## Preface
When using MinIO, we usually need to add users and grant them permissions on the corresponding buckets. This article mainly covers how to set per-bucket policy permissions (read-write, read-only, write-only) and then assign the matching policy to a user, so that in the end a user has independent read-write, read-only or write-only access to a given bucket.
For installing MinIO on Synology, see my previous article.
> [Installing MinIO with Docker on Synology](https://www.khalidlife.com/posts/us3238vf4hl204ty.html)
## Creating a Policy
### Adding a Policy
- Go to Administrator -> Policy
- Choose Create Policy
- Enter the policy name
  - Naming format
    - Read-write: readwrite_<bucket name or group name>
    - Read-only: readonly_<bucket name or group name>
    - Write-only: writeonly_<bucket name or group name>
- Enter the policy content

Single-bucket read-write (readwrite) example
Replace the bucket name with your own; the example uses the bucket name bucket-xxx.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [ "arn:aws:s3:::bucket-xxx" ]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [ "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::bucket-xxx" ]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject"
      ],
      "Resource": [ "arn:aws:s3:::bucket-xxx/**" ]
    }
  ]
}
```

Single-bucket read-only (readonly) example
Replace the bucket name with your own; the example uses the bucket name bucket-xxx.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [ "s3:GetBucketLocation" ],
      "Resource": [ "arn:aws:s3:::bucket-xxx" ]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [ "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::bucket-xxx" ]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [ "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::bucket-xxx/**" ]
    }
  ]
}
```

Single-bucket write-only (writeonly) example
Replace the bucket name with your own; the example uses the bucket name bucket-xxx.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [ "arn:aws:s3:::bucket-xxx" ]
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "*" ] },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [ "arn:aws:s3:::bucket-xxx/**" ]
    }
  ]
}
```
### Multiple buckets
Adding buckets one by one
Every place in the single-bucket policy that carries a bucket name is an array, so you can simply append the other buckets:

```json
"Resource": [
  "arn:aws:s3:::bucket-xxx/**",
  "arn:aws:s3:::bucket-xxx1/**",
  "arn:aws:s3:::bucket-xxx2/**"
]
```

Adding by prefix
This requires the bucket names to follow a fixed format:

```json
"Resource": [
  "arn:aws:s3:::bucket-xxx/**",
  "arn:aws:s3:::bucket-xxx1/**",
  "arn:aws:s3:::bucket-xxx2/**"
]
```
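As an added example that is not part of the original post, the following Python builds the three policy shapes shown above (readwrite, readonly, writeonly) for one or more buckets using the page's naming convention, and includes a small matcher so you can check what a generated policy allows before attaching it to a user or group. It assumes MinIO's wildcard matching on Resource ARNs, which Python's `fnmatch` approximates, and omits the `Principal` block from the templates because the policy is attached to an identity rather than to a bucket.

```python
import fnmatch

# Action sets taken from the page's three templates: (bucket-level, object-level).
# The readwrite template splits its bucket-level actions over two statements;
# they are merged into one here, which is equivalent for an Allow-only policy.
MODE_ACTIONS = {
    "readwrite": (
        ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucket"],
        ["s3:GetObject", "s3:ListMultipartUploadParts", "s3:PutObject",
         "s3:AbortMultipartUpload", "s3:DeleteObject"],
    ),
    "readonly": (["s3:GetBucketLocation", "s3:ListBucket"], ["s3:GetObject"]),
    "writeonly": (
        ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
        ["s3:AbortMultipartUpload", "s3:DeleteObject",
         "s3:ListMultipartUploadParts", "s3:PutObject"],
    ),
}


def policy_name(mode, target):
    """Name a policy the way the page does: <mode>_<bucket or group name>."""
    return f"{mode}_{target}"


def build_policy(mode, buckets):
    """Return a MinIO policy dict for `mode` covering every bucket in `buckets`."""
    bucket_actions, object_actions = MODE_ACTIONS[mode]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": bucket_actions,
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": [f"arn:aws:s3:::{b}/**" for b in buckets]},
        ],
    }


def is_allowed(policy, action, resource_arn):
    """Minimal evaluator: True iff some Allow statement matches action and resource.

    Assumption: '*' in Action/Resource matches any run of characters, as fnmatch does.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in stmt["Resource"]):
            return True
    return False
```

A quick way to use it: `build_policy("writeonly", ["bucket-xxx", "bucket-xxx1"])` produces the multi-bucket array form from the section above, and `is_allowed(...)` lets you confirm that a write-only policy really denies `s3:GetObject` and `s3:ListBucket`.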
### Adding Groups
- Naming convention: group_<group name>
- Set the policy

### Adding Users
- Naming convention: bu_<username> (use a 32-character value)
- Select the group