Minio: How's bucket policy related to anonymous/authorized access?

Bucket policies provided by Minio client side are an abstracted version of the same bucket policies AWS S3 provides.

Client constructs a policy JSON based on the input string of bucket and prefix.

  • ReadOnly means - anonymous download access is allowed includes being able to list objects on the desired prefix
  • WriteOnly means - anonymous uploads are allowed includes being able to list incomplete uploads on the desired prefix
  • Read-Write - anonymous access to upload and download all objects. This also means full public access.
  • None - is default (no policy) it means that all operations need to be authenticated towards desired bucket and prefix.

A bunch of files should reside under a particular prefix can be made available for read only access. Lets say your prefix is 'my-prefix/read-only/downloads' then if you are using

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.InvalidKeyException;

import org.xmlpull.v1.XmlPullParserException;

import io.minio.MinioClient;
import io.minio.policy.PolicyType;
import io.minio.errors.MinioException;

public class SetBucketPolicy {
  /**
   * MinioClient.setBucketPolicy() example.
   */
  public static void main(String[] args)
    throws IOException, NoSuchAlgorithmException, InvalidKeyException, XmlPullParserException {
    try {
      /* play.minio.io for test and development. */
      MinioClient minioClient = new MinioClient("https://play.minio.io:9000", "Q3AM3UQ867SPQQA43P2F",
                                                "zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG");

      /* Amazon S3: */
      // MinioClient minioClient = new MinioClient("https://s3.amazonaws.com", "YOUR-ACCESSKEYID",
      //                                           "YOUR-SECRETACCESSKEY");

      minioClient.setBucketPolicy("my-bucketname", "my-prefix/read-only/downloads", PolicyType.READ_ONLY);
    } catch (MinioException e) {
      System.out.println("Error occurred: " + e);
    }
  }
}

Once your call is successful, all the objects inside 'my-prefix/read-only/downloads' are publicly readable i.e without access/secret key.


'public' is valid policy...

You can change this policy: install mc (minio client) and then:

# list default hosts after install: 
mc config host ls

# remove all hosts: mc config host rm {hostName}
mc config host rm local

# add your host: mc config host add {hostName} {url} {apiKey} {apiSecret}
mc config host add local http://127.0.0.1:9000 ClientIdASSDSD ClientSecretASASASdsasdasdasdasd

# create bucket: mc mb {host}/{bucket}
mc mb local/mybucket

# change bucket policy: mc policy {policy} {host}/{bucket}
mc policy public local/mybucket

Tags:

Minio