Created January 14, 2020 01:50
Revisions
Chloe Kudryavtsev created this gist Jan 14, 2020.
@@ -0,0 +1,32 @@ # Some useful policies for MinIO A small collection, because reasons. ## User Policies To apply these: 1. Download the file. 2. `mcli admin policy add MYMINIO NAME NAME.json` (replace MYMINIO with your configured instance and NAME with the filename). 3. `mcli admin policy set MYMINIO NAME user=USER` (same as above, replace USER with the user you want to configure). ### UserOnly.json This grants the user in question access to ONLY the bucket that matches that user's name. For example, the user "foo" will have access ONLY to the "foo" bucket, and no others. If they run a listing, they will only see their own bucket. ### UserPrefix.json This grants the user in question access to ANY bucket that matches the user's name as a prefix. For example, the user "foo" will have access to the bucket "foo" and "foobar", but not "barfoo". They will be able to list any buckets they have access to, but no others. ## Bucket Policies To apply these: 1. Download the file. 2. EDIT the file - replace BUCKETNAME with the name of the bucket you want to apply these to. 3. `mcli policy set-json ./FILE.json MYMINIO/BUCKETNAME` (where FILE.json is the EDITED file, MYMINIO is your configured instance and BUCKETNAME is the name of the bucket you want to apply this to). 4. Repeat 2-3 for every bucket you want to modify. ### FetchOnly.json This policy is similar to ReadOnly in that it allows fetching any object in the bucket. However, it does NOT allow listing objects in that bucket. This can be useful to make a computation attack more expensive when sharing files in a federated fashion.
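Review bot: the FetchOnly.json section of the README does not say who is allowed to fetch. The policy it describes (the statement in this revision with `"Principal": { "AWS": [ "*" ] }` and `"Action": "s3:GetObject"`) grants read access to unauthenticated clients, so every object in the bucket is readable by anyone who knows or guesses its key. Suggest stating that plainly, and replacing "computation attack" with what is actually meant (enumerating object names), together with a note that withholding `s3:ListBucket` only raises the cost of discovering keys and is not access control; unguessable object keys become the only secret protecting the data.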
@@ -0,0 +1,15 @@ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "*" ] }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKETNAME/*" } ] }
@@ -0,0 +1,15 @@ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::${aws:username}", "arn:aws:s3:::${aws:username}/*" ] } ] }
@@ -0,0 +1,15 @@ { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::${aws:username}*", "arn:aws:s3:::${aws:username}*/*" ] } ] }
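Review bot: in the first policy hunk (Principal `"*"`, `"Action": "s3:GetObject"`, the one the README calls FetchOnly.json), the statement has no `Condition` block, so every object under `arn:aws:s3:::BUCKETNAME/*` is anonymously readable from anywhere for as long as the policy is attached. If the intent is "shareable with people who hold a link", a presigned URL (time-limited, issued per object) gives that without making the whole bucket public; if the bucket really must be anonymously readable, consider at least a `Condition` on `aws:SourceIp` to limit where reads may come from, and document that object keys are the only thing standing between the data and the public internet.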
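Review bot: in the second policy hunk (resources `arn:aws:s3:::${aws:username}` and `arn:aws:s3:::${aws:username}/*`, the README's UserOnly.json), `"Action": [ "s3:*" ]` is broader than "access to the bucket": it includes bucket-management actions such as `s3:DeleteBucket` and `s3:PutBucketPolicy`, so a user can delete their bucket or attach a bucket policy that opens it to anonymous readers (the same shape as the FetchOnly statement in this revision), which defeats the per-user isolation the README describes. Suggest listing only the actions users actually need, for example `s3:ListBucket` on the bucket ARN and `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` on the `/*` ARN, and keeping bucket-policy and bucket-deletion actions out of the user policy.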
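Review bot: in the third policy hunk (resources `arn:aws:s3:::${aws:username}*` and `arn:aws:s3:::${aws:username}*/*`, the README's UserPrefix.json), placing the wildcard directly after the variable means any username that is a prefix of another username overlaps with it: the README's own example has user `foo` matching bucket `foobar`, so if a user `foobar` also exists, `foo` gets `s3:*` on `foobar`'s bucket. Suggest requiring a separator between the username and the wildcard, e.g. `arn:aws:s3:::${aws:username}-*` and `arn:aws:s3:::${aws:username}-*/*` (adding the exact-name ARNs from UserOnly.json if the bare bucket should still match), and the same narrowing of `s3:*` as suggested for UserOnly.json.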