## Preface

When we use MinIO we normally have to add users and grant each of them permissions on specific buckets. This post covers writing a policy for a single bucket (read-write, read-only, write-only) and then assigning that policy to a user, so that in the end a user holds an independent read-write, read-only or write-only permission on one bucket and nothing else.

For installing MinIO on a Synology NAS, see my previous post:

> [Installing MinIO in Docker on Synology](https://www.khalidlife.com/posts/us3238vf4hl204ty.html)

## Create a Policy

### Add a Policy

  1. Go to Administrator -> Policy
  2. Choose Create Policy
  3. Enter the policy name
    1. Naming convention
      1. Read-write: readwrite_<bucket name> (or group name)
      2. Read-only: readonly_<bucket name> (or group name)
      3. Write-only: writeonly_<bucket name> (or group name)
  4. Enter the policy content. These are user/group (IAM) policies, not bucket policies, so each statement needs only Effect, Action and Resource and no Principal. A policy document that carries `"Principal": {"AWS": ["*"]}` is in bucket-policy form and, if it is ever applied as a bucket policy, grants the listed actions to anonymous clients.

### Single-bucket read-write (readwrite) example

Replace the bucket name with your own; the examples use bucket-xxx. Bucket-level actions (GetBucketLocation, ListBucket, ListBucketMultipartUploads) go on the bucket ARN `arn:aws:s3:::bucket-xxx`; object-level actions go on `arn:aws:s3:::bucket-xxx/*`, where the single trailing `*` matches every key in the bucket, including keys that contain `/`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-xxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-xxx/*"
      ]
    }
  ]
}
```

### Single-bucket read-only (readonly) example

Replace the bucket name with your own; the example uses bucket-xxx. Read-only means the user can locate and list the bucket and fetch objects, but has no Put, Delete or multipart-upload action at all.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-xxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-xxx/*"
      ]
    }
  ]
}
```

### Single-bucket write-only (writeonly) example

Replace the bucket name with your own; the example uses bucket-xxx. Note that this variant grants neither s3:ListBucket nor s3:GetObject, so the user cannot enumerate or read keys, but it does keep s3:DeleteObject (plus the multipart actions needed for large uploads), so the user can overwrite or delete any key it already knows. If the use case is an append-only drop box or a backup target that must not be able to erase its own history, remove s3:DeleteObject as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-xxx"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-xxx/*"
      ]
    }
  ]
}
```

## Multiple buckets

### Listing buckets individually

Everywhere a bucket name appears in the single-bucket policy the value is already an array, so simply add the other buckets to it. Do this in both statements: the bucket ARNs (`arn:aws:s3:::bucket-xxx1`) in the bucket-level statement and the object ARNs (`arn:aws:s3:::bucket-xxx1/*`) in the object-level statement; if only one of them is extended, the user can fetch objects from the new bucket but not list it, or list it but not fetch anything.

```json
"Resource": [
  "arn:aws:s3:::bucket-xxx/*",
  "arn:aws:s3:::bucket-xxx1/*",
  "arn:aws:s3:::bucket-xxx2/*"
]
```

### Matching by prefix

This only works when the bucket names share a fixed prefix. Resource ARNs accept `*` as a wildcard, so one pattern covers every bucket whose name starts with bucket-xxx: use the bare form in the bucket-level statement and the `/*` form in the object-level statement. Mind the blast radius: the pattern also matches any bucket created later with that prefix (bucket-xxx-archive, bucket-xxxtest), so list buckets explicitly unless that is intended.

```json
"Resource": [
  "arn:aws:s3:::bucket-xxx*",
  "arn:aws:s3:::bucket-xxx*/*"
]
```
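As an added example that is not the page's own code and not MinIO's policy engine, the following Python builds the three policy variants from the policy section for any list of bucket names or prefixes, and runs a small evaluator and linter over the result, so that before attaching a policy you can confirm that read-only really cannot write, write-only cannot read or list, a prefix wildcard from the multi-bucket section reaches only the buckets you expect, and no Principal slipped in. The matcher is a simplified model of IAM evaluation (default deny, an explicit Deny beats any Allow, `*` matches any run of characters including `/`); the bucket names in the demo are constructed.

```python
"""Generate the page's per-bucket MinIO user/group policies and check what they allow.

Added example: a simplified model of IAM matching (default deny, Deny beats Allow,
'*' matches any run of characters including '/'), not MinIO's own engine.
"""
import json
import re

ARN = "arn:aws:s3:::"

# Actions granted by the three variants, split into bucket-level and object-level.
BUCKET_ACTIONS = {
    "readwrite": ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"],
    "readonly": ["s3:GetBucketLocation", "s3:ListBucket"],
    "writeonly": ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
}
OBJECT_ACTIONS = {
    "readwrite": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
    "readonly": ["s3:GetObject"],
    "writeonly": ["s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
}


def build_policy(mode, buckets):
    """Policy document for `mode` covering each entry of `buckets` (explicit names or a
    prefix such as 'bucket-xxx*'). No Principal: the document is attached to a user/group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(BUCKET_ACTIONS[mode]),
             "Resource": [ARN + b for b in buckets]},
            {"Effect": "Allow", "Action": list(OBJECT_ACTIONS[mode]),
             "Resource": [ARN + b + "/*" for b in buckets]},
        ],
    }


def _match(pattern, value):
    """IAM-style wildcard: '*' matches any run of characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _bucket_of(resource):
    """Bucket part of a resource ARN: 'arn:aws:s3:::b/k' -> 'b', '*' -> '*'."""
    rest = resource[len(ARN):] if resource.startswith(ARN) else resource
    return rest.split("/", 1)[0]


def is_allowed(policy, action, resource):
    """Evaluate one request: default deny, and an explicit Deny beats any Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """Findings to resolve before attaching the policy to a user or group."""
    findings = []
    for st in policy["Statement"]:
        if "Principal" in st:
            findings.append("Principal is a bucket-policy field; the same JSON applied as a "
                            "bucket policy with AWS '*' would grant anonymous access")
        for r in _as_list(st["Resource"]):
            bucket = _bucket_of(r)
            if bucket in ("", "*"):
                findings.append(f"{r} covers every bucket on the server")
            elif "*" in bucket:
                findings.append(f"{r} is a prefix wildcard: it reaches every current and "
                                f"future bucket matching {bucket}")
    return findings


def buckets_matched(resource, existing_buckets):
    """Which of `existing_buckets` a (possibly wildcard) resource ARN reaches."""
    pattern = _bucket_of(resource)
    return [b for b in existing_buckets if _match(pattern, b)]


if __name__ == "__main__":
    ro = build_policy("readonly", ["bucket-xxx"])
    print(json.dumps(ro, indent=2))
    obj = ARN + "bucket-xxx/report.pdf"
    print("readonly GetObject:", is_allowed(ro, "s3:GetObject", obj))  # True
    print("readonly PutObject:", is_allowed(ro, "s3:PutObject", obj))  # False
    # Prefix form from the multi-bucket section: see how far it reaches (constructed names).
    existing = ["bucket-xxx", "bucket-xxx1", "bucket-xxx-archive", "finance"]
    print(buckets_matched(ARN + "bucket-xxx*", existing))  # everything but 'finance'
    print(lint_policy(build_policy("readwrite", ["bucket-xxx*"])))
```

Run it against the bucket list from `mc ls` on your own server in place of the constructed `existing` list to see which buckets a prefix pattern would actually expose; feed an exported policy document into `lint_policy` to catch a Principal copied over from a bucket-policy template.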

## Add Groups

  1. Naming convention: group_<group name>
  2. Assign the policy

Attach the policy to the group rather than to individual users. A user's effective permissions are the union of the policies attached directly to the user and the policies of every group the user belongs to, so when auditing who can reach a bucket, check group membership as well as direct assignments.

## Add Users

  1. Naming convention: bu_<username> (use a 32-character string)
  2. Select the group
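The group and user steps above, scripted with `mc` instead of the console, as an added example that is not the page's own code. It assumes an `mc` alias named `nas` (an assumption; create it with `mc alias set`) already points at the MinIO server, that the policy file `<mode>_<bucket>.json` from the policy section is in the current directory, and a current `mc` release (`mc admin policy create` and `mc admin policy attach`; older releases spell these `policy add` and `policy set`). The 32-character note from the user step is applied here to the generated secret key, which is my reading of it. By default the script only prints the plan with the secret redacted; pass `dry_run=False` to execute it.

```python
"""Create the policy, group and user for one bucket with mc, in the page's naming scheme.

Added example. Assumes: an mc alias `nas` (assumption) pointing at the server, the policy
JSON already saved as <mode>_<bucket>.json, and a current mc (`policy create` / `attach`).
"""
import secrets
import subprocess

ALIAS = "nas"  # assumed mc alias, created earlier with `mc alias set nas https://... KEY SECRET`


def plan(bucket, user, mode="readwrite", alias=ALIAS):
    """Return (access_key, secret_key, commands) following the page's naming rules:
    <mode>_<bucket> policy, group_<bucket> group, bu_<user> user."""
    policy = f"{mode}_{bucket}"
    group = f"group_{bucket}"
    access_key = f"bu_{user}"
    secret_key = secrets.token_urlsafe(24)  # 24 random bytes -> 32 URL-safe characters
    commands = [
        ["mc", "admin", "policy", "create", alias, policy, f"{policy}.json"],
        ["mc", "admin", "user", "add", alias, access_key, secret_key],
        ["mc", "admin", "group", "add", alias, group, access_key],
        # Attach to the group, not the user: membership decides access, and
        # MinIO applies the union of a user's own and group policies.
        ["mc", "admin", "policy", "attach", alias, policy, "--group", group],
    ]
    return access_key, secret_key, commands


def provision(bucket, user, mode="readwrite", dry_run=True, alias=ALIAS):
    """Print the plan (secret redacted) or, with dry_run=False, execute it in order."""
    access_key, secret_key, commands = plan(bucket, user, mode, alias)
    for cmd in commands:
        shown = ["<secret>" if arg == secret_key else arg for arg in cmd]
        print(" ".join(shown))
        if not dry_run:
            subprocess.run(cmd, check=True)  # stop at the first failure
    return access_key, secret_key


if __name__ == "__main__":
    ak, sk = provision("bucket-xxx", "alice")  # dry run; hand `sk` to the user out of band
```

The secret is generated once, never written to the policy file or the shell history of the operator's interactive session, and only the redacted command line is printed; deliver it to the user through whatever secret channel you already use rather than by pasting it into a ticket.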