Minio: How's bucket policy related to anonymous/authorized access?

minio
Daniel picture Daniel · Mar 6, 2017 · Viewed 24.7k times · Source

Minio has policies for each bucket. Which contains:

  • ReadOnly
  • WriteOnly
  • Read+Write
  • None

How are these related to the anonymous/authorized access to the folders?
Like say I want to make a bunch of files available as read-only to users without credentials (access key and secret key). How can I do it?

Answer

Harshavardhana picture Harshavardhana · Mar 6, 2017

Bucket policies provided by Minio client side are an abstracted version of the same bucket policies AWS S3 provides.

Client constructs a policy JSON based on the input string of bucket and prefix.

  • ReadOnly means - anonymous download access is allowed includes being able to list objects on the desired prefix
  • WriteOnly means - anonymous uploads are allowed includes being able to list incomplete uploads on the desired prefix
  • Read-Write - anonymous access to upload and download all objects. This also means full public access.
  • None - is default (no policy) it means that all operations need to be authenticated towards desired bucket and prefix.

A bunch of files should reside under a particular prefix can be made available for read only access. Lets say your prefix is 'my-prefix/read-only/downloads' then if you are using

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;

import org.xmlpull.v1.XmlPullParserException;

import io.minio.MinioClient;
import io.minio.policy.PolicyType;
import io.minio.errors.MinioException;

public class SetBucketPolicy {
  /**
   * MinioClient.setBucketPolicy() example.
   */
  public static void main(String[] args)
    throws IOException, NoSuchAlgorithmException, InvalidKeyException, XmlPullParserException {
    try {
      /* play.minio.io for test and development. */
      MinioClient minioClient = new MinioClient("https://play.minio.io:9000", "Q3AM3UQ867SPQQA43P2F",
                                                "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG");

      /* Amazon S3: */
      // MinioClient minioClient = new MinioClient("https://s3.amazonaws.com", "YOUR-ACCESSKEYID",
      //                                           "YOUR-SECRETACCESSKEY");

      minioClient.setBucketPolicy("my-bucketname", "my-prefix/read-only/downloads", PolicyType.READ_ONLY);
    } catch (MinioException e) {
      System.out.println("Error occurred: " + e);
    }
  }
}

Once your call is successful, all the objects inside 'my-prefix/read-only/downloads' are publicly readable i.e without access/secret key.

Related questions

docker-compose: how to use minio in- and outside of the docker network

I have the following docker-compose.yml to run a local environment for my Laravel App. version: '3' services: app: build: context: . dockerfile: .docker/php/Dockerfile ports: - 80:80 - 443:443 volumes: - .:/var/www:delegated environment: AWS_ACCESS_KEY_ID: minio_…

Read More