Minio: How's bucket policy related to anonymous/authorized access?

2

27

Minio has policies for each bucket, which contain:

  • ReadOnly
  • WriteOnly
  • Read+Write
  • None

How are these related to the anonymous/authorized access to the folders?
Like say I want to make a bunch of files available as read-only to users without credentials (access key and secret key). How can I do it?

Gainsay answered 6/3, 2017 at 2:17 Comment(1)
One step further, I want to create a bucket without authenticating. Is there a way? - Mend
23

Bucket policies provided by Minio client side are an abstracted version of the same bucket policies AWS S3 provides.

The client constructs a policy JSON based on the input string of bucket and prefix.

  • ReadOnly means anonymous download access is allowed, which includes being able to list objects on the desired prefix.
  • WriteOnly means anonymous uploads are allowed, which includes being able to list incomplete uploads on the desired prefix.
  • Read-Write means anonymous access to upload and download all objects. This also means full public access.
  • None is the default (no policy); it means that all operations need to be authenticated towards the desired bucket and prefix.

A bunch of files that reside under a particular prefix can be made available for read-only access. Let's say your prefix is 'my-prefix/read-only/downloads', then if you are using

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;

import org.xmlpull.v1.XmlPullParserException;

import io.minio.MinioClient;
import io.minio.policy.PolicyType;
import io.minio.errors.MinioException;

public class SetBucketPolicy {
  /**
   * MinioClient.setBucketPolicy() example.
   */
  public static void main(String[] args)
    throws IOException, NoSuchAlgorithmException, InvalidKeyException, XmlPullParserException {
    try {
      /* play.minio.io for test and development. */
      MinioClient minioClient = new MinioClient("https://play.minio.io:9000", "Q3AM3UQ867SPQQA43P2F",
                                                "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG");

      /* Amazon S3: */
      // MinioClient minioClient = new MinioClient("https://s3.amazonaws.com", "YOUR-ACCESSKEYID",
      //                                           "YOUR-SECRETACCESSKEY");

      minioClient.setBucketPolicy("my-bucketname", "my-prefix/read-only/downloads", PolicyType.READ_ONLY);
    } catch (MinioException e) {
      System.out.println("Error occurred: " + e);
    }
  }
}

Once your call is successful, all the objects inside 'my-prefix/read-only/downloads' are publicly readable, i.e. without an access/secret key.

Gabrielegabriell answered 6/3, 2017 at 2:30 Comment(4)
Thanks for the clarification. How can I make some files private? Like no anonymous (read) access? - Gainsay
By default all your files are private, there is no special call to make them private. - Gabrielegabriell
Just to be clear (so you can test from curl), the URL you would actually access a file is https://play.minio.io:9000/my-bucketname/<path>, where <path> in the above example is my_prefix/read-only/downloads, presumably you've created this path. If you just have a file file.jpg in the bucket, you'd have a prefix of `` in the above call and the URL would be https://play.minio.io:9000/my-bucketname/file.jpg. I found it confusing if I couldn't make a specific working example, so here it is. - Waldrup
Is there a way to create a bucket programmatically on Minio without authenticating, i.e. a policy global to Minio, not limited to operations on a bucket? I need it to run an integration test, which will do the following: 1. Run Minio in docker. 2. Run AWS SAM to create bucket, upload object. 3. SAM processes the objects as per the production code. - Mend
12

'public' is valid policy...

You can change this policy: install mc (minio client) and then:

# list default hosts after install: 
mc config host ls

# remove all hosts: mc config host rm {hostName}
mc config host rm local

# add your host: mc config host add {hostName} {url} {apiKey} {apiSecret}
mc config host add local http://127.0.0.1:9000 ClientIdASSDSD ClientSecretASASASdsasdasdasdasd

# create bucket: mc mb {host}/{bucket}
mc mb local/mybucket

# change bucket policy: mc policy set {policy} {host}/{bucket}
mc policy set public local/mybucket
Flipper answered 2/11, 2017 at 11:37 Comment(1)
mc policy set public local/mybucket is now the command to set the policy - Hak
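
Both answers end with a bucket or prefix open to callers without credentials, so it helps to be able to read a policy back and see what it exposes. The following is an added example, not code from either answer or from the Minio project: it parses an S3-style bucket policy JSON and reports, per object resource, which of the page's policy names applies to anonymous callers. The sample policy is constructed, the exact statements the Minio client generates are an assumption, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase
# Constructed sample in S3 bucket-policy JSON: read-only for anonymous callers on
# bucket "my-bucketname", prefix "my-prefix/read-only/downloads". The exact
# statements the Minio client generates are an assumption here.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucketname"]},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::my-bucketname/my-prefix/read-only/downloads*"]},
    ],
})

READ = ["s3:getobject"]
WRITE = ["s3:putobject", "s3:deleteobject"]
NAMES = {frozenset({"read"}): "ReadOnly", frozenset({"write"}): "WriteOnly",
         frozenset({"read", "write"}): "Read+Write"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the principal is the wildcard, i.e. any unauthenticated caller."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def _grants(patterns, known):
    """True when any action pattern (wildcards allowed) covers a known action."""
    return any(fnmatchcase(k, p.lower()) for p in patterns for k in known)

def anonymous_grants(policy_json):
    """Map each object resource to the page's policy name for anonymous callers."""
    modes = {}
    if not policy_json:  # "None": no policy, every request must be authenticated
        return modes
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            path = res.replace("arn:aws:s3:::", "", 1)
            if "/" not in path and "*" not in path:
                continue  # bucket-level statement (location, listing), not objects
            found = modes.setdefault(path, set())
            found.update(m for m, known in (("read", READ), ("write", WRITE))
                         if _grants(actions, known))
    return {path: NAMES[frozenset(m)] for path, m in modes.items() if m}
```

An empty result means no object is reachable without credentials; any "Read+Write" entry on a `bucket/*` resource corresponds to the full public access described above.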
