Chapter 8: Bucket Management
A closer look at the advanced bucket management features of MinIO: bucket policies, lifecycle, replication and encryption configuration.
Last updated: 2024-01-15
8.1 Bucket Policies
8.1.1 Policy Syntax
MinIO uses the AWS S3-compatible IAM policy syntax. Each statement says who (`Principal`) may or may not (`Effect`) call which S3 APIs (`Action`) on which bucket or prefix (`Resource`), optionally restricted by a `Condition` such as the caller's source address:
```json
{
  "Version": "2012-10-17",
  "Id": "policy-id",
  "Statement": [
    {
      "Sid": "statement-id",
      "Effect": "Allow|Deny",
      "Principal": {
        "AWS": ["arn:aws:iam::user-id:root"]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.0/24"
        }
      }
    }
  ]
}
```
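To make the evaluation order concrete, here is a small policy evaluator added for this chapter (it is an illustration, not MinIO's policy engine, which supports many more condition keys and operators). It applies `Effect`, `Principal`, `Action`/`Resource` wildcards and the `aws:SourceIp` condition with the standard S3 decision rule: an explicit `Deny` always wins, and a request that matches no statement is denied. The policy it loads is constructed for the example; the `anonymous_allows` lint shows which statements are reachable without credentials, which is the first thing to check before applying any policy that contains `"Principal": {"AWS": "*"}`.

```python
"""Simplified evaluator for the bucket-policy syntax above.

Added example, not MinIO's policy engine. Covers Effect, Principal,
Action/Resource wildcards, the aws:SourceIp condition (IpAddress /
NotIpAddress) and the decision order: explicit Deny beats Allow, and a
request matching no statement is denied.
"""
import fnmatch
import ipaddress
import json

# Constructed sample policy (not from the page): anonymous read under public/,
# full access for one user, and a Deny on writes from outside 192.168.1.0/24.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::mybucket/public/*"},
    {"Sid": "AdminRW", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::user-id:user/admin"},
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
    {"Sid": "DenyWriteOffsite", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.168.1.0/24"}}}
  ]
}
""")

ANONYMOUS = "anonymous"  # caller identity used for unauthenticated requests


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Normalise "Principal": "*" / {"AWS": "..."} / {"AWS": [...]} to a list."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _principal_matches(statement, caller):
    return any(p == "*" or p == caller for p in _principals(statement))


def _condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp. Operators this toy
    does not understand are treated as not matching, so an unknown condition
    never widens a statement."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        nets = [ipaddress.ip_network(n) for n in _as_list(keys.get("aws:SourceIp", []))]
        in_any = any(ip in net for net in nets)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
    return True


def evaluate(policy, caller, action, resource, source_ip):
    """Return "Allow" or "Deny" for one request."""
    decision = "Deny"  # default deny
    for st in policy["Statement"]:
        if not _principal_matches(st, caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), source_ip):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit Deny wins regardless of statement order
        decision = "Allow"
    return decision


def anonymous_allows(policy):
    """Lint helper: Sids of Allow statements reachable without credentials."""
    return [st.get("Sid", "<no Sid>") for st in policy["Statement"]
            if st["Effect"] == "Allow" and "*" in _principals(st)]


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket/public/report.pdf"
    print(evaluate(SAMPLE_POLICY, ANONYMOUS, "s3:GetObject", obj, "203.0.113.7"))  # Allow
    print(evaluate(SAMPLE_POLICY, "arn:aws:iam::user-id:user/admin",
                   "s3:PutObject", obj, "10.0.0.5"))                                # Deny
    print(anonymous_allows(SAMPLE_POLICY))                                          # ['PublicRead']
```

The admin user is denied the write from `10.0.0.5` even though `AdminRW` grants `s3:*`: the `DenyWriteOffsite` statement matches and explicit Deny takes precedence, which is why network-scoped Deny statements are the usual way to hard-fence a bucket regardless of what other grants exist.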
8.1.2 Setting a Bucket Policy
```bash
# Create the policy file. A bucket policy is attached to one bucket, so the
# Resource ARNs in it must refer to that bucket: the second statement below
# (private-bucket) belongs in the policy of private-bucket, not public-bucket.
cat > bucket-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::public-bucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::user-id:root"},
      "Action": ["s3:*"],
      "Resource": "arn:aws:s3:::private-bucket/*"
    }
  ]
}
EOF
# Apply the policy (older mc: `mc policy set-json`; newer mc: `mc anonymous set-json`)
mc policy set-json bucket-policy.json myminio/public-bucket
# Grant anonymous read access (same effect as Principal "*" with s3:GetObject)
mc anonymous set download myminio/mybucket
# Show the current anonymous-access policy
mc anonymous list myminio/mybucket
# Remove the policy: the bucket is private again
mc anonymous set none myminio/mybucket
```
8.1.3 Common Policy Examples
Full read/write access for a single user. Note the two `Resource` ARNs: the bucket itself is needed for bucket-level calls such as listing, and `mybucket/*` for the objects in it:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteAccess",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::user-id:user/admin"},
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
```
The built-in `mc policy` presets cover the common anonymous-access cases and can be applied to a whole bucket or to a prefix:
```bash
# Read-only: anonymous download under a prefix
mc policy set download myminio/mybucket/user-prefix/
# Write-only: anonymous upload under a prefix
mc policy set upload myminio/mybucket/upload-prefix/
# Full control for anonymous users: public read and write on the whole bucket
mc policy set public myminio/mybucket/
# Private: remove anonymous access
mc policy set none myminio/mybucket/
```
8.2 Bucket Encryption
8.2.1 Encryption Types
| Type | Key management | Typical use |
|---|---|---|
| SSE-S3 | Managed by MinIO | General purpose |
| SSE-KMS | External KMS | High security requirements |
| SSE-C | Customer-managed | Compliance requirements |
8.2.2 Configuring SSE-S3
```bash
# Enable default encryption for the bucket
mc encryption set sse-s3 myminio/mybucket
# Show the encryption configuration
mc encryption info myminio/mybucket
# Remove the default encryption setting
mc encryption clear myminio/mybucket
# The same via the S3 API (PutBucketEncryption). The request must carry a
# valid AWS Signature V4; the authentication headers are omitted here for brevity.
curl -X PUT "http://localhost:9000/mybucket?encryption" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0"?>
<ServerSideEncryptionConfiguration>
  <Rule>
    <ApplyServerSideEncryptionByDefault>
      <SSEAlgorithm>AES256</SSEAlgorithm>
    </ApplyServerSideEncryptionByDefault>
  </Rule>
</ServerSideEncryptionConfiguration>'
```
8.2.3 Configuring SSE-KMS
```bash
# The KMS key is configured on the server, not per bucket. For a single static
# key (development and test only) MinIO reads it from the environment in the
# form name:base64-key; production deployments use KES with an external KMS.
export MINIO_KMS_SECRET_KEY="my-key-name:base64-encoded-key"
# Make SSE-KMS with that key the bucket default
mc encryption set sse-kms my-key-name myminio/mybucket
# Encrypt an individual upload with a specific key
mc cp --enc-kms "myminio/mybucket/=my-key-name" file.txt myminio/mybucket/
```
8.3 Bucket Replication
8.3.1 Cross-Region Replication (CRR)
Cross-region replication copies objects (and, when enabled, deletes and delete markers) from a source bucket to a target bucket on another MinIO deployment:
```text
┌──────────────────┐                       ┌──────────────────┐
│  Source Bucket   │                       │  Target Bucket   │
│  MinIO Site A    │ ──── replication ───► │  MinIO Site B    │
│  (Beijing)       │                       │  (Shanghai)      │
└──────────────────┘                       └──────────────────┘
```
8.3.2 Configuring Replication
```bash
# Replication configuration in the S3 ReplicationConfiguration format. This is
# the document MinIO stores for the bucket; `mc replicate add` below builds an
# equivalent rule from its flags, so the file is shown here for reference.
cat > replication.json << 'EOF'
{
  "Role": "arn:aws:iam::user-id:role/service-account-role",
  "Rules": [
    {
      "ID": "replicate-all",
      "Status": "Enabled",
      "Priority": 1,
      "DeleteMarkerReplication": {"Status": "Enabled"},
      "DeleteReplication": {"Status": "Enabled"},
      "Filter": {"Prefix": ""},
      "Destination": {
        "Bucket": "arn:aws:s3:::target-bucket",
        "StorageClass": "STANDARD",
        "EncryptionConfiguration": {
          "ReplicaKmsKeyID": ""
        }
      },
      "SourceSelectionCriteria": {
        "SseKmsEncryptedObjects": {
          "Status": "Enabled"
        }
      }
    }
  ]
}
EOF
# Add the replication rule. The credentials in the remote URL should belong to
# a dedicated service account limited to the target bucket, never the root
# credentials of the target deployment; they are persisted in the remote-target
# definition and, typed like this, in the shell history as well.
mc replicate add myminio/source-bucket \
  --remote-bucket http://admin:password@target-minio:9000/target-bucket \
  --replicate "delete,delete-marker"
# List replication rules
mc replicate ls myminio/source-bucket
# Show replication status
mc replicate status myminio/source-bucket
```
8.3.3 One-off Synchronisation
```bash
# Mirror one bucket into another manually. --remove deletes target objects that
# no longer exist at the source, so double-check the direction of the copy.
mc mirror --overwrite --remove \
  myminio/source-bucket/ \
  myminio/target-bucket/
# Mirror with a filter
mc mirror --overwrite \
  --exclude "*.tmp" \
  myminio/source-bucket/ \
  myminio/target-bucket/
```
8.4 Bucket Quotas
8.4.1 Setting a Quota
```bash
# Set a hard size quota (GB)
mc admin bucket quota myminio/mybucket --hard 100GB
# MinIO quotas are size-based: --hard takes a size, and a bare number such as
# 10000 is read as bytes, not as an object count
mc admin bucket quota myminio/mybucket --hard 10000
# Clear the quota
mc admin bucket quota myminio/mybucket --clear
# Show the quota
mc admin bucket quota myminio/mybucket
```
8.4.2 Quota Examples
```bash
# Different quotas for different departments
mc admin bucket quota myminio/engineering --hard 500GB
mc admin bucket quota myminio/marketing --hard 200GB
mc admin bucket quota myminio/sales --hard 100GB
```
8.5 Bucket Notifications
8.5.1 Event Types
| Event | Description |
|---|---|
| s3:ObjectCreated:* | Any object creation |
| s3:ObjectCreated:Put | PUT operation |
| s3:ObjectCreated:Post | POST operation |
| s3:ObjectCreated:Copy | COPY operation |
| s3:ObjectCreated:CompleteMultipartUpload | Multipart upload completed |
| s3:ObjectRemoved:* | Any object removal |
| s3:ObjectRemoved:Delete | DELETE operation |
8.5.2 Webhook Notifications
```bash
# Webhook targets are defined in the server configuration and referenced from
# the bucket by ARN; `mc event add` does not take the endpoint URL directly.
mc admin config set myminio notify_webhook:1 \
  endpoint="http://webhook.example.com/notify" auth_token="TOKEN"
mc admin service restart myminio
# Subscribe the bucket to the target (ARN form: arn:minio:sqs:<region>:<id>:webhook)
mc event add myminio/mybucket arn:minio:sqs::1:webhook \
  --event put,get,delete
# Show the notification configuration
mc event list myminio/mybucket
# Remove the subscription
mc event remove myminio/mybucket arn:minio:sqs::1:webhook
```
8.5.3 Full Notification Configuration
The full configuration for a webhook target. The ARN ties the bucket subscription to the server-side target, and `authToken` is the value MinIO presents to the endpoint so the receiver can reject posts from anyone else:
```json
{
  "arn": "arn:minio:sqs:us-east-1:1:webhook",
  "config": {
    "endpoint": "http://webhook.example.com/notify",
    "authToken": "Bearer TOKEN",
    "queue": [
      {
        "args": {
          "queue": [
            {
              "event": ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"]
            }
          ]
        }
      }
    ]
  }
}
```
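The receiving side is where the token matters. The following handler is an added example (not MinIO code) of what the endpoint above should do: check the `Authorization` header with a constant-time comparison before touching the body, parse the S3-style `Records` array MinIO posts, and keep only the events the bucket was subscribed to. It assumes the placeholder token `Bearer TOKEN` from the configuration above; the payload is constructed in the shape MinIO uses, with the URL-encoded object key that real events carry.

```python
"""Receiver side of the webhook target above.

Added example, not MinIO code. Assumes the target was configured with the
placeholder token "TOKEN" from the page (use a long random secret) and that
MinIO posts events in its S3-style "Records" payload.
"""
import fnmatch
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

EXPECTED_AUTH = "Bearer TOKEN"   # placeholder from the page, not a real secret

# Constructed sample payload in the shape MinIO posts to a webhook target.
SAMPLE_BODY = json.dumps({
    "EventName": "s3:ObjectCreated:Put",
    "Key": "mybucket/reports/q1.csv",
    "Records": [{
        "eventVersion": "2.0",
        "eventSource": "minio:s3",
        "eventName": "s3:ObjectCreated:Put",
        "s3": {"bucket": {"name": "mybucket"},
               "object": {"key": "reports%2Fq1.csv", "size": 1234}},
    }],
})


def authorized(headers, expected=EXPECTED_AUTH):
    """Reject posts from anyone who does not hold the shared token.
    compare_digest avoids leaking the token through timing differences."""
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def parse_records(body):
    """Return (eventName, bucket, key) tuples; object keys arrive URL-encoded."""
    data = json.loads(body)
    return [(r["eventName"], r["s3"]["bucket"]["name"], unquote(r["s3"]["object"]["key"]))
            for r in data.get("Records", [])]


def wanted(event_name, patterns):
    """Match an event name against subscription patterns such as s3:ObjectCreated:*."""
    return any(fnmatch.fnmatchcase(event_name, p) for p in patterns)


def handle(headers, body, patterns=("s3:ObjectCreated:*", "s3:ObjectRemoved:*")):
    """Return (HTTP status, accepted records). Authenticate before parsing
    untrusted JSON, and answer 400 rather than crash on malformed input."""
    if not authorized(headers):
        return 401, []
    try:
        records = parse_records(body)
    except (ValueError, KeyError, TypeError):
        return 400, []
    return 200, [rec for rec in records if wanted(rec[0], patterns)]


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, accepted = handle(self.headers, self.rfile.read(length))
        for event_name, bucket, key in accepted:
            print(f"{event_name} {bucket}/{key}")
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it, point the `endpoint` of the target at `http://127.0.0.1:8000/`, and a `mc cp` into the bucket prints one line per accepted record; a post without the right `Authorization` header gets a 401 and is never parsed.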
8.6 Bucket Tags
8.6.1 Tag Operations
```bash
# Set bucket tags; mc takes a single "key=value&key=value" string
mc tag set myminio/mybucket "env=production&team=platform"
# List bucket tags
mc tag list myminio/mybucket
# Remove the bucket's tags (they are removed as a set, not per key)
mc tag remove myminio/mybucket
# Set several tags at once
mc tag set myminio/mybucket "project=analytics&cost-center=IT&owner=admin"
```
8.7 CORS Configuration
8.7.1 CORS Rules
A CORS rule lists the browser origins allowed to call the bucket, the methods and request headers they may use, the response headers exposed to page scripts, and how long browsers may cache the preflight answer:
```json
{
  "CORSRules": [
    {
      "AllowedOrigins": ["http://example.com"],
      "AllowedMethods": ["GET", "PUT", "POST"],
      "AllowedHeaders": ["*"],
      "ExposeHeaders": ["ETag"],
      "MaxAgeSeconds": 3600
    }
  ]
}
```
8.7.2 Setting CORS
```bash
# Create the CORS configuration. Keep AllowedOrigins to the exact sites that
# need browser access; an origin of "*" would let any page talk to the bucket.
cat > cors.json << 'EOF'
{
  "CORSRules": [
    {
      "AllowedOrigins": ["http://localhost:3000", "https://app.example.com"],
      "AllowedMethods": ["GET", "PUT", "POST", "DELETE"],
      "AllowedHeaders": ["*"],
      "ExposeHeaders": ["ETag", "Content-Length"],
      "MaxAgeSeconds": 3600
    }
  ]
}
EOF
# Apply the CORS configuration
mc cors set myminio/mybucket cors.json
# Show the CORS configuration
mc cors get myminio/mybucket
# Remove the CORS configuration
mc cors rm myminio/mybucket
```
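How the fields of a rule are applied to a browser's preflight request is easier to see in code. The evaluator below is an added example, not MinIO's CORS implementation: it walks the rules in order, matches the `Origin` (exactly, or with the single `*` wildcard that S3-style CORS allows in an origin), checks the method and requested headers, and returns the response headers a compliant server would send. The rule set is constructed from the page's example plus a wildcard-subdomain rule, and it goes one step beyond the page by showing that scheme and host are part of the origin, so `https://example.com` does not match a rule written for `http://example.com`.

```python
"""Preflight evaluation against CORS rules.

Added example, not MinIO's CORS implementation. Origin patterns may contain a
single "*" (as in S3 CORS); AllowedHeaders "*" accepts any requested header.
"""
import json

# Constructed rules: the page's example plus a wildcard-subdomain rule.
SAMPLE_CORS = json.loads("""
{"CORSRules": [
  {"AllowedOrigins": ["http://example.com"],
   "AllowedMethods": ["GET", "PUT", "POST"],
   "AllowedHeaders": ["*"],
   "ExposeHeaders": ["ETag"],
   "MaxAgeSeconds": 3600},
  {"AllowedOrigins": ["https://*.example.com"],
   "AllowedMethods": ["GET"],
   "AllowedHeaders": ["content-type"],
   "ExposeHeaders": [],
   "MaxAgeSeconds": 600}
]}
""")


def origin_matches(pattern, origin):
    """S3-style origin match: exact, or one '*' wildcard anywhere in the pattern."""
    if pattern == "*":
        return True
    if "*" in pattern:
        head, _, tail = pattern.partition("*")
        return (len(origin) >= len(head) + len(tail)
                and origin.startswith(head) and origin.endswith(tail))
    return pattern == origin


def headers_allowed(rule, requested):
    """Header names are case-insensitive; "*" in AllowedHeaders accepts all."""
    allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
    return "*" in allowed or all(h.lower() in allowed for h in requested)


def preflight(config, origin, method, requested_headers=()):
    """Return the CORS response headers for an OPTIONS preflight, or None when
    no rule allows this (origin, method, headers) combination."""
    for rule in config["CORSRules"]:
        if not any(origin_matches(p, origin) for p in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        if not headers_allowed(rule, requested_headers):
            continue
        return {
            # Echo the concrete origin, not the pattern, so the grant applies
            # to this origin only; Vary tells caches the answer is per-origin.
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Access-Control-Expose-Headers": ", ".join(rule.get("ExposeHeaders", [])),
            "Access-Control-Max-Age": str(rule.get("MaxAgeSeconds", 0)),
            "Vary": "Origin",
        }
    return None


if __name__ == "__main__":
    print(preflight(SAMPLE_CORS, "http://example.com", "PUT", ["x-amz-meta-owner"]))
    print(preflight(SAMPLE_CORS, "https://example.com", "GET"))  # None: scheme differs
```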
8.8 Bucket Compression
8.8.1 Compression Configuration
```bash
# Transparent compression is a server-level setting (mc admin config), not a
# per-bucket command; it applies to matching objects in every bucket.
mc admin config set myminio compression \
  enable=on \
  extensions=".txt,.log,.json" \
  mime_types="text/*,application/json"
# Encrypted objects are not compressed unless allow_encryption=on is set;
# leave it off, because compressing before encrypting can leak information
# about the plaintext through the ciphertext size.
# Show the compression configuration
mc admin config get myminio compression
# Reset to the defaults (compression off)
mc admin config reset myminio compression
```
8.9 Bucket Auditing
8.9.1 Audit Configuration
```bash
# Enable the audit webhook. This is server-level: it records every API call on
# the deployment, not just one bucket. Use an https endpoint in production,
# since audit records contain request details.
mc admin config set myminio audit_webhook endpoint="http://audit-server:8080/audit"
# Configure the audit target with an auth token so the audit server can reject
# records that do not come from this deployment
mc admin config set myminio audit_webhook \
  endpoint="http://audit-server:8080/audit" \
  auth_token="Bearer_TOKEN"
# Restart for the change to take effect
mc admin service restart myminio
```
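Audit records are only useful if something reads them. The following detection pass is an added example (not MinIO code) of the two checks a defender would run first over what the audit webhook receives: every successful change to bucket configuration (policy, encryption, replication, notification, lifecycle), and any remote host that accumulates access-denied responses, which is what credential guessing or prefix enumeration looks like from the server side. The records are constructed and simplified to the audit log's `api` object (`name`, `bucket`, `object`, `status`, `statusCode`) plus `time` and `remotehost`.

```python
"""Detection pass over audit-webhook records.

Added example, not MinIO code. Records use the audit log's "api" object
(name, bucket, object, status, statusCode) plus "time" and "remotehost";
the sample lines are constructed and simplified.
"""
import json
from collections import Counter

# Bucket-configuration APIs whose successful calls should always be reviewed.
CONTROL_PLANE_APIS = {
    "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketEncryption", "DeleteBucketEncryption",
    "PutBucketReplication", "DeleteBucketReplication",
    "PutBucketNotification", "PutBucketLifecycle",
}

# Constructed sample records: one policy change, three denied reads from one
# external address, and one ordinary successful read.
SAMPLE_AUDIT = [json.loads(line) for line in """
{"version":"1","time":"2024-01-15T09:00:00Z","api":{"name":"PutBucketPolicy","bucket":"mybucket","status":"OK","statusCode":200},"remotehost":"10.0.0.5"}
{"version":"1","time":"2024-01-15T09:00:05Z","api":{"name":"GetObject","bucket":"mybucket","object":"secret/a.txt","status":"Forbidden","statusCode":403},"remotehost":"203.0.113.9"}
{"version":"1","time":"2024-01-15T09:00:06Z","api":{"name":"GetObject","bucket":"mybucket","object":"secret/b.txt","status":"Forbidden","statusCode":403},"remotehost":"203.0.113.9"}
{"version":"1","time":"2024-01-15T09:00:07Z","api":{"name":"GetObject","bucket":"mybucket","object":"secret/c.txt","status":"Forbidden","statusCode":403},"remotehost":"203.0.113.9"}
{"version":"1","time":"2024-01-15T09:01:00Z","api":{"name":"GetObject","bucket":"mybucket","object":"public/index.html","status":"OK","statusCode":200},"remotehost":"192.168.1.20"}
""".strip().splitlines()]


def control_plane_changes(records):
    """Every successful bucket-configuration change: (time, api, bucket, host)."""
    return [(r["time"], r["api"]["name"], r["api"].get("bucket"), r["remotehost"])
            for r in records
            if r["api"]["name"] in CONTROL_PLANE_APIS and r["api"]["statusCode"] < 300]


def denied_bursts(records, threshold=3):
    """Remote hosts with at least `threshold` 403 responses in the batch."""
    denied = Counter(r["remotehost"] for r in records if r["api"]["statusCode"] == 403)
    return {host: n for host, n in denied.items() if n >= threshold}


def detect(records, threshold=3):
    """Return one human-readable alert per finding."""
    alerts = []
    for time, api, bucket, host in control_plane_changes(records):
        alerts.append(f"{time} config change {api} on {bucket} from {host}")
    for host, n in denied_bursts(records, threshold).items():
        alerts.append(f"{n} access-denied responses from {host}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print(alert)
```

In a real deployment the batch would be a time window of records read from the audit server's store rather than an in-memory list, and the threshold tuned to the normal rate of denied requests; the structure of the checks stays the same.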
8.10 Summary
This chapter covered the advanced bucket management features of MinIO: policy configuration, encryption, replication, quotas and notifications, among others. Used well, these features are the building blocks of a secure and efficient storage service. The next chapter looks at policy management in detail.