mirror of https://github.com/minio/docs.git synced 2025-08-09 13:02:53 +03:00

Fix incorrect AD/LDAP group-policy assignment

Update source/security/ad-ldap-external-identity-management/external-authentication-with-ad-ldap-identity-provider.rst

Co-authored-by: Aditya Manthramurthy <donatello@users.noreply.github.com>
This commit is contained in:
ravindk89
2021-10-21 19:30:46 -04:00
committed by Ravind Kumar
parent ef1048c621
commit df711f163f
2 changed files with 77 additions and 24 deletions

View File

@@ -177,32 +177,45 @@ Access Control for Externally Managed Identities
MinIO uses :ref:`Policy Based Access Control (PBAC) <minio-access-management>` MinIO uses :ref:`Policy Based Access Control (PBAC) <minio-access-management>`
to define the actions and resources to which an authenticated user has access. to define the actions and resources to which an authenticated user has access.
MinIO supports creating and managing :ref:`policies <minio-policy>` which an When using an Active Directory/LDAP server for identity management
externally managed user can claim. (authentication), MinIO maintains control over access (authorization)
through PBAC.
For identities managed by the external Active Directory / LDAP server, When a user successfully authenticates to MinIO using their AD/LDAP
MinIO attempts to match existing policies to the authenticated user's credentials, MinIO searches for all :ref:`policies <minio-policy>` which
Distinguished Name (DN). are explicitly associated to that user's Distinguished Name (DN).
Specifically, the policy must be assigned to a user with a matching DN
using the :mc-cmd:`mc admin policy set` command.
MinIO also supports querying for the user's AD/LDAP group membership. MinIO For example, consider the following policy assignments:
attempts to match existing policies to the DN for each of the user's groups. See
:ref:`minio-external-identity-management-ad-ldap-access-control-group-lookup`
for more information.
For example, consider the following user and group DNs:
.. code-block:: shell .. code-block:: shell
cn=applicationUser,cn=users,dc=example,dc=com mc admin policy set consoleAdmin user='cn=sisko,cn=users,dc=example,dc=com'
cn=applicationGroup,cn=groups,dc=example,dc=com mc admin policy set readWrite user='cn=dax,cn=users,dc=example,dc=com'
mc admin policy set diagnostics user='cn=dax,cn=users,dc=example,dc=com'
MinIO attaches the policies with names matching the *full* DN for the user and - MinIO would assign an authenticated user with DN matching
group to the authenticated user. ``cn=sisko,cn=users,dc=example,dc=com`` the :userpolicy:`consoleAdmin`
policy, granting complete access to the MinIO server.
The authenticated users complete set of permissions consists of its - MinIO would assign an authenticated user with DN matching
explicitly assigned and inherited policies. If the user DN and group DNs ``cn=dax,cn=users,dc=example,dc=com`` both the :userpolicy:`readwrite` and
do not match any policies on the MinIO deployment, MinIO denies authorization :userpolicy:`diagnostics` policies, granting general read/write access to the
for any and all operations issued by that user. MinIO server *and* access to diagnostic administrative operations.
- MinIO would assign no policies to an authenticated user with DN matching
``cn=quark,cn=users,dc=example,dc=com`` and deny all access to API operations.
MinIO also supports querying for the user's AD/LDAP group membership. MinIO
attempts to match existing policies to the DN for each of the user's groups. The
authenticated users complete set of permissions consists of its explicitly
assigned and group-inherited policies. See
:ref:`minio-external-identity-management-ad-ldap-access-control-group-lookup`
for more information.
MinIO uses deny-by-default behavior where a user with no explicitly assigned or
group-inherited policies cannot access any resource on the MinIO deployment.
MinIO provides :ref:`built-in policies <minio-policy-built-in>` for basic access MinIO provides :ref:`built-in policies <minio-policy-built-in>` for basic access
control. You can create new policies using the :mc:`mc admin policy` command. control. You can create new policies using the :mc:`mc admin policy` command.
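Review bot: the policy name in the new user example is inconsistent within the hunk: the command for `dax` uses `readWrite`, while the bullet below references `:userpolicy:`readwrite`` and the built-in directive added in the other file is `.. userpolicy:: readwrite`; use the lowercase `readwrite` spelling in the command so the example assigns the policy it claims to assign. Two smaller points in the same hunk: the `mc admin policy set` invocations omit the alias argument that precedes the policy name (`mc admin policy set ALIAS consoleAdmin user='cn=sisko,cn=users,dc=example,dc=com'`, with ALIAS standing for whatever alias the reader configured), so they cannot be run as written; and because `dax` receives two policies through two separate `set` calls, it is worth confirming that the second call adds to rather than replaces the first, otherwise a single call with the comma-separated form `readwrite,diagnostics` is the shape to show. Finally, "The authenticated users complete set of permissions" needs the possessive: "user's".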
@@ -219,6 +232,23 @@ groups in which the authenticated user has membership. MinIO
attempts to match existing :ref:`policies <minio-policy>` to each group attempts to match existing :ref:`policies <minio-policy>` to each group
DN and assigns each matching policy to the authenticated user. DN and assigns each matching policy to the authenticated user.
For example, consider the following policy assignments:
.. code-block:: shell
mc admin policy set consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'
mc admin policy set diagnostics group='cn=engineering,cn=groups,dc=example,dc=com'
- MinIO would assign any authenticating user with membership in the
``cn=ops,cn=groups,dc=example,dc=com`` AD/LDAP group the
:userpolicy:`consoleAdmin` policy, granting complete access to the MinIO
server.
- MinIO would assign any authenticating user with membership in the
``cn=engineering,cn=groups,dc=example,dc=com`` AD/LDAP group the
:userpolicy:`diagnostics` policy, granting access to diagnostic administrative
operations.
The following tabs provide a reference of the environment variables and The following tabs provide a reference of the environment variables and
configuration settings required for enabling group lookups: configuration settings required for enabling group lookups:
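Review bot: as in the user example above, the two `mc admin policy set` commands lack the alias argument before the policy name (`mc admin policy set ALIAS consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'`, where ALIAS is the reader's configured alias); add it so the snippet is copy-paste correct. It would also help to close the example with a third bullet for a user who is a member of both `cn=ops` and `cn=engineering`, stating that they receive both `consoleAdmin` and `diagnostics`, since the sentence above says MinIO "assigns each matching policy to the authenticated user" and a reader may otherwise assume only the first matching group is consulted.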
@@ -231,7 +261,7 @@ configuration settings required for enabling group lookups:
See the :ref:`minio-server-envvar-external-identity-management-ad-ldap` See the :ref:`minio-server-envvar-external-identity-management-ad-ldap`
reference documentation for more information on these variables. The reference documentation for more information on these variables. The
:ref:`minio-authenticate-using-openid-generic` tutorial includes complete :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete
instructions on setting these values. instructions on setting these values.
.. tab-item:: Configuration Setting .. tab-item:: Configuration Setting
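Review bot: the corrected cross-reference `minio-authenticate-using-ad-ldap-generic` is the right target for an AD/LDAP page, but the label must actually be defined (`.. _minio-authenticate-using-ad-ldap-generic:`) in the tutorial it points at; please confirm it resolves in a docs build rather than producing an unresolved-reference warning, since the same label is used again in the Configuration Setting tab below.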
@@ -242,7 +272,7 @@ configuration settings required for enabling group lookups:
See the :mc-conf:`identity_ldap` reference documentation for more See the :mc-conf:`identity_ldap` reference documentation for more
information on these settings. The information on these settings. The
:ref:`minio-authenticate-using-openid-generic` tutorial includes complete :ref:`minio-authenticate-using-ad-ldap-generic` tutorial includes complete
instructions on setting these variables. instructions on setting these variables.
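Review bot: the sentence now ends "instructions on setting these variables" under the Configuration Setting tab, while the parallel sentence in the environment-variable tab above ends "setting these values"; the wording is swapped between the two tabs. Use "these settings" here, matching "information on these settings" one line earlier, and keep "these variables" for the environment-variable tab.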

View File

@@ -37,23 +37,46 @@ Built-In Policies
MinIO provides the following built-in policies for assigning to MinIO provides the following built-in policies for assigning to
:ref:`users <minio-users>` or :ref:`groups <minio-groups>`: :ref:`users <minio-users>` or :ref:`groups <minio-groups>`:
.. userpolicy:: consoleAdmin
Grants complete access to all S3 and administrative API operations against
all resources on the MinIO server. Equivalent to the following set of
actions:
- :policy-action:`s3:*`
- :policy-action:`admin:*`
.. userpolicy:: readonly .. userpolicy:: readonly
Grants read-only permissions for all buckets and objects on the MinIO server. Grants read-only permissions for all buckets and objects on the MinIO server.
Equivalent to the following set of actions:
- :policy-action:`s3:GetBucketLocation`
- :policy-action:`s3:GetObject`
.. userpolicy:: readwrite .. userpolicy:: readwrite
Grants read and write permissions for all buckets and objects on the Grants read and write permissions for all buckets and objects on the
MinnIO server. MinIO server. Equivalent to :policy-action:`s3:*`.
.. userpolicy:: diagnostics .. userpolicy:: diagnostics
Grants permission to perform diagnostic actions on the MinIO server. Grants permission to perform diagnostic actions on the MinIO server.
Specifically includes the following actions:
- :policy-action:`admin:ServerTrace`
- :policy-action:`admin:Profiling`
- :policy-action:`admin:ConsoleLog`
- :policy-action:`admin:ServerInfo`
- :policy-action:`admin:TopLocksInfo`
- :policy-action:`admin:OBDInfo`
- :policy-action:`admin:BandwidthMonitor`
- :policy-action:`admin:Prometheus`
.. userpolicy:: writeonly .. userpolicy:: writeonly
Grants write-only permissions for all buckets and objects on the MinIO Grants write-only permissions for all buckets and objects on the MinIO
server. server. Equivalent to the :policy-action:`s3:PutObject` action.
Use :mc-cmd:`mc admin policy set` to associate a policy to a Use :mc-cmd:`mc admin policy set` to associate a policy to a
user or group on a MinIO deployment. user or group on a MinIO deployment.
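Review bot: the `readwrite` entry's new "Equivalent to :policy-action:`s3:*`" understates the grant relative to its description "read and write permissions for all buckets and objects": `s3:*` also covers bucket-level management actions (creating and deleting buckets, setting bucket policies), so a reader comparing it with `readonly`, which lists only `s3:GetBucketLocation` and `s3:GetObject`, may assume `readwrite` is the symmetric object-level counterpart. State explicitly that it grants every S3 action, bucket management included. Likewise the `consoleAdmin` entry with `admin:*` should say that this includes user, group and policy administration, i.e. the ability to change who holds which policy, since that is the property an operator weighs before assigning it to a DN or group. A style point: `diagnostics` introduces its list with "Specifically includes the following actions" while the other entries use "Equivalent to the following set of actions"; use one phrasing throughout.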