The MinIO service provided by DCE 5.0 comes with a web console (Web Console). Understanding MinIO's identity management (identity management) helps to quickly understand how to manage sub-accounts safely and effectively within MinIO.
This article briefly introduces MinIO's identity management rules. For more details, please refer to MinIO's official documentation.
A user consists of a username and password pair. In the context of MinIO, username is also called access key (note that it is distinguished from the access key at the service account level later), and password is also called secret key .
When starting MinIO, you can set the account password of the root user in the MinIO cluster through environment variables, which are the following two variables:
MINIO_ROOT_USER
MINIO_ROOT_PASSWORD
The root user has all operation permissions on all resources.
Note: If you want to change the root user, you need to restart all nodes in the MinIO cluster.
On the MinIO instance details page of DCE 5.0, click the access address, and use the username and password on the right to log in to the console of the instance.
After logging in to the Console console, create a user according to the figure below.
If you install MinIO through cr, you can also specify the secret of a common user through the users field:
typeTenantSpecstruct{............// *Optional* +//// An array of https://kubernetes.io/docs/concepts/configuration/secret/[Kubernetes opaque secrets] to use for generating MinIO users during tenant provisioning. +//// Each element in the array is an object consisting of a key-value pair __name: <string>__ , where the __<string>__ references an opaque Kubernetes secret. +//// Each referenced Kubernetes secret must include the following fields: +//// * __CONSOLE_ACCESS_KEY__ - The "Username" for the MinIO user +//// * __CONSOLE_SECRET_KEY__ - The "Password" for the MinIO user +//// The Operator creates each user with the __consoleAdmin__ policy by default. You can change the assigned policy after the Tenant starts. +// +optionalUsers[]*corev1.LocalObjectReference__json:"users,omitempty"__............}
The service account (Service Account) usually uses the user to log in to the console or manage MinIO through the mc command. But if the application needs to access MinIO, it usually uses a Service Account (this is a more formal name, and it is also called an access key in some contexts).
A user can create multiple Service Accounts.
Note: MinIO console cannot be logged in through Service Account, which is the biggest difference between it and users.
A group, as the name implies, is a collection of multiple users. By combining groups with authorization policies, the permissions of a group of users can be managed in batches. Authorization policies can be used to assign resource permissions to groups, and users in this group will inherit the resource permissions of the group.
The permissions of MinIO users are divided into two parts: the original permissions of the user + the permissions inherited from the group. In the context of MinIO, users only have the authorizations they are explicitly granted or inherited from usergroups. If a user has not been explicitly granted (either directly granted or inherited) permissions to a resource, they cannot access that resource.
For details about MinIO groups, please refer to Group Management
MinIO uses policy-based access control (PBAC) to manage which permissions users have on which resources. Each policy limits the permissions that users and groups have by specifying some actions or conditions.
MinIO has four built-in policies that can be directly assigned to users or groups. When authorizing users/groups, you need to use the mc admin policy set command. For details, please refer to mc admin policy
readonly: read-only permission to all buckets and storage objects in the MinIO replica
readwrite: Read and write permissions on all buckets and storage objects in the MinIO replica
diagnostics: Diagnostics permissions on the MinIO copy
writeonly: have write-only permissions to all buckets and storage objects in MinIO replicas