration - Controls access to the :s3-api:`PutLifecycleConfiguration - ` S3 API operation. + Controls access to the :s3-api:`PutLifecycleConfiguration ` S3 API operation. .. policy-action:: s3:GetLifecycleConfiguration - Controls access to the :s3-api:`GetLifecycleConfiguration - ` S3 API operation. + Controls access to the :s3-api:`GetLifecycleConfiguration ` S3 API operation. Object Encryption ~~~~~~~~~~~~~~~~~ .. policy-action:: s3:PutEncryptionConfiguration - Controls access to the :s3-api:`PutEncryptionConfiguration - ` S3 API operation. + Controls access to the :s3-api:`PutEncryptionConfiguration ` S3 API operation. .. policy-action:: s3:GetEncryptionConfiguration - Controls access to the :s3-api:`GetEncryptionConfiguration - ` S3 API operation. + Controls access to the :s3-api:`GetEncryptionConfiguration ` S3 API operation. Bucket Replication ~~~~~~~~~~~~~~~~~~ .. policy-action:: s3:GetReplicationConfiguration - Controls access to the :s3-api:`GetBucketReplication - ` S3 API operation. + Controls access to the :s3-api:`GetBucketReplication ` S3 API operation. .. policy-action:: s3:PutReplicationConfiguration - Controls access to the :s3-api:`PutBucketReplication - ` S3 API operation. + Controls access to the :s3-api:`PutBucketReplication ` S3 API operation. .. policy-action:: s3:ReplicateObject - MinIO Extension for controlling API operations related to - :ref:`Server-Side Bucket Replication `. + MinIO Extension for controlling API operations related to :ref:`Server-Side Bucket Replication `. - Required for server-side replication. + Required for MinIO server-side replication. + + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ .. policy-action:: s3:ReplicateDelete - MinIO Extension for controlling API operations related to - :ref:`Server-Side Bucket Replication `. 
+ MinIO Extension for controlling API operations related to :ref:`Server-Side Bucket Replication `. - Required for synchronizing delete operations as part of server-side - replication. + Required for synchronizing delete operations as part of MinIO server-side replication. + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + .. policy-action:: s3:ReplicateTags - MinIO Extension for controlling API operations related to - :ref:`Server-Side Bucket Replication `. + MinIO Extension for controlling API operations related to :ref:`Server-Side Bucket Replication `. - Required for server-side replication. + Required for MinIO server-side replication. + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + .. policy-action:: s3:GetObjectVersionForReplication - MinIO Extension for controlling API operations related to - :ref:`Server-Side Bucket Replication `. + MinIO Extension for controlling API operations related to :ref:`Server-Side Bucket Replication `. - Required for server-side replication. + Required for MinIO server-side replication. + Supports the following additional :ref:`condition keys `: + + .. code-block:: shell + + s3:versionid + s3:ExistingObjectTag/ + .. _minio-policy-conditions: +.. _minio-selected-conditional-actions: Supported S3 Policy Condition Keys ---------------------------------- -MinIO policy documents support IAM -:iam-docs:`conditional statements `. +MinIO policy documents support IAM :iam-docs:`conditional statements `. -Each condition element consists of -:iam-docs:`operators ` -and condition keys. MinIO supports a subset of IAM condition keys. For complete -information on any listed condition key, see the -:iam-docs:`IAM Condition Element Documentation -` +Each condition element consists of :iam-docs:`operators ` and condition keys. MinIO supports a subset of IAM condition keys. 
+For complete information on any listed condition key, see the :iam-docs:`IAM Condition Element Documentation ` MinIO supports the following condition keys for all supported :ref:`actions `: 
@@ -532,66 +672,7 @@ MinIO supports the following condition keys for all supported **Never** use these three keys to grant access by themselves. -.. _minio-selected-conditional-actions: - -The following table lists additional supported condition keys for specific -actions: - -.. list-table:: - :header-rows: 1 - :widths: 30 70 - :width: 100% - - * - Action Key - - Condition Keys - - * - :policy-action:`s3:GetObject` - - | ``x-amz-server-side-encryption`` - | ``x-amz-server-side-encryption-customer-algorithm`` - | ``s3:ExistingObjectTag/`` - - * - :policy-action:`s3:ListBucket` - - | ``prefix`` - | ``delimiter`` - | ``max-keys`` - - * - :policy-action:`s3:PutObject` - - | ``x-amz-copy-source`` - | ``x-amz-server-side-encryption`` - | ``x-amz-server-side-encryption-customer-algorithm`` - | ``x-amz-metadata-directive`` - | ``x-amz-storage-class`` - | ``object-lock-retain-until-date`` - | ``object-lock-mode`` - | ``object-lock-legal-hold`` - | ``s3:ExistingObjectTag/`` - - * - :policy-action:`s3:PutObjectRetention` - - | ``x-amz-object-lock-remaining-retention-days`` - | ``x-amz-object-lock-retain-until-date`` - | ``x-amz-object-lock-mode`` - - * - :policy-action:`s3:PutObjectLegalHold` - - ``object-lock-legal-hold`` - - * - :policy-action:`s3:BypassGovernanceRetention` - - | ``object-lock-remaining-retention-days`` - | ``object-lock-retain-until-date`` - | ``object-lock-mode`` - | ``object-lock-legal-hold`` - - * - :policy-action:`s3:GetObjectVersion` - - ``versionid`` - - * - :policy-action:`s3:DeleteObjectVersion` - - ``versionid`` - - * - :policy-action:`s3:PutObjectTagging` - - ``s3:ExistingObjectTag/`` - - * - :policy-action:`s3:DeleteObjectTagging` - - ``s3:ExistingObjectTag/`` - +For additional keys supported by a specific S3 action, see the reference documentation for that action. .. _minio-policy-mc-admin-actions: 
@@ -815,8 +896,7 @@ MinIO supports the following conditions for use with defining policies for - ``aws:CurrentTime`` - ``aws:EpochTime`` -For complete information on any listed condition key, see the :iam-docs:`IAM -Condition Element Documentation ` +For complete information on any listed condition key, see the :iam-docs:`IAM Condition Element Documentation `. Policy Variables ---------------- diff --git a/source/operations/concepts/erasure-coding.rst b/source/operations/concepts/erasure-coding.rst index 6c1077e7..8f427266 100644 --- a/source/operations/concepts/erasure-coding.rst +++ b/source/operations/concepts/erasure-coding.rst @@ -27,6 +27,7 @@ See :ref:`minio-availability-resiliency` and :ref:`minio-architecture` for more .. _minio-ec-basics: .. _minio-ec-erasure-set: +.. _minio-read-quorum: Erasure Coding Basics --------------------- diff --git a/source/reference/minio-server/minio-server.rst b/source/reference/minio-server/minio-server.rst index 8cc72faf..ad759093 100644 --- a/source/reference/minio-server/minio-server.rst +++ b/source/reference/minio-server/minio-server.rst @@ -524,6 +524,7 @@ Key Management Service and Encryption For a stateful KES server, this results in using the default enclave. .. _minio-server-envvar-storage-class: +.. _minio-ec-storage-class: Storage Class ~~~~~~~~~~~~~
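Review bot: In the `@@ -229,55 +228,102 @@` hunk the new per-action condition key lists are fenced as `.. code-block:: shell`, but condition key names such as `s3:prefix` are not shell input; `.. code-block:: text` or a bullet list of ``inline literals`` (the form the removed table used) would avoid the shell lexer mis-highlighting `:`-separated names. In the same hunk, the `s3:PutObject` list no longer carries `s3:ExistingObjectTag/`, which the removed table listed for that action; confirm that dropping it is intended and not lost in the move from table to per-action lists.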
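Review bot: In the `@@ -314,117 +365,193 @@` hunk the object-lock keys are spelled two ways: `s3:BypassGovernanceRetention` lists `s3:object-lock-remaining-retention-days`, `s3:object-lock-retain-until-date` and `s3:object-lock-mode`, while `s3:PutObjectRetention` lists the same keys as `s3:x-amz-object-lock-remaining-retention-days`, `s3:x-amz-object-lock-retain-until-date` and `s3:x-amz-object-lock-mode`. Only one spelling can be what the server evaluates in a Condition block; please confirm against the server's condition key list and use it consistently, since a policy written with the wrong spelling silently never matches. Also in this hunk, the `s3:BypassGovernanceRetention` bullets change from API operation names (``PutObjectRetention``) to action-key spelling (``s3:PutObjectRetention``) while the introducing sentence still says "S3 API operations"; either keep the operation names or turn them into `:policy-action:` cross-references. Minor: there are double blank lines before `.. policy-action:: s3:ListBucketVersions` and before the "Supports the following additional" paragraph under `s3:GetObjectVersion`.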
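Review bot: In the `@@ -433,83 +560,96 @@` hunk the label `.. _minio-selected-conditional-actions:` is re-added directly under `.. _minio-policy-conditions:`, so any existing `:ref:` to `minio-selected-conditional-actions` now lands on the general "Supported S3 Policy Condition Keys" heading rather than on per-action keys; either retarget those references to the "Supported S3 Policy Actions" section, where the per-action lists now live, or drop the alias so stale links fail the build instead of pointing at the wrong place. Also in this hunk, the sentence ending in `:iam-docs:`IAM Condition Element Documentation `` has no terminating period, while the same sentence in the `@@ -815,8 +896,7 @@` hunk gains one.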
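Review bot: In the `@@ -532,66 +672,7 @@` hunk the replacement sentence "For additional keys supported by a specific S3 action, see the reference documentation for that action." names no target; a `:ref:` to the "Supported S3 Policy Actions" section would let readers reach the per-action lists that replaced the table.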
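Review bot: The hunks in `source/operations/concepts/erasure-coding.rst` and `source/reference/minio-server/minio-server.rst` add the labels `_minio-read-quorum` and `_minio-ec-storage-class`, but nothing in this patch references them and the commit message (DOCS-872, condition key list) does not mention them; either note which pages link to these labels in the commit message or move them to the change that introduces those links.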