Chapter 9: Policy Management
A deep dive into MinIO IAM policy management: user management, group management, policy creation and permission control.
Last updated: 2024-01-15
9.1 IAM Overview
9.1.1 IAM Components
IAM architecture
```text
┌─────────────────────────────────────────────────────────┐
│                       IAM Service                       │
├─────────────────────────────────────────────────────────┤
│                                                         │
│   ┌─────────┐      ┌─────────┐      ┌──────────┐        │
│   │  Users  │      │  Groups │      │ Policies │        │
│   │         │      │         │      │          │        │
│   │  user1  │◄─────│ group1  │◄─────│ policy1  │        │
│   │  user2  │      │ members │      │ resources│        │
│   │  user3  │      │         │      │ actions  │        │
│   └─────────┘      └─────────┘      └──────────┘        │
│                                                         │
└─────────────────────────────────────────────────────────┘
```
9.1.2 Policy Elements
| Element | Description | Required |
|---|---|---|
| Version | Policy language version | Yes |
| Statement | Array of permission statements | Yes |
| Sid | Statement ID | No |
| Effect | Allow or Deny | Yes |
| Action | List of operations | Yes |
| Resource | Resource ARN(s) | Yes |
| Principal | Who the statement applies to | Conditional |
| Condition | Condition expressions | No |
9.2 Policy Syntax
9.2.1 Basic Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```
9.2.2 Complete Policy Example
```json
{
  "Version": "2012-10-17",
  "Id": "custom-policy-id",
  "Statement": [
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Sid": "AllowAllObjectActions",
      "Effect": "Allow",
      "Action": "s3:*Object*",
      "Resource": "arn:aws:s3:::mybucket/*"
    },
    {
      "Sid": "DenyDeleteActions",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}
```
9.3 User Management
9.3.1 Creating Users
```bash
# Create a user (access key "newuser", secret key "password123")
mc admin user add myminio newuser password123
# Create a service account under that user (the parent user is a required argument)
mc admin user svcacct add myminio newuser --access-key key-id --secret-key secret-key
# List users
mc admin user list myminio
# Sample output
# AccessKey | Policy   | Name | Created
# ---------------------------------------------------
# admin     | attached | -    | 2024-01-01 00:00:00
# newuser   | -        | -    | 2024-01-15 10:30:00
```
9.3.2 User Permissions
```bash
# Show user details (status, attached policies, group memberships)
mc admin user info myminio newuser
# Disable a user
mc admin user disable myminio newuser
# Enable a user
mc admin user enable myminio newuser
# Rotate the user's secret key: re-running "user add" for an existing access key replaces its secret
mc admin user add myminio newuser newpassword
# Delete a user
mc admin user remove myminio newuser
```
9.3.3 Service Accounts
```bash
# Create a service account for the user "newuser" with chosen credentials
mc admin user svcacct add myminio newuser \
  --access-key svc-access-key \
  --secret-key svc-secret-key
# List the service accounts of a user
mc admin user svcacct list myminio newuser
# Permission inheritance:
# a service account inherits its parent user's permissions and can additionally carry its own inline policy
```
9.4 Group Management
9.4.1 Creating Groups
```bash
# Create a group with initial members (the users must already exist)
mc admin group add myminio developers user1 user2 user3
# Show group details
mc admin group info myminio developers
# List all groups
mc admin group list myminio
# Sample output
# Group      | Members     | Policy
# ---------------------------------------------------
# developers | user1,user2 | -
# admins     | admin       | attached
```
9.4.2 Group Operations
```bash
# Add members to a group
mc admin group add myminio developers user4 user5
# Remove a member from a group
mc admin group remove myminio developers user3
# Attach a policy to a group
mc admin policy attach myminio read-only --group developers
# View the group's policy (shown in the group details)
mc admin group info myminio developers
# Delete a group (it must have no remaining members)
mc admin group remove myminio developers
```
9.5 Policy Management
9.5.1 Creating Policies
```bash
# Create a read-only policy scoped to mybucket
cat > read-only.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
EOF
mc admin policy create myminio read-only read-only.json
# Create a read-write policy scoped to mybucket
cat > read-write.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
EOF
mc admin policy create myminio read-write read-write.json
# List policies
mc admin policy list myminio
# Show policy details
mc admin policy info myminio read-only
# Delete a policy
mc admin policy remove myminio custom-policy
```
9.5.2 Built-in Policies
```bash
# List MinIO's built-in policies
mc admin policy list myminio
# Built-in policies:
# consoleAdmin - full access to the console
# diagnostics  - access to diagnostic tools
# readonly     - read-only access
# readwrite    - read-write access
# writeonly    - write-only access
# Attach a built-in policy to a user
mc admin policy attach myminio readonly --user newuser
# Attach a built-in policy to a group
mc admin policy attach myminio writeonly --group uploaders
```
9.6 Attaching Permissions
9.6.1 Attaching to Users
```bash
# Attach a policy to a user
mc admin policy attach myminio read-only --user newuser
# Attach several policies to a user
mc admin policy attach myminio read-only --user newuser
mc admin policy attach myminio custom-policy --user newuser
# Detach a policy
mc admin policy detach myminio read-only --user newuser
```
9.6.2 Attaching to Groups
```bash
# Attach a policy to a group
mc admin policy attach myminio read-write --group developers
# Detach a policy
mc admin policy detach myminio read-write --group developers
```
9.6.3 Checking Permission Inheritance
A user's effective permissions are the union of the policies attached to the user directly and the policies attached to the user's groups. Evaluation order:
1. An explicit Deny takes precedence.
2. An explicit Allow is applied next.
3. Anything not explicitly allowed is implicitly denied.
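As an added example (not MinIO's own code), a minimal Python evaluator for this rule over constructed user and group policies: an explicit Deny wins, then an explicit Allow, otherwise the request is implicitly denied. The `*` wildcard in Action and Resource is approximated with fnmatch, which is an assumption about MinIO's matcher, not its implementation.

```python
import fnmatch

# Constructed sample: a policy attached to the user directly (read-only on mybucket).
USER_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::mybucket/*"},
    ],
}]

# Constructed sample: the policy of a group the user belongs to. It grants all
# object actions on mybucket but explicitly denies deletes on every resource.
GROUP_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*Object*",
         "Resource": "arn:aws:s3:::mybucket/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
}]

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # "*" in a policy action or ARN matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(action, resource, user_policies, group_policies):
    """True only if some statement allows the request and no statement
    denies it. The user's direct policies and group policies are evaluated
    together, since the effective permission set is their union."""
    allowed = False
    for policy in list(user_policies) + list(group_policies):
        for statement in policy.get("Statement", []):
            if not (_matches(statement["Action"], action)
                    and _matches(statement["Resource"], resource)):
                continue                     # statement does not apply
            if statement["Effect"] == "Deny":
                return False                 # explicit Deny wins immediately
            allowed = True                   # explicit Allow, unless denied later
    return allowed                           # implicit Deny by default
```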
9.7 Condition Expressions
9.7.1 Common Conditions
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.0/24"
        }
      }
    }
  ]
}
```
9.7.2 Time Conditions
```json
{
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": "*",
  "Condition": {
    "DateGreaterThan": {
      "aws:CurrentTime": "2024-01-01T00:00:00Z"
    },
    "DateLessThan": {
      "aws:CurrentTime": "2024-12-31T23:59:59Z"
    }
  }
}
```
9.7.3 Other Conditions
```json
{
  "Condition": {
    "StringEquals": {
      "s3:x-amz-server-side-encryption": "AES256"
    },
    "Bool": {
      "aws:SecureTransport": "true"
    },
    "NumericLessThanEquals": {
      "s3:max-keys": 1000
    }
  }
}
```
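As an added example (not MinIO's own code), the Condition operators from 9.7.1 to 9.7.3 evaluated in Python against a request context. The context dictionary is constructed here; a real server would fill it from the request (source IP, TLS, headers, query parameters).

```python
import ipaddress
from datetime import datetime

# Constructed condition block combining the operators shown in 9.7.1-9.7.3.
CONDITION = {
    "IpAddress": {"aws:SourceIp": "192.168.1.0/24"},
    "Bool": {"aws:SecureTransport": "true"},
    "StringEquals": {"s3:x-amz-server-side-encryption": "AES256"},
    "NumericLessThanEquals": {"s3:max-keys": 1000},
    "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
    "DateLessThan": {"aws:CurrentTime": "2024-12-31T23:59:59Z"},
}

def _ts(value):
    # Policy timestamps use a trailing "Z"; make them timezone-aware datetimes.
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))

# One predicate per operator: (expected value from the policy, actual value
# from the request context).
OPERATORS = {
    "IpAddress": lambda e, a: ipaddress.ip_address(a) in ipaddress.ip_network(e),
    "Bool": lambda e, a: str(a).lower() == str(e).lower(),
    "StringEquals": lambda e, a: str(a) == str(e),
    "NumericLessThanEquals": lambda e, a: float(a) <= float(e),
    "DateGreaterThan": lambda e, a: _ts(a) > _ts(e),
    "DateLessThan": lambda e, a: _ts(a) < _ts(e),
}

def condition_holds(condition, context):
    """All operators must hold (AND), and within one operator every key must
    hold; a key absent from the request context fails the condition, so a
    request that omits the header simply does not match the statement."""
    for operator, checks in condition.items():
        test = OPERATORS[operator]
        for key, expected in checks.items():
            if key not in context:
                return False
            # A policy may list several values for one key; any one may match (OR).
            values = expected if isinstance(expected, list) else [expected]
            if not any(test(v, context[key]) for v in values):
                return False
    return True
```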
9.8 LDAP Integration
9.8.1 Configuring LDAP
```bash
# Configure LDAP. MinIO resolves users through a read-only lookup bind account;
# the lookup bind DN and password below are placeholders to replace.
mc admin config set myminio identity_ldap \
  server_addr="ldap.example.com:636" \
  lookup_bind_dn="cn=lookup-bind,dc=example,dc=com" \
  lookup_bind_password="<LOOKUP_BIND_PASSWORD>" \
  user_dn_search_base_dn="ou=Users,dc=example,dc=com" \
  user_dn_search_filter="(uid=%s)" \
  group_search_base_dn="ou=Groups,dc=example,dc=com" \
  group_search_filter="(&(objectClass=groupOfNames)(member=%d))"
# Restart to apply
mc admin service restart myminio
```
9.8.2 LDAP Policy Mapping
```bash
# Bind a policy to an LDAP group DN: every member of that group receives the policy
mc idp ldap policy attach myminio readonly \
  --group="ou=readonly,ou=Groups,dc=example,dc=com"
```
9.9 OIDC Integration
9.9.1 Configuring OIDC
```bash
# Configure OpenID Connect. claim_name selects the token claim whose values
# MinIO matches against policy names (here the "groups" claim).
mc admin config set myminio identity_openid \
  config_url="https://your-idp/.well-known/openid-configuration" \
  client_id="your-client-id" \
  client_secret="your-client-secret" \
  claim_name="groups"
# Restart to apply
mc admin service restart myminio
```
9.10 Summary
This chapter covered MinIO IAM policy management in depth: managing users, groups and policies, and integrating with LDAP and OIDC. Well-designed IAM policies are key to keeping a MinIO deployment secure. The next chapter covers monitoring and operations.