Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for OpenShift

User Management

Overview

A MinIO user consists of a unique access key (username) and corresponding secret key (password). Clients must authenticate their identity by specifying both a valid access key (username) and the corresponding secret key (password) of an existing MinIO user.

Each user can have one or more assigned policies that explicitly list the actions and resources to which that user has access. Users can also inherit policies from the groups in which they have membership.

MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. You must either explicitly assign a policy describing the user’s authorized actions and resources or assign the user to groups which have associated policies. See Access Management for more information.

This page documents user management for the MinIO internal IDentity Provider (IDP). MinIO also external management of identities using either an OpenID Connect (OIDC) or Active Directory/LDAP IDentity Provider (IDP). For more information, see:

Enabling external identity management disables the MinIO internal IDP, with the exception of creating access keys.

Access Keys

MinIO Access Keys (formerly “Service Accounts”) are child identities of an authenticated MinIO user, including externally managed identities. Each access key inherits its privileges based on the policies attached to it’s parent user or those groups in which the parent user has membership. Access keys also support an optional inline policy which further restricts access to a subset of actions and resources available to the parent user.

A MinIO user can generate any number of access keys. This allows application owners to generate arbitrary access keys for their applications without requiring action from the MinIO administrators. Since the generated access keys have the same or fewer permissions as the parents, administrators can focus on managing the top-level parent users without micro-managing generated access keys.

You can create access keys using either the MinIO Console or by using the mc admin user svcacct add command. Identities created by these methods do not expire until you remove the access key or the parent account.

You can also create security token service accounts programmatically with the AssumeRole STS API endpoint. STS tokens default to expire in 1 hour, but you set expiration for up to 7 days from creation.

Access Keys are for Programmatic Access

Access Keys support programmatic access by applications. You cannot use an access key to log into the MinIO Console.

MinIO root User

MinIO deployments have a root user with access to all actions and resources on the deployment, regardless of the configured identity manager. When a minio server first starts, it sets the root user credentials by checking the value of the following environment variables:

Rotating the root user credentials requires updating either or both variables for all MinIO servers in the deployment. Specify long, unique, and random strings for root credentials. Exercise all possible precautions in storing the access key and secret key, such that only known and trusted individuals who require superuser access to the deployment can retrieve the root credentials.

  • MinIO strongly discourages using the root user for regular client access regardless of the environment (development, staging, or production).

  • MinIO strongly recommends creating users such that each client has access to the minimal set of actions and resources required to perform their assigned workloads.

If these variables are unset, minio defaults to minioadmin and minioadmin as the access key and secret key respectively. MinIO strongly discourages use of the default credentials regardless of deployment environment.

Deprecation of Legacy Root User Environment Variables

MinIO RELEASE.2021-04-22T15-44-28Z and later deprecates the following variables used for setting or updating root user credentials:

User Management

Create a User

Use the mc admin user add command to create a new user on the MinIO deployment:

mc admin user add ALIAS ACCESSKEY SECRETKEY

  • Replace ALIAS with the alias of the MinIO deployment.

  • Replace ACCESSKEY with the access key for the user. MinIO allows retrieving the access key after user creation through the mc admin user info command.

  • Replace SECRETKEY with the secret key for the user. MinIO does not provide any method for retrieving the secret key once set.

Specify a unique, random, and long string for both the ACCESSKEY and SECRETKEY. Your organization may have specific internal or regulatory requirements around generating values for use with access or secret keys.

After creating the user, use mc admin policy attach to associate a MinIO Policy Based Access Control to the new user. The following command assigns the built-in readwrite policy:

mc admin policy attach ALIAS readwrite --user=USERNAME

Replace USERNAME with the ACCESSKEY created in the previous step.

Delete a User

Use the mc admin user rm command to remove a user on a MinIO deployment:

mc admin user rm ALIAS USERNAME

  • Replace ALIAS with the alias of the MinIO deployment.

  • Replace USERNAME with the name of the user to remove.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License