Policy Management
This page documents procedures for managing policies on a MinIO Tenant. MinIO uses Policy-Based Access Control (PBAC) for defining the actions and resources to which a client has access. MinIO policies are JSON documents with IAM-compatible syntax.
Each MinIO user can have one attached policy for defining its scope of access. MinIO also supports creating groups of users, where the users inherit the policy attached to the group. A group can have one attached policy for defining the scope of access of its membership.
A given user’s access therefore consists of both its explicitly attached policy and all policies inherited from its group membership. MinIO only processes the requested operation if the user’s complete set of policies explicitly allows access to both the required actions and resources for that operation.
Create New Policy
MinIO Console Connectivity
The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:
The user is accessing the Console from a host inside the Kubernetes cluster,
-or-
The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.
The following procedure uses the MinIO Console to create a new policy on the MinIO Tenant. You can then attach the new policy to a user or group on the MinIO Tenant.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for performing this procedure. Authenticate as a user that either has that policy explicitly attached or inherits that policy from its group membership.
1) Open the Policy Management Interface
Open the Console in your browser and log in with your credentials. From the Console, click IAM Policies in the left-hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the IAM Policies navigation item.

Click the + Create Policy button to open the Create Policy modal.
2) Configure the New Policy
The Create Policy modal displays inputs for configuring a new IAM policy:

| Field | Description |
|---|---|
| Policy Name | The name of the policy. The name must be unique among all other policies on the MinIO Tenant. |
| Write Policy | The JSON document describing the IAM policy. See IAM JSON policy reference for more complete documentation of supported syntax. |
Click Save to save the new policy. You cannot update the policy JSON after saving.
Important
The MinIO Console only validates that the JSON document has valid structure and syntax. The Console does not perform any simulations on the created policy to validate its functionality in practice. Consider performing end-to-end testing of the new policy to validate that it supports the access required for the intended workload prior to using the policy in production environments.
3) Attach Policy to User or Group
Optional: You can skip this step if you do not intend to attach the policy to a user or group immediately.
To attach a policy to a MinIO user, click Users in the left-hand navigation. Click the Flag icon to open the Set Policies modal. Under the Assign Policies section, select the newly created policy. For more complete documentation, see Attach a Policy to a MinIO User.
Users can have at most one attached policy. If the user has an existing attached policy, specifying the newly created policy replaces the previous policy.
To attach a policy to a MinIO group, click Groups in the left-hand navigation. Click the Flag icon to open the Set Policies modal. Under the Assign Policies section, select the newly created policy. For more complete documentation, see Change Attached Group Policy.
Groups can have at most one attached policy. All users with membership in that group inherit the group policy. If the group has an existing attached policy, specifying the newly created policy replaces the previous policy.
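Because the Console checks only JSON syntax, and a user's effective access combines its attached policy with its group policies, it helps to check a policy set against the access matrix the workload needs before attaching it. The following is an added example, not MinIO code or part of the original documentation. The sample policies, bucket names and the simplified evaluation model (default deny, an explicit Deny overrides any Allow, no Condition support) are assumptions for illustration.

```python
import json
import re

# Constructed sample policies for illustration (not from the MinIO documentation).
USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}""")
GROUP_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::reports/incoming/*"},
  {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::reports/*"}]}""")

def _listify(value):
    """IAM syntax allows a single string/object where a list is expected."""
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    """Match IAM-style wildcards: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None

def is_allowed(policies, action, resource):
    """Default deny; an explicit Deny wins; otherwise one matching Allow suffices."""
    # Simplified model: Condition, NotAction and NotResource are not evaluated.
    allowed = False
    for policy in policies:  # the user's attached policy plus group-inherited ones
        for stmt in _listify(policy["Statement"]):
            hit = (any(_wild(a, action) for a in _listify(stmt["Action"])) and
                   any(_wild(r, resource) for r in _listify(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return False
            allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def failed_expectations(policies, cases):
    """Return the (action, resource, expected) cases the policy set gets wrong."""
    return [c for c in cases if is_allowed(policies, c[0], c[1]) != c[2]]

# Access matrix the workload needs: (action, resource, should it be allowed?)
CASES = [
    ("s3:GetObject", "arn:aws:s3:::reports/2024/q1.csv", True),
    ("s3:PutObject", "arn:aws:s3:::reports/incoming/new.csv", True),
    ("s3:PutObject", "arn:aws:s3:::reports/2024/q1.csv", False),
    ("s3:DeleteObject", "arn:aws:s3:::reports/incoming/new.csv", False),
    ("s3:GetObject", "arn:aws:s3:::finance/payroll.csv", False),
]

if __name__ == "__main__":
    for case in failed_expectations([USER_POLICY, GROUP_POLICY], CASES):
        print("policy set does not match expectation:", case)
```

An offline check like this catches over-broad or missing statements early; it does not replace end-to-end testing against the Tenant with the real credentials.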
Delete Policy
MinIO Console Connectivity
The following procedure assumes use of a MinIO Console instance deployed as part of the MinIO Tenant. Since Kubernetes restricts external access, the procedure assumes that:
The user is accessing the Console from a host inside the Kubernetes cluster,
-or-
The Kubernetes Cluster has an Ingress resource configured to grant external access to the MinIO Tenant and Console.
The following procedure uses the MinIO Console to delete an existing policy on the MinIO Tenant.
Required Permissions
The consoleAdmin built-in policy provides the necessary permissions for performing this procedure. Authenticate as a user that either has that policy explicitly attached or inherits that policy from its group membership.
1) Open the Policy Management Interface
Open the Console in your browser and log in with your credentials. From the Console, click IAM Policies in the left-hand navigation. If the Admin navigation group is collapsed, click on it to expand the section and view the IAM Policies navigation item.

2) Back Up the Policy
Optional: You can skip this step if you do not need to keep a backup copy of the policy to delete.
From the IAM Policies section, click the row for the policy you intend to delete to open the Info modal:

Copy the JSON document to a secure location to back up the policy. You can recreate the policy using the JSON at a later time.
3) Delete the Policy
To delete the policy, click the Trash icon to open the Delete Policy modal:

You must confirm policy deletion by clicking Delete from the modal.
