mirror of
https://github.com/minio/docs.git
synced 2025-08-08 01:43:18 +03:00
170 lines
7.3 KiB
ReStructuredText
170 lines
7.3 KiB
ReStructuredText
====================================
|
|
MinIO Identity and Access Management
|
|
====================================
|
|
|
|
.. default-domain:: minio
|
|
|
|
.. contents:: Table of Contents
|
|
:local:
|
|
:depth: 2
|
|
|
|
Overview
|
|
--------
|
|
|
|
MinIO provides an internal Identity and Access Management subsystem that
|
|
supports the creation of user identities, groups, and policies in support of
|
|
authentication and authorization of client operations.
|
|
|
|
*Authentication* is the process of verifying the identity of a connecting
|
|
client. MinIO requires clients authenticate using :s3-api:`AWS Signature Version
|
|
4 protocol <sig-v4-authenticating-requests.html>` with support for the
|
|
deprecated Signature Version 2 protocol. Specifically, clients must present a
|
|
valid access key and secret key to access any S3 or MinIO administrative API,
|
|
such as ``PUT``, ``GET``, and ``DELETE`` operations. MinIO provides
|
|
a built-in :ref:`IDentity Provider (IDP) <minio-internal-idp>` for creating and
|
|
managing user identities in support of client authentication.
|
|
|
|
*Authorization* is the process of restricting the actions and resources the
|
|
authenticated client can perform on the deployment. MinIO uses Policy-Based
|
|
Access Control (PBAC), where each policy describes one or more rules that
|
|
outline the permissions of a user or group of users. MinIO supports a subset of
|
|
:ref:`actions <minio-policy-actions>` and
|
|
:ref:`conditions <minio-policy-conditions>` when creating policies.
|
|
By default, MinIO *denies* access to actions or resources not explicitly
|
|
referenced in a user's assigned or inherited policies.
|
|
|
|
.. _minio-internal-idp:
|
|
|
|
Identity Management
|
|
-------------------
|
|
|
|
MinIO includes a built-in IDentity Provider (IDP) that provides core identity
|
|
management functionality. The MinIO IDP supports creating an arbitrary number of
|
|
long-lived users on the deployment for supporting client authentication.
|
|
|
|
Each user consists of a unique access key (username) and corresponding secret
|
|
key (password). Clients must authenticate their identity by specifying both
|
|
a valid access key (username) and the corresponding secret key (password) of
|
|
an existing MinIO user.
|
|
|
|
Administrators use the :mc-cmd:`mc admin user` command to create and manage
|
|
MinIO users. The :minio-git:`MinIO Console <console>` provides a graphical
|
|
interface for creating users.
|
|
|
|
MinIO also supports creating :ref:`service accounts
|
|
<minio-idp-service-account>`. Service accounts are child identities of an
|
|
authenticated parent user and inherit their permissions from the parent.
|
|
|
|
MinIO by default denies access to all actions or resources not explicitly
|
|
allowed by a user's assigned or inherited :ref:`policies <minio-policy>`. You
|
|
must either explicitly assign a :ref:`policy <minio-policy>` describing the
|
|
user's authorized actions and resources *or* assign the user to :ref:`groups
|
|
<minio-groups>` which have associated policies. See
|
|
:ref:`minio-access-management` for more information.
|
|
|
|
.. admonition:: External Identity Management
|
|
:class: dropdown, note
|
|
|
|
MinIO supports external management of identities using either an
|
|
OpenID Connect (OIDC) or Active Directory/LDAP IDentity Provider (IDP).
|
|
For more information, see:
|
|
|
|
- :ref:`minio-external-identity-management-openid`
|
|
- :ref:`minio-external-identity-management-ad-ldap`
|
|
|
|
Enabling external identity management disables the MinIO internal IDP, with
|
|
the exception of creating :ref:`service accounts
|
|
<minio-idp-service-account>`.
|
|
|
|
.. _minio-access-management:
|
|
|
|
Access Management
|
|
-----------------
|
|
|
|
MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions
|
|
and resources to which an authenticated user has access. Each policy describes
|
|
one or more :ref:`actions <minio-policy-actions>` and :ref:`conditions
|
|
<minio-policy-conditions>` that outline the permissions of a
|
|
:ref:`user <minio-users>` or :ref:`group <minio-groups>` of
|
|
users.
