mirror of https://github.com/minio/docs.git synced 2025-04-24 06:05:11 +03:00
docs/source/administration/identity-access-management/policy-based-access-control.rst
Daryl White 2f8c5a94f6
Release updates mc RELEASE.2022-11-07T23-47-39Z (#640)
Changes to the docs related to mc
[RELEASE.2022-11-07T23-47-39Z](https://github.com/minio/mc/releases/tag/RELEASE.2022-11-07T23-47-39Z)

- Replaces `mc replicate edit` with `mc replicate update`
- Adds `mc admin idp oidc | ldap` commands
- Update to `mc support inspect` format
- Adds `mc admin rebalance` command
- Updates mc replicate edit references throughout docs to point to mc replicate update.
- Adds a rebalance pools section to the expand deployment doc.
- Clarifies precedence for environment variables vs config settings.

Closes #636
Closes #632
2022-11-18 12:31:11 -06:00

Access Management

Overview

MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions <minio-policy-actions> and conditions <minio-policy-conditions> that outline the permissions of a user <minio-users> or group <minio-groups> of users.

MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best effort to cover IAM-specific behavior and functionality. Consider deferring to the AWS IAM documentation for more complete coverage of IAM-specific topics.

The mc admin policy command supports creation and management of policies on the MinIO deployment. See the command reference for examples of usage.

Built-In Policies

MinIO provides the following built-in policies for assigning to users <minio-users> or groups <minio-groups>:

consoleAdmin

Grants complete access to all S3 and administrative API operations against all resources on the MinIO deployment. Equivalent to the following set of actions:

  • s3:*
  • admin:*

readonly

Grants read-only permissions on any object on the MinIO deployment. The GET action must apply to a specific object without requiring any listing. Equivalent to the following set of actions:

  • s3:GetBucketLocation
  • s3:GetObject

For example, this policy specifically supports GET operations on objects at a specific path (e.g. GET play/mybucket/object.file), such as:

  • mc cp
  • mc stat
  • mc head
  • mc cat

The exclusion of listing permissions is intentional, as typical use cases do not intend for a "read-only" role to have complete discoverability (listing all buckets and objects) on the object storage resource.

readwrite

Grants read and write permissions for all buckets and objects on the MinIO server. Equivalent to s3:*.

diagnostics

Grants permission to perform diagnostic actions on the MinIO deployment. Specifically includes the following actions:

  • admin:ServerTrace
  • admin:Profiling
  • admin:ConsoleLog
  • admin:ServerInfo
  • admin:TopLocksInfo
  • admin:OBDInfo
  • admin:BandwidthMonitor
  • admin:Prometheus

writeonly

Grants write-only permissions to any namespace (bucket and path to object) on the MinIO deployment. The PUT action must apply to a specific object location without requiring any listing. Equivalent to the s3:PutObject action.

Use mc admin policy set to associate a policy with a user or group on a MinIO deployment.

For example, consider the following table of users. Each user is assigned a built-in policy <minio-policy-built-in> or a supported action <minio-policy-actions>. The table describes a subset of operations a client could perform if authenticated as that user:

User        Policy                        Operations
----------  ----------------------------  ------------------------------
Operations  readwrite on finance bucket   PUT and GET on finance bucket.
            readonly on audit bucket      PUT on audit bucket
Auditing    readonly on audit bucket      GET on audit bucket
Admin       admin:*                       All mc admin commands.

Each user can access only those resources and operations which are explicitly granted by the built-in role. MinIO denies access to any other resource or action by default.

Deny overrides Allow

MinIO follows the IAM policy evaluation rules, where a Deny rule overrides an Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that same action/resource, MinIO applies only the Deny rule.

For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account <reference_policies_evaluation-logic.html#policy-eval-denyallow>.

Policy Document Structure

MinIO policy documents use the same schema as AWS IAM Policy <IAM/latest/UserGuide/access.html> documents.

The following sample document provides a template for creating custom policies for use with a MinIO deployment. For more complete documentation on IAM policy elements, see the IAM JSON Policy Elements Reference <IAM/latest/UserGuide/reference_policies_elements.html>.

{
   "Version" : "2012-10-17",
   "Statement" : [
      {
         "Effect" : "Allow",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:aws:s3:::*",
         "Condition" : { ... }
      },
      {
         "Effect" : "Deny",
         "Action" : [ "s3:<ActionName>", ... ],
         "Resource" : "arn:aws:s3:::*",
         "Condition" : { ... }
      }
   ]
}
  • For the Statement.Action array, specify one or more supported S3 API operations <minio-policy-actions>. MinIO deployments support a subset of AWS S3 API operations.
  • For the Statement.Resource key, you can replace the * with the specific bucket to which the policy statement should apply. Using * applies the statement to all resources on the MinIO deployment.
  • For the Statement.Condition key, you can specify one or more supported Conditions <minio-policy-conditions>. MinIO deployments support a subset of AWS S3 conditions.

Supported S3 Policy Actions

MinIO policy documents support a subset of IAM S3 Action keys <list_amazons3.html#amazons3-actions-as-permissions>.

The following actions control access to common S3 operations. The remaining subsections document actions for more advanced S3 operations:

s3:*

Selector for all MinIO S3 operations. Applying this action to a given resource allows the user to perform any S3 operation against that resource.

s3:CreateBucket

Controls access to the CreateBucket <API_CreateBucket.html> S3 API operation.

s3:DeleteBucket

Controls access to the DeleteBucket <API_DeleteBucket.html> S3 API operation.

s3:ForceDeleteBucket

Controls access to the DeleteBucket <API_DeleteBucket.html> S3 API operation for operations with the x-minio-force-delete flag. Required for removing non-empty buckets.

s3:GetBucketLocation

Controls access to the GetBucketLocation <API_GetBucketLocation.html> S3 API operation.

s3:ListAllMyBuckets

Controls access to the ListBuckets <API_ListBuckets.html> S3 API operation.

s3:DeleteObject

Controls access to the DeleteObject <API_DeleteObject.html> S3 API operation.

s3:GetObject

Controls access to the GetObject <API_GetObject.html> S3 API operation.

s3:ListBucket

Controls access to the ListObjectsV2 <API_ListObjectsV2.html> S3 API operation.

s3:PutObject

Controls access to the PutObject <API_PutObject.html> S3 API operation.

s3:PutObjectTagging

Controls access to the PutObjectTagging <API_PutObjectTagging.html> S3 API operation.

s3:GetObjectTagging

Controls access to the GetObjectTagging <API_GetObjectTagging.html> S3 API operation.

Bucket Configuration

s3:GetBucketPolicy

Controls access to the GetBucketPolicy <API_GetBucketPolicy.html> S3 API operation.

s3:PutBucketPolicy

Controls access to the PutBucketPolicy <API_PutBucketPolicy.html> S3 API operation.

s3:DeleteBucketPolicy

Controls access to the DeleteBucketPolicy <API_DeleteBucketPolicy.html> S3 API operation.

s3:GetBucketTagging

Controls access to the GetBucketTagging <API_GetBucketTagging.html> S3 API operation.

s3:PutBucketTagging

Controls access to the PutBucketTagging <API_PutBucketTagging.html> S3 API operation.

Multipart Upload

s3:AbortMultipartUpload

Controls access to the AbortMultipartUpload <API_AbortMultipartUpload.html> S3 API operation.

s3:ListMultipartUploadParts

Controls access to the ListParts <API_ListParts.html> S3 API operation.

s3:ListBucketMultipartUploads

Controls access to the ListMultipartUploads <API_ListMultipartUploads.html> S3 API operation.

Versioning and Retention

s3:PutBucketVersioning

Controls access to the PutBucketVersioning <API_PutBucketVersioning.html> S3 API operation.

s3:GetBucketVersioning

Controls access to the GetBucketVersioning <API_GetBucketVersioning.html> S3 API operation.

s3:DeleteObjectVersion

Controls access to the DeleteObjectVersion <API_DeleteObjectVersion.html> S3 API operation.

s3:DeleteObjectVersionTagging

Controls access to the DeleteObjectVersionTagging <API_DeleteObjectVersionTagging.html> S3 API operation.

s3:GetObjectVersion

Controls access to the GetObjectVersion <API_GetObjectVersion.html> S3 API operation.

s3:BypassGovernanceRetention

Controls access to the following S3 API operations on objects locked under GOVERNANCE <mc retention set MODE> retention mode:

  • PutObjectRetention
  • PutObject
  • DeleteObject

See the S3 documentation on s3:BypassGovernanceRetention <object-lock-managing.html#object-lock-managing-bypass> for more information.

s3:PutObjectRetention

Controls access to the PutObjectRetention <API_PutObjectRetention.html> S3 API operation.

Required for any PutObject operation that specifies retention metadata <minio-object-locking>.

s3:GetObjectRetention

Controls access to the GetObjectRetention <API_GetObjectRetention.html> S3 API operation.

Required for including object locking metadata <minio-object-locking> as part of the response to a GetObject or HeadObject operation.

s3:GetObjectLegalHold

Controls access to the GetObjectLegalHold <API_GetObjectLegalHold.html> S3 API operation.

Required for including object locking metadata <minio-object-locking> as part of the response to a GetObject or HeadObject operation.

s3:PutObjectLegalHold

Controls access to the PutObjectLegalHold <API_PutObjectLegalHold.html> S3 API operation.

Required for any PutObject operation that specifies legal hold metadata <minio-object-locking>.

s3:GetBucketObjectLockConfiguration

Controls access to the GetObjectLockConfiguration <API_GetObjectLockConfiguration.html> S3 API operation.

s3:PutBucketObjectLockConfiguration

Controls access to the PutObjectLockConfiguration <API_PutObjectLockConfiguration.html> S3 API operation.

Bucket Notifications

s3:GetBucketNotification

Controls access to the GetBucketNotification <API_GetBucketNotification.html> S3 API operation.

s3:PutBucketNotification

Controls access to the PutBucketNotification <API_PutBucketNotification.html> S3 API operation.

s3:ListenNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

s3:ListenBucketNotification

MinIO Extension for controlling API operations related to MinIO Bucket Notifications.

This action is not intended for use with other S3-compatible services.

Object Lifecycle Management

s3:PutLifecycleConfiguration

Controls access to the PutLifecycleConfiguration <API_PutBucketLifecycleConfiguration.html> S3 API operation.

s3:GetLifecycleConfiguration

Controls access to the GetLifecycleConfiguration <API_GetBucketLifecycleConfiguration.html> S3 API operation.

Object Encryption

s3:PutEncryptionConfiguration

Controls access to the PutEncryptionConfiguration <API_PutBucketEncryption.html> S3 API operation.

s3:GetEncryptionConfiguration

Controls access to the GetEncryptionConfiguration <API_GetBucketEncryption.html> S3 API operation.

Bucket Replication

s3:GetReplicationConfiguration

Controls access to the GetBucketReplication <API_GetBucketReplication.html> S3 API operation.

s3:PutReplicationConfiguration

Controls access to the PutBucketReplication <PutBucketReplication.html> S3 API operation.

s3:ReplicateObject

MinIO Extension for controlling API operations related to Server-Side Bucket Replication <minio-bucket-replication-serverside>.

Required for server-side replication.

s3:ReplicateDelete

MinIO Extension for controlling API operations related to Server-Side Bucket Replication <minio-bucket-replication-serverside>.

Required for synchronizing delete operations as part of server-side replication.

s3:ReplicateTags

MinIO Extension for controlling API operations related to Server-Side Bucket Replication <minio-bucket-replication-serverside>.

Required for server-side replication.

s3:GetObjectVersionForReplication

MinIO Extension for controlling API operations related to Server-Side Bucket Replication <minio-bucket-replication-serverside>.

Required for server-side replication.

Supported S3 Policy Condition Keys

MinIO policy documents support IAM conditional statements <reference_policies_elements_condition.html>.

Each condition element consists of operators <reference_policies_elements_condition_operators.html> and condition keys. MinIO supports a subset of IAM condition keys. For complete information on any listed condition key, see the IAM Condition Element Documentation <reference_policies_elements_condition.html>.

MinIO supports the following condition keys for all supported actions <minio-policy-actions>:

  • aws:Referer
  • aws:SourceIp
  • aws:UserAgent
  • aws:SecureTransport
  • aws:CurrentTime
  • aws:EpochTime
  • aws:PrincipalType
  • aws:userid
  • aws:username
  • x-amz-content-sha256

The following table lists additional supported condition keys for specific actions:

Action Key                      Condition Keys
------------------------------  -----------------------------------------------
s3:GetObject                    x-amz-server-side-encryption
                                x-amz-server-side-encryption-customer-algorithm
s3:ListBucket                   prefix
                                delimiter
                                max-keys
s3:PutObject                    x-amz-copy-source
                                x-amz-server-side-encryption
                                x-amz-server-side-encryption-customer-algorithm
                                x-amz-metadata-directive
                                x-amz-storage-class
                                object-lock-retain-until-date
                                object-lock-mode
                                object-lock-legal-hold
s3:PutObjectRetention           x-amz-object-lock-remaining-retention-days
                                x-amz-object-lock-retain-until-date
                                x-amz-object-lock-mode
s3:PutObjectLegalHold           object-lock-legal-hold
s3:BypassGovernanceRetention    object-lock-remaining-retention-days
                                object-lock-retain-until-date
                                object-lock-mode
                                object-lock-legal-hold
s3:GetObjectVersion             versionid
s3:DeleteObjectVersion          versionid
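The evaluation rules described above (default deny, an explicit Deny overriding Allow across the user's own policy and its group policies, the Action/Resource/Condition document structure, and the aws:SecureTransport / aws:SourceIp condition keys) as a small Python evaluator. This is an added example, not MinIO's own implementation; the two policy documents, the finance and audit bucket names, and the request context values are constructed for illustration.

```python
"""Added example (not MinIO's code): a minimal evaluator for the PBAC rules on
this page: default deny, an explicit Deny overriding Allow across every policy
attached to the user or their groups, wildcard Action/Resource matching, and
the Bool / IpAddress operators on aws:SecureTransport / aws:SourceIp."""
import fnmatch
import ipaddress

# Constructed sample policies in the document structure shown on this page.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::finance/*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::audit/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"},
                   "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]}
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::finance/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value):
    """IAM-style wildcard match: '*' and '?' in the policy pattern."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    """Every operator/key pair must hold; unknown operators fail closed."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool" and str(have).lower() != str(want).lower():
                return False
            if op == "IpAddress" and not any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(n)
                    for n in _as_list(want)):
                return False
            if op not in ("Bool", "IpAddress"):
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """True only if some matching statement allows and none denies."""
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            if not (_match(st["Action"], action) and _match(st["Resource"], resource)
                    and _condition_ok(st.get("Condition", {}), ctx or {})):
                continue
            if st["Effect"] == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = True
    return allowed  # no matching Allow: MinIO denies by default
```

With both policies attached, a PUT into the finance bucket is refused even though the user's own policy allows it, and a GET from the audit bucket succeeds only over TLS from the 10.0.0.0/8 range.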

mc admin Policy Action Keys

MinIO supports the following actions for use with defining policies for mc admin operations. These actions are only valid for MinIO deployments and are not intended for use with other S3-compatible services:

admin:*

Selector for all admin action keys.

admin:Heal

Allows heal command

admin:StorageInfo

Allows listing server info

admin:DataUsageInfo

Allows listing data usage info

admin:TopLocksInfo

Allows listing top locks

admin:Profiling

Allows profiling

admin:ServerTrace

Allows listing server trace

admin:ConsoleLog

Allows listing console logs on terminal

admin:KMSCreateKey

Allows creating a new KMS master key

admin:KMSKeyStatus

Allows getting KMS key status

admin:ServerInfo

Allows listing server info

admin:OBDInfo

Allows obtaining cluster on-board diagnostics

admin:ServerUpdate

Allows MinIO binary update

admin:ServiceRestart

Allows restart of MinIO service.

admin:ServiceStop

Allows stopping MinIO service.

admin:ConfigUpdate

Allows MinIO config management

admin:CreateUser

Allows creating MinIO user

admin:DeleteUser

Allows deleting MinIO user

admin:ListUsers

Allows listing users

admin:EnableUser

Allows enabling a user

admin:DisableUser

Allows disabling a user

admin:GetUser

Allows getting user info

admin:AddUserToGroup

Allows adding a user to a group

admin:RemoveUserFromGroup

Allows removing a user from a group

admin:GetGroup

Allows getting group info

admin:ListGroups

Allows listing groups

admin:EnableGroup

Allows enabling a group

admin:DisableGroup

Allows disabling a group

admin:CreatePolicy

Allows creating a policy

admin:DeletePolicy

Allows deleting a policy

admin:GetPolicy

Allows getting a policy

admin:AttachUserOrGroupPolicy

Allows attaching a policy to a user/group

admin:ListUserPolicies

Allows listing user policies

admin:CreateServiceAccount

Allows creating MinIO Service Account

admin:UpdateServiceAccount

Allows updating MinIO Service Account

admin:RemoveServiceAccount

Allows deleting MinIO Service Account

admin:ListServiceAccounts

Allows listing MinIO Service Accounts

admin:SetBucketQuota

Allows setting bucket quota

admin:GetBucketQuota

Allows getting bucket quota

admin:SetBucketTarget

Allows setting bucket target

admin:GetBucketTarget

Allows getting bucket targets

admin:SetTier

Allows creating and modifying remote storage tiers using the mc admin tier command.

admin:ListTier

Allows listing configured remote storage tiers using the mc admin tier command.

admin:BandwidthMonitor

Allows retrieving metrics related to current bandwidth consumption.

admin:Prometheus

Allows access to MinIO metrics <minio-metrics-and-alerts-endpoints>. Only required if MinIO requires authentication for scraping metrics.

admin:ListBatchJobs

Allows access to list the active batch jobs.

admin:DescribeBatchJobs

Allows access to see the definition details of a running batch job.

admin:StartBatchJob

Allows user to begin a batch job run.

admin:Rebalance

Allows access to start, query, or stop a rebalancing of objects across pools with varying free storage space.

mc admin Policy Condition Keys

MinIO supports the following conditions for use with defining policies for mc admin actions <minio-policy-mc-admin-actions>.

  • aws:Referer
  • aws:SourceIp
  • aws:UserAgent
  • aws:SecureTransport
  • aws:CurrentTime
  • aws:EpochTime

For complete information on any listed condition key, see the IAM Condition Element Documentation <reference_policies_elements_condition.html>.