A small collection, because reasons.
To apply these:
- Download the file.
- `mcli admin policy add MYMINIO NAME NAME.json` (replace MYMINIO with your configured instance and NAME with the filename).
- `mcli admin policy set MYMINIO NAME user=USER` (same as above, replace USER with the user you want to configure).
This grants the user in question access to ONLY the bucket that matches that user's name. For example, the user "foo" will have access ONLY to the "foo" bucket, and no others. If they run a listing, they will only see their own bucket.
This grants the user in question access to ANY bucket that matches the user's name as a prefix. For example, the user "foo" will have access to the bucket "foo" and "foobar", but not "barfoo". They will be able to list any buckets they have access to, but no others.
To apply these:
- Download the file.
- EDIT the file - replace BUCKETNAME with the name of the bucket you want to apply these to.
- `mcli policy set-json ./FILE.json MYMINIO/BUCKETNAME` (where FILE.json is the EDITED file, MYMINIO is your configured instance and BUCKETNAME is the name of the bucket you want to apply this to).
- Repeat steps 2-3 for every bucket you want to modify.
This policy is similar to ReadOnly in that it allows fetching any object in the bucket. However, it does NOT allow listing objects in that bucket. This can be useful to make a computation attack more expensive when sharing files in a federated fashion.
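Before applying an edited bucket policy, you can check whether it lets anonymous clients list the bucket. The following is an added example, not one of the policy files from this collection: both sample policies are constructed, and the function names are illustrative. It only looks at Allow statements for the `*` principal and ignores Deny statements and Conditions, so treat a hit as something to review.

```python
import json
from fnmatch import fnmatchcase

# Constructed samples (assumptions, not the page's files). BUCKETNAME is the
# placeholder the steps above tell you to replace before applying.
READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::BUCKETNAME"]},
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::BUCKETNAME/*"]}
  ]}""")
GET_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::BUCKETNAME/*"]}
  ]}""")

LIST_ACTIONS = ("s3:ListBucket", "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads")

def _as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Accepts "*", {"AWS": "*"} and {"AWS": ["*"]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_grants(policy):
    """Action patterns that Allow statements give to the '*' principal."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            patterns.update(_as_list(stmt.get("Action", [])))
    return patterns

def anonymous_can(policy, action):
    """True if an anonymous Allow pattern (wildcards included) covers action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in anonymous_grants(policy))

def listing_exposed(policy):
    """List actions an anonymous client is allowed; empty means no listing."""
    return [a for a in LIST_ACTIONS if anonymous_can(policy, a)]
```

Load your edited FILE.json with `json.load` and pass it to `listing_exposed`; wildcard grants such as `s3:*` or `s3:List*` are reported as well.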