mirror of https://github.com/minio/docs.git synced 2025-06-05 19:57:02 +03:00

Final pass on platformization (#555)

Ravind Kumar 2022-09-16 16:40:20 -04:00 committed by GitHub
parent 5efcffbff1
commit d815aa9ce8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
144 changed files with 1510 additions and 1102 deletions

1
.gitignore vendored

@ -13,3 +13,4 @@ output.log
source/conf.py
package-lock.json
build.log
*.inv


@ -31,67 +31,90 @@ stage-%:
python -m http.server --directory $(BUILDDIR)/$(GITDIR)/$*/html/
@echo "Visit http://localhost:8000 to view the staged output"
# Platform build commands
# All platforms follow the same general pattern:
# - Rebuild source/conf.py
# - Synchronize relevant versions
# - If built with make SYNC_SDK=TRUE <platform>, synchronize SDK content from github
# - Compile SCSS
# - Build docs via Sphinx
linux:
ifeq ($(BUILD_DEPENDENCIES),FALSE)
@echo "Skipping Dependencies"
else
@cp source/default-conf.py source/conf.py
@make sync-minio-version
@make sync-kes-version
ifeq ($(SYNC_SDK),TRUE)
@echo "Synchronizing SDK content. Performing this operation too frequently may result in Github limiting API access"
@echo "Omit SYNC_SDK=TRUE to prevent SDK synchronization"
@make sync-sdks
else
@echo "Not synchronizing SDKs, pass SYNC_SDK=TRUE to synchronize SDK content"
endif
@npm run build
@$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@
windows:
ifeq ($(BUILD_DEPENDENCIES),FALSE)
@echo "Skipping Dependencies"
else
@cp source/default-conf.py source/conf.py
@make sync-minio-version
@make sync-kes-version
ifeq ($(SYNC_SDK),TRUE)
@echo "Synchronizing SDK content. Performing this operation too frequently may result in Github limiting API access"
@echo "Omit SYNC_SDK=TRUE to prevent SDK synchronization"
@make sync-sdks
else
@echo "Not synchronizing SDKs, pass SYNC_SDK=TRUE to synchronize SDK content"
endif
@npm run build
@$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@
macos:
ifeq ($(BUILD_DEPENDENCIES),FALSE)
@echo "Skipping Dependencies"
else
@cp source/default-conf.py source/conf.py
@make sync-minio-version
@make sync-kes-version
ifeq ($(SYNC_SDK),TRUE)
@echo "Synchronizing SDK content. Performing this operation too frequently may result in Github limiting API access"
@echo "Omit SYNC_SDK=TRUE to prevent SDK synchronization"
@make sync-sdks
else
@echo "Not synchronizing SDKs, pass SYNC_SDK=TRUE to synchronize SDK content"
endif
@npm run build
@$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@
k8s:
ifeq ($(BUILD_DEPENDENCIES),FALSE)
@echo "Skipping Dependencies"
else
@cp source/default-conf.py source/conf.py
@make sync-operator-version
@make sync-minio-version
@make sync-kes-version
ifeq ($(SYNC_SDK),TRUE)
@echo "Synchronizing SDK content. Performing this operation too frequently may result in Github limiting API access"
@echo "Omit SYNC_SDK=TRUE to prevent SDK synchronization"
@make sync-sdks
else
@echo "Not synchronizing SDKs, pass SYNC_SDK=TRUE to synchronize SDK content"
endif
@npm run build
@$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@
container:
ifeq ($(BUILD_DEPENDENCIES),FALSE)
@echo "Skipping Dependencies"
else
@cp source/default-conf.py source/conf.py
@make sync-minio-version
@make sync-kes-version
ifeq ($(SYNC_SDK),TRUE)
@echo "Synchronizing SDK content. Performing this operation too frequently may result in Github limiting API access"
@echo "Omit SYNC_SDK=TRUE to prevent SDK synchronization"
@make sync-sdks
else
@echo "Not synchronizing SDKs, pass SYNC_SDK=TRUE to synchronize SDK content"
endif
@npm run build
@$(SPHINXBUILD) -M html "$(SOURCEDIR)" "$(BUILDDIR)/$(GITDIR)/$@" $(SPHINXOPTS) $(O) -t $@
# Synchronization targets
# Note that the @case statements are required to account for differences between Linux and MacOS binaries
# Specifically, MacOS does not use GNU utils, so syntax is slightly different for things like sed
# Annoying but necessary
sync-operator-version:
@echo "Retrieving latest Operator version"
@$(eval OPERATOR = $(shell curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/minio/operator/releases/latest | sed "s/https:\/\/github.com\/minio\/operator\/releases\/tag\///"))
@ -294,6 +317,8 @@ sync-rust-docs:
;; \
esac
# This results in a lot of API operations to GitHub. You might hit request limits if you aren't careful.
sync-sdks:
# C++ and Rust repos do not have any releases yet.
# @make sync-cpp-docs
@ -305,6 +330,8 @@ sync-sdks:
@make sync-python-docs
# @make sync-rust-docs
# Can probably safely remove this at some point
sync-deps:
# C++ and Rust repos do not have any releases yet.
@echo "Synchronizing all external dependencies"
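Review bot: The recursive calls in the platform recipes (`@make sync-minio-version`, `@make sync-kes-version`, `@make sync-sdks`, and `@make sync-operator-version` under `k8s`) name a literal `make`, so a dry run does not descend into them, the jobserver is not shared, and the child may be a different make binary than the parent; `@$(MAKE) sync-sdks`, and the same for the others, avoids all three. The +/- markers are lost on this page, so which of these lines the commit itself adds is inferred from the hunk counts rather than seen. The `linux`, `windows`, `macos`, `container` and `k8s` recipes appear identical apart from the operator sync, so one rule listing several targets would keep the `SYNC_SDK` gate in a single place. In the visible `sync-operator-version` line, the tag taken from curl's final redirect URL goes into `$(eval OPERATOR = ...)` unchecked; a shape check on the value before it is used would keep an unexpected response (a rate-limit or error redirect, say) out of whatever the rest of that recipe writes, which is outside this view.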


@ -26,7 +26,7 @@ and destination buckets.
Client-side Bucket Replication
Use The command process to synchronize objects between buckets
within the same S3-compatible cluster *or* between two independent
S3-compatible clusters. Client-side replication using :mc-cmd:`mc mirror`
S3-compatible clusters. Client-side replication using :mc:`mc mirror`
supports MinIO-to-S3 and similar replication configurations.
.. admonition:: Bucket vs Site Replication
@ -84,8 +84,8 @@ Resynchronization (Disaster Recovery)
Resynchronization primarily supports recovery after partial or total loss of the
data on a MinIO deployment using a healthy deployment in the replica
configuration. Use the :mc-cmd:`mc replicate resync` command completely
resynchronize the remote target (:mc-cmd:`mc admin bucket remote`) using the
configuration. Use the :mc:`mc replicate resync` command completely
resynchronize the remote target (:mc:`mc admin bucket remote`) using the
specified source bucket.
The resynchronization process checks all objects in the source bucket against
@ -99,7 +99,7 @@ MinIO skips synchronizing those objects whose remote copy exactly match the
source, including object metadata. MinIO otherwise does not prioritize or modify
the queue with regards to the existing contents of the target.
:mc-cmd:`mc replicate resync` operates at the bucket level and does
:mc:`mc replicate resync` operates at the bucket level and does
*not* support prefix-level granularity. Initiating resynchronization on a large
bucket may result in a significant increase in replication-related load
and traffic. Use this command with caution and only when necessary.


@ -18,7 +18,7 @@ The procedure on this page configures automatic server-side bucket replication b
:alt: Active-Active Replication synchronizes data between multiple remote deployments.
:align: center
- To configure replication between arbitrary S3-compatible services, use :mc-cmd:`mc mirror`.
- To configure replication between arbitrary S3-compatible services, use :mc:`mc mirror`.
- To configure one-way "active-active" replication between two MinIO deployments, see :ref:`minio-bucket-replication-serverside-twoway`.
@ -28,11 +28,11 @@ Multi-Site Active-Active replication configurations can span multiple racks, dat
.. seealso::
- Use the :mc-cmd:`mc replicate edit` command to modify an existing replication rule.
- Use the :mc:`mc replicate edit` command to modify an existing replication rule.
- Use the :mc-cmd:`mc replicate edit` command with the :mc-cmd:`--state "disable" <mc replicate edit --state>` flag to disable an existing replication rule.
- Use the :mc:`mc replicate edit` command with the :mc-cmd:`--state "disable" <mc replicate edit --state>` flag to disable an existing replication rule.
- Use the :mc-cmd:`mc replicate rm` command to remove an existing replication rule.
- Use the :mc:`mc replicate rm` command to remove an existing replication rule.
.. _minio-bucket-replication-serverside-multi-requirements:
@ -154,7 +154,7 @@ Configure Multi-Site Bucket Replication Using the Command Line (:mc:`mc`)
This procedure uses the placeholder ``ALIAS`` to reference the :ref:`alias <alias>` each MinIO deployment being configured for replication. Replace these values with the appropriate alias for each MinIO deployment.
This procedure assumes each alias corresponds to a user with the :ref:`necessary replication permissions <minio-bucket-replication-serverside-multi-permissions>`.
This procedure assumes each alias corresponds to a user with the :ref:`necessary replication permissions <minio-bucket-replication-requirements>`.
.. _minio-bucket-replication-multi-site-minio-cli-create-remote-targets:
@ -210,4 +210,4 @@ Specifically, in this scenario, perform this step twice on each deployment:
Repeat this test on each deployment by copying a new unique file and checking that the file replicates to each of the other deployments.
You can also use :mc-cmd:`mc stat` to check the file to check the current :ref:`replication stage <minio-replication-process>` of the object.
You can also use :mc:`mc stat` to check the file to check the current :ref:`replication stage <minio-replication-process>` of the object.


@ -25,7 +25,7 @@ The buckets can be on the same MinIO deployment or on separate MinIO deployments
.. note::
To configure replication between arbitrary S3-compatible services (not necessarily MinIO), use :mc-cmd:`mc mirror`.
To configure replication between arbitrary S3-compatible services (not necessarily MinIO), use :mc:`mc mirror`.
Requirements
@ -150,8 +150,8 @@ This procedure assumes each alias corresponds to a user with the :ref:`necessary
.. seealso::
- Use the :mc-cmd:`mc replicate edit` command to modify an existing replication rule.
- Use the :mc:`mc replicate edit` command to modify an existing replication rule.
- Use the :mc-cmd:`mc replicate edit` command with the :mc-cmd:`--state "disable" <mc replicate edit --state>` flag to disable an existing replication rule.
- Use the :mc:`mc replicate edit` command with the :mc-cmd:`--state "disable" <mc replicate edit --state>` flag to disable an existing replication rule.
- Use the :mc-cmd:`mc replicate rm` command to remove an existing replication rule.
- Use the :mc:`mc replicate rm` command to remove an existing replication rule.


@ -17,7 +17,7 @@ The procedure on this page creates a new bucket replication rule for two-way "ac
:alt: Active-Active Replication synchronizes data between two remote clusters.
:align: center
- To configure replication between arbitrary S3-compatible services, use :mc-cmd:`mc mirror`.
- To configure replication between arbitrary S3-compatible services, use :mc:`mc mirror`.
- To configure one-way "active-passive" replication between MinIO clusters, see :ref:`minio-bucket-replication-serverside-oneway`.
@ -185,7 +185,7 @@ Change the alias for the different origin.
Change the ARN to the ARN generated on the second deployment for the desired bucket.
You should have two replication rules configured at the conclusion of this step - one created on each deployment that points to the bucket on the other deployment.
Use the :mc-cmd:`mc replicate ls` command to verify the created replication rules.
Use the :mc:`mc replicate ls` command to verify the created replication rules.
.. _minio-bucket-replication-two-way-minio-cli-verify-replication-config:
@ -202,9 +202,9 @@ Once both objects exist on both deployments, you have successfully set up two-wa
.. seealso::
- Use the :mc-cmd:`mc replicate edit` command to modify an existing
- Use the :mc:`mc replicate edit` command to modify an existing
replication rule.
- Use the :mc-cmd:`mc replicate edit` command with the :mc-cmd:`--state "disable" <mc replicate edit --state>` flag to disable an existing replication rule.
- Use the :mc:`mc replicate edit` command with the :mc-cmd:`--state "disable" <mc replicate edit --state>` flag to disable an existing replication rule.
- Use the :mc-cmd:`mc replicate rm` command to remove an existing replication rule.
- Use the :mc:`mc replicate rm` command to remove an existing replication rule.


@ -49,7 +49,7 @@ Resynchronization Requires Existing Replication Configuration
Resynchronization requires the healthy source deployment have an existing replication configuration for the unhealthy target bucket. Additionally, resynchronization only applies to those replication rules created with the :ref:`existing object replication <minio-replication-behavior-existing-objects>` option.
- Use :mc-cmd:`mc admin bucket remote ls` to review the configured remote targets on the healthy source bucket.
- Use :mc-cmd:`mc replicate ls` to review the configured replication rules on the healthy source bucket.
- Use :mc:`mc replicate ls` to review the configured replication rules on the healthy source bucket.
Replication Requires Matching Object Encryption Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -91,7 +91,7 @@ MinIO recommends configuring load balancers or proxies to direct traffic only to
- :mc-cmd:`mc replicate resync status` on the source to track the resynchronization progress.
- :mc-cmd:`mc replicate status` on the source and remote to track normal replication data.
- :mc:`mc replicate status` on the source and remote to track normal replication data.
- Run ``mc ls -r --versions ALIAS/BUCKET | wc -l`` against both source and remote to validate the total number of objects and object versions on each.
@ -177,6 +177,6 @@ process completes.
- If the ``TARGET`` bucket damage extends to replication rules, you must recreate those rules to match the previous replication configuration. See :ref:`minio-bucket-replication-serverside-twoway` for additional guidance.
- Perform basic validation that all buckets in the replication configuration show similar results for commands such as :mc-cmd:`mc ls` and :mc-cmd:`mc stat`.
- Perform basic validation that all buckets in the replication configuration show similar results for commands such as :mc:`mc ls` and :mc:`mc stat`.
- After restoring any replication rules and verifying replication between sites, you can configure the reverse proxy, load balancer, or other network control plane managing connections to resume sending traffic to the resynchronized deployment.


@ -54,7 +54,7 @@ users with common access patterns and workloads. Client's *cannot* authenticate
to a MinIO deployment using a group as an identity.
The :mc-cmd:`mc admin group` command supports the creation and management of
The :mc:`mc admin group` command supports the creation and management of
groups on the MinIO deployment. See the command reference for examples of
usage.


@ -19,7 +19,7 @@ key (password). Clients must authenticate their identity by specifying both
a valid access key (username) and the corresponding secret key (password) of
an existing MinIO user.
Administrators use the :mc-cmd:`mc admin user` command to create and manage
Administrators use the :mc:`mc admin user` command to create and manage
MinIO users. The :minio-git:`MinIO Console <console>` provides a graphical
interface for creating users.


@ -130,7 +130,7 @@ MinIO deployment:
mc admin user add ALIAS ACCESSKEY SECRETKEY
- Replace :mc-cmd:`ALIAS <mc admin user add TARGET>` with the
:mc-cmd:`alias <mc alias>` of the MinIO deployment.
:mc:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`ACCESSKEY <mc admin user add ACCESSKEY>` with the
access key for the user. MinIO allows retrieving the access key after
@ -167,7 +167,7 @@ MinIO deployment:
mc admin user remove ALIAS USERNAME
- Replace :mc-cmd:`ALIAS <mc admin user remove TARGET>` with the
:mc-cmd:`alias <mc alias>` of the MinIO deployment.
:mc:`alias <mc alias>` of the MinIO deployment.
- Replace :mc-cmd:`USERNAME <mc admin user remove USERNAME>` with the name of
the user to remove.


@ -77,6 +77,6 @@ Defer to the documentation for your preferred OIDC provider for instructions on
Creating Policies to Match Claims
---------------------------------
Use either the MinIO Console *or* the :mc-cmd:`mc admin policy` command to create policies that match one or more claim values:
Use either the MinIO Console *or* the :mc:`mc admin policy` command to create policies that match one or more claim values:
.. todo - instructions


@ -25,7 +25,7 @@ behavior. The MinIO documentation makes a best-effort to cover IAM-specific
behavior and functionality. Consider deferring to the :iam-docs:`IAM
documentation <>` for more complete documentation on AWS IAM-specific topics.
The :mc-cmd:`mc admin policy` command supports creation and management of
The :mc:`mc admin policy` command supports creation and management of
policies on the MinIO deployment. See the command reference for examples of
usage.
@ -58,10 +58,10 @@ MinIO provides the following built-in policies for assigning to
For example, this policy specifically supports GET operations on objects at a
specific path (e.g. ``GET play/mybucket/object.file``), such as:
- :mc-cmd:`mc cp`
- :mc-cmd:`mc stat`
- :mc-cmd:`mc head`
- :mc-cmd:`mc cat`
- :mc:`mc cp`
- :mc:`mc stat`
- :mc:`mc head`
- :mc:`mc cat`
The exclusion of listing permissions is intentional, as typical use cases
do not intend for a "read-only" role to have complete discoverability
@ -124,7 +124,7 @@ as that user:
* - ``Admin``
- :policy-action:`admin:*`
- All :mc-cmd:`mc admin` commands.
- All :mc:`mc admin` commands.
Each user can access only those resources and operations which are *explicitly*
granted by the built-in role. MinIO denies access to any other resource or
@ -574,7 +574,7 @@ actions:
-------------------------------
MinIO supports the following actions for use with defining policies
for :mc-cmd:`mc admin` operations. These actions are *only* valid for
for :mc:`mc admin` operations. These actions are *only* valid for
MinIO deployments and are *not* intended for use with other S3-compatible
services:
@ -745,12 +745,12 @@ services:
.. policy-action:: admin:SetTier
Allows creating and modifying remote storage tiers using the
:mc-cmd:`mc admin tier` command.
:mc:`mc admin tier` command.
.. policy-action:: admin:ListTier
Allows listing configured remote storage tiers using the
:mc-cmd:`mc admin tier` command.
:mc:`mc admin tier` command.
.. policy-action:: admin:BandwidthMonitor
@ -765,7 +765,7 @@ services:
----------------------------------
MinIO supports the following conditions for use with defining policies for
:mc-cmd:`mc admin` :ref:`actions <minio-policy-mc-admin-actions>`.
:mc:`mc admin` :ref:`actions <minio-policy-mc-admin-actions>`.
- ``aws:Referer``
- ``aws:SourceIp``


@ -44,7 +44,6 @@ Server Logs
MinIO provides the following interfaces for remotely reading server logs:
- The MinIO Console provides a server log viewer at <details>
- The :mc:`mc admin console` command returns the specified server's console output.
- MinIO supports pushing server logs to an HTTP webhook for further ingestion.
See :ref:`minio-logging-publish-server-logs` for more information.


@ -191,7 +191,7 @@ the associated AMQP deployment as a target.
3) Configure Bucket Notifications using the AMQP Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured AMQP service as a target:
.. code-block:: shell
@ -206,7 +206,7 @@ event with the configured AMQP service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -224,7 +224,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -353,7 +353,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -183,7 +183,7 @@ the associated Elasticsearch deployment as a target.
3) Configure Bucket Notifications using the Elasticsearch Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured Elasticsearch service as a target:
.. code-block:: shell
@ -198,7 +198,7 @@ event with the configured Elasticsearch service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -216,7 +216,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -335,7 +335,7 @@ notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -190,7 +190,7 @@ the associated Kafka deployment as a target.
3) Configure Bucket Notifications using the Kafka Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured Kafka service as a target:
.. code-block:: shell
@ -205,7 +205,7 @@ event with the configured Kafka service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -223,7 +223,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -347,7 +347,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -194,7 +194,7 @@ the associated MQTT deployment as a target.
1) Configure Bucket Notifications using the MQTT Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured MQTT service as a target:
.. code-block:: shell
@ -209,7 +209,7 @@ event with the configured MQTT service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -227,7 +227,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -360,7 +360,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -181,7 +181,7 @@ the associated MySQL deployment as a target.
3) Configure Bucket Notifications using the MySQL Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured MySQL service as a target:
.. code-block:: shell
@ -196,7 +196,7 @@ event with the configured MySQL service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -214,7 +214,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -333,7 +333,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -181,7 +181,7 @@ the associated NATS deployment as a target.
3) Configure Bucket Notifications using the NATS Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured NATS service as a target:
.. code-block:: shell
@ -196,7 +196,7 @@ event with the configured NATS service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -214,7 +214,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -333,7 +333,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -161,7 +161,7 @@ You must specify the ARN resource when configuring bucket notifications with the
3) Configure Bucket Notifications using the NSQ Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification event with the configured NSQ service as a target:
Use the :mc:`mc event add` command to add a new bucket notification event with the configured NSQ service as a target:
.. code-block:: shell
:class: copyable
@ -174,7 +174,7 @@ Use the :mc-cmd:`mc event add` command to add a new bucket notification event wi
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for a given notification target:
Use :mc:`mc event list` to view all configured bucket events for a given notification target:
.. code-block:: shell
:class: copyable
@ -187,7 +187,7 @@ Use :mc-cmd:`mc event list` to view all configured bucket events for a given not
Perform an action on the bucket for which you configured the new event and check the NSQ service for the notification data.
The action required depends on which :mc-cmd:`events <mc event add --event>` were specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the ``s3:ObjectCreated:Put`` event, you can use the :mc-cmd:`mc cp` command to create a new object in the bucket and trigger a notification.
For example, if the bucket notification configuration includes the ``s3:ObjectCreated:Put`` event, you can use the :mc:`mc cp` command to create a new object in the bucket and trigger a notification.
.. code-block:: shell
:class: copyable
@ -280,7 +280,7 @@ The :mc:`minio server` process prints a line on startup for each configured NSQ
Perform an action on a bucket which has an event configuration using the updated NSQ service endpoint and check the NSQ service for the notification data.
The action required depends on which :mc-cmd:`events <mc event add --event>` were specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the ``s3:ObjectCreated:Put`` event, you can use the :mc-cmd:`mc cp` command to create a new object in the bucket and trigger a notification.
For example, if the bucket notification configuration includes the ``s3:ObjectCreated:Put`` event, you can use the :mc:`mc cp` command to create a new object in the bucket and trigger a notification.
.. code-block:: shell
:class: copyable


@ -184,7 +184,7 @@ the associated PostgreSQL deployment as a target.
3) Configure Bucket Notifications using the PostgreSQL Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured PostgreSQL service as a target:
.. code-block:: shell
@ -198,7 +198,7 @@ event with the configured PostgreSQL service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -216,7 +216,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -337,7 +337,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -164,7 +164,7 @@ the associated Redis deployment as a target.
3) Configure Bucket Notifications using the Redis Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured Redis service as a target:
.. code-block:: shell
@ -179,7 +179,7 @@ event with the configured Redis service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -197,7 +197,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -306,7 +306,7 @@ specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -162,7 +162,7 @@ the associated Webhook deployment as a target.
3) Configure Bucket Notifications using the Webhook Endpoint as a Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc event add` command to add a new bucket notification
Use the :mc:`mc event add` command to add a new bucket notification
event with the configured Webhook service as a target:
.. code-block:: shell
@ -177,7 +177,7 @@ event with the configured Webhook service as a target:
- Replace ``EVENTS`` with a comma-separated list of :ref:`events
<mc-event-supported-events>` for which MinIO triggers notifications.
Use :mc-cmd:`mc event list` to view all configured bucket events for
Use :mc:`mc event list` to view all configured bucket events for
a given notification target:
.. code-block:: shell
@ -195,7 +195,7 @@ when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell
@ -304,7 +304,7 @@ were specified when configuring the bucket notification.
For example, if the bucket notification configuration includes the
``s3:ObjectCreated:Put`` event, you can use the
:mc-cmd:`mc cp` command to create a new object in the bucket and trigger
:mc:`mc cp` command to create a new object in the bucket and trigger
a notification.
.. code-block:: shell


@ -62,7 +62,7 @@ transition lifecycle management rules on any bucket in the cluster:.
Expire Objects after Number of Days
-----------------------------------
Use :mc-cmd:`mc ilm add` with :mc-cmd:`~mc ilm add --expiry-days` to
Use :mc:`mc ilm add` with :mc-cmd:`~mc ilm add --expiry-days` to
expire bucket contents a number of days after object creation:
.. code-block:: shell
@ -83,7 +83,7 @@ expire bucket contents a number of days after object creation:
Expire Versioned Objects
------------------------
Use :mc-cmd:`mc ilm add` to expiring noncurrent object versions and object
Use :mc:`mc ilm add` to expiring noncurrent object versions and object
delete markers:
- To expire noncurrent object versions after a specific duration in days,


@ -41,7 +41,7 @@ clusters in private or public cloud infrastructure to low-cost private or public
cloud storage solutions. MinIO manages retrieving tiered objects on-the-fly
without any additional application-side logic.
Use the :mc-cmd:`mc admin tier` command to create a remote target for tiering
Use the :mc:`mc admin tier` command to create a remote target for tiering
data to a supported Cloud Service Provider object storage. You can then use the
:mc-cmd:`mc ilm add --transition-days` command to transition objects to the
remote tier after a specified number of calendar days.


@ -217,7 +217,7 @@ the MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
.. tab-item:: MinIO CLI
:sync: cli
Use the :mc-cmd:`mc mb` command with the :mc-cmd:`~mc mb --with-lock`
Use the :mc:`mc mb` command with the :mc-cmd:`~mc mb --with-lock`
option to create a bucket with object locking enabled:
.. code-block:: shell
@ -229,7 +229,7 @@ the MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
MinIO deployment.
- Replace ``BUCKET`` with the
:mc:`name <mc version ALIAS>` of the bucket to create.
:mc-cmd:`name <mc version ALIAS>` of the bucket to create.
Configure Bucket-Default Object Retention
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -275,7 +275,7 @@ preferred SDK.
.. tab-item:: MinIO CLI
:sync: cli
Use the :mc-cmd:`mc retention set` command with the
Use the :mc:`mc retention set` command with the
:mc-cmd:`--recursive <mc retention set --recursive>` and
:mc-cmd:`--default <mc retention set --default>` options to set the
default retention mode for a bucket:


@ -248,7 +248,7 @@ enable versioning on only a prefix or subset of objects in a bucket.
MinIO deployment.
- Replace ``BUCKET`` with the
:mc:`target bucket <mc version ALIAS>` on which to enable
:mc-cmd:`target bucket <mc version ALIAS>` on which to enable
versioning.
Objects created prior to enabling versioning have a
@ -297,7 +297,7 @@ MinIO :mc:`mc` CLI, or using an S3-compatible SDK.
MinIO deployment.
- Replace ``BUCKET`` with the
:mc:`target bucket <mc version ALIAS>` on which to disable
:mc-cmd:`target bucket <mc version ALIAS>` on which to disable
versioning.
Objects created while versioning is suspended are assigned a ``null`` :ref:`version ID <minio-bucket-versioning-id>`.


@ -198,7 +198,7 @@ The example above uses the following arguments:
4) Verify the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc ilm ls` command to review the configured transition
Use the :mc:`mc ilm ls` command to review the configured transition
rules:
.. code-block:: shell


@ -192,7 +192,7 @@ The example above uses the following arguments:
4) Verify the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc ilm ls` command to review the configured transition
Use the :mc:`mc ilm ls` command to review the configured transition
rules:
.. code-block:: shell


@ -210,7 +210,7 @@ The example above uses the following arguments:
4) Verify the Transition Rule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc ilm ls` command to review the configured transition
Use the :mc:`mc ilm ls` command to review the configured transition
rules:
.. code-block:: shell


@ -36,7 +36,7 @@ only decrypt an object if it can access both the KMS *and* the |EK| used to
encrypt that object.
You can enable bucket-default SSE-KMS encryption using the
:mc-cmd:`mc encrypt set` command:
:mc:`mc encrypt set` command:
.. code-block:: shell
:class: copyable
@ -46,7 +46,7 @@ You can enable bucket-default SSE-KMS encryption using the
- Replace ``EXTERNALKEY`` with the name of the |EK| to use for encrypting
objects in the bucket.
- Replace ``play/mybucket`` with the :mc-cmd:`alias <mc alias>` and bucket
- Replace ``play/mybucket`` with the :mc:`alias <mc alias>` and bucket
on which you want to enable automatic SSE-KMS encryption.
MinIO SSE-KMS is functionally compatible with AWS S3
@ -210,7 +210,7 @@ restart.
4) Configure Automatic Bucket Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`mc encrypt set` command to enable automatic SSE-KMS protection
Use the :mc:`mc encrypt set` command to enable automatic SSE-KMS protection
of all objects written to a specific bucket.
.. code-block:: shell


@ -35,14 +35,14 @@ Key Management System (KMS). You must specify the |EK| using the
MinIO server. MinIO uses the same EK for *all* SSE-S3 cryptographic operations.
You can enable bucket-default SSE-S3 encryption using the
:mc-cmd:`mc encrypt set` command:
:mc:`mc encrypt set` command:
.. code-block:: shell
:class: copyable
mc encrypt set sse-s3 play/mybucket
- Replace ``play/mybucket`` with the :mc-cmd:`alias <mc alias>` and bucket
- Replace ``play/mybucket`` with the :mc:`alias <mc alias>` and bucket
on which you want to enable automatic SSE-KMS encryption.
MinIO SSE-S3 is functionally compatible with AWS S3
@ -210,7 +210,7 @@ restart.
You can skip this step if you intend to use only client-driven SSE-S3.
Use the :mc-cmd:`mc encrypt set` command to enable automatic SSE-S3 protection
Use the :mc:`mc encrypt set` command to enable automatic SSE-S3 protection
of all objects written to a specific bucket.
.. code-block:: shell


@ -84,9 +84,8 @@ extlinks = {
suppress_warnings = [
'toc.excluded',
'ref.myst',
'myst.header',
'myst'
'ref.myst'
]
# Add any paths that contain templates here, relative to this directory.
@ -140,19 +139,10 @@ elif tags.has("macos"):
'operations/install-deploy-manage/delete-minio-tenant.rst',
'operations/install-deploy-manage/minio-operator-console.rst',
'operations/deploy-manage-tenants.rst',
'reference/kubectl-minio-plugin.rst',
'reference/kubectl-minio-plugin/kubectl-minio-delete.rst',
'reference/kubectl-minio-plugin/kubectl-minio-init.rst',
'reference/kubectl-minio-plugin/kubectl-minio-proxy.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-create.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-delete.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-expand.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-info.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-list.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-report.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-upgrade.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant.rst',
'reference/kubectl-minio-plugin/kubectl-minio-version.rst',
'reference/kubectl-minio-plugin*',
'reference/minio-server*',
'reference/minio-mc*',
'developers/*'
]
elif tags.has("windows"):
# html_baseurl is used for generating the sitemap.xml for each platform. These are combined in a sitemapindex.xml.
@ -166,19 +156,10 @@ elif tags.has("windows"):
'operations/install-deploy-manage/delete-minio-tenant.rst',
'operations/install-deploy-manage/minio-operator-console.rst',
'operations/deploy-manage-tenants.rst',
'reference/kubectl-minio-plugin.rst',
'reference/kubectl-minio-plugin/kubectl-minio-delete.rst',
'reference/kubectl-minio-plugin/kubectl-minio-init.rst',
'reference/kubectl-minio-plugin/kubectl-minio-proxy.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-create.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-delete.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-expand.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-info.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-list.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-report.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-upgrade.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant.rst',
'reference/kubectl-minio-plugin/kubectl-minio-version.rst',
'reference/kubectl-minio-plugin*',
'reference/minio-server*',
'reference/minio-mc*',
'developers/*'
]
elif tags.has("container"):
html_baseurl = 'https://min.io/docs/minio/container/'
@ -193,19 +174,10 @@ elif tags.has("container"):
'operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.rst',
'operations/install-deploy-manage/multi-site-replication.rst',
'operations/deploy-manage-tenants.rst',
'reference/kubectl-minio-plugin.rst',
'reference/kubectl-minio-plugin/kubectl-minio-delete.rst',
'reference/kubectl-minio-plugin/kubectl-minio-init.rst',
'reference/kubectl-minio-plugin/kubectl-minio-proxy.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-create.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-delete.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-expand.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-info.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-list.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-report.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant-upgrade.rst',
'reference/kubectl-minio-plugin/kubectl-minio-tenant.rst',
'reference/kubectl-minio-plugin/kubectl-minio-version.rst',
'reference/kubectl-minio-plugin*',
'reference/minio-server*',
'reference/minio-mc*',
'developers/*'
]
elif tags.has("k8s"):
html_baseurl = 'https://min.io/docs/minio/kubernetes/upstream/'
@ -217,7 +189,9 @@ elif tags.has("k8s"):
'operations/install-deploy-manage/expand-minio-deployment.rst',
'operations/install-deploy-manage/decommission-server-pool.rst',
'operations/manage-existing-deployments.rst',
'reference/minio-server*'
'reference/minio-server*',
'reference/minio-mc*',
'developers/*'
]
else:
@ -287,8 +261,8 @@ sphinx_tabs_disable_css_loading = True
# k8s is temporary until integrating the references here
intersphinx_mapping = {
'linux': ('https://www.min.io/docs/minio/linux/', None),
'kubernetes': ('https://www.min.io/docs/minio/kubernetes/upstream/', None),
'linux' : ('https://min.io/docs/minio/linux/', None),
'kubernetes' : ('https://min.io/docs/minio/kubernetes/upstream/',None)
}
rst_prolog = """
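Review bot: The two `intersphinx_mapping` entries in the last hunk of this section pass `None` as the inventory location, so each build fetches `objects.inv` from the published site and resolves cross-references against whatever is live there rather than against the tree being built. That makes the build depend on network access and on remote content; adding a local fallback, e.g. `'linux': ('https://min.io/docs/minio/linux/', (None, '<local-linux-inventory-path>')),` (placeholder path), would keep it reproducible. The replacement lines (apparently the `https://min.io/...` pair) also lose the spacing of the lines they replace: `'linux' :` and `,None)` would read better as `'linux': (..., None),`.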


@ -1,6 +1,6 @@
.. start-create-transition-rule-desc
Use the :mc-cmd:`mc ilm add` command to create a new transition rule
Use the :mc:`mc ilm add` command to create a new transition rule
for the bucket. The following example configures transition after the
specified number of calendar days:


@ -19,7 +19,7 @@ MinIO does *not* support replicating client-side encrypted objects (SSE-C).
MinIO server-side replication only works between MinIO deployments.
Both the source and destination deployments *must* run MinIO.
To configure replication between arbitrary S3-compatible services, use :mc-cmd:`mc mirror`.
To configure replication between arbitrary S3-compatible services, use :mc:`mc mirror`.
.. end-replication-minio-only
@ -115,7 +115,7 @@ Each MinIO deployment ("peer site") synchronizes the following changes across th
- Bucket and Object Configurations
- :ref:`Policies <minio-policy>`
- :mc-cmd:`mc tag set`
- :mc:`mc tag set`
- :ref:`Locks <minio-object-locking>`, including retention and legal hold configurations
- :ref:`Encryption settings <minio-encryption-overview>`


@ -121,7 +121,7 @@ F) Select :guilabel:`Save` to finish adding the replication rule
.. start-create-bucket-replication-rule-cli-desc
Use the :mc-cmd:`mc replicate add` command to add a new replication rule to each MinIO deployment.
Use the :mc:`mc replicate add` command to add a new replication rule to each MinIO deployment.
.. code-block:: shell
:class: copyable
@ -147,7 +147,7 @@ Use the :mc-cmd:`mc replicate add` command to add a new replication rule to each
See :mc-cmd:`mc replicate add --replicate` for more complete documentation.
Omit any field to disable replication of that component.
Specify any other supported optional arguments for :mc-cmd:`mc replicate add`.
Specify any other supported optional arguments for :mc:`mc replicate add`.
.. end-create-bucket-replication-rule-cli-desc
@ -175,14 +175,14 @@ F) Go to the other deployment's console and select the destination bucket define
.. start-validate-bucket-replication-cli-desc
Use :mc-cmd:`mc cp` to copy a new object to the replicated bucket on one of the deployments.
Use :mc:`mc cp` to copy a new object to the replicated bucket on one of the deployments.
.. code-block:: shell
:class: copyable
mc cp ~/foo.txt ALIAS/BUCKET
Use :mc-cmd:`mc ls` to verify the object exists on the destination bucket:
Use :mc:`mc ls` to verify the object exists on the destination bucket:
.. code-block:: shell
:class: copyable


@ -91,7 +91,7 @@ Include any other environment variables as required for your local deployment.
You can access the MinIO deployment over a Terminal or Shell using the :ref:`MinIO Client <minio-client>` (:mc:`mc`).
See :ref:`MinIO Client Installation Quickstart <mc-install>` for instructions on installing :mc:`mc`.
Create a new :mc-cmd:`alias <mc alias set>` corresponding to the MinIO deployment.
Create a new :mc:`alias <mc alias set>` corresponding to the MinIO deployment.
Specify any of the hostnames or IP addresses from the MinIO Server ``API`` block, such as http://localhost:9000.
.. code-block:: shell


@ -109,7 +109,7 @@ If you run |KES| without tying it to the current shell session (e.g. with ``nohu
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to add a new |EK| for use with |SSE|.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to add a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.


@ -90,7 +90,7 @@ The instructions include examples for both quay.io and DockerHub:
You can access the MinIO deployment over a Terminal or Shell using the :ref:`MinIO Client <minio-client>` (:mc:`mc`).
See :ref:`MinIO Client Installation Quickstart <mc-install>` for instructions on installing :mc:`mc`.
Create a new :mc-cmd:`alias <mc alias set>` corresponding to the MinIO deployment.
Create a new :mc:`alias <mc alias set>` corresponding to the MinIO deployment.
Use a hostname or IP address for your local machine along with the S3 API port ``9000`` to access the MinIO deployment.
Any traffic to that port on the local host redirects to the container.


@ -125,7 +125,7 @@ KES automatically creates this key if it does not already exist on the root KMS.
MinIO requires that the |EK| exist on the root KMS *before* performing
|SSE| operations using that key. Use ``kes key create`` *or*
:mc:`mc admin kms key create` to create a new |EK| for use with |SSE|.
:mc-cmd:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new
External Key (EK) stored on the root KMS server for use with encrypting


@ -253,8 +253,8 @@ Procedure
chmod +x mc
sudo mv mc /usr/local/bin/mc
Use :mc-cmd:`mc alias set` to create a new alias associated to your local deployment.
You can run :mc-cmd:`mc` commands against this alias:
Use :mc:`mc alias set` to create a new alias associated to your local deployment.
You can run :mc:`mc` commands against this alias:
.. code-block:: shell
:class: copyable
@ -264,7 +264,7 @@ Procedure
Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags.
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server
@ -310,7 +310,7 @@ Procedure
chmod +x mc
sudo mv mc /usr/local/bin/mc
Use :mc-cmd:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -320,7 +320,7 @@ Procedure
Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags.
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server
@ -343,7 +343,7 @@ Procedure
\path\to\mc.exe --help
Use :mc-cmd:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -353,7 +353,7 @@ Procedure
Replace ``{MINIO_ROOT_USER}`` and ``{MINIO_ROOT_PASSWORD}`` with the credentials you defined for the container with the ``-e`` flags.
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server


@ -116,7 +116,7 @@ The following table describes each line of the command and provides additional c
* - ``minio server --console-address ":9090"``
- Starts the MinIO server using the ``minio:minio`` image pulled from an earlier step.
The :mc:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
The :mc-cmd:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
This option is *required* for containerized environments.
If you modify this value, ensure you set the proper port mapping using the ``-p`` flag to Podman/Docker to ensure traffic forwarding between the local host and the container.


@ -107,7 +107,7 @@ The following table describes each line of the command and provides additional c
* - ``minio server --console-address ":9090"``
- Starts the MinIO server using the ``minio:minio`` image pulled from an earlier step.
The :mc:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
The :mc-cmd:`minio server --console-address ":9090" <minio server --console-address>` option directs the server to set a static port for the MinIO Console Web Interface.
This option is *required* for containerized environments.
If you modify this value, ensure you set the proper port mapping using the ``-p`` flag to Podman/Docker to ensure traffic forwarding between the local host and the container.


@ -1,6 +1,6 @@
.. start-minio-only
MinIO does not support using :mc-cmd:`mc admin` commands with other
MinIO does not support using :mc:`mc admin` commands with other
S3-compatible services, regardless of their claimed compatibility with MinIO
deployments.


@ -11,7 +11,7 @@ existed at specified point-in-time.
|rewind| requires that the specified |alias| be an S3-compatible service
that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
:mc-cmd:`mc version` to enable or disable bucket versioning.
:mc:`mc version` to enable or disable bucket versioning.
.. end-rewind-desc
@ -22,7 +22,7 @@ bucket.
|versions| requires that the specified |alias| be an S3-compatible service
that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
:mc-cmd:`mc version` to enable or disable bucket versioning.
:mc:`mc version` to enable or disable bucket versioning.
.. end-versions-desc
@ -32,7 +32,7 @@ that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
|versionid| requires that the specified |alias| be an S3-compatible service
that supports :ref:`minio-bucket-versioning`. For MinIO deployments, use
:mc-cmd:`mc version` to enable or disable bucket versioning.
:mc:`mc version` to enable or disable bucket versioning.
.. end-version-id-desc


@ -4,7 +4,8 @@ This procedure assumes an existing `Hashicorp Vault <https://www.vaultproject.io
- For Vault deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the Vault service.
- For Vault deployments external to the Kubernetes cluster, you must configure Ingress or a similar network control plane component to allow the MinIO Tenant to establish connectivity to Vault.
- For Vault deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.
Defer to the `Vault Documentation <https://learn.hashicorp.com/vault>`__ for guidance on deployment and configuration.
@ -80,7 +81,7 @@ You can use either the MinIO Tenant Console or the MinIO :mc:`mc` CLI to enable
.. start-kes-generate-key-desc
MinIO requires that the |EK| for a given bucket or object exist on the root KMS *before* performing |SSE| operations using that key.
You can use the :mc:`mc admin kms key create` command against the MinIO Tenant.
You can use the :mc-cmd:`mc admin kms key create` command against the MinIO Tenant.
You must ensure your local host can access the MinIO Tenant pods and services before using :mc:`mc` to manage the Tenant.
You can manually :ref:`port forward <create-tenant-operator-forward-ports>` the ``minio`` service for temporary access via the local host.


@ -0,0 +1,10 @@
.. start-requires-operator-plugin
Ensure your target Kubernetes cluster has a valid and working installation of the MinIO Kubernetes Operator.
The host machine from which you perform the procedure should have a matching installation of the MinIO Kubernetes Plugin
This documentation assumes the latest stable Operator and Plugin version |operator-version-stable|.
.. end-requires-operator-plugin


@ -144,7 +144,7 @@ Procedure
#. **(Optional) Connect the MinIO Client**
If your local machine has :mc:`mc` :ref:`installed <mc-install>`, use the :mc-cmd:`mc alias set` command to authenticate and connect to the MinIO deployment:
If your local machine has :mc:`mc` :ref:`installed <mc-install>`, use the :mc:`mc alias set` command to authenticate and connect to the MinIO deployment:
.. code-block:: shell
:class: copyable


@ -0,0 +1,141 @@
Deploy MinIO Tenant with Active Directory / LDAP Identity Management
--------------------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
If you are modifying an existing Tenant, select that Tenant from the list.
The following steps reference the necessary sections and configuration settings for existing Tenants.
2) Complete the :guilabel:`Identity Provider` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To enable external identity management with an Active Directory / LDAP provider, select the :guilabel:`Identity Provider` section.
You can then change the radio button to :guilabel:`Active Directory` to display the configuration settings.
.. image:: /images/k8s/operator-create-tenant-identity-provider-adldap.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - LDAP Server Address
- The hostname of the Active Directory or LDAP server.
* - Lookup Bind DN
- The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server.
See :ref:`minio-external-identity-management-ad-ldap-lookup-bind` for more information.
* - List of user DNs (Distinguished Names) to be Tenant Administrators
- Specify a user :abbr:`DNs (Distinguished Names)` which MinIO assigns a :ref:`policy <minio-policy>` with administrative permissions for the Tenant.
You can specify multiple :abbr:`DNs (Distinguished Names)` by selecting the plus :octicon:`plus-circle` icon.
You can delete a DN by selecting the trash can :octicon:`trash` icon for that DN.
Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Assign Policies to AD/LDAP Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO by default assigns no :ref:`policies <minio-policy>` to AD/LDAP users or groups.
You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment.
The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
Use the :mc-cmd:`mc admin policy set` command to assign a user or group DN to an existing MinIO Policy:
.. code-block:: shell
:class: copyable
mc admin policy set minio-tenant POLICY user='uid=primary,cn=applications,dc=domain,dc=com'
mc admin policy set minio-tenant policy group='cn=applications,ou=groups,dc=domain,dc=com'
Replace ``POLICY`` with the name of the MinIO policy to assign to the user or group DN.
See :ref:`minio-external-identity-management-ad-ldap-access-control` for more information on access control with AD/LDAP users and groups.
4) Use the MinIO Tenant Console to Log In with AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
See the :ref:`Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console>` for instructions on accessing the Tenant Console.
If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials.
Enter the user's AD/LDAP credentials and log in to access the Console.
Once logged in, you can perform any action for which the authenticated user is :ref:`authorized <minio-external-identity-management-ad-ldap-access-control>`.
You can also create :ref:`service accounts <minio-idp-service-account>` for supporting applications which must perform operations on MinIO.
Service accounts are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service account.
5) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API endpoint.
MinIO provides an example Go application :minio-git:`ldap.go <minio/blob/master/docs/sts/ldap.go>` with an example of managing this workflow.
.. code-block:: shell
POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}
- Replace ``minio.example.net`` with the hostname or URL for the MinIO Tenant service.
- Replace the ``LDAPUsername`` with the username of the AD/LDAP user.
- Replace the ``LDAPPassword`` with the password of the AD/LDAP user.
- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials.
Omit to use the :ref:`policy whose name matches <minio-external-identity-management-ad-ldap-access-control>` the Distinguished Name (DN) of the AD/LDAP user.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date.
Applications can use the access key and secret key to access and perform operations on MinIO.
See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation.


@ -35,8 +35,6 @@ Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
2) Complete the :guilabel:`Encryption` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reference the :ref:`Deploy a MinIO Tenant <minio-k8s-deploy-minio-tenant>` procedure for complete documentation of other Tenant settings.
To enable |SSE| with AWS Key Management Service during Tenant deployment, select the :guilabel:`Encryption` section and toggle the switch to :guilabel:`Enabled`.
You can then change the :guilabel:`Vault` Radio button to :guilabel:`AWS` to display the configuration settings.


@ -0,0 +1,163 @@
Deploy MinIO Tenant with OpenID Connect Identity Management
-----------------------------------------------------------
1) Access the Operator Console
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use the :mc-cmd:`kubectl minio proxy` command to temporarily forward traffic between the local host machine and the MinIO Operator Console:
.. code-block:: shell
:class: copyable
kubectl minio proxy
The command returns output similar to the following:
.. code-block:: shell
Starting port forward of the Console UI.
To connect open a browser and go to http://localhost:9090
Current JWT to login: TOKEN
Open your browser to the specified URL and enter the JWT Token into the login page.
You should see the :guilabel:`Tenants` page:
.. image:: /images/k8s/operator-dashboard.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console
Click the :guilabel:`+ Create Tenant` to start creating a MinIO Tenant.
If you are modifying an existing Tenant, select that Tenant from the list.
The following steps reference the necessary sections and configuration settings for existing Tenants.
2) Complete the :guilabel:`Identity Provider` Section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To enable external identity management with an OIDC select the :guilabel:`Identity Provider` section.
You can then change the radio button to :guilabel:`OIDC` to display the configuration settings.
.. image:: /images/k8s/operator-create-tenant-identity-provider-openid.png
:align: center
:width: 70%
:class: no-scaled-link
:alt: MinIO Operator Console - Create a Tenant - External Identity Provider Section - OpenID
An asterisk ``*`` marks required fields.
The following table provides general guidance for those fields:
.. list-table::
:header-rows: 1
:widths: 40 60
:width: 100%
* - Field
- Description
* - Configuration URL
- The hostname of the OpenID ``.well-known/openid-configuration`` file.
* - | Client ID
| Secret ID
- The Client and Secret ID MinIO uses when authenticating OIDC user credentials against OIDC service.
* - Claim Name
- The OIDC Claim MinIO uses for identifying the :ref:`policies <minio-policy>` to attach to the authenticated user.
Once you complete the section, you can finish any other required sections of :ref:`Tenant Deployment <minio-k8s-deploy-minio-tenant>`.
3) Assign Policies to OIDC Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO by default assigns no :ref:`policies <minio-policy>` to OIDC users.
MinIO uses the specified user Claim to identify one or more policies to attach to the authenticated user.
If the Claim is empty or specifies policies which do not exist on the deployment, the authenticated user has no permissions on the Tenant.
The following example assumes an existing :ref:`alias <alias>` configured for the MinIO Tenant.
See the :ref:`Deploy MinIO Tenant: Forward Ports <create-tenant-cli-forward-ports>` procedure for a basic example of granting network access to the MinIO tenant from your local host machine.
Consider the following example policy that grants general S3 API access on only the ``data`` bucket:
.. code-block:: json
:class: copyable
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::data",
"arn:aws:s3:::data/*"
]
}
]
}
Use the :mc-cmd:`mc admin policy add` command to create a policy for use by an OIDC user:
.. code-block:: shell
:class: copyable
mc admin policy add minio-tenant datareadonly /path/to/datareadonly.json
MinIO attaches the ``datareadonly`` policy to any authenticated OIDC user with ``datareadonly`` included in the configured claim.
See :ref:`minio-external-identity-management-openid-access-control` for more information on access control with OIDC users and groups.
4) Use the MinIO Tenant Console to Log In with OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Console supports the full workflow of authenticating to the OIDC provider, generating temporary credentials using the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.
See the :ref:`Deploy MinIO Tenant: Access the Tenant's MinIO Console <create-tenant-cli-access-tenant-console>` for instructions on accessing the Tenant Console.
If the OIDC configuration succeeded, the Console displays a button to login with OIDC credentials.
Enter the user's OIDC credentials and log in to access the Console.
Once logged in, you can perform any action for which the authenticated user is :ref:`authorized <minio-external-identity-management-openid-access-control>`.
You can also create :ref:`service accounts <minio-idp-service-account>` for supporting applications which must perform operations on MinIO.
Service accounts are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service account.
5) Generate S3-Compatible Temporary Credentials using OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Applications can generate temporary access credentials as-needed using the :ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS) API endpoint and the JSON Web Token (JWT) returned by the :abbr:`OIDC (OpenID Connect)` provider.
The application must provide a workflow for logging into the :abbr:`OIDC (OpenID Connect)` provider and retrieving the JSON Web Token (JWT) associated to the authentication session.
Defer to the provider documentation for obtaining and parsing the JWT token after successful authentication.
MinIO provides an example Go application :minio-git:`web-identity.go <minio/blob/master/docs/sts/web-identity.go>` with an example of managing this workflow.
Once the application retrieves the JWT token, use the ``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:
.. code-block:: shell
:class: copyable
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
&WebIdentityToken=TOKEN
&Version=2011-06-15
&DurationSeconds=86400
&Policy=Policy
- Replace ``minio.example.net`` with the hostname or URL of the MinIO Tenant service.
- Replace the ``TOKEN`` with the JWT token returned in the previous step.
- Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours.
- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials.
Omit to use the policy associated to the OpenID user :ref:`policy claim <minio-external-identity-management-openid-access-control>`.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date.
Applications can use the access key and secret key to access and perform operations on MinIO.
See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.
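Review bot: The policy created in step 3 is named `datareadonly`, but the JSON shown just above it allows `s3:*` on the `data` bucket, so any OIDC user whose claim lists `datareadonly` receives write and delete access as well as read. Either name the policy for what it grants, e.g. `mc admin policy add minio-tenant datareadwrite /path/to/datareadwrite.json` with the following sentence updated to match, or narrow `"Action"` to read operations such as `"s3:GetObject", "s3:ListBucket"`. Separately, step 4 describes the OIDC login flow but links `minio-sts-assumerolewithldapidentity`; step 5 uses `minio-sts-assumerolewithwebidentity`, which looks like the intended target there as well.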


@ -156,7 +156,7 @@ They do not otherwise enable TLS for other client connections to MinIO.
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to add a new |EK| for use with |SSE|.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to add a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to add a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.


@ -103,7 +103,7 @@ Procedure
chmod +x mc
sudo mv mc /usr/local/bin/mc
Use :mc-cmd:`mc alias set` to create a new alias associated to your local deployment.
Use :mc:`mc alias set` to create a new alias associated to your local deployment.
You can run :mc-cmd:`mc` commands against this alias:
.. code-block:: shell
@ -112,7 +112,7 @@ Procedure
mc alias set local http://127.0.0.1:9000 minioadmin minioadmin
mc admin info local
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server


@ -114,7 +114,7 @@ Procedure
mc {command} {flag}
Use :mc-cmd:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc alias set` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -122,7 +122,7 @@ Procedure
mc alias set local http://127.0.0.1:9000 minioadmin minioadmin
mc admin info local
The :mc-cmd:`mc alias set` takes four arguments:
The :mc:`mc alias set` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server


@ -76,6 +76,6 @@
make
To update a source-based installation, use ``go get -u``.
:mc-cmd:`mc update` does not support source-based installations.
:mc:`mc update` does not support source-based installations.


@ -4,7 +4,7 @@ The following example assumes that the ``play`` alias exists in the
:mc-cmd:`mc` :ref:`configuration file <mc-configuration>`. You can
replace ``play`` with the alias for your preferred S3-compatible deployment.
See :mc-cmd:`mc alias` for more information on aliases.
See :mc:`mc alias` for more information on aliases.
end-play-alias-only
@ -16,7 +16,7 @@ The following example assumes that the ``play`` and ``s3`` aliases exist in the
``play`` and ``s3`` with the aliases for your preferred S3-compatible
deployments.
See :mc-cmd:`mc alias` for more information on aliases.
See :mc:`mc alias` for more information on aliases.
end-play-s3-alias
@ -27,6 +27,6 @@ alias points to a local ``minio`` server running on port ``9000``. See
<installation instructions> for more information on installing and running
a local ``minio`` server instance.
See :mc-cmd:`mc alias` for more information on aliases.
See :mc:`mc alias` for more information on aliases.
end-myminio-alias


@ -88,7 +88,7 @@ Run the following command in a terminal or shell to start the MinIO server as a
.. start-kes-generate-key-desc
MinIO requires that the |EK| exist on the root KMS *before* performing |SSE| operations using that key.
Use ``kes key create`` *or* :mc:`mc admin kms key create` to create a new |EK| for use with |SSE|.
Use ``kes key create`` *or* :mc-cmd:`mc admin kms key create` to create a new |EK| for use with |SSE|.
The following command uses the ``kes key create`` command to create a new External Key (EK) stored on the root KMS server for use with encrypting the MinIO backend.


@ -109,7 +109,7 @@ Procedure
\path\to\mc.exe --help
Use :mc-cmd:`mc.exe alias set <mc alias set>` to quickly authenticate and connect to the MinIO deployment.
Use :mc:`mc.exe alias set <mc alias set>` to quickly authenticate and connect to the MinIO deployment.
.. code-block:: shell
:class: copyable
@ -117,7 +117,7 @@ Procedure
mc.exe alias set local http://127.0.0.1:9000 minioadmin minioadmin
mc.exe admin info local
The :mc-cmd:`mc.exe alias set <mc alias set>` takes four arguments:
The :mc:`mc.exe alias set <mc alias set>` takes four arguments:
- The name of the alias
- The hostname or IP address and port of the MinIO server


@ -108,12 +108,7 @@ without validating their usage do so at their own risk.
/administration/server-side-encryption
/administration/bucket-replication
/administration/concepts
/developers/minio-drivers
/developers/security-token-service
/reference/minio-mc
/reference/minio-mc-admin
/reference/kubectl-minio-plugin
/glossary
.. cond:: linux or macos or windows or container
@ -138,9 +133,40 @@ without validating their usage do so at their own risk.
/administration/server-side-encryption
/administration/bucket-replication
/administration/concepts
.. cond:: k8s or container or macos or windows
.. toctree::
:titlesonly:
:hidden:
Software Development Kits (SDK) <https://min.io/docs/minio/linux/developers/minio-drivers.html>
Security Token Service (STS) <https://min.io/docs/minio/linux/developers/security-token-service.html>
MinIO Client <https://min.io/docs/minio/linux/reference/minio-mc.html>
MinIO Admin Client <https://min.io/docs/minio/linux/reference/minio-mc-admin.html>
.. cond:: linux
.. toctree::
:titlesonly:
:hidden:
/developers/minio-drivers
/developers/security-token-service
/reference/minio-mc
/reference/minio-mc-admin
/reference/minio-server/minio-server
.. cond:: k8s
.. toctree::
:titlesonly:
:hidden:
/reference/kubectl-minio-plugin
.. toctree::
:titlesonly:
:hidden:
/glossary


@ -21,10 +21,13 @@ When selecting hardware for your MinIO implementation, take into account the fol
- Average retention time of data in years
- Number of sites to be deployed
Hardware Requirements
---------------------
.. _deploy-minio-distributed-recommendations:
Production Hardware Requirements
--------------------------------
The following checklist provides a minimum hardware specification for production MinIO deployments.
MinIO takes full advantage of the modern hardware improvements such as AVX-512 SIMD acceleration, 100GbE networking, and NVMe SSDs, when available.
While MinIO can run on commodity or "budget" hardware, we strongly recommend using this table as guidance for best results in production environments.
.. note::
@ -38,47 +41,222 @@ While MinIO can run on commodity or "budget" hardware, we strongly recommend usi
:width: 100%
* - :octicon:`circle`
- | Sufficient CPU cores to achieve performance goals for hashing (for example, for healing) and encryption
| MinIO recommends Dual Intel® Xeon® Scalable Gold CPUs (minimum 8 cores per socket) or any CPU with AVX512 instructions
- Sufficient CPU cores to achieve performance goals for hashing (for example, for healing) and encryption
MinIO recommends Dual Intel® Xeon® Scalable Gold CPUs (minimum 8 cores per socket) or any CPU with AVX512 instructions
* - :octicon:`circle`
- | Sufficient RAM to achieve performance goals based on the number of drives and anticipated concurrent requests (see the :ref:`formula and reference table <minio-requests-per-node>`)
| Refer to the information on :ref:`memory allocation <minio-k8s-production-considerations-memory>` for recommended RAM amounts
- Sufficient RAM to achieve performance goals based on the number of drives and anticipated concurrent requests (see the :ref:`formula and reference table <minio-hardware-checklist-memory>`).
MinIO recommends a minimum of 128GB of memory per node for best performance.
* - :octicon:`circle`
- | Four nodes or servers
| For containers or Kubernetes in virtualized environments, MinIO requires four distinct physical nodes.
- Minimum of four nodes dedicated to object storage.
For containers or Kubernetes in virtualized environments, MinIO requires four distinct physical nodes.
Colocating multiple high-performance softwares on the same nodes can result in resource contention and reduced overall performance.
* - :octicon:`circle`
- | SATA/SAS drives for capacity and NVMe SSDs for high-performance
| MinIO recommends a minimum of 8 drives per server
- | SATA/SAS drives for balanced capacity-to-performance
| NVMe SSDs for high-performance.
| MinIO recommends a minimum of 8 drives per server.
Use the same type of drive (NVMe, SSD, or HDD) with the same capacity across all nodes in the deployment.
* - :octicon:`circle`
- | 25GbE network for capacity
| 100GbE Network interface cards for high performance
- | 25GbE Network as a baseline
| 100GbE Network for high performance
.. important::
The following areas have the greatest impact on MinIO performance, listed in order of importance:
- Network infrastructure (insufficient or limited throughput)
- Storage controller (old firmware; limited throughput)
- Storage (old firmware; slow, aged, or failing drives)
.. list-table::
:stub-columns: 1
:widths: auto
:width: 100%
Prioritize upgrading these areas before focusing on compute-related performance constraints.
* - Network Infrastructure
- Insufficient or limited throughput constrains performance
For example:
* - Storage Controller
- Old firmware, limited throughput, or failing hardware constrains performance and affects reliability
The following examples of network throughput constraints assume spinning disks with ~100MB/S sustained I/O
* - Storage (Drive)
- Old firmware, or slow/aging/failing hardware constrains performance and affects reliability
- 1GbE network link can support up to 125MB/s, or one spinning disk
- 10GbE network can support approximately 1.25GB/s, potentially supporting 10-12 spinning disk
- 25GbE network can support approximately 3.125GB/s, potentially supporting ~30 disks
Prioritize securing the necessary components for each of these areas before focusing on other hardware resources, such as compute-related constraints.
The recommended minimum MinIO cluster of 4 nodes with 4 drives each (16 total disks) requires a 25GbE network to support the total potential aggregate throughput.
For best performance, have a minimum of eight drives per node.
Minimum Nodes per Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO takes full advantage of the modern hardware improvements such as AVX-512 SIMD acceleration, 100GbE networking, and NVMe SSDs, when available.
.. cond:: k8s
MinIO requires a *minimum* of 4 worker nodes per MinIO Tenant with 4 drives per node.
Each drive must consist of a Persistent Volume associated to a storage resource.
.. cond:: linux or container or macos or windows
MinIO recommends a *minimum* of 4 host servers per deployment with 4 locally attached drives per server.
The "4x4" topology provides a baseline of performance with tolerance for the loss of up to 4 drives *or* one node while maintaining read and write operations.
You can increase the :ref:`erasure code parity <minio-erasure-coding>` of the deployment to improve resiliency at the cost of available storage.
The minimum recommendation reflects MinIO's experience with assisting enterprise customers in deploying on a variety of IT infrastructures while maintaining the desired SLA/SLO.
While MinIO may run on less than the minimum recommended topology, any potential cost savings come at the risk of decreased reliability.
Networking
~~~~~~~~~~
MinIO recommends high speed networking to support the maximum possible throughput of the attached storage (aggregated drives, storage controllers, and PCIe busses). The following table provides a general guideline for the maximum storage throughput supported by a given physical or virtual network interface.
This table assumes all network infrastructure components, such as routers, switches, and physical cabling, also supports the NIC bandwidth.
.. list-table::
:widths: auto
:width: 100%
* - NIC Bandwidth (Gbps)
- Estimated Aggregated Storage Throughput (GBps)
* - 10GbE
- 1.25GBps
* - 25GbE
- 3.125GBps
* - 50GbE
- 6.25GBps
* - 100GbE
- 12.5GBps
Networking has the greatest impact on MinIO performance, where low per-host bandwidth artificially constrains the potential performance of the storage.
The following examples of network throughput constraints assume spinning disks with ~100MB/S sustained I/O
- 1GbE network link can support up to 125MB/s, or one spinning disk
- 10GbE network can support approximately 1.25GB/s, potentially supporting 10-12 spinning disk
- 25GbE network can support approximately 3.125GB/s, potentially supporting ~30 disks
The recommended minimum MinIO cluster of 4 nodes with 4 drives each (16 total disks) requires a 25GbE network to support the total potential aggregate throughput.
.. _minio-hardware-checklist-memory:
Memory
~~~~~~
Memory primarily constrains the number of concurrent simultaneous connections per node.
You can calculate the maximum number of concurrent requests per node with this formula:
:math:`totalRam / ramPerRequest`
To calculate the amount of RAM used for each request, use this formula:
:math:`((2MiB + 128KiB) * driveCount) + (2 * 10MiB) + (2 * 1 MiB)`
10MiB is the default erasure block size v1.
1 MiB is the default erasure block size v2.
The following table lists the maximum concurrent requests on a node based on the number of host drives and the *free* system RAM:
.. list-table::
:header-rows: 1
:width: 100%
* - Number of Drives
- 32 GiB of RAM
- 64 GiB of RAM
- 128 GiB of RAM
- 256 GiB of RAM
- 512 GiB of RAM
* - 4 Drives
- 1,074
- 2,149
- 4,297
- 8,595
- 17,190
* - 8 Drives
- 840
- 1,680
- 3,361
- 6,722
- 13,443
* - 16 Drives
- 585
- 1,170
- 2.341
- 4,681
- 9,362
The following table provides general guidelines for allocating memory for use by MinIO based on the total amount of local storage on the node:
.. list-table::
:header-rows: 1
:width: 100%
:widths: 40 60
* - Total Host Storage
- Recommended Host Memory
* - Up to 1 Tebibyte (Ti)
- 8GiB
* - Up to 10 Tebibyte (Ti)
- 16GiB
* - Up to 100 Tebibyte (Ti)
- 32GiB
* - Up to 1 Pebibyte (Pi)
- 64GiB
* - More than 1 Pebibyte (Pi)
- 128GiB
Storage
~~~~~~~
MinIO recommends selecting the type of drive based on your performance objectives.
The following table highlights the general use case for each drive type based on cost and performance:
NVMe/SSD - Hot Tier
HDD - Warm
.. list-table::
:header-rows: 1
:widths: auto
:width: 100%
* - Type
- Cost
- Performance
- Tier
* - NVMe
- High
- High
- Hot
* - SSD
- Balanced
- Balanced
- Hot/Warm
* - HDD
- Low
- Low
- Cold/Archival
Use the same type of disk (NVME, SSD, HDD) with the same capacity across all nodes in a MinIO deployment.
MinIO does not distinguish drive types when using the underlying storage and does not benefit from mixed storage types.
Use the same capacity of disk across all nodes in the MinIO :ref:`server pool <minio-intro-server-pool>`.
MinIO limits the maximum usable size per disk to the smallest size in the deployment.
For example, if a deployment has 15 10TB disks and 1 1TB disk, MinIO limits the per-disk capacity to 1TB.
Recommended Hardware Tests
--------------------------
@ -94,7 +272,7 @@ If you have access to :ref:`SUBNET <minio-docs-subnet>`, you can upload the resu
mc support diag ALIAS --airgap
Replace ALIAS with the :mc-cmd:`~mc alias` defined for the deployment.
Replace ALIAS with the :mc:`~mc alias` defined for the deployment.
MinIO Support Diagnostic Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


@ -40,7 +40,19 @@ MinIO Pre-requisites
MinIO Install
-------------
See the :ref:`Multi Node Multi Drive deployment guide <deploy-minio-distributed>` and the :ref:`Minio Tenant deployment guide <minio-k8s-deploy-minio-tenant>`.
Install the MinIO server binary across all nodes, ensuring that each node uses the same version of that binary.
.. cond:: linux
See the :ref:`Multi Node Multi Drive deployment guide <minio-mnmd>` for more information.
.. cond:: container or macos or windows
See the :ref:`Single Node Single Drive deployment guide <minio-snsd>` for more information.
.. cond:: k8s
See the :ref:`Deploy MinIO Operator <minio-operator-installation>` and :ref:`Minio Tenant deployment guide <minio-k8s-deploy-minio-tenant>` for more information.
Post Install Tasks


@ -30,13 +30,20 @@ MinIO can deploy to three types of topologies:
#. :ref:`Single Node Single Drive <minio-snsd>`, one MinIO server with a single drive or folder for data
For example, testing on a local PC using a folder on the computer's hard drive.
#. :ref:`Single Node Multi Drive <minio-snmd>`, one MinIO server with multiple mounted drives or folders for data
For example, a single container with two or more mounted volumes.
#. :ref:`Multi Node Multi Drive <minio-mnmd>`, multiple MinIO servers with multiple mounted drives or volumes for data
For example, a production deployment using Kubernetes to manage and deploy pods with multiple persistent volume claims.
.. cond:: linux
For example, a production deployment using Ansible, Terraform, or manual processes
.. cond:: k8s
For example, a production deployment using Kubernetes to manage and deploy pods and their associated persistent volume claims.
How does a distributed MinIO deployment work?
---------------------------------------------
@ -93,23 +100,29 @@ MinIO strongly recommends production clusters consist of a *minimum* of 4 :mc:`m
Can I change the size of an existing MinIO deployment?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can move objects from an existing server pool on to other server pools on the deployment to reduce the size of a deployment by decommissioning a server pool.
Likewise, you can add on a new server pool to an existing deployment to expand the total size of a deployment with a horizontal expansion.
MinIO :ref:`distributed deployments <minio-mnmd>` support expansion and decommissioning as functions to increase or decrease the available storage.
When the time comes to retire or replace a server pool, :ref:`decommissioning <minio-decommissioning>` is the process of draining the objects of a pool to other active pools on the deployment.
MinIO rewrites objects from the decommissioned pool and does not allow additional writes to the pool while it is in decommissioning.
Expansion consists of adding one or more :ref:`server pools <minio-intro-server-pool>` to an existing deployment.
Each server pool consists of dedicated nodes and storage that contribute to the overall capacity of the deployment.
.. cond:: linux
See :ref:`Expand a MinIO deployment <expand-minio-distributed>` for more information
.. cond:: k8s
See :ref:`Expand a MinIO Tenant <minio-k8s-expand-minio-tenant>` for more information.
For deployments which have multiple server pools, you can :ref:`decommission <minio-decommissioning>` the older pools and migrate that data to the newer pools in the deployment.
Once started, decommissioning cannot be stopped.
In a distributed MinIO deployment, you can upgrade the total available size of a :ref:`deployment <expand-minio-distributed>` or :ref:`cluster <minio-k8s-expand-minio-tenant>` by adding one or more additional server pools.
The addition of a server pool is an expansion.
MinIO intends decommissioning for use with removing older pools with aged hardware, and not as an operation performed regularly within any deployment.
How do I manage one or more MinIO instances or clusters?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are several options to manage your MinIO deployments and clusters:
- Use the command line with :mc-cmd:`mc` and :mc-cmd:`mc admin`
- Use the command line with :mc:`mc` and :mc:`mc admin`
- The :ref:`MinIO Console <minio-console>` graphical user interface for individual instances
- In Kubernetes, with the :ref:`MinIO Operator Console <minio-operator-console>`


@ -103,12 +103,12 @@ The command should result in remounting of all of the replaced drives.
5) Monitor MinIO for Drive Detection and Healing Status
-------------------------------------------------------
Use :mc-cmd:`mc admin console` command *or* ``journalctl -u minio`` for
Use :mc:`mc admin console` command *or* ``journalctl -u minio`` for
``systemd``-managed installations to monitor the server log output after
remounting drives. The output should include messages identifying each formatted
and empty drive.
Use :mc-cmd:`mc admin heal` to monitor the overall healing status on the
Use :mc:`mc admin heal` to monitor the overall healing status on the
deployment. MinIO aggressively heals replaced drive(s) to ensure rapid recovery
from the degraded state.


@ -70,13 +70,13 @@ in the deployment.
------------------------------------
Start the MinIO server process on the node and monitor the process output
using :mc-cmd:`mc admin console` or by monitoring the MinIO service logs
using :mc:`mc admin console` or by monitoring the MinIO service logs
using ``journalctl -u minio`` for ``systemd`` managed installations.
The server output should indicate that it has detected the other nodes
in the deployment and begun healing operations.
Use :mc-cmd:`mc admin heal` to monitor overall healing status on the
Use :mc:`mc admin heal` to monitor overall healing status on the
deployment. MinIO aggressively heals the node to ensure rapid recovery
from the degraded state.


@ -15,68 +15,45 @@ MinIO supports offloading identity management onto one of the following supporte
- :ref:`OpenID Connect <minio-external-iam-oidc>`
- :ref:`Active Directory / LDAP <minio-external-iam-ad-ldap>`
.. admonition:: MinIO Supports At Most One Configured IDentity Provider
:class: important
Configuring an external IDP disables the :ref:`MinIO internal IDP
<minio-internal-idp>` and prevents the configuration of any other
external IDP.
The external :abbr:`IDP (IDentity Provider)` must have *at least* one
configured user identity with the required :ref:`policy claims
<minio-external-identity-management-ad-ldap-access-control>`. If no such user
exists, the MinIO server is effectively inaccessible outside of using the
:ref:`root <minio-users-root>` user.
The external :abbr:`IDP (IDentity Provider)` must have *at least* one configured user identity with the required :ref:`policy claims <minio-external-identity-management-ad-ldap-access-control>`.
If no such user exists, the MinIO server is effectively inaccessible outside of using the :ref:`root <minio-users-root>` user.
.. _minio-external-iam-oidc:
OpenID Connect (OIDC)
---------------------
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP)
such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user
identities. Configuring an external :abbr:`IDP (IDentity Provider)` enables
Single-Sign On workflows, where applications authenticate against the external
:abbr:`IDP (IDentity Provider)` before accessing MinIO.
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities.
Configuring an external :abbr:`IDP (IDentity Provider)` enables Single-Sign On workflows, where applications authenticate against the external :abbr:`IDP (IDentity Provider)` before accessing MinIO.
MinIO uses :ref:`Policy Based Access Control (PBAC) <minio-access-management>`
to define the actions and resources to which an authenticated user has access.
MinIO supports creating and managing :ref:`policies <minio-policy>` which an
externally managed user can claim.
MinIO uses :ref:`Policy Based Access Control (PBAC) <minio-access-management>` to define the actions and resources to which an authenticated user has access.
MinIO supports creating and managing :ref:`policies <minio-policy>` which an externally managed user can claim.
For identities managed by the external OpenID Connect (OIDC) compatible
provider, MinIO uses a `JSON Web Token claim
<https://datatracker.ietf.org/doc/html/rfc7519#section-4>`__ to identify the
:ref:`policy <minio-policy>` to assign to the authenticated user.
For identities managed by the external OpenID Connect (OIDC) compatible provider, MinIO uses a `JSON Web Token claim <https://datatracker.ietf.org/doc/html/rfc7519#section-4>`__ to identify the :ref:`policy <minio-policy>` to assign to the authenticated user.
See :ref:`minio-external-identity-management-openid-access-control` for more information on mapping MinIO policies to an OIDC-managed identity.
MinIO by default looks for a ``policy`` claim and reads a list of one or more
policies to assign. MinIO attempts to match existing policies to those
specified in the JWT claim. If none of the specified policies exist on the MinIO
deployment, MinIO denies authorization for any and all operations issued
by that user. For example, consider a claim with the following key-value
assignment:
MinIO by default looks for a ``policy`` claim and reads a list of one or more policies to assign. MinIO attempts to match existing policies to those specified in the JWT claim.
If none of the specified policies exist on the MinIO deployment, MinIO denies authorization for any and all operations issued by that user.
For example, consider a claim with the following key-value assignment:
.. code-block:: shell
policy="readwrite_data,read_analytics,read_logs"
The specified policy claim directs MinIO to attach the policies with names
matching ``readwrite_data``, ``read_analytics``, and ``read_logs`` to the
authenticated user.
The specified policy claim directs MinIO to attach the policies with names matching ``readwrite_data``, ``read_analytics``, and ``read_logs`` to the authenticated user.
You can set a custom policy claim using the
:envvar:`MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable
*or* by using :mc-cmd:`mc admin config set` to set the
:mc-conf:`identity_openid claim_name <identity_openid.claim_name>` setting.
.. cond:: linux or container or macos or windows
You can use a `JWT Debugging tool <https://jwt.io/>`__ to decode the returned
JWT token and validate that the user attributes include the specified claim. See
`RFC 7519: JWT Claim
<https://datatracker.ietf.org/doc/html/rfc7519#section-4>`__ for more
information on JWT claims. Defer to the documentation for your preferred OIDC
provider for instructions on configuring user claims.
You can set a custom policy claim using the
:envvar:`MINIO_IDENTITY_OPENID_CLAIM_NAME` environment variable
*or* by using :mc-cmd:`mc admin config set` to set the
:mc-conf:`identity_openid claim_name <identity_openid.claim_name>` setting.
See :ref:`minio-external-identity-management-openid-access-control` for more information on mapping MinIO policies to an OIDC-managed identity.
You can use a `JWT Debugging tool <https://jwt.io/>`__ to decode the returned JWT token and validate that the user attributes include the specified claim.
See `RFC 7519: JWT Claim <https://datatracker.ietf.org/doc/html/rfc7519#section-4>`__ for more information on JWT claims.
Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
.. _minio-external-iam-ad-ldap:
@ -111,14 +88,14 @@ for backwards compatibility only.
Lookup-Bind Mode
++++++++++++++++
In Lookup-Bind mode, MinIO uses a read-only AD/LDAP account with the minimum
privileges required to authenticate to the AD/LDAP server and perform user and
group lookups.
In Lookup-Bind mode, MinIO uses a read-only AD/LDAP account with the minimum privileges required to authenticate to the AD/LDAP server and perform user and group lookups.
The following tabs provide a reference of the environment variables and
configuration settings required for enabling Lookup-Bind mode.
.. cond:: linux or container or macos or windows
.. tab-set::
The following tabs provide a reference of the environment variables and
configuration settings required for enabling Lookup-Bind mode.
.. tab-set::
.. tab-item:: Environment Variable
@ -152,17 +129,22 @@ Lookup-Bind is incompatible and mutually exclusive with
Username-Bind Mode
++++++++++++++++++
In Username-Bind mode, MinIO uses the AD/LDAP credentials provided by the client
attempting authentication to login to the AD/LDAP server and perform and group
lookups.
In Username-Bind mode, MinIO uses the AD/LDAP credentials provided by the client attempting authentication to login to the AD/LDAP server and perform and group lookups.
Username-Bind mode is preserved for compatibility only. MinIO recommends
using :ref:`minio-external-identity-management-ad-ldap-lookup-bind` wherever possible.
.. cond:: k8s
The following tabs provide a reference of the environment variables and
configuration settings required for enabling Username-Bind mode.
The MinIO Operator Console does not support enabling Username-Bind mode.
MinIO generally discourages using Username-Bind over :ref:`minio-external-identity-management-ad-ldap-lookup-bind`.
.. tab-set::
.. cond:: linux or container or macos or windows
Username-Bind mode is preserved for compatibility only.
MinIO recommends using :ref:`minio-external-identity-management-ad-ldap-lookup-bind` wherever possible.
The following tabs provide a reference of the environment variables and
configuration settings required for enabling Username-Bind mode.
.. tab-set::
.. tab-item:: Environment Variable
@ -186,42 +168,39 @@ Username-bind is incompatible and mutually exclusive with
Access Control for AD/LDAP-Managed Identities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO uses :ref:`Policy Based Access Control (PBAC) <minio-access-management>`
to define the actions and resources to which an authenticated user has access.
When using an Active Directory/LDAP server for identity management
(authentication), MinIO maintains control over access (authorization)
through PBAC.
MinIO uses :ref:`Policy Based Access Control (PBAC) <minio-access-management>` to define the actions and resources to which an authenticated user has access.
When using an Active Directory/LDAP server for identity management (authentication), MinIO maintains control over access (authorization) through PBAC.
When a user successfully authenticates to MinIO using their AD/LDAP
credentials, MinIO searches for all :ref:`policies <minio-policy>` which
are explicitly associated to that user's Distinguished Name (DN).
Specifically, the policy must be assigned to a user with a matching DN
using the :mc-cmd:`mc admin policy set` command.
When a user successfully authenticates to MinIO using their AD/LDAP credentials, MinIO searches for all :ref:`policies <minio-policy>` which are explicitly associated to that user's Distinguished Name (DN).
Specifically, the policy must be assigned to a user with a matching DN using the :mc-cmd:`mc admin policy set` command.
MinIO also supports querying for the user's AD/LDAP group membership. MinIO
attempts to match existing policies to the DN for each of the user's groups. The
authenticated users complete set of permissions consists of its explicitly
assigned and group-inherited policies. See
:ref:`minio-external-identity-management-ad-ldap-access-control-group-lookup`
for more information.
MinIO also supports querying for the user's AD/LDAP group membership.
MinIO attempts to match existing policies to the DN for each of the user's groups.
The authenticated users complete set of permissions consists of its explicitly assigned and group-inherited policies.
See :ref:`minio-external-identity-management-ad-ldap-access-control-group-lookup` for more information.
MinIO uses deny-by-default behavior where a user with no explicitly assigned or
group-inherited policies cannot access any resource on the MinIO deployment.
MinIO uses deny-by-default behavior where a user with no explicitly assigned or group-inherited policies cannot access any resource on the MinIO deployment.
MinIO provides :ref:`built-in policies <minio-policy-built-in>` for basic access
control. You can create new policies using the :mc:`mc admin policy` command.
MinIO provides :ref:`built-in policies <minio-policy-built-in>` for basic access control.
You can create new policies using the :mc:`mc admin policy` command.
.. _minio-external-identity-management-ad-ldap-access-control-group-lookup:
Group Lookup
++++++++++++
MinIO supports querying the Active Directory / LDAP server for a list of groups in which the authenticated user has membership. MinIO attempts to match existing :ref:`policies <minio-policy>` to each group DN and assigns each matching policy to the authenticated user.
MinIO supports querying the Active Directory / LDAP server for a list of groups in which the authenticated user has membership.
MinIO attempts to match existing :ref:`policies <minio-policy>` to each group DN and assigns each matching policy to the authenticated user.
The following tabs provide a reference of the environment variables and
configuration settings required for enabling group lookups:
.. cond:: k8s
.. tab-set::
The MinIO Operator Console provides the necessary fields for configuring Group Lookup as part of configuring AD/LDAP identity management for new or existing MinIO Tenants.
.. cond:: linux or container or macos or windows
The following tabs provide a reference of the environment variables and configuration settings required for enabling group lookups:
.. tab-set::
.. tab-item:: Environment Variable
@ -246,5 +225,6 @@ configuration settings required for enabling group lookups:
.. toctree::
:glob:
:hidden:
/operations/external-iam/*


@ -13,71 +13,111 @@ Configure MinIO for Authentication using Active Directory / LDAP
Overview
--------
MinIO supports using an Active Directory / LDAP Connect for external management of user
identities. The procedure on this page provides instructions for:
MinIO supports using an Active Directory / LDAP Connect for external management of user identities.
The procedure on this page provides instructions for:
- Configuring a MinIO cluster for an external AD/LDAP provider.
- Logging into the cluster using the MinIO Console and AD/LDAP credentials.
- Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS)
API to generate temporary credentials for use by applications.
.. cond:: k8s
This procedure is generic for AD/LDAP services. Defer to the documentation for
the AD/LDAP provider of your choice for specific instructions or procedures on
configuration of user identities.
- Configuring a MinIO Tenant to use an external AD/LDAP provider
- Accessing the Tenant Console using AD/LDAP Credentials.
- Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications.
.. cond:: linux or macos or container or windows
- Configuring a MinIO cluster for an external AD/LDAP provider.
- Accessing the MinIO Console using AD/LDAP credentials.
- Using the MinIO ``AssumeRoleWithLDAPIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications.
This procedure is generic for AD/LDAP services. Defer to the documentation for the AD/LDAP provider of your choice for specific instructions or procedures on configuration of user identities.
Prerequisites
-------------
.. cond:: k8s
MinIO Kubernetes Operator and Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-operator.rst
:start-after: start-requires-operator-plugin
:end-before: end-requires-operator-plugin
Active Directory / LDAP Compatible IDentity Provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure assumes an existing Active Directory or LDAP service.
Instructions on configuring AD/LDAP are out of scope for this procedure.
MinIO requires a read-only service account with which it
:ref:`binds <minio-external-identity-management-ad-ldap-lookup-bind>` to perform
authenticated user and group queries.
.. cond:: k8s
Ensure each AD/LDAP user and group intended for use with MinIO has a
corresponding :ref:`policy
<minio-external-identity-management-ad-ldap-access-control>` on the MinIO
deployment. An AD/LDAP user with no assigned policy *and* with membership in
groups with no assigned policy has no permission to access any action or
resource on the MinIO cluster.
- For AD/LDAP deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the AD/LDAP service.
MinIO Cluster
~~~~~~~~~~~~~
- For AD/LDAP deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.
This procedure assumes an existing MinIO cluster running the
:minio-git:`latest stable MinIO version <minio/releases/latest>`.
This procedure *may* work as expected for older versions of MinIO.
MinIO requires a read-only service account with which it :ref:`binds <minio-external-identity-management-ad-ldap-lookup-bind>` to perform authenticated user and group queries.
Install and Configure ``mc`` with Access to the MinIO Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding :ref:`policy <minio-external-identity-management-ad-ldap-access-control>` on the MinIO deployment.
An AD/LDAP user with no assigned policy *and* with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster.
This procedure uses :mc:`mc` for performing operations on the
MinIO cluster. Install ``mc`` on a machine with network access to the cluster.
See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on
downloading and installing ``mc``.
.. cond:: k8s
This procedure assumes a configured :mc:`alias <mc alias>` for the MinIO
cluster.
MinIO Tenant
~~~~~~~~~~~~
.. _minio-external-identity-management-ad-ldap-configure:
This procedure assumes your Kubernetes cluster has sufficient resources to :ref:`deploy a new MinIO Tenant <minio-k8s-deploy-minio-tenant>`.
Procedure
---------
You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable AD/LDAP Identity Management.
1) Set the Active Directory / LDAP Configuration Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. cond:: linux or container or macos or windows
You can configure the AD/LDAP provider using either
environment variables *or* server runtime configuration settings. Both
methods require starting/restarting the MinIO deployment to apply changes. The
following tabs provide a quick reference of all required and optional
environment variables and configuration settings respectively:
MinIO Deployment
~~~~~~~~~~~~~~~~
.. tab-set::
This procedure assumes an existing MinIO cluster running the :minio-git:`latest stable MinIO version <minio/releases/latest>`.
Defer to the :ref:`minio-installation` for more complete documentation on new MinIO deployments.
This procedure *may* work as expected for older versions of MinIO.
.. cond:: linux or container or macos or windows
Install and Configure ``mc`` with Access to the MinIO Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install ``mc`` on a machine with network access to the cluster.
See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on downloading and installing ``mc``.
This procedure assumes a configured :mc:`alias <mc alias>` for the MinIO cluster.
.. Lightly modeled after the SSE tutorials
.. cond:: k8s
.. _minio-external-identity-management-ad-ldap-configure:
.. include:: /includes/k8s/steps-configure-ad-ldap-external-identity-management.rst
.. Doing this the quick and dirty way. Need to revise later to be proper full includes via stepfiles
.. cond:: linux or container or macos or windows
.. _minio-external-identity-management-ad-ldap-configure:
Procedure
---------
1) Set the Active Directory / LDAP Configuration Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can configure the AD/LDAP provider using either
environment variables *or* server runtime configuration settings. Both
methods require starting/restarting the MinIO deployment to apply changes. The
following tabs provide a quick reference of all required and optional
environment variables and configuration settings respectively:
.. tab-set::
.. tab-item:: Environment Variables
@ -117,7 +157,7 @@ environment variables and configuration settings respectively:
MinIO supports specifying the AD/LDAP provider
settings using :mc-conf:`configuration settings <identity_ldap>`. The
:mc:`minio server` process applies the specified settings on its next
startup. For distributed deployments, the :mc-cmd:`mc admin config`
startup. For distributed deployments, the :mc:`mc admin config`
command applies the configuration to all nodes in the deployment.
The following example code sets *all* configuration settings related to
@ -149,61 +189,61 @@ environment variables and configuration settings respectively:
For more complete documentation on these settings, see
:mc-conf:`identity_ldap`.
2) Restart the MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) Restart the MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You must restart the MinIO deployment to apply the configuration changes.
Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
You must restart the MinIO deployment to apply the configuration changes.
Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
.. code-block:: shell
.. code-block:: shell
:class: copyable
mc admin service restart ALIAS
Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to
restart.
Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to
restart.
3) Use the MinIO Console to Log In with AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3) Use the MinIO Console to Log In with AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Console supports the full workflow of authenticating to the
AD/LDAP provider, generating temporary credentials using
the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service
(STS) endpoint, and logging the user into the MinIO deployment.
The MinIO Console supports the full workflow of authenticating to the
AD/LDAP provider, generating temporary credentials using
the MinIO :ref:`minio-sts-assumerolewithldapidentity` Security Token Service
(STS) endpoint, and logging the user into the MinIO deployment.
Starting in :minio-release:`RELEASE.2021-07-08T01-15-01Z`, the MinIO Console is
embedded in the MinIO server. You can access the Console by opening the root URL
for the MinIO cluster. For example, ``https://minio.example.net:9000``.
Starting in :minio-release:`RELEASE.2021-07-08T01-15-01Z`, the MinIO Console is
embedded in the MinIO server. You can access the Console by opening the root URL
for the MinIO cluster. For example, ``https://minio.example.net:9000``.
From the Console, click :guilabel:`BUTTON` to begin the Active Directory / LDAP
authentication flow.
From the Console, click :guilabel:`BUTTON` to begin the Active Directory / LDAP
authentication flow.
Once logged in, you can perform any action for which the authenticated
user is :ref:`authorized
<minio-external-identity-management-ad-ldap-access-control>`.
Once logged in, you can perform any action for which the authenticated
user is :ref:`authorized
<minio-external-identity-management-ad-ldap-access-control>`.
You can also create :ref:`service accounts <minio-idp-service-account>` for
supporting applications which must perform operations on MinIO. Service accounts
are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service
account.
You can also create :ref:`service accounts <minio-idp-service-account>` for
supporting applications which must perform operations on MinIO. Service accounts
are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service
account.
4) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO requires clients authenticate using :s3-api:`AWS Signature Version 4
protocol <sig-v4-authenticating-requests.html>` with support for the deprecated
Signature Version 2 protocol. Specifically, clients must present a valid access
key and secret key to access any S3 or MinIO administrative API, such as
``PUT``, ``GET``, and ``DELETE`` operations.
MinIO requires clients authenticate using :s3-api:`AWS Signature Version 4
protocol <sig-v4-authenticating-requests.html>` with support for the deprecated
Signature Version 2 protocol. Specifically, clients must present a valid access
key and secret key to access any S3 or MinIO administrative API, such as
``PUT``, ``GET``, and ``DELETE`` operations.
Applications can generate temporary access credentials as-needed using the
:ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API
endpoint and AD/LDAP user credentials. MinIO provides an example Go application
:minio-git:`ldap.go <minio/blob/master/docs/sts/ldap.go>` with an example of
managing this workflow.
Applications can generate temporary access credentials as-needed using the
:ref:`minio-sts-assumerolewithldapidentity` Security Token Service (STS) API
endpoint and AD/LDAP user credentials. MinIO provides an example Go application
:minio-git:`ldap.go <minio/blob/master/docs/sts/ldap.go>` with an example of
managing this workflow.
.. code-block:: shell
.. code-block:: shell
POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
@ -211,19 +251,17 @@ managing this workflow.
&Version=2011-06-15
&Policy={}
- Replace the ``LDAPUsername`` with the username of the AD/LDAP user.
- Replace the ``LDAPUsername`` with the username of the AD/LDAP user.
- Replace the ``LDAPPassword`` with the password of the AD/LDAP user.
- Replace the ``LDAPPassword`` with the password of the AD/LDAP user.
- Replace the ``Policy`` with an inline URL-encoded JSON
:ref:`policy <minio-policy>` that further restricts the permissions associated
to the temporary credentials. Omit to use the
:ref:`policy whose name matches <minio-external-identity-management-ad-ldap-access-control>`
the Distinguished Name (DN) of the AD/LDAP user.
- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials.
The API response consists of an XML document containing the
access key, secret key, session token, and expiration date. Applications
can use the access key and secret key to access and perform operations on
MinIO.
Omit to use the :ref:`policy whose name matches <minio-external-identity-management-ad-ldap-access-control>` the Distinguished Name (DN) of the AD/LDAP user.
See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation.
The API response consists of an XML document containing the
access key, secret key, session token, and expiration date. Applications
can use the access key and secret key to access and perform operations on
MinIO.
See the :ref:`minio-sts-assumerolewithldapidentity` for reference documentation.


@ -13,68 +13,110 @@ Configure MinIO for Authentication using OpenID
Overview
--------
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP)
such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user
identities. The procedure on this page provides instructions for:
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities.
The procedure on this page provides instructions for:
- Configuring a MinIO cluster for an external OIDC provider.
- Logging into the cluster using the MinIO Console and OIDC credentials.
- Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS)
API to generate temporary credentials for use by applications.
.. cond:: k8s
This procedure is generic for OIDC compatible providers. Defer to
the documentation for the OIDC provider of your choice for specific instructions
or procedures on authentication and JWT retrieval.
- Configuring a MinIO Tenant to use an external OIDC provider.
- Accessing the Tenant Console using AD/LDAP Credentials.
- Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications.
.. cond:: linux or container or macos or windows
- Configuring a MinIO cluster for an external OIDC provider.
- Logging into the cluster using the MinIO Console and OIDC credentials.
- Using the MinIO ``AssumeRoleWithWebIdentity`` Security Token Service (STS) API to generate temporary credentials for use by applications.
This procedure is generic for OIDC compatible providers.
Defer to the documentation for the OIDC provider of your choice for specific instructions or procedures on authentication and JWT retrieval.
Prerequisites
-------------
.. cond:: k8s
MinIO Kubernetes Operator and Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. include:: /includes/k8s/common-operator.rst
:start-after: start-requires-operator-plugin
:end-before: end-requires-operator-plugin
OpenID-Connect (OIDC) Compatible IDentity Provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure assumes an existing OIDC provider such as Okta,
KeyCloak, Dex, Google, or Facebook. Instructions on configuring these services
are out of scope for this procedure.
This procedure assumes an existing OIDC provider such as Okta, KeyCloak, Dex, Google, or Facebook.
Instructions on configuring these services are out of scope for this procedure.
Ensure each user identity intended for use with MinIO has the appropriate
:ref:`claim <minio-external-identity-management-openid-access-control>` configured such that
MinIO can associate a :ref:`policy <minio-policy>` to the authenticated user.
An OpenID user with no assigned policy has no permission to access any action
or resource on the MinIO cluster.
.. cond:: k8s
MinIO Cluster
~~~~~~~~~~~~~
- For OIDC services within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the OIDC service.
This procedure assumes an existing MinIO cluster running the
:minio-git:`latest stable MinIO version <minio/releases/latest>`.
This procedure *may* work as expected for older versions of MinIO.
- For OIDC services external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network.
This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.
Install and Configure ``mc`` with Access to the MinIO Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ensure each user identity intended for use with MinIO has the appropriate :ref:`claim <minio-external-identity-management-openid-access-control>` configured such that MinIO can associate a :ref:`policy <minio-policy>` to the authenticated user.
An OpenID user with no assigned policy has no permission to access any action or resource on the MinIO cluster.
This procedure uses :mc:`mc` for performing operations on the
MinIO cluster. Install ``mc`` on a machine with network access to the cluster.
See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on
downloading and installing ``mc``.
.. cond:: k8s
This procedure assumes a configured :mc:`alias <mc alias>` for the MinIO
cluster.
MinIO Tenant
~~~~~~~~~~~~
.. _minio-external-identity-management-openid-configure:
This procedure assumes your Kubernetes cluster has sufficient resources to :ref:`deploy a new MinIO Tenant <minio-k8s-deploy-minio-tenant>`.
Procedure
---------
You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable AD/LDAP Identity Management.
1) Set the OpenID Configuration Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. cond:: linux or container or macos or windows
You can configure the :abbr:`OIDC (OpenID Connect)` provider using either
environment variables *or* server runtime configuration settings. Both
methods require starting/restarting the MinIO deployment to apply changes. The
following tabs provide a quick reference of all required and optional
environment variables and configuration settings respectively:
MinIO Deployment
~~~~~~~~~~~~~~~~
.. tab-set::
This procedure assumes an existing MinIO cluster running the :minio-git:`latest stable MinIO version <minio/releases/latest>`.
Defer to the :ref:`minio-installation` for more complete documentation on new MinIO deployments.
This procedure *may* work as expected for older versions of MinIO.
.. cond:: linux or container or macos or windows
Install and Configure ``mc`` with Access to the MinIO Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This procedure uses :mc:`mc` for performing operations on the MinIO cluster.
Install ``mc`` on a machine with network access to the cluster.
See the ``mc`` :ref:`Installation Quickstart <mc-install>` for instructions on downloading and installing ``mc``.
This procedure assumes a configured :mc:`alias <mc alias>` for the MinIO cluster.
.. Lightly modeled after the SSE tutorials
.. cond:: k8s
.. _minio-external-identity-management-openid-configure:
.. include:: /includes/k8s/steps-configure-openid-external-identity-management.rst
.. Doing this the quick and dirty way. Need to revise later to be proper full includes via stepfiles
.. cond:: linux or container or macos or windows
.. _minio-external-identity-management-openid-configure:
Procedure
---------
1) Set the OpenID Configuration Settings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can configure the :abbr:`OIDC (OpenID Connect)` provider using either
environment variables *or* server runtime configuration settings. Both
methods require starting/restarting the MinIO deployment to apply changes. The
following tabs provide a quick reference of all required and optional
environment variables and configuration settings respectively:
.. tab-set::
.. tab-item:: Environment Variables
@ -113,7 +155,7 @@ environment variables and configuration settings respectively:
MinIO supports specifying the :abbr:`OIDC (OpenID Connect)` provider
settings using :mc-conf:`configuration settings <identity_openid>`. The
:mc:`minio server` process applies the specified settings on its next
startup. For distributed deployments, the :mc-cmd:`mc admin config`
startup. For distributed deployments, the :mc:`mc admin config`
command applies the configuration to all nodes in the deployment.
The following example code sets *all* configuration settings related to
@ -140,71 +182,71 @@ environment variables and configuration settings respectively:
For more complete documentation on these settings, see
:mc-conf:`identity_openid`.
2) Restart the MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) Restart the MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You must restart the MinIO deployment to apply the configuration changes.
Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
You must restart the MinIO deployment to apply the configuration changes.
Use the :mc-cmd:`mc admin service restart` command to restart the deployment.
.. code-block:: shell
.. code-block:: shell
:class: copyable
mc admin service restart ALIAS
Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to
restart.
Replace ``ALIAS`` with the :ref:`alias <alias>` of the deployment to
restart.
3) Use the MinIO Console to Log In with OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3) Use the MinIO Console to Log In with OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The MinIO Console supports the full workflow of authenticating to the
:abbr:`OIDC (OpenID Connect)` provider, generating temporary credentials using
the MinIO :ref:`minio-sts-assumerolewithwebidentity` Security Token Service
(STS) endpoint, and logging the user into the MinIO deployment.
The MinIO Console supports the full workflow of authenticating to the
:abbr:`OIDC (OpenID Connect)` provider, generating temporary credentials using
the MinIO :ref:`minio-sts-assumerolewithwebidentity` Security Token Service
(STS) endpoint, and logging the user into the MinIO deployment.
Starting in :minio-release:`RELEASE.2021-07-08T01-15-01Z`, the MinIO Console is
embedded in the MinIO server. You can access the Console by opening the root URL
for the MinIO cluster. For example, ``https://minio.example.net:9000``.
Starting in :minio-release:`RELEASE.2021-07-08T01-15-01Z`, the MinIO Console is
embedded in the MinIO server. You can access the Console by opening the root URL
for the MinIO cluster. For example, ``https://minio.example.net:9000``.
From the Console, click :guilabel:`BUTTON` to begin the OpenID authentication
flow.
From the Console, click :guilabel:`BUTTON` to begin the OpenID authentication
flow.
Once logged in, you can perform any action for which the authenticated
user is :ref:`authorized
<minio-external-identity-management-openid-access-control>`.
Once logged in, you can perform any action for which the authenticated
user is :ref:`authorized
<minio-external-identity-management-openid-access-control>`.
You can also create :ref:`service accounts <minio-idp-service-account>` for
supporting applications which must perform operations on MinIO. Service accounts
are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service
account.
You can also create :ref:`service accounts <minio-idp-service-account>` for
supporting applications which must perform operations on MinIO. Service accounts
are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the service
account.
4) Generate S3-Compatible Temporary Credentials using OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4) Generate S3-Compatible Temporary Credentials using OIDC Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MinIO requires clients authenticate using :s3-api:`AWS Signature Version 4
protocol <sig-v4-authenticating-requests.html>` with support for the deprecated
Signature Version 2 protocol. Specifically, clients must present a valid access
key and secret key to access any S3 or MinIO administrative API, such as
``PUT``, ``GET``, and ``DELETE`` operations.
MinIO requires clients authenticate using :s3-api:`AWS Signature Version 4
protocol <sig-v4-authenticating-requests.html>` with support for the deprecated
Signature Version 2 protocol. Specifically, clients must present a valid access
key and secret key to access any S3 or MinIO administrative API, such as
``PUT``, ``GET``, and ``DELETE`` operations.
Applications can generate temporary access credentials as-needed using the
:ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS)
API endpoint and the JSON Web Token (JWT) returned by the
:abbr:`OIDC (OpenID Connect)` provider.
Applications can generate temporary access credentials as-needed using the
:ref:`minio-sts-assumerolewithwebidentity` Security Token Service (STS)
API endpoint and the JSON Web Token (JWT) returned by the
:abbr:`OIDC (OpenID Connect)` provider.
The application must provide a workflow for logging into the
:abbr:`OIDC (OpenID Connect)` provider and retrieving the
JSON Web Token (JWT) associated to the authentication session. Defer to the
provider documentation for obtaining and parsing the JWT token after successful
authentication. MinIO provides an example Go application
:minio-git:`web-identity.go <minio/blob/master/docs/sts/web-identity.go>` with
an example of managing this workflow.
The application must provide a workflow for logging into the
:abbr:`OIDC (OpenID Connect)` provider and retrieving the
JSON Web Token (JWT) associated to the authentication session. Defer to the
provider documentation for obtaining and parsing the JWT token after successful
authentication. MinIO provides an example Go application
:minio-git:`web-identity.go <minio/blob/master/docs/sts/web-identity.go>` with
an example of managing this workflow.
Once the application retrieves the JWT token, use the
``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:
Once the application retrieves the JWT token, use the
``AssumeRoleWithWebIdentity`` endpoint to generate the temporary credentials:
.. code-block:: shell
.. code-block:: shell
:class: copyable
POST https://minio.example.net?Action=AssumeRoleWithWebIdentity
@ -213,18 +255,15 @@ Once the application retrieves the JWT token, use the
&DurationSeconds=86400
&Policy=Policy
- Replace the ``TOKEN`` with the JWT token returned in the previous step.
- Replace the ``DurationSeconds`` with the duration in seconds until the
temporary credentials expire. The example above specifies a period of
``86400`` seconds, or 24 hours.
- Replace the ``Policy`` with an inline URL-encoded JSON
:ref:`policy <minio-policy>` that further restricts the permissions associated
to the temporary credentials. Omit to use the policy associated to the
OpenID user :ref:`policy claim <minio-external-identity-management-openid-access-control>`.
- Replace the ``TOKEN`` with the JWT token returned in the previous step.
- Replace the ``DurationSeconds`` with the duration in seconds until the temporary credentials expire. The example above specifies a period of ``86400`` seconds, or 24 hours.
- Replace the ``Policy`` with an inline URL-encoded JSON :ref:`policy <minio-policy>` that further restricts the permissions associated to the temporary credentials.
The API response consists of an XML document containing the
access key, secret key, session token, and expiration date. Applications
can use the access key and secret key to access and perform operations on
MinIO.
Omit to use the policy associated to the OpenID user :ref:`policy claim <minio-external-identity-management-openid-access-control>`.
See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.
The API response consists of an XML document containing the
access key, secret key, session token, and expiration date. Applications
can use the access key and secret key to access and perform operations on
MinIO.
See the :ref:`minio-sts-assumerolewithwebidentity` for reference documentation.


@ -170,7 +170,7 @@ Decommission a Server Pool
1) Review the MinIO Deployment Topology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The :mc-cmd:`mc admin decommission` command returns a list of all
The :mc:`mc admin decommission` command returns a list of all
pools in the MinIO deployment:
.. code-block:: shell
@ -280,7 +280,7 @@ the next step once decommissioning is completed.
If :guilabel:`Status` reads as failed, you can re-run the
:mc-cmd:`mc admin decommission start` command to resume the process.
For persistent failures, use :mc-cmd:`mc admin console` or review
For persistent failures, use :mc:`mc admin console` or review
the ``systemd`` logs (e.g. ``journalctl -u minio``) to identify more specific
errors.
@ -340,5 +340,5 @@ to restart the MinIO service:
:start-after: start-nondisruptive-upgrade-desc
:end-before: end-nondisruptive-upgrade-desc
Once the deployment is online, use :mc-cmd:`mc admin info` to confirm the
Once the deployment is online, use :mc:`mc admin info` to confirm the
uptime of all remaining servers in the deployment.


@ -366,208 +366,3 @@ MinIO service:
- :ref:`Create users and policies to control access to the deployment
<minio-authentication-and-identity-management>`.
.. _deploy-minio-distributed-recommendations:
Deployment Recommendations
--------------------------
Minimum Nodes per Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For all production deployments, MinIO recommends a *minimum* of 4 nodes per
:ref:`server pool <minio-intro-server-pool>` with 4 drives per server.
With the default :ref:`erasure code parity <minio-erasure-coding>` setting of
``EC:4``, this topology can continue serving read and write operations
despite the loss of up to 4 drives *or* one node.
The minimum recommendation reflects MinIO's experience with assisting enterprise
customers in deploying on a variety of IT infrastructures while maintaining the
desired SLA/SLO. While MinIO may run on less than the minimum recommended
topology, any potential cost savings come at the risk of decreased reliability.
Server Hardware
~~~~~~~~~~~~~~~
MinIO is hardware agnostic and runs on a variety of hardware architectures
ranging from ARM-based embedded systems to high-end x64 and POWER9 servers.
The following recommendations match MinIO's
`Reference Hardware <https://min.io/product/reference-hardware>`__ for
large-scale data storage:
.. list-table::
:stub-columns: 1
:widths: 20 80
:width: 100%
* - Processor
- Dual Intel Xeon Scalable Gold CPUs with 8 cores per socket.
* - Memory
- 128GB of Memory per pod
* - Network
- Minimum of 25GbE NIC and supporting network infrastructure between nodes.
MinIO can make maximum use of drive throughput, which can fully saturate
network links between MinIO nodes or clients. Large clusters may require
100GbE network infrastructure to fully utilize MinIO's per-node
performance potential.
* - Drives
- SATA/SAS NVMe/SSD with a minimum of 8 drives per server.
Drives should be :abbr:`JBOD (Just a Bunch of Disks)` arrays with
no RAID or similar technologies. MinIO recommends XFS formatting for
best performance.
Use the same type of disk (NVMe, SSD, or HDD) with the same capacity
across all nodes in the deployment. MinIO does not distinguish drive
types when using the underlying storage and does not benefit from mixed
storage types. Additionally. MinIO limits the size used per disk to the
smallest drive in the deployment. For example, if the deployment has 15
10TB disks and 1 1TB disk, MinIO limits the per-disk capacity to 1TB.
Networking
~~~~~~~~~~
MinIO recommends high speed networking to support the maximum possible
throughput of the attached storage (aggregated drives, storage controllers,
and PCIe busses). The following table provides general guidelines for the
maximum storage throughput supported by a given NIC:
.. list-table::
:header-rows: 1
:width: 100%
:widths: 40 60
* - NIC bandwidth (Gbps)
- Estimated Aggregated Storage Throughput (GBps)
* - 10GbE
- 1GBps
* - 25GbE
- 2.5GBps
* - 50GbE
- 5GBps
* - 100GbE
- 10GBps
CPU Allocation
~~~~~~~~~~~~~~
MinIO can perform well with consumer-grade processors. MinIO can take advantage
of CPUs which support AVX-512 SIMD instructions for increased performance of
certain operations.
MinIO benefits from allocating CPU based on the expected per-host network
throughput. The following table provides general guidelines for allocating CPU
for use by based on the total network bandwidth supported by the host:
.. list-table::
:header-rows: 1
:width: 100%
:widths: 40 60
* - Host NIC Bandwidth
- Recommended Pod vCPU
* - 10GbE or less
- 8 vCPU per pod.
* - 25GbE
- 16 vCPU per pod.
* - 50GbE
- 32 vCPU per pod.
* - 100GbE
- 64 vCPU per pod.
.. _minio-k8s-production-considerations-memory:
Memory Allocation
~~~~~~~~~~~~~~~~~
MinIO benefits from allocating memory based on the total storage of each host.
The following table provides general guidelines for allocating memory for use
by MinIO server processes based on the total amount of local storage on the
host:
.. list-table::
:header-rows: 1
:width: 100%
:widths: 40 60
* - Total Host Storage
- Recommended Host Memory
* - Up to 1 Tebibyte (Ti)
- 8GiB
* - Up to 10 Tebibyte (Ti)
- 16GiB
* - Up to 100 Tebibyte (Ti)
- 32GiB
* - Up to 1 Pebibyte (Pi)
- 64GiB
* - More than 1 Pebibyte (Pi)
- 128GiB
.. _minio-requests-per-node:
Requests Per Node
~~~~~~~~~~~~~~~~~
You can calculate the maximum number of concurrent requests per host with this formula:
:math:`totalRam / ramPerRequest`
To calculate the amount of RAM used for each request, use this formula:
:math:`((2MiB + 128KiB) * driveCount) + (2 * 10MiB) + (2 * 1 MiB)`
10MiB is the default erasure block size v1.
1 MiB is the default erasure block size v2.
The following table lists the maximum concurrent requests on a node based on the number of host drives and the *free* system RAM:
.. list-table::
:header-rows: 1
:width: 100%
* - Number of Drives
- 32 GiB of RAM
- 64 GiB of RAM
- 128 GiB of RAM
- 256 GiB of RAM
- 512 GiB of RAM
* - 4 Drives
- 1,074
- 2,149
- 4,297
- 8,595
- 17,190
* - 8 Drives
- 840
- 1,680
- 3,361
- 6,722
- 13,443
* - 16 Drives
- 585
- 1,170
- 2.341
- 4,681
- 9,362


@ -1,6 +1,12 @@
.. The following label handles links from content to distributed MinIO in K8s context
.. _deploy-minio-distributed:
.. Redirect all references to tenant topologies here
.. _minio-snsd:
.. _minio-snmd:
.. _minio-mnmd:
.. _minio-k8s-deploy-minio-tenant:
=====================
@ -21,6 +27,9 @@ This procedure documents deploying a MinIO Tenant using the MinIO Operator Conso
:class: no-scaled-link
:alt: MinIO Operator Console
The MinIO Operator supports only the Distributed (Multi-Node Multi-Drive) MinIO topology.
You can use basic Kubernetes YAML resource definitions to deploy Single-Node Single-Drive and Single-Node Multi-Drive topologies for local testing and evaluation as necessary.
The Operator Console provides a rich user interface for deploying and managing MinIO Tenants on Kubernetes infrastructure.
Installing the MinIO :ref:`Kubernetes Operator <deploy-operator-kubernetes>` automatically installs and configures the Operator Console.
@ -228,7 +237,7 @@ Settings marked with an asterisk :guilabel:`*` are *required*:
* - :guilabel:`Memory per Node [Gi]`
- Specify the total amount of memory (RAM) to allocate per MinIO server pod.
See :ref:`minio-k8s-production-considerations-memory` for guidance on setting this value.
See :ref:`minio-hardware-checklist-memory` for guidance on setting this value.
The Kubernetes cluster *must* have worker nodes with sufficient free RAM to match the pod request.
@ -374,7 +383,7 @@ This includes configuring an external IDP such as :ref:`OpenID <minio-external-i
- Configure additional internal MinIO users for the Operator to create as part of deploying the Tenant.
* - :guilabel:`OpenID`
- Configure an OpenID Connect-compatible servce as an external Identity Provider (e.g. Keycloak, Okta, Google, Facebook, Dex) to manage MinIO users.
- Configure an OpenID Connect-compatible service as an external Identity Provider (e.g. Keycloak, Okta, Google, Facebook, Dex) to manage MinIO users.
* - :guilabel:`Active Directory`
- Configure an Active Directory or OpenLDAP service as the external Identity Provider to manage MinIO users.


@ -152,7 +152,7 @@ Configure Site Replication
To add additional sites beyond two, select the ``+`` button to the side of one of the Site entries.
To remove a site previously added, select the ``-`` button to the side of the site.
Site replication adds a :mc-cmd:`~mc admin user svcacct` under the ``root`` user to perform replication activities.
Site replication adds a :mc:`~mc admin user svcacct` under the ``root`` user to perform replication activities.
#. Select **Save**
@ -178,7 +178,7 @@ Configure Site Replication
For example, for three MinIO sites, you might create aliases ``minio1``, ``minio2``, and ``minio3``.
Use :mc-cmd:`mc alias set`
Use :mc:`mc alias set`
.. code-block:: shell
@ -300,11 +300,11 @@ The new site must meet the following requirements:
#. Configure an alias for each site
To check the existing aliases, use :mc-cmd:`mc alias list`.
To check the existing aliases, use :mc:`mc alias list`.
For example, for three MinIO sites, you might create aliases ``minio1``, ``minio2``, and ``minio3``.
Use :mc-cmd:`mc alias set`
Use :mc:`mc alias set`
.. code-block:: shell


@ -84,7 +84,7 @@ Use these steps to upgrade a MinIO deployment where the MinIO server process is
3. Validate the Upgrade
Use the :mc-cmd:`mc admin info` command to check that all MinIO servers are online, operational, and reflect the installed MinIO version.
Use the :mc:`mc admin info` command to check that all MinIO servers are online, operational, and reflect the installed MinIO version.
4. Update MinIO Client
@ -104,7 +104,7 @@ Update Non-System Managed MinIO Deployments
Use these steps to upgrade a MinIO deployment where the MinIO server process is managed outside of the system (``systemd``, ``systemctl``), such as by a user, an automated script, or some other process management tool.
This procedure only works for systems where the user running the MinIO process has write permissions for the path to the MinIO binary.
The :mc-cmd:`mc admin update` command updates all MinIO server binaries in the target MinIO deployment before restarting all nodes simultaneously.
The :mc:`mc admin update` command updates all MinIO server binaries in the target MinIO deployment before restarting all nodes simultaneously.
The restart process typically completes within a few seconds and is *non-disruptive* to ongoing operations.
- For deployments managed using ``systemctl``, see


@ -89,7 +89,7 @@ The root KMS provides stateful and secured storage of External Keys (EK) while |
#. Create a new |EK| on Vault for use with |SSE|.
#. Configure automatic bucket-default :ref:`SSE-KMS <minio-encryption-sse-kms>`.
For productoin baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.
For production baremetal environments, see the MinIO on Linux documentation for tutorials on configuring MinIO with KES and Hashicorp Vault.
.. important::
@ -105,10 +105,9 @@ Prerequisites
MinIO Kubernetes Operator and Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The procedures on this page *requires* a valid installation of the MinIO
Kubernetes Operator and assumes the local host has a matching installation of
the MinIO Kubernetes Operator. This procedure assumes the latest stable Operator
and Plugin version |operator-version-stable|.
.. include:: /includes/k8s/common-operator.rst
:start-after: start-requires-operator-plugin
:end-before: end-requires-operator-plugin
See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator.


@ -69,9 +69,9 @@ Registering Your MinIO Deployment with SUBNET
You can register for SUBNET from the command line.
Refer to :mc-cmd:`mc support register` for instructions.
Refer to :mc:`mc support register` for instructions.
For clusters without direct Internet access, refer to the instructions in the :ref:`airgap example <minio-support-register-airgap>` of the :mc-cmd:`mc support register` documentation.
For clusters without direct Internet access, refer to the instructions in the :ref:`airgap example <minio-support-register-airgap>` of the :mc:`mc support register` documentation.
SUBNET Issues
@ -115,7 +115,7 @@ Deployment Health
~~~~~~~~~~~~~~~~~
The deployment's details include a summary of the deployment's configuration and the number of checks run and failed.
You can select :guilabel:`Upload` to add diagnostic health data obtained from the :mc-cmd:`mc support diagnostics` command or the MinIO Console's Support > Health page.
You can select :guilabel:`Upload` to add diagnostic health data obtained from the :mc:`mc support diagnostics` command or the MinIO Console's Support > Health page.
If you need support from MinIO Engineering, you can create a :guilabel:`New Issue` for the deployment.
@ -145,7 +145,7 @@ If you registered the cluster with SUBNET, Performance and Inspection files can
For clusters with an airgap, firewall, or otherwise blocked from SUBNET directly, you can manually upload files to SUBNET after logging in.
#. Generate the file(s) to upload from the command line with :mc-cmd:`mc support diagnostics` or :mc-cmd:`mc support inspect`
#. Generate the file(s) to upload from the command line with :mc:`mc support diagnostics` or :mc:`mc support inspect`
#. Sign in to `SUBNET <https://subnet.min.io>`_
#. Select :guilabel:`Deployments`
#. Select :guilabel:`Diagnostics`
@ -155,7 +155,7 @@ For clusters with an airgap, firewall, or otherwise blocked from SUBNET directly
Encrypting Data
~~~~~~~~~~~~~~~
Data from the Inspect tool in :ref:`Console <minio-console>` or the :mc-cmd:`mc support inspect` command can be encrypted.
Data from the Inspect tool in :ref:`Console <minio-console>` or the :mc:`mc support inspect` command can be encrypted.
For more details about encrypting or decrypting such files, see :ref:`Encrypting Files <minio-support-encryption>`.


@ -13,7 +13,7 @@ Encrypting Files
Description
-----------
You can encrypt the output of the :mc-cmd:`mc support inspect` command for enhanced security when transmitting the files to |SUBNET|.
You can encrypt the output of the :mc:`mc support inspect` command for enhanced security when transmitting the files to |SUBNET|.
Encryption
----------
@ -41,7 +41,7 @@ As the output says, MinIO only displays the encryption key this one time, and it
Decryption
----------
MinIO provides a decryption tool to use on the files generated by :mc-cmd:`mc support inspect`.
MinIO provides a decryption tool to use on the files generated by :mc:`mc support inspect`.
To install the decryption tool, install `Go <https://golang.org/dl/>`_, then run


@ -14,9 +14,9 @@ The MinIO Client :mc-cmd:`mc` command line tool provides The command
command for performing administrative tasks on your MinIO deployments.
While :mc-cmd:`mc` supports any S3-compatible service,
:mc-cmd:`mc admin` *only* supports MinIO deployments.
:mc:`mc admin` *only* supports MinIO deployments.
:mc-cmd:`mc admin` has the following syntax:
:mc:`mc admin` has the following syntax:
.. code-block:: shell
@ -25,7 +25,7 @@ While :mc-cmd:`mc` supports any S3-compatible service,
Command Quick reference
-----------------------
The following table lists :mc-cmd:`mc admin` commands:
The following table lists :mc:`mc admin` commands:
.. list-table::
:header-rows: 1
@ -35,17 +35,22 @@ The following table lists :mc-cmd:`mc admin` commands:
* - Command
- Description
* - :mc:`mc admin bucket remote`
* - :mc-cmd:`mc admin bucket remote`
- .. include:: /reference/minio-mc-admin/mc-admin-bucket-remote.rst
:start-after: start-mc-admin-bucket-remote-desc
:end-before: end-mc-admin-bucket-remote-desc
* - :mc:`mc admin bucket quota`
* - :mc-cmd:`mc admin bucket quota`
- .. include:: /reference/minio-mc-admin/mc-admin-bucket-quota.rst
:start-after: start-mc-admin-bucket-quota-desc
:end-before: end-mc-admin-bucket-quota-desc
* - :mc:`mc admin decommission`
* - :mc-cmd:`mc admin console`
- .. include:: /reference/minio-mc-admin/mc-admin-console.rst
:start-after: start-mc-admin-console-desc
:end-before: end-mc-admin-console-desc
* - :mc-cmd:`mc admin decommission`
- .. include:: /reference/minio-mc-admin/mc-admin-decommission.rst
:start-after: start-mc-admin-decommission-desc
:end-before: end-mc-admin-decommission-desc
@ -55,22 +60,22 @@ The following table lists :mc-cmd:`mc admin` commands:
:start-after: start-mc-admin-group-desc
:end-before: end-mc-admin-group-desc
* - :mc:`mc admin heal`
* - :mc-cmd:`mc admin heal`
- .. include:: /reference/minio-mc-admin/mc-admin-heal.rst
:start-after: start-mc-admin-heal-desc
:end-before: end-mc-admin-heal-desc
* - :mc:`mc admin info`
* - :mc-cmd:`mc admin info`
- .. include:: /reference/minio-mc-admin/mc-admin-info.rst
:start-after: start-mc-admin-info-desc
:end-before: end-mc-admin-info-desc
* - :mc:`mc admin kms key`
* - :mc-cmd:`mc admin kms key`
- .. include:: /reference/minio-mc-admin/mc-admin-kms-key.rst
:start-after: start-mc-admin-kms-key-desc
:end-before: end-mc-admin-kms-key-desc
* - :mc:`mc admin obd`
* - :mc-cmd:`mc admin obd`
- .. include:: /reference/minio-mc-admin/mc-admin-obd.rst
:start-after: start-mc-admin-obd-desc
:end-before: end-mc-admin-obd-desc
@ -80,27 +85,27 @@ The following table lists :mc-cmd:`mc admin` commands:
:start-after: start-mc-admin-policy-desc
:end-before: end-mc-admin-policy-desc
* - :mc:`mc admin profile`
* - :mc-cmd:`mc admin profile`
- .. include:: /reference/minio-mc-admin/mc-admin-profile.rst
:start-after: start-mc-admin-profile-desc
:end-before: end-mc-admin-profile-desc
* - :mc:`mc admin prometheus`
* - :mc-cmd:`mc admin prometheus`
- .. include:: /reference/minio-mc-admin/mc-admin-prometheus.rst
:start-after: start-mc-admin-prometheus-desc
:end-before: end-mc-admin-prometheus-desc
* - :mc:`mc admin replicate`
* - :mc-cmd:`mc admin replicate`
- .. include:: /reference/minio-mc-admin/mc-admin-replicate.rst
:start-after: start-mc-admin-replicate-desc
:end-before: end-mc-admin-replicate-desc
* - :mc:`mc admin service`
* - :mc-cmd:`mc admin service`
- .. include:: /reference/minio-mc-admin/mc-admin-service.rst
:start-after: start-mc-admin-service-desc
:end-before: end-mc-admin-service-desc
* - :mc:`mc admin speedtest`
* - :mc-cmd:`mc admin speedtest`
- .. include:: /reference/minio-mc-admin/mc-admin-speedtest.rst
:start-after: start-mc-admin-speedtest-desc
:end-before: end-mc-admin-speedtest-desc
@ -110,17 +115,17 @@ The following table lists :mc-cmd:`mc admin` commands:
:start-after: start-mc-admin-tier-desc
:end-before: end-mc-admin-tier-desc
* - :mc:`mc admin top`
* - :mc-cmd:`mc admin top`
- .. include:: /reference/minio-mc-admin/mc-admin-top.rst
:start-after: start-mc-admin-top-desc
:end-before: end-mc-admin-top-desc
* - :mc:`mc admin trace`
* - :mc-cmd:`mc admin trace`
- .. include:: /reference/minio-mc-admin/mc-admin-trace.rst
:start-after: start-mc-admin-trace-desc
:end-before: end-mc-admin-trace-desc
* - :mc:`mc admin update`
* - :mc-cmd:`mc admin update`
- .. include:: /reference/minio-mc-admin/mc-admin-update.rst
:start-after: start-mc-admin-update-desc
:end-before: end-mc-admin-update-desc
@ -130,7 +135,7 @@ The following table lists :mc-cmd:`mc admin` commands:
:start-after: start-mc-admin-user-desc
:end-before: end-mc-admin-user-desc
* - :mc:`mc admin user`
* - :mc:`mc admin user svcacct`
- .. include:: /reference/minio-mc-admin/mc-admin-user-svcacct.rst
:start-after: start-mc-admin-user-svcacct-desc
:end-before: end-mc-admin-user-svcacct-desc
@ -156,7 +161,7 @@ Ensure that the host machine has :mc:`mc`
security best practices for your operating system for inputting sensitive
information on the command line.
Use the :mc-cmd:`mc alias set` command to add the
Use the :mc:`mc alias set` command to add the
deployment to the :program:`mc` configuration.
.. code-block:: shell
@ -181,7 +186,7 @@ the newly added MinIO deployment:
Global Options
--------------
:mc-cmd:`mc admin` supports the same global options as
:mc:`mc admin` supports the same global options as
:mc-cmd:`mc`. See :ref:`minio-mc-global-options`.
.. toctree::


@ -76,7 +76,7 @@ Examples
Configure a Hard Quota on a Bucket
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc:`mc admin bucket quota` with the
Use :mc-cmd:`mc admin bucket quota` with the
:mc-cmd:`~mc admin bucket quota --hard` flag to specify a hard quota
on a bucket. Hard quotas prevent the bucket size from growing past the specified
limit.
@ -97,7 +97,7 @@ limit.
Retrieve Bucket Quota Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc:`mc admin bucket quota` to retrieve the current quota configuration
Use :mc-cmd:`mc admin bucket quota` to retrieve the current quota configuration
for a bucket:
.. code-block:: shell
@ -112,7 +112,7 @@ retrieve the quota.
Clear Configured Bucket Quota
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc:`mc admin bucket quota` with the
Use :mc-cmd:`mc admin bucket quota` with the
:mc-cmd:`~mc admin bucket quota --clear` flag to clear all quotas from
a bucket.


@ -34,7 +34,7 @@ Add a New Replication Target
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc admin bucket remote add` to create a new replication target
ARN for use with :mc-cmd:`mc replicate add`:
ARN for use with :mc:`mc replicate add`:
.. code-block:: shell
:class: copyable


@ -17,7 +17,7 @@ Description
.. start-mc-admin-config-desc
The :mc-cmd:`mc admin config` command manages configuration settings for the
The :mc:`mc admin config` command manages configuration settings for the
:mc:`minio` server.
.. end-mc-admin-bucket-remote-desc


@ -15,7 +15,7 @@ Description
.. start-mc-admin-console-desc
The :mc-cmd:`mc admin console` command returns server log entries for each
The :mc:`mc admin console` command returns server log entries for each
MinIO server in the deployment.
.. end-mc-admin-console-desc
@ -31,14 +31,14 @@ MinIO server in the deployment.
Syntax
------
:mc-cmd:`mc admin console` has the following syntax:
:mc:`mc admin console` has the following syntax:
.. code-block:: shell
:class: copyable
mc admin console [FLAGS] TARGET NODENAME
:mc-cmd:`mc admin console` supports the following:
:mc:`mc admin console` supports the following:
.. mc-cmd:: TARGET


@ -17,7 +17,7 @@ Syntax
.. start-mc-admin-decommission-desc
The :mc:`mc admin decommission` command starts the decommissioning process for a
The :mc-cmd:`mc admin decommission` command starts the decommissioning process for a
MinIO :ref:`server pools <minio-intro-server-pool>`. Decommissioning is designed
for removing an older server pool whose hardware is no longer sufficient or
performant compared to the pools in the deployment. MinIO automatically migrates


@ -15,7 +15,7 @@ Description
.. start-mc-admin-group-desc
The :mc-cmd:`mc admin group` command manages groups on a MinIO deployment.
The :mc:`mc admin group` command manages groups on a MinIO deployment.
.. end-mc-admin-group-desc


@ -15,12 +15,12 @@ Description
.. start-mc-admin-heal-desc
The :mc:`mc admin heal` command scans for objects that are damaged or
The :mc-cmd:`mc admin heal` command scans for objects that are damaged or
corrupted and heals those objects.
.. end-mc-admin-heal-desc
:mc:`mc admin heal` is resource intensive and typically not required even
:mc-cmd:`mc admin heal` is resource intensive and typically not required even
after disk failures or corruption events. Instead, MinIO automatically heals
objects damaged by silent bit rot corruption, disk failure, or other issues on
POST/GET. MinIO also performs periodic background object healing.
@ -35,14 +35,14 @@ POST/GET. MinIO also performs periodic background object healing.
Syntax
------
:mc:`mc admin heal` has the following syntax:
:mc-cmd:`mc admin heal` has the following syntax:
.. code-block:: shell
:class: copyable
mc admin heal [FLAGS] TARGET
:mc:`mc admin heal` supports the following arguments:
:mc-cmd:`mc admin heal` supports the following arguments:
.. mc-cmd:: TARGET


@ -15,8 +15,8 @@ Description
.. start-mc-admin-info-desc
The :mc:`mc admin info` command displays information on a MinIO server.
For distributed MinIO deployments, :mc:`mc admin info` displays information
The :mc-cmd:`mc admin info` command displays information on a MinIO server.
For distributed MinIO deployments, :mc-cmd:`mc admin info` displays information
for each MinIO server in the deployment.
.. end-mc-admin-info-desc


@ -15,23 +15,23 @@ Description
.. start-mc-admin-obd-desc
The :mc:`mc admin obd` command generates detailed diagnostics for the
The :mc-cmd:`mc admin obd` command generates detailed diagnostics for the
target MinIO deployment as a ``GZIP`` compressed ``JSON`` file. MinIO Support
may request the output of :mc:`mc admin obd` as part of troubleshooting
may request the output of :mc-cmd:`mc admin obd` as part of troubleshooting
and diagnostics.
.. end-mc-admin-obd-desc
:mc:`mc admin obd` names the file using the following pattern:
:mc-cmd:`mc admin obd` names the file using the following pattern:
.. code-block:: none
alias-health_YYYYMMDDHHMMSS.json.gzip
The ``alias`` is the :mc-cmd:`~mc admin obd TARGET` MinIO deployment from which
:mc:`mc admin obd` returned the diagnostics.
:mc-cmd:`mc admin obd` returned the diagnostics.
The :mc:`mc admin obd` output may contain sensitive information about your
The :mc-cmd:`mc admin obd` output may contain sensitive information about your
environment. Exercise all possible precautions, such as redacting sensitive
fields, prior to sharing the data on any public forum.


@ -15,7 +15,7 @@ Description
.. start-mc-admin-policy-desc
The :mc-cmd:`mc admin policy` command manages policies for use with MinIO
The :mc:`mc admin policy` command manages policies for use with MinIO
Policy-Based Access Control (PBAC). MinIO PBAC uses IAM-compatible policy JSON
documents to define rules for accessing resources on a MinIO server.


@ -17,7 +17,7 @@ Description
.. start-mc-admin-replicate-desc
The :mc:`mc admin replicate` command creates and manages :ref:`site replication <minio-site-replication-overview>` for a set of MinIO peer sites.
The :mc-cmd:`mc admin replicate` command creates and manages :ref:`site replication <minio-site-replication-overview>` for a set of MinIO peer sites.
Site replication mimics an active-active bucket replication, but for multiple MinIO deployments.
Wherever a change occurs to IAM settings, buckets, or objects across the set of sites, the change replicates across all sites in the site replication group.
@ -26,7 +26,7 @@ Wherever a change occurs to IAM settings, buckets, or objects across the set of
Where :ref:`bucket replication <minio-bucket-replication>` manages the mirroring of particular buckets or objects from one location to another within a deployment or across deployments, site replication continuously mirrors an entire MinIO site to other sites.
:mc:`mc admin replicate` only supports site replication for :ref:`distributed deployments <deploy-minio-distributed>` when configuring site replication.
:mc-cmd:`mc admin replicate` only supports site replication for :ref:`distributed deployments <deploy-minio-distributed>` when configuring site replication.
Only one deployment can have any data when initiating a new site replication configuration.
@ -40,7 +40,7 @@ Site replication enforces :ref:`bucket versioning <minio-bucket-versioning>` on
:end-before: end-minio-only
The :mc:`mc admin replicate` command has the following subcommands:
The :mc-cmd:`mc admin replicate` command has the following subcommands:
.. list-table::
:header-rows: 1


@ -31,7 +31,7 @@ request against each MinIO server in a deployment.
Example
-------
Use :mc:`mc admin trace` to perform an HTTP trace of each MinIO server in
Use :mc-cmd:`mc admin trace` to perform an HTTP trace of each MinIO server in
the deployment:
.. code-block:: shell


@ -46,7 +46,7 @@ procedures.
Examples
--------
Use :mc:`mc admin update` to update each :mc:`minio` server process in the
Use :mc-cmd:`mc admin update` to update each :mc:`minio` server process in the
MinIO deployment:
.. code-block:: shell
@ -77,7 +77,7 @@ Syntax
deployment, :mc-cmd:`mc admin update` updates *all* MinIO servers
in the deployment at the same time.
Use :mc-cmd:`mc alias list` to review the configured aliases and their
Use :mc:`mc alias list` to review the configured aliases and their
corresponding MinIO deployment endpoints.
.. mc-cmd:: MIRROR_URL


@ -15,9 +15,9 @@ Description
.. start-mc-admin-user-desc
The :mc-cmd:`mc admin user` command manages users on a MinIO deployment. Clients
The :mc:`mc admin user` command manages users on a MinIO deployment. Clients
*must* authenticate to the MinIO deployment with the access key and secret key
associated to a user on the deployment. MinIO users constitue a key component in
associated to a user on the deployment. MinIO users constitute a key component in
MinIO Identity and Access Management.
.. end-mc-admin-user-desc


@ -63,7 +63,7 @@ the tab that corresponds to the host machine operating system or environment:
security best practices for your operating system for inputting sensitive
information on the command line.
Use the :mc-cmd:`mc alias set` command to add an Amazon S3-compatible service
Use the :mc:`mc alias set` command to add an Amazon S3-compatible service
to the :mc-cmd:`mc` :ref:`configuration <mc-configuration>`.
.. code-block:: shell
@ -297,7 +297,7 @@ The following table lists :mc-cmd:`mc` commands:
* - | :mc:`mc share download`
| :mc:`mc share upload`
| :mc:`mc share list`
- The :mc-cmd:`mc share download` and :mc-cmd:`mc share upload`
- The :mc:`mc share download` and :mc:`mc share upload`
commands generate presigned URLs for downloading and uploading
objects to a MinIO bucket.
@ -348,7 +348,7 @@ The following table lists :mc-cmd:`mc` commands:
:mc-cmd:`mc` also includes an administration extension for managing MinIO
deployments. See :mc-cmd:`mc admin` for more complete documentation.
deployments. See :mc:`mc admin` for more complete documentation.
.. _mc-configuration:


@ -39,7 +39,7 @@ to each alias.
.. tab-item:: SYNTAX
The :mc-cmd:`mc alias list` command has the following syntax:
The :mc:`mc alias list` command has the following syntax:
.. code-block:: shell
@ -73,7 +73,7 @@ List All Configured Aliases
.. tab-item:: Example
The following :mc-cmd:`mc alias list` command lists all configured aliases
The following :mc:`mc alias list` command lists all configured aliases
in the local :program:`mc` configuration.
.. code-block:: shell
@ -95,7 +95,7 @@ List a Specific Alias
.. tab-item:: Example
The following :mc-cmd:`mc alias list` command lists the details of a
The following :mc:`mc alias list` command lists the details of a
specific alias in the local :program:`mc` configuration.
.. code-block:: shell


@ -36,7 +36,7 @@ The :mc:`mc alias remove` removes an existing alias from the local
.. tab-item:: SYNTAX
The :mc-cmd:`mc alias remove` command has the following syntax:
The :mc:`mc alias remove` command has the following syntax:
.. code-block:: shell
:class: copyable
@ -67,7 +67,7 @@ Examples
Remove an Alias from the ``mc`` Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc alias remove` to remove an existing alias from the
Use :mc:`mc alias remove` to remove an existing alias from the
:program:`mc` configuration:
.. tab-set::


@ -15,7 +15,7 @@
.. mc:: mc alias
.. mc:: mc alias set
.. |command| replace:: :mc-cmd:`mc alias set`
.. |command| replace:: :mc:`mc alias set`
Syntax
------
@ -46,7 +46,7 @@ The :mc:`mc alias set` command adds or updates an alias to the local
.. tab-item:: SYNTAX
The :mc-cmd:`mc alias set` command has the following syntax:
The :mc:`mc alias set` command has the following syntax:
.. code-block:: shell
:class: copyable
@ -103,7 +103,7 @@ Parameters
AWS Signature V2 is considered
`deprecated <https://aws.amazon.com/blogs/aws/amazon-s3-update-sigv2-deprecation-period-extended-modified/>`__
by AWS. :mc-cmd:`mc alias set` includes this option only for S3 buckets
by AWS. :mc:`mc alias set` includes this option only for S3 buckets
or services still reliant on the Signature V2.
Use ``S3v4`` unless explicitly required by the S3-compatible service.
@ -135,7 +135,7 @@ Examples
Add or Update an Alias for a MinIO Deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc alias set` to add an S3-compatible service for use with
Use :mc:`mc alias set` to add an S3-compatible service for use with
:program:`mc`:
.. tab-set::
@ -153,7 +153,7 @@ Use :mc-cmd:`mc alias set` to add an S3-compatible service for use with
mc alias set myminio https://minio.example.net miniouser miniopassword
If the ``myminio`` alias already exists, the
:mc-cmd:`mc alias set` command overwrites that alias with the specified
:mc:`mc alias set` command overwrites that alias with the specified
arguments.
.. tab-item:: Syntax
@ -186,7 +186,7 @@ S3 Compatibility
Required Credentials and Access Control
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:mc-cmd:`mc alias set` requires specifying an access key and corresponding
:mc:`mc alias set` requires specifying an access key and corresponding
secret key for the S3-compatible host. :program:`mc` functionality is limited
based on the policies associated to the specified credentials. For example, if
the specified credentials do not have read/write access to a specific bucket,


@ -14,7 +14,7 @@
.. Replacement substitutions
.. |command| replace:: :mc-cmd:`mc cat`
.. |command| replace:: :mc:`mc cat`
.. |rewind| replace:: :mc-cmd:`~mc cat --rewind`
.. |versionid| replace:: :mc-cmd:`~mc cat --version-id`
.. |alias| replace:: :mc-cmd:`~mc cat ALIAS`
@ -134,7 +134,7 @@ Examples
View an S3 Object
~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc cat` to return the object:
Use :mc:`mc cat` to return the object:
.. code-block:: shell
:class: copyable


@ -12,7 +12,7 @@
.. mc:: mc cp
.. |command| replace:: :mc-cmd:`mc cp`
.. |command| replace:: :mc:`mc cp`
.. |rewind| replace:: :mc-cmd:`~mc cp --rewind`
.. |versionid| replace:: :mc-cmd:`~mc cp --version-id`
.. |alias| replace:: :mc-cmd:`~mc cp SOURCE`
@ -89,7 +89,7 @@ Parameters
mc cp play/mybucket/object.txt ~/mydata/object.txt
Specify multiple ``SOURCE`` paths to copy multiple objects to the
specified :mc-cmd:`~mc cp TARGET`. :mc-cmd:`mc cp` treats the
specified :mc-cmd:`~mc cp TARGET`. :mc:`mc cp` treats the
*last* specified alias or filesystem path as the ``TARGET``. For example:
.. code-block:: none
@ -292,7 +292,7 @@ Examples
Copy Object to S3
~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc cp` to copy an object to an S3-compatible host:
Use :mc:`mc cp` to copy an object to an S3-compatible host:
.. tab-set::
@ -355,7 +355,7 @@ S3-compatible host:
of a configured S3-compatible host.
- Replace :mc-cmd:`PATH <mc cp TARGET>` with the path to the object on
the S3-compatible host. :mc-cmd:`mc cp` uses the ``SOURCE`` filenames
the S3-compatible host. :mc:`mc cp` uses the ``SOURCE`` filenames
when creating the objects on the target host.
.. tab-item:: S3 to S3
@ -375,7 +375,7 @@ S3-compatible host:
:mc:`alias <mc alias>` of a target S3-compatible host.
- Replace :mc-cmd:`TGTPATH <mc cp TARGET>` with the path to the
object on the target S3-compatible host. :mc-cmd:`mc cp` uses the
object on the target S3-compatible host. :mc:`mc cp` uses the
``SRCPATH`` object names when creating objects on the target
host.


@ -183,7 +183,7 @@ Behavior
Supported Bucket Events
~~~~~~~~~~~~~~~~~~~~~~~
The following table lists the supported :mc-cmd:`mc event add` values and their
The following table lists the supported :mc:`mc event add` values and their
corresponding :ref:`S3 events <minio-bucket-notifications-event-types>`:
.. list-table::


@ -84,7 +84,7 @@ Parameters
mc find ~/mydata/
Issuing :mc-cmd:`mc find ALIAS` with no other arguments returns a list of
*all* objects or files at the specified path, similar to :mc-cmd:`mc ls`.
*all* objects or files at the specified path, similar to :mc:`mc ls`.
.. mc-cmd:: --exec


@ -13,7 +13,7 @@
.. mc:: mc head
.. |command| replace:: :mc-cmd:`mc head`
.. |command| replace:: :mc:`mc head`
.. |rewind| replace:: :mc-cmd:`~mc head --rewind`
.. |versionid| replace:: :mc-cmd:`~mc head --version-id`
.. |alias| replace:: :mc-cmd:`~mc head ALIAS`
@ -143,7 +143,7 @@ Examples
View Partial Contents of an Object
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc head` to return the first 10 lines of an object:
Use :mc:`mc head` to return the first 10 lines of an object:
.. code-block:: shell
:class: copyable


@ -167,7 +167,7 @@ Parameters
*Required* The remote storage tier to which MinIO
:ref:`transition objects <minio-lifecycle-management-tiering>`.
Specify a remote storage tier created by :mc-cmd:`mc admin tier`.
Specify a remote storage tier created by :mc:`mc admin tier`.
Required if specifying :mc-cmd:`~mc ilm add --transition-days`.
@ -225,7 +225,7 @@ Parameters
*Optional* The remote storage tier to which MinIO
:ref:`transitions noncurrent objects versions
<minio-lifecycle-management-tiering>`. Specify a remote storage tier created
by :mc-cmd:`mc admin tier`.
by :mc:`mc admin tier`.
Global Flags
@ -241,7 +241,7 @@ Examples
Expire Bucket Contents After Number of Days
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use :mc-cmd:`mc ilm add` with :mc-cmd:`~mc ilm add --expiry-days` to
Use :mc:`mc ilm add` with :mc-cmd:`~mc ilm add --expiry-days` to
expire bucket contents a number of days after object creation:
.. code-block:: shell
@ -276,7 +276,7 @@ Expiry vs Transition
MinIO supports specifying both expiry and transition rules in the same
bucket or bucket prefix. MinIO can execute an expiration rule on an object
regardless of its transition status. Use
:mc-cmd:`mc ilm ls` to review the currently configured object lifecycle
:mc:`mc ilm ls` to review the currently configured object lifecycle
management rules for any potential interactions between expiry and transition
rules.
