MinIO Identity and Access Management
Overview
MinIO provides an internal Identity and Access Management subsystem that supports the creation of user identities, groups, and policies in support of authentication and authorization of client operations.
Authentication is the process of verifying the identity of a connecting client. MinIO requires clients to authenticate using the AWS Signature Version 4 protocol, with support for the deprecated Signature Version 2 protocol retained for legacy clients. Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations. MinIO provides a built-in IDentity Provider (IDP) for creating and managing user identities in support of client authentication.
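The Signature Version 4 exchange described above, shown from both sides as an added example (not MinIO's implementation): the client derives a signing key from its secret key and produces the Authorization header, and the server recomputes the signature from its own copy of the secret and compares it. The host name, access key, secret key, region and request are constructed placeholders, and the credential store is a dict standing in for the MinIO IDP.

```python
"""AWS Signature Version 4 for an S3/MinIO request, client and server side.
Added example, not MinIO's code; host, credentials, region and request are
constructed placeholders. A real server additionally rejects requests whose
x-amz-date falls outside a small clock-skew window (replay defence); that
check is omitted here to keep the signing path in focus."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
SAFE = "-_.~"  # unreserved characters SigV4 leaves unencoded

# Constructed credential store (stand-in for the MinIO IDP): access key -> secret key.
EXAMPLE_KEYS = {"example-access-key": "example-secret-key-do-not-reuse"}
EXAMPLE_WHEN = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    # kSecret -> kDate -> kRegion -> kService -> kSigning: the raw secret never signs a request directly.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """headers: lowercase name -> trimmed value; exactly these names are signed."""
    canon_query = "&".join(f"{quote(k, safe=SAFE)}={quote(v, safe=SAFE)}" for k, v in sorted(query.items()))
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    signed = ";".join(names)
    lines = [method, quote(path, safe="/" + SAFE), canon_query, canon_headers, signed, payload_hash]
    return "\n".join(lines), signed


def _signature(secret_key, scope, amz_date, creq):
    date_stamp, region, service, _ = scope.split("/")
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode())])
    key = signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign(method, host, path, query, body, access_key, secret_key, region="us-east-1", when=EXAMPLE_WHEN):
    """Client side: return the headers (including Authorization) to send with the request."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    payload_hash = _sha256_hex(body)
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    creq, signed = canonical_request(method, path, query, headers, payload_hash)
    scope = f"{when.strftime('%Y%m%d')}/{region}/s3/aws4_request"
    sig = _signature(secret_key, scope, amz_date, creq)
    headers["authorization"] = f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    return headers


def verify(method, host, path, query, body, headers, lookup_secret) -> bool:
    """Server side: look up the secret for the presented access key, recompute, compare."""
    try:
        algo, rest = headers["authorization"].split(" ", 1)
        fields = dict(p.strip().split("=", 1) for p in rest.split(","))
        access_key, scope = fields["Credential"].split("/", 1)
    except (KeyError, ValueError):
        return False
    parts = scope.split("/")
    if algo != ALGORITHM or len(parts) != 4 or parts[3] != "aws4_request":
        return False
    if _sha256_hex(body) != headers.get("x-amz-content-sha256"):
        return False  # body does not match the payload hash the client signed
    secret = lookup_secret(access_key)
    if secret is None:
        return False  # unknown access key: no identity to authenticate
    signed_headers = {n: headers.get(n, "") for n in fields["SignedHeaders"].split(";")}
    if signed_headers.get("host") != host:
        return False  # a signature for another endpoint must not validate here
    creq, _ = canonical_request(method, path, query, signed_headers, headers["x-amz-content-sha256"])
    expected = _signature(secret, scope, headers.get("x-amz-date", ""), creq)
    return hmac.compare_digest(expected, fields["Signature"])


def demo():
    """Sign one constructed GET and check it against the store, a wrong secret, and another object."""
    host, path, ak = "minio.example.internal:9000", "/reports/q1.csv", "example-access-key"
    hdrs = sign("GET", host, path, {}, b"", ak, EXAMPLE_KEYS[ak])
    genuine = verify("GET", host, path, {}, b"", hdrs, EXAMPLE_KEYS.get)
    wrong_secret = verify("GET", host, path, {}, b"", hdrs, lambda k: "attacker-guess")
    reused_for_other_object = verify("GET", host, "/secrets/admin.key", {}, b"", hdrs, EXAMPLE_KEYS.get)
    return genuine, wrong_secret, reused_for_other_object


if __name__ == "__main__":
    print(demo())
```

The point for operators is in `signing_key` and `verify`: the secret key is never transmitted, a signature binds method, path, query, signed headers and payload hash for one date and endpoint, so a captured Authorization header cannot be replayed against a different object or host, and the server needs the stored secret to validate anything at all, which is why the MinIO IDP (or the external IDP's credentials) is on the authentication path for every request.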
Authorization is the process of restricting the actions and resources the authenticated client can perform on the deployment. MinIO uses Policy-Based Access Control (PBAC), where each policy describes one or more rules that outline the permissions of a user or group of users. MinIO supports a subset of IAM actions and conditions when creating policies. By default, MinIO denies access to any action or resource not explicitly referenced in a user's assigned or inherited policies.
Identity Management
MinIO includes a built-in IDentity Provider (IDP) that provides core identity management functionality. The MinIO IDP supports creating an arbitrary number of long-lived users on the deployment for supporting client authentication.
Each user consists of a unique access key (username) and corresponding secret key (password). Clients must authenticate their identity by specifying both a valid access key (username) and the corresponding secret key (password) of an existing MinIO user.
Administrators use the mc admin user command to create and manage MinIO users. The MinIO Console provides a graphical interface for creating users.

MinIO also supports creating service accounts. Service accounts are child identities of an authenticated parent user and inherit their permissions from the parent.

MinIO by default denies access to all actions or resources not explicitly allowed by a user's assigned or inherited policies. You must either explicitly assign a policy describing the user's authorized actions and resources or assign the user to groups which have associated policies. See Access Management below for more information.
External Identity Management
MinIO supports external management of identities using either an OpenID Connect (OIDC) or Active Directory/LDAP IDentity Provider (IDP). For more information, see the MinIO documentation on:

OpenID Connect identity management
Active Directory/LDAP identity management

Enabling external identity management disables the MinIO internal IDP, with the exception of creating service accounts.
Access Management
MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.

MinIO manages the creation and storage of policies. The process for assigning a policy to a user or group depends on the configured IDentity Provider (IDP).

MinIO deployments using the MinIO Internal IDP require explicitly associating a user to a policy or policies using the mc admin policy set command. A user can also inherit the policies attached to the groups in which they have membership.
By default, MinIO denies access to actions or resources not explicitly allowed by an attached or inherited policy. A user with no explicitly assigned or inherited policies cannot perform any S3 or MinIO administrative API operations.
For MinIO deployments using an External IDP, policy assignment depends on the choice of IDP:

OpenID Connect: MinIO checks for a JSON Web Token (JWT) claim that names the policy or policies to attach to the authenticated user. MinIO does not support assigning OIDC user identities to groups.

Active Directory/LDAP: MinIO checks for a policy whose name matches the Distinguished Name (DN) of the authenticated AD/LDAP user. MinIO also supports querying for the authenticated AD/LDAP user's group memberships and assigns any policy whose name matches the DN of each returned group. If no policies match either the user DN or any of the user's group DNs, the user cannot perform any action on the MinIO deployment.
MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best effort to cover IAM-specific behavior and functionality. Consider deferring to the AWS IAM documentation for more complete coverage of IAM, IAM policies, and IAM JSON syntax.
Deny overrides Allow

MinIO follows AWS IAM policy evaluation rules, where a Deny rule overrides an Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO applies only the Deny rule. A practical consequence is that a Deny policy attached to a group acts as a guardrail that no member can lift through their own directly assigned policies.
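A toy evaluator, added here as an example and not MinIO's own evaluation code, that applies the three rules this page states (default deny, a user's directly assigned policies unioned with those inherited from groups, and an explicit Deny overriding any Allow) to constructed IAM-style policy documents, including one statement with an s3:prefix condition as used in the Access Management section. The policy names, users, groups, bucket names and the two condition operators modelled are assumptions for illustration.

```python
"""Toy IAM-style policy evaluator illustrating the rules stated on this page:
default deny, user policies unioned with inherited group policies, and an
explicit Deny overriding any Allow. Added example, not MinIO's own evaluator.
All policies, users, groups and bucket names below are constructed."""
import fnmatch
import json

# Constructed policy documents (assumption: illustrative names and ARNs).
POLICY_STORE = {
    "readonly": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow",
                     "Action": ["s3:GetObject", "s3:ListBucket"],
                     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}"""),
    "writer": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                     "Resource": "arn:aws:s3:::reports/*"}]}"""),
    "no-writes": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Deny",
                     "Action": ["s3:PutObject", "s3:DeleteObject"],
                     "Resource": "arn:aws:s3:::reports/*"}]}"""),
    "list-public": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                     "Resource": "arn:aws:s3:::reports",
                     "Condition": {"StringLike": {"s3:prefix": "public/*"}}}]}"""),
}
# Constructed assignments: alice holds readonly+writer directly but is in a group that denies writes;
# bob has nothing attached; carol may only list under the public/ prefix.
USER_POLICIES = {"alice": ["readonly", "writer"], "bob": [], "carol": ["list-public"]}
GROUP_POLICIES = {"auditors": ["no-writes"]}
GROUP_MEMBERS = {"auditors": ["alice"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcards: * matches any run of characters (including "/"), ? matches one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals and StringLike are modelled here (assumption for the example)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} not modelled in this example")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a condition on an absent request key never matches
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not _matches(expected, actual):
                return False
    return True


def evaluate(action, resource, policies, context=None):
    """Return "Allow" or "Deny" for one request across every attached policy."""
    context = context or {}
    decision = "Deny"  # default deny: nothing referenced means nothing permitted
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement["Action"], action):
                continue
            if not _matches(statement["Resource"], resource):
                continue
            if "Condition" in statement and not _condition_holds(statement["Condition"], context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny anywhere ends evaluation
            decision = "Allow"
    return decision


def effective_policies(user):
    """A user's directly attached policies plus those inherited through group membership."""
    names = list(USER_POLICIES.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            names.extend(GROUP_POLICIES.get(group, []))
    return [POLICY_STORE[name] for name in names]


def is_allowed(user, action, resource, context=None):
    return evaluate(action, resource, effective_policies(user), context) == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::reports/q1.csv"
    for user, action in [("alice", "s3:GetObject"), ("alice", "s3:PutObject"), ("bob", "s3:GetObject")]:
        print(user, action, "Allow" if is_allowed(user, action, obj) else "Deny")
```

Reading the cases in order: alice can read because readonly allows it; alice cannot write even though writer allows it, because the auditors group carries a Deny for the same action and resource; bob, with no policies at all, is denied everything; and carol's ListBucket succeeds only when the request context carries an s3:prefix under public/, exactly the behaviour a condition key is for.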
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.