Is it possible to define group-based access to a minio bucket? #64
Hi, great project! Let's say I defined an additional bucket I also have a group of users called Can I set some value so that the users of the group Unless I'm missing something about minio policies, this cannot be done through
Replies: 1 comment 1 reply
@Diddy42 First, I want to say that the embedded MinIO is NOT currently intended for production usage, it's meant to allow users to test deployKF anywhere, before they connect to a more robust S3-like object store.

(That is NOT to say you can't set up your own MinIO Object Store, and connect deployKF with it)

While it's a bit dangerous to encourage usage of the embedded MinIO, I am open to accepting a contribution that lets you define `extraPolicyStatements`, as we don't currently provide a way to extend the policies we automatically generate for each user defined in `deploykf_core.deploykf_profiles_generator.users`.

For example, we could add a value like `deploykf_opt.deploykf_minio.extraPoli…`

```yaml
deploykf_opt:
  deploykf_minio:
    ## a list of extra policy statements to add to the default policy
    ## generated for each user in `deploykf_core.deploykf_profiles_generator.users`
    extraPolicyStatements:
      ## additional policy statements for 'user-1'
      - user: user-1
        statements:
          ## allow 'user-1' to see MY_BUCKET_NAME
          - Effect: Allow
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::MY_BUCKET_NAME
      ## additional policy statements for each member of 'team-1' group
      - group: team-1
        statements:
          ## allow members of 'team-1' to see MY_BUCKET_NAME
          - Effect: Allow
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::MY_BUCKET_NAME
          ## allow members of 'team-1' to read/write under MY_BUCKET_NAME/some-prefix/*
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
            Resource:
              - arn:aws:s3:::MY_BUCKET_NAME/some-prefix/*
```

The way this would be implemented would be by extending the automatically generated

Some of the important templates which are called in the above section are:

You would also need to use the
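An added example, not part of the reply above and not deployKF code: Python that expands the proposed `extraPolicyStatements` entries into the extra statements each user would receive, rejecting statements that are not scoped to a named bucket. The group membership map `GROUPS`, the function names `check_statement` and `expand`, and the specific lint rules are assumptions of this example.

```python
import json

# Constructed sample mirroring the proposed `extraPolicyStatements` value.
EXTRA = [
    {"user": "user-1", "statements": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::MY_BUCKET_NAME"]}]},
    {"group": "team-1", "statements": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::MY_BUCKET_NAME"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::MY_BUCKET_NAME/some-prefix/*"]}]},
]
# Assumed group membership (hypothetical shape, not deployKF's schema).
GROUPS = {"team-1": ["user-1", "user-2"]}

def check_statement(stmt):
    """Return a list of least-privilege problems found in one statement."""
    problems = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append("Effect must be Allow or Deny")
    for action in stmt.get("Action", []):
        if not action.startswith("s3:") or "*" in action:
            problems.append(f"over-broad or non-S3 action: {action}")
    for res in stmt.get("Resource", []):
        bucket = res.removeprefix("arn:aws:s3:::").split("/", 1)[0]
        if not res.startswith("arn:aws:s3:::") or not bucket or "*" in bucket:
            problems.append(f"resource not scoped to a bucket: {res}")
    return problems

def expand(extra, groups):
    """Map each user to the extra statements they would receive."""
    per_user = {}
    for entry in extra:
        if ("user" in entry) == ("group" in entry):
            raise ValueError("entry needs exactly one of 'user' or 'group'")
        if "group" in entry and entry["group"] not in groups:
            raise ValueError(f"unknown group: {entry['group']}")
        members = [entry["user"]] if "user" in entry else groups[entry["group"]]
        for stmt in entry["statements"]:
            if problems := check_statement(stmt):
                raise ValueError("; ".join(problems))
            for user in members:
                stmts = per_user.setdefault(user, [])
                if stmt not in stmts:  # a statement granted twice is kept once
                    stmts.append(stmt)
    return per_user

if __name__ == "__main__":
    print(json.dumps(expand(EXTRA, GROUPS), indent=2))
```

Here `user-1` is named directly and is also a member of `team-1`, so the bucket-level statement appears once in that user's result alongside the prefix-scoped read/write statement.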