MinIO Policy: Custom Policies
Custom policies can only be attached to users and groups; they cannot be attached to buckets. A bucket can, however, be targeted by naming it in the policy's Resource field.
1. MinIO Policy structure
Policy structure example:
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [ "s3:<ActionName>", ... ],
      "Resource" : "arn:aws:s3:::*",
      "Condition" : { ... }
    },
    {
      "Effect" : "Deny",
      "Action" : [ "s3:<ActionName>", ... ],
      "Resource" : "arn:aws:s3:::*",
      "Condition" : { ... }
    }
  ]
}
- Statement.Action
  Specifies the operations covered: one or more of the supported S3 API operations.
- Statement.Resource
  Specifies a bucket or a bucket prefix. The * and ? wildcards may be used; see the S3 Resource Spec. The * wildcard may result in unintended application of a policy to multiple buckets or prefixes through pattern matching. For example, arn:aws:s3:::data* matches the data, data_private and data_internal buckets. Specifying only * as the resource key applies the policy to all buckets and prefixes on the deployment.
- Statement.Condition
  Specifies one or more of the supported Conditions.
2. Custom Policies
References: MinIO - access-management; AWS IAM - policies.
MinIO PBAC is designed to be compatible with the syntax, structure and behavior of AWS IAM policies. See the IAM documentation for more on IAM, IAM policies and IAM JSON syntax.
Deny overrides Allow
MinIO follows AWS IAM policy evaluation rules, where a Deny rule overrides an Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO applies only the Deny rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
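The two rules above (wildcard matching of Resource patterns, and an explicit Deny from any attached policy overriding an Allow from another) are easy to get wrong when a user carries several policies through group membership. The following Python evaluator is an added example, not code from the page or from MinIO; it implements the IAM evaluation order described above (explicit Deny wins, then an Allow is required, otherwise implicit deny), the * and ? wildcards, and expansion of the ${aws:username} policy variable that appears in the Resource examples later on this page. The three policies, the user name alice and the request ARNs are constructed for the example; only the policy JSON shape is the page's.

```python
"""Toy evaluator for MinIO/IAM-style policies: wildcard resource matching and
Deny-overrides-Allow across a user's own policy and its group policies."""
import re

# --- Constructed sample policies (not from the page) -----------------------

# Policy assigned directly to the user: read objects in every bucket whose
# name starts with "data" (matches data, data_private, data_internal, ...).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::data*/*"]}
    ],
}

# Policy assigned to one of the user's groups: explicitly deny reads in the
# data_private bucket. Under IAM rules this Deny wins over the Allow above.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::data_private/*"]}
    ],
}

# Per-user home prefix using the ${aws:username} policy variable.
HOME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::home/${aws:username}/*"]}
    ],
}


def pattern_to_regex(pattern):
    """Translate an IAM pattern into a regex: '*' matches any run of
    characters (including '/'), '?' matches exactly one character,
    everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern, value):
    """True when the whole value matches the pattern (used for Action and Resource)."""
    return pattern_to_regex(pattern).fullmatch(value) is not None


def expand_variables(resource, context):
    """Substitute ${key} policy variables (e.g. ${aws:username}) from context.
    An unknown variable is left as-is and therefore never matches a real ARN."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), resource)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against all policies that
    apply to the principal (its own policy plus its groups' policies):
    an explicit Deny anywhere wins; otherwise at least one Allow is needed;
    otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            resources = [expand_variables(r, context)
                         for r in _as_list(stmt.get("Resource", []))]
            # admin:* / kms:* statements carry no Resource; treat them as matching.
            if resources and not any(matches(r, resource) for r in resources):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


def decide(action, resource, username="alice"):
    """Evaluate a request for user `username`, who carries USER_POLICY and
    HOME_POLICY directly and GROUP_POLICY through group membership."""
    return evaluate([USER_POLICY, HOME_POLICY, GROUP_POLICY], action, resource,
                    {"aws:username": username})


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::data_internal/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::data_private/salaries.csv"),
                     ("s3:PutObject", "arn:aws:s3:::home/alice/notes.txt"),
                     ("s3:PutObject", "arn:aws:s3:::home/bob/notes.txt")]:
        print(f"{act:14} {res:45} -> {decide(act, res)}")
```

Running the block shows that the read of data_internal is allowed by the user's own Allow on arn:aws:s3:::data*/*, while the read of data_private is denied even though that same Allow matches it, because the group's Deny takes precedence. The home-prefix case shows why ${aws:username} is preferable to a per-user literal: the same statement confines alice to home/alice/ and bob to home/bob/. Note that the matcher treats * as spanning the / separator, exactly the behaviour that makes an over-broad prefix such as data* risky.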
- Skeleton of a custom write policy
{
  "Version": "2012-10-17",
  "Statement": [
  ]
}
The base elements are Version and Statement.
Version supports two values: 2012-10-17, the current version, and 2008-10-17, the older version.
Statement is the body of the policy and is required. It contains one statement or a list of statements. Each statement block is enclosed in { }, and multiple statements are enclosed in [ ], e.g. "Statement": [{...},{...},{...}]
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::testbucket/*"
      ]
    }
  ]
}
Action syntax reference
Common S3 actions supported as MinIO S3 policy actions:
S3 action | Description |
---|---|
s3:* | |
s3:CreateBucket | |
s3:DeleteBucket | |
s3:ForceDeleteBucket | |
s3:GetBucketLocation | |
s3:ListAllMyBuckets | |
s3:DeleteObject | |
s3:GetObject | |
s3:ListBucket | |
s3:PutObject | |
Examples of the Action element:
"Action": "s3:*"
"Action": "s3:ListBucket"
"Action": [
  "s3:ListAllMyBuckets",
  "s3:GetBucketLocation"
]
Effect syntax reference
The Effect element supports two values: Allow and Deny.
Resource syntax reference
arn:partition:service:region:namespace:relative-id
Identifier | Description |
---|---|
Partition | aws is the common partition name. On AWS, if the resource is in the China (Beijing) Region, the partition name is aws-cn. |
Service | Defaults to s3. |
Relative ID | A bucket name, or bucket name/object key. Wildcards may be used. |
Examples:
arn:aws:s3:::bucket_name/key_name
arn:aws:s3:::examplebucket/developers/design_info.doc
arn:aws:s3:::examplebucket/*
arn:aws:s3:::*
arn:aws:s3:::example?bucket/*
arn:aws:s3:::bucket_name/developers/${aws:username}/
3. MinIO built-in policy examples
consoleadmin
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "admin:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
writeonly
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
readonly
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
readwrite
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
diagnostics
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "admin:Prometheus",
        "admin:ServerInfo",
        "admin:ServerTrace",
        "admin:TopLocksInfo",
        "admin:BandwidthMonitor",
        "admin:ConsoleLog",
        "admin:OBDInfo",
        "admin:Profiling"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}