Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for Kubernetes

Identity and Access Management

MinIO requires the client perform both authentication and authorization for each new operation.

Authentication

The process of verifying the identity of a connecting client. MinIO requires clients authenticate using AWS Signature Version 4 protocol with support for the deprecated Signature Version 2 protocol. Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations.

Authorization

The process of restricting the actions and resources the authenticated client can perform on the deployment. MinIO uses Policy-Based Access Control (PBAC), where each policy describes one or more rules that outline the permissions of a user or group of users. MinIO supports S3-specific actions and conditions when creating policies. By default, MinIO denies access to actions or resources not explicitly referenced in a user’s assigned or inherited policies.

Identity Management

MinIO supports both internal and external identity management:

IDentity Provider (IDP)

Description

MinIO Internal IDP

Provides built-in identity management functionality.

OpenID

Supports managing identities through an OpenID Connect (OIDC) compatible service.

MinIO Authentation Plugin

Supports a custom external identity manager using the MinIO Authentication Plugin extension.

Active Directory / LDAP

Supports managing identities through an Active Directory or LDAP service.

Access Management Plugin

Supports a custom external access manager using the MinIO Access Management Plugin extension.

Once authenticated, MinIO either allows or rejects the client request depending on whether or not the authenticated identity is authorized to perform the operation on the specified resource.

Access Management

MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.

MinIO manages the creation and storage of policies. The process for assigning a policy to a user or group depends on the configured IDentity Provider (IDP).

MinIO deployments using the MinIO Internal IDP require explicitly associating a user to a policy or policies using the mc admin policy attach command. A user can also inherit the policies attached to the groups in which they have membership.

By default, MinIO denies access to actions or resources not explicitly allowed by an attached or inherited policy. A user with no explicitly assigned or inherited policies cannot perform any S3 or MinIO administrative API operations.

For MinIO deployments using an External IDP, policy assignment depends on the choice of IDP:

OpenID Connect (OIDC)

MinIO checks for a JSON Web Token (JWT) claim (policy by default) containing the name of the policy or policies to attach to the authenticated user. If the policies do not exist, the user cannot perform any action on the MinIO deployment.

MinIO does not support assigning OIDC user identities to groups. The IDP administrator must instead assign all necessary policies to the user’s policy claim.

See Access Control for Externally Managed Identities for more information.

Active Directory / LDAP (AD/LDAP)

MinIO checks for a policy whose name matches the Distinguished Name (DN) of the authenticated AD/LDAP user.

MinIO also supports querying for the authenticated AD/LDAP user’s group memberships. MinIO assigns any policy whose name matches the DN for each returned group.

If no policies match either the user DN or any of the user’s group DNs, the user cannot perform any action on the MinIO deployment.

See Access Control for Externally Managed Identities for more information.

MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. The MinIO documentation makes a best-effort to cover IAM-specific behavior and functionality. Consider deferring to the IAM documentation for more complete documentation on IAM, IAM policies, or IAM JSON syntax.

Deny overrides Allow

MinIO follows AWS IAM policy evaluation rules where a Deny rule overrides Allow rule on the same action/resource. For example, if a user has an explicitly assigned policy with an Allow rule for an action/resource while one of its groups has an assigned policy with a Deny rule for that action/resource, MinIO would apply only the Deny rule.

For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License