mc admin user
Table of Contents
Description
The mc admin user
command manages users on a MinIO deployment. Clients
must authenticate to the MinIO deployment with the access key and secret key
associated to a user on the deployment. MinIO users constitute a key component in
MinIO Identity and Access Management.
Use mc admin
on MinIO Deployments Only
MinIO does not support using mc admin
commands with other
S3-compatible services, regardless of their claimed compatibility with MinIO
deployments.
Users and Policy-Based Access Control
MinIO uses Policy-Based Access Control (PBAC) to support authorization of users who have successfully authenticated to the deployment. Each policy includes rules that dictate the allowed or denied actions/resources on the deployment. You can assign one or more policies to a User. Users also inherit the policies of any groups of which they are members. A user’s total set of permissions includes their explicitly assigned policies and any policies inherited via group membership.
Newly created users have no policies by default and therefore cannot perform any operations on the MinIO deployment. To configure a user’s assigned policies, you can do either or both of the following:
Use
mc admin policy set
to associate one or more policies to the user.Use
mc admin group add
to associate the user to the group. Users inherit any policies assigned to the group.
Each user’s total set of permissions consists of their explicitly assigned permission and the inherited permissions from each of their assigned groups.
For more information on MinIO users and groups, see User Management and Group Management. For more information on MinIO policies, see MinIO Policy Based Access Control.
Deny
overrides Allow
MinIO follows the IAM standard where a Deny
rule overrides Allow
rule
on the same action or resource. For example, if a user has an explicitly
assigned policy with an Allow
rule for an action/resource while one of
its groups has an assigned policy with a Deny
rule for that
action/resource, MinIO would apply only the Deny
rule.
For more information on IAM policy evaluation logic, see the IAM documentation on Determining Whether a Request is Allowed or Denied Within an Account.
Examples
Create a New User
Use mc admin user add
to create a user on an S3-compatible host:
mc admin user add ALIAS ACCESSKEY SECRETKEY
Replace
ACCESSKEY
with the access key for the user. MinIO allows retrieving the access key after user creation through themc admin user info
command.Replace
SECRETKEY
with the secret key for the user. MinIO does not provide any method for retrieving the secret key once set.
Specify a unique, random, and long string for both the ACCESSKEY
and
SECRETKEY
. Your organization may have specific internal or regulatory
requirements around generating values for use with access or secret keys.
List Available Users
Use mc admin user list
to list all users on an S3-compatible host:
mc admin user list ALIAS
mc admin user list
does not return the access key or secret key
associated to a user. Use mc admin user info
to retrieve detailed
user information, including the user access key.
View User Details
Use mc admin user info
to view detailed user information on an
S3-compatible host:
mc admin user info ALIAS USERNAME
Remove a User
Use mc admin user remove
to remove a user from an S3-compatible host:
mc admin user remove ALIAS USERNAME
Disable a User
Use mc admin user disable
to disable a user on an S3-compatible host.
Disabling a user prevents clients from authenticating to the S3 host with that
user’s credentials, but does not remove that user from the S3 host.
Use mc admin user enable
to enable a disabled user on an S3-compatible
host.
mc admin user disable ALIAS USERNAME
Enable a User
Use mc admin user enable
to enable a user on an S3-compatible
host.
mc admin user enable ALIAS USERNAME
Syntax
- mc admin user add
Adds new user to the target MinIO deployment. The command has the following syntax:
mc admin user add TARGET ACCESSKEY SECRETKEY
The command accepts the following arguments:
- TARGET
The
alias
of a configured MinIO deployment on which the command creates the new user.
- mc admin user list
Lists all users on the target MinIO deployment. The command has the following syntax:
mc admin user list TARGET
The command accepts the following argument:
- TARGET
The
alias
of a configured MinIO deployment from which the command lists users.
- mc admin user info
Returns detailed information of a user on the target MinIO deployment. The command has the following syntax:
mc admin user info TARGET USERNAME
The command accepts the following arguments:
- TARGET
The
alias
of a configured MinIO deployment from which the command retrieves the specified user information.
- remove
Removes a user from the target MinIO deployment. The command has the following syntax:
mc admin user remove TARGET USERNAME
The command supports the following arguments:
- TARGET
The
alias
of a configured MinIO deployment on which the command removes the specified user.
- mc admin user disable
Disables a user on the target MinIO deployment. Clients cannot use the user credentials to authenticate to the MinIO deployment. Disabling a user does not remove that user from the deployment.
The command has the following syntax:
mc admin user disable TARGET USERNAME
The command supports the following arguments:
- TARGET
The
alias
of a configured MinIO deployment on which the command disables the specified user.
- mc admin user enable
Enables a user on the target deployment. Clients can only use enabled users to authenticate to the MinIO deployment. Users created using
mc admin user add
are enabled by default.The command has the following syntax:
mc admin user enable TARGET USERNAME
The command supports the following arguments:
- TARGET
The
alias
of a configured MinIO deployment on which the command enables the specified user.