|
|
|
|
MinIO manages the creation and storage of policies. The process for
|
|
assigning a policy to a user or group depends on the configured
|
|
:ref:`IDentity Provider (IDP) <minio-authentication-and-identity-management>`.
|
|
|
|
MinIO deployments using the :ref:`MinIO Internal IDP <minio-internal-idp>`
|
|
require explicitly associating a user to a policy or policies using the
|
|
:mc-cmd:`mc admin policy set` command. A user can also inherit the policies
|
|
attached to the :ref:`groups <minio-groups>` in which they have membership.
|
|
|
|
By default, MinIO *denies* access to actions or resources not explicitly allowed
|
|
by an attached or inherited policy. A user with no explicitly assigned or
|
|
inherited policies cannot perform any S3 or MinIO administrative API operations.
|
|
|
|
For MinIO deployments using an External IDP, policy assignment depends on the
|
|
choice of IDP:
|
|
|
|
.. list-table::
|
|
:stub-columns: 1
|
|
:widths: 30 70
|
|
:width: 100%
|
|
|
|
* - :ref:`OpenID Connect (OIDC) <minio-external-identity-management-openid>`
|
|
- MinIO checks for a JSON Web Token (JWT) claim (``policy`` by default)
|
|
containing the name of the policy or policies to attach to the
|
|
authenticated user. If the policies do not exist, the user cannot
|
|
perform any action on the MinIO deployment.
|
|
|
|
MinIO does not support assigning OIDC user identities to
|
|
:ref:`groups <minio-groups>`. The IDP administrator must instead
|
|
assign all necessary policies to the user's policy claim.
|
|
|
|
See :ref:`Access Control for Externally Managed Identities
|
|
<minio-external-identity-management-openid-access-control>` for
|
|
more information.
|
|
|
|
* - :ref:`Active Directory / LDAP (AD/LDAP)
|
|
<minio-external-identity-management-ad-ldap>`
|
|
- MinIO checks for a policy whose name matches the Distinguished Name (DN)
|
|
of the authenticated AD/LDAP user.
|
|
|
|
MinIO also supports querying for the authenticated AD/LDAP user's
|
|
group memberships. MinIO assigns any policy whose name matches the
|
|
DN for each returned group.
|
|
|
|
If no policies match either the user DN *or* any of the user's group DNs,
|
|
the user cannot perform any action on the MinIO deployment.
|
|
|
|
See :ref:`Access Control for Externally Managed Identities
|
|
<minio-external-identity-management-ad-ldap-access-control>` for more
|
|
information.
|
|
|
|
MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and
|
|
behavior. The MinIO documentation makes a best-effort to cover IAM-specific
|
|
behavior and functionality. Consider deferring to the :iam-docs:`IAM
|
|
documentation <>` for more complete documentation on IAM, IAM policies, or IAM
|
|
JSON syntax.
|
|
|
|
.. admonition:: ``Deny`` overrides ``Allow``
|
|
:class: note
|
|
|
|
MinIO follows AWS IAM policy evaluation rules where a ``Deny`` rule overrides
|
|
``Allow`` rule on the same action/resource. For example, if a user has an
|
|
explicitly assigned policy with an ``Allow`` rule for an action/resource
|
|
while one of its groups has an assigned policy with a ``Deny`` rule for that
|
|
action/resource, MinIO would apply only the ``Deny`` rule.
|
|
|
|
For more information on IAM policy evaluation logic, see the IAM
|
|
documentation on
|
|
:iam-docs:`Determining Whether a Request is Allowed or Denied Within an Account
|
|
<reference_policies_evaluation-logic.html#policy-eval-denyallow>`.
|
|
|
|
.. toctree::
|
|
:titlesonly:
|
|
:hidden:
|
|
|
|
/security/minio-identity-management/user-management
|
|
/security/minio-identity-management/group-management
|
|
/security/minio-identity-management/policy-based-access-control
|
|
|