Configuring Minio so that the user can only work with his own bucket

Minio is a simple, fast, AWS S3-compatible object store designed to host unstructured data such as photos, videos, log files and backups. Minio also supports a distributed mode, which lets multiple disks, including disks on different machines, be combined into a single object storage server.

The purpose of this post is to set up minio so that each user can only work with their own bucket.

In general, Minio is suitable for the following cases:

  • storage without replication on top of a reliable file system, accessed over S3 (small and medium storage hosted on NAS or SAN);
  • storage without replication on top of an unreliable file system, accessed over S3 (for development and testing);
  • storage with replication on a small group of servers in one rack, accessed over S3 (failover storage whose fault domain is the rack).

On RedHat-based systems, enable the unofficial Minio COPR repository and install the packages.

yum -y install yum-plugin-copr
yum copr enable -y lkiesow/minio
yum install -y minio minio-mc

Generate values for MINIO_ACCESS_KEY and MINIO_SECRET_KEY and set them in /etc/minio/minio.conf.

# Custom username or access key of minimum 3 characters in length.
MINIO_ACCESS_KEY=

# Custom password or secret key of minimum 8 characters in length.
MINIO_SECRET_KEY=

If you will not be putting nginx in front of Minio, you need to change

--address 127.0.0.1:9000

to

--address 0.0.0.0:9000

We start Minio.

systemctl start minio

We create a connection to Minio called myminio.

minio-mc config host add myminio http://localhost:9000 MINIO_ACCESS_KEY MINIO_SECRET_KEY

Create bucket user1bucket.

minio-mc mb myminio/user1bucket

Create bucket user2bucket.

minio-mc mb myminio/user2bucket

Create a policy file user1-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::user1bucket"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::user1bucket/*"
      ],
      "Sid": ""
    }
  ]
}

Create a policy file user2-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::user2bucket"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::user2bucket/*"
      ],
      "Sid": ""
    }
  ]
}
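Both policy files follow the same template with only the bucket name changed. As an added example (not from the original post), the following Python script generates that policy document for any bucket name and checks a policy for two things worth verifying before attaching it with minio-mc: that no Allow statement reaches a resource outside the user's own bucket, and which bucket-policy management actions it grants, since s3:PutBucketPolicy lets the user change who can access their own bucket.

```python
import json

# Action sets from user1-policy.json / user2-policy.json above.
BUCKET_ACTIONS = ["s3:PutBucketPolicy", "s3:GetBucketPolicy", "s3:DeleteBucketPolicy",
                  "s3:ListAllMyBuckets", "s3:ListBucket"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject"]
# Actions that let the holder change who else may reach the bucket.
POLICY_MGMT_ACTIONS = {"s3:PutBucketPolicy", "s3:DeleteBucketPolicy"}

def make_user_policy(bucket):
    """Build the policy document that confines one user to one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Action": list(BUCKET_ACTIONS), "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{bucket}"], "Sid": ""},
        {"Action": list(OBJECT_ACTIONS), "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{bucket}/*"], "Sid": ""}]}

def render_policy_file(bucket):
    """JSON text to save as <user>-policy.json for `minio-mc admin policy add`."""
    return json.dumps(make_user_policy(bucket), indent=2)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

def resources_outside(policy, bucket):
    """Allowed resources that are neither `bucket` itself nor an object in it."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    leaks = []
    for stmt in _allow_statements(policy):
        for res in _as_list(stmt.get("Resource", [])):
            # Only the exact bucket ARN or a path under it is confined;
            # "arn:aws:s3:::*" or "arn:aws:s3:::user1bucket*" match other buckets.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                leaks.append(res)
    return leaks

def policy_mgmt_actions(policy):
    """Allowed actions with which the user could rewrite the bucket's own policy."""
    found = set()
    for stmt in _allow_statements(policy):
        acts = set(_as_list(stmt.get("Action", [])))
        # A wildcard action grants the management actions too.
        found |= POLICY_MGMT_ACTIONS if acts & {"*", "s3:*"} else POLICY_MGMT_ACTIONS & acts
    return found
```

Writing render_policy_file("user1bucket") to user1-policy.json reproduces the file above; if you do not want users to be able to re-publish their own bucket, drop the actions reported by policy_mgmt_actions before running minio-mc admin policy add.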

Create user user1 with password test12345.

minio-mc admin user add myminio user1 test12345

Create user user2 with password test54321.

minio-mc admin user add myminio user2 test54321

Create a policy in Minio called user1-policy from the user1-policy.json file.

minio-mc admin policy add myminio user1-policy user1-policy.json

Create a policy in Minio called user2-policy from the user2-policy.json file.

minio-mc admin policy add myminio user2-policy user2-policy.json

We apply the policy user1-policy to the user user1.

minio-mc admin policy set myminio user1-policy user=user1

We apply the policy user2-policy to the user user2.

minio-mc admin policy set myminio user2-policy user=user2

Check that the policies are attached to the users.

minio-mc admin user list myminio

The output will look something like this:

enabled    user1                 user1-policy
enabled    user2                 user2-policy

For clarity, open http://ip-of-the-server-running-minio:9000/minio/ in a browser.

We log in to Minio with MINIO_ACCESS_KEY=user1 and see that bucket user1bucket is available to us.


Creating a bucket will not work, since the policy contains no corresponding Action.


Let's create a file in bucket user1bucket.


Now log in to Minio with MINIO_ACCESS_KEY=user2. Bucket user2bucket is available to us.

We see neither user1bucket nor the files stored in it.


A Telegram chat about Minio has been created: https://t.me/minio_s3_ru

Source: habr.com