github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/docs/multi-user/admin/README.md (about)

# MinIO Admin Multi-user Quickstart Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)

MinIO supports multiple admin users in addition to the default operator credential created during server startup. New admins can be added after the server starts up, and the server can be configured to deny or allow access to different admin operations for these users. This document explains how to add/remove admin users and modify their access rights.

## Get started

This document explains in detail how to configure admin users.

### 1. Prerequisites

- Install mc - [MinIO Client Quickstart Guide](https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart)
- Install MinIO - [MinIO Quickstart Guide](https://min.io/docs/minio/linux/index.html#quickstart-for-linux)

### 2. Create a new admin user with CreateUser, DeleteUser and ConfigUpdate permissions

Use [`mc admin policy`](https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-policy.html#command-mc.admin.policy) to create custom admin policies.

Create a new canned policy file `adminManageUser.json`. This policy enables an admin user to
manage other users.

```sh
cat > adminManageUser.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "admin:CreateUser",
        "admin:DeleteUser",
        "admin:ConfigUpdate"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
EOF
```

Create a new canned policy named `userManager` using the `adminManageUser.json` policy file.

```sh
mc admin policy create myminio userManager adminManageUser.json
```

Create a new admin user `admin1` on MinIO using `mc admin user`.

```sh
mc admin user add myminio admin1 admin123
```

Once the user is successfully created, you can apply the `userManager` policy to this user.

```sh
mc admin policy attach myminio userManager --user=admin1
```

This admin user will then be allowed to perform create/delete user operations via `mc admin user`.

### 3. Configure `mc` and create another user user1 with attached policy user1policy

```sh
# Register an alias that authenticates as admin1
mc alias set myminio-admin1 http://localhost:9000 admin1 admin123 --api s3v4

# Create user1, then create the user1policy policy and attach it to user1
mc admin user add myminio-admin1 user1 user123
mc admin policy create myminio-admin1 user1policy ~/user1policy.json
mc admin policy attach myminio-admin1 user1policy --user=user1
```

### 4. List of permissions defined for admin operations

#### Config management permissions

- admin:ConfigUpdate

#### User management permissions

- admin:CreateUser
- admin:DeleteUser
- admin:ListUsers
- admin:EnableUser
- admin:DisableUser
- admin:GetUser

#### Service management permissions

- admin:ServerInfo
- admin:ServerUpdate
- admin:StorageInfo
- admin:DataUsageInfo
- admin:TopLocks
- admin:OBDInfo
- admin:Profiling
- admin:ServerTrace
- admin:ConsoleLog
- admin:KMSKeyStatus
- admin:KMSCreateKey
- admin:ServiceRestart
- admin:ServiceStop
- admin:Prometheus
- admin:ForceUnlock
- admin:TopLocksInfo
- admin:BandwidthMonitor

#### User/Group management permissions

- admin:AddUserToGroup
- admin:RemoveUserFromGroup
- admin:GetGroup
- admin:ListGroups
- admin:EnableGroup
- admin:DisableGroup

#### Policy management permissions

- admin:CreatePolicy
- admin:DeletePolicy
- admin:GetPolicy
- admin:AttachUserOrGroupPolicy
- admin:ListUserPolicies

#### Heal management permissions

- admin:Heal

#### Service account management permissions

- admin:CreateServiceAccount
- admin:UpdateServiceAccount
- admin:RemoveServiceAccount
- admin:ListServiceAccounts

#### Bucket quota management permissions

- admin:SetBucketQuota
- admin:GetBucketQuota

#### Bucket target management permissions

- admin:SetBucketTarget
- admin:GetBucketTarget

#### Remote tier management permissions

- admin:SetTier
- admin:ListTier

#### Give full admin permissions

- admin:*

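An added example, not part of the MinIO documentation: a small Python check to run on a policy file before loading it with `mc admin policy`, flagging wildcard grants and `admin:` action names that do not appear in the list above. The names `audit_policy`, `DOCUMENTED`, `GUIDE_POLICY` and `MONITOR_POLICY` are chosen here; the action list is copied from this guide and is assumed, not guaranteed, to match your server release.

```python
import json

# Admin actions listed in section 4 of this guide, without the "admin:" prefix.
DOCUMENTED = set("""
ConfigUpdate CreateUser DeleteUser ListUsers EnableUser DisableUser GetUser
ServerInfo ServerUpdate StorageInfo DataUsageInfo TopLocks OBDInfo Profiling
ServerTrace ConsoleLog KMSKeyStatus KMSCreateKey ServiceRestart ServiceStop
Prometheus ForceUnlock TopLocksInfo BandwidthMonitor AddUserToGroup GetGroup
RemoveUserFromGroup ListGroups EnableGroup DisableGroup CreatePolicy Heal
DeletePolicy GetPolicy AttachUserOrGroupPolicy ListUserPolicies SetTier ListTier
CreateServiceAccount UpdateServiceAccount RemoveServiceAccount SetBucketQuota
ListServiceAccounts GetBucketQuota SetBucketTarget GetBucketTarget
""".split())

def as_list(value):
    """Policy fields may hold one item or a list of items."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_policy(policy_json):
    """Return (statement index, finding) pairs for risky or unknown Allow grants."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        resources = as_list(stmt.get("Resource"))
        for action in as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if "*" in action:
                scope = " on every bucket" if "arn:aws:s3:::*" in resources else ""
                findings.append((idx, f"wildcard grant {action}{scope}"))
            elif service == "admin" and name not in DOCUMENTED:
                findings.append((idx, f"{action!r} is not in this guide's list"))
    return findings

# The guide's adminManageUser.json, reproduced as sample input.
GUIDE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Action": ["admin:CreateUser", "admin:DeleteUser", "admin:ConfigUpdate"],
   "Effect": "Allow", "Sid": ""},
  {"Action": ["s3:*"], "Effect": "Allow", "Resource": ["arn:aws:s3:::*"], "Sid": ""}]}"""

# Constructed sample: a monitoring role with one mistyped action name.
MONITOR_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Action": ["admin:ServerInfo", "admin:Prometheus", "admin:Profilng"],
   "Effect": "Allow"}]}"""

if __name__ == "__main__":
    for text in (GUIDE_POLICY, MONITOR_POLICY):
        print(audit_policy(text))
```

Run against the guide's `adminManageUser.json`, the check reports the second statement: besides the three user-management actions, that policy allows `s3:*` on every bucket, so drop or narrow that statement if the role should only manage users.
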
### 5. Using an external IDP for admin users

Admin users can also be managed externally by an IDP by configuring an admin policy with
the special permissions listed above. Follow the [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html) to manage users with an IDP.

## Explore Further

- [MinIO Client Complete Guide](https://min.io/docs/minio/linux/reference/minio-mc.html)
- [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html)
- [MinIO Admin Complete Guide](https://min.io/docs/minio/linux/reference/minio-mc-admin.html)
- [The MinIO documentation website](https://min.io/docs/minio/linux/index.html)