minio/docs/multi-user/README.md

# Minio Multi-user Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)
Minio supports multiple long term users in addition to default user created during server startup. New users can be added after server starts up, and server can be configured to deny or allow access to buckets and resources to each of these users. This document explains how to add/remove users and modify their access rights.


## Get started
In this document we will explain in detail on how to configure multiple users.

### 1. Prerequisites
- Install mc - [Minio Client Quickstart Guide](https://docs.minio.io/docs/minio-client-quickstart-guide.html)
- Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide)

### 2. Create a new user with canned policy
Use [`mc admin policies`](https://docs.minio.io/docs/minio-admin-complete-guide.html#policies) to create canned policies. Server provides a default set of canned policies namely `writeonly`, `readonly` and `readwrite` *(these policies apply to all resources on the server)*. These can be overridden by custom policies using `mc admin policies` command.

Create new canned policy file `getonly.json`. This policy enables users to download all objects under `my-bucketname`.
```json
cat > getonly.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucketname/*"
      ],
      "Sid": ""
    }
  ]
}
EOF
```

Create new canned policy by name `getonly` using `getonly.json` policy file.
```
mc admin policies add myminio getonly getonly.json
```

Create a new user `newuser` on Minio use `mc admin users`, specify `getonly` canned policy for this `newuser`.
```
mc admin users add myminio newuser newuser123 getonly
```

### 3. Disable user
Disable user `newuser`.
```
mc admin users disable myminio newuser
```

### 4. Remove user
Remove the user `newuser`.
```
mc admin users remove myminio newuser
```

### 5. Change user policy
Change the policy for user `newuser` to `putonly` canned policy.
```
mc admin users policy myminio newuser putonly
```

### 5. List all users
List all enabled and disabled users.
```
mc admin users list myminio
```

## Explore Further
- [Minio STS Quickstart Guide](https://docs.minio.io/docs/minio-sts-quickstart-guide)
- [Minio Admin Complete Guide](https://docs.minio.io/docs/minio-admin-complete-guide.html)
- [The Minio documentation website](https://docs.minio.io)
Fix multi-user doc (#6662) 6 years ago			`# Minio Multi-user Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)`
			`Minio supports multiple long term users in addition to default user created during server startup. New users can be added after server starts up, and server can be configured to deny or allow access to buckets and resources to each of these users. This document explains how to add/remove users and modify their access rights.`

Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago
			`## Get started`
			`In this document we will explain in detail on how to configure multiple users.`

			`### 1. Prerequisites`
			`- Install mc - [Minio Client Quickstart Guide](https://docs.minio.io/docs/minio-client-quickstart-guide.html)`
			`- Install Minio - [Minio Quickstart Guide](https://docs.minio.io/docs/minio-quickstart-guide)`

Fix multi-user doc (#6662) 6 years ago			`### 2. Create a new user with canned policy`
Add default canned policies (#6690) 6 years ago			Use [`mc admin policies`](https://docs.minio.io/docs/minio-admin-complete-guide.html#policies) to create canned policies. Server provides a default set of canned policies namely `writeonly`, `readonly` and `readwrite` (these policies apply to all resources on the server). These can be overridden by custom policies using `mc admin policies` command.
Fix multi-user doc (#6662) 6 years ago
			Create new canned policy file `getonly.json`. This policy enables users to download all objects under `my-bucketname`.
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			```json
Add canned policy support (#6637) This PR adds an additional API where we can create a new set of canned policies which can be used with one or many users. 6 years ago			`cat > getonly.json << EOF`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Action": [`
			`"s3:GetObject"`
			`],`
			`"Effect": "Allow",`
			`"Resource": [`
			`"arn:aws:s3:::my-bucketname/*"`
			`],`
			`"Sid": ""`
			`}`
			`]`
			`}`
Add canned policy support (#6637) This PR adds an additional API where we can create a new set of canned policies which can be used with one or many users. 6 years ago			`EOF`
Fix multi-user doc (#6662) 6 years ago			```
Add canned policy support (#6637) This PR adds an additional API where we can create a new set of canned policies which can be used with one or many users. 6 years ago
Fix multi-user doc (#6662) 6 years ago			Create new canned policy by name `getonly` using `getonly.json` policy file.
			```
Add canned policy support (#6637) This PR adds an additional API where we can create a new set of canned policies which can be used with one or many users. 6 years ago			`mc admin policies add myminio getonly getonly.json`
			```

Fix multi-user doc (#6662) 6 years ago			Create a new user `newuser` on Minio use `mc admin users`, specify `getonly` canned policy for this `newuser`.
Add canned policy support (#6637) This PR adds an additional API where we can create a new set of canned policies which can be used with one or many users. 6 years ago			```
			`mc admin users add myminio newuser newuser123 getonly`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			```

Fix a typo in multi-user doc (#6643) 6 years ago			`### 3. Disable user`
			Disable user `newuser`.
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			```
Fix a typo in multi-user doc (#6643) 6 years ago			`mc admin users disable myminio newuser`
Introduce STS client grants API and OPA policy integration (#6168) This PR introduces two new features - AWS STS compatible STS API named AssumeRoleWithClientGrants ``` POST /?Action=AssumeRoleWithClientGrants&Token=<jwt> ``` This API endpoint returns temporary access credentials, access tokens signature types supported by this API - RSA keys - ECDSA keys Fetches the required public key from the JWKS endpoints, provides them as rsa or ecdsa public keys. - External policy engine support, in this case OPA policy engine - Credentials are stored on disks 6 years ago			```

			`### 4. Remove user`
			Remove the user `newuser`.
			```
			`mc admin users remove myminio newuser`
			```
Fix a typo in multi-user doc (#6643) 6 years ago
Fix multi-user doc (#6662) 6 years ago			`### 5. Change user policy`
			Change the policy for user `newuser` to `putonly` canned policy.
			```
			`mc admin users policy myminio newuser putonly`
			```

Fix a typo in multi-user doc (#6643) 6 years ago			`### 5. List all users`
			`List all enabled and disabled users.`
			```
			`mc admin users list myminio`
			```

			`## Explore Further`
			`- [Minio STS Quickstart Guide](https://docs.minio.io/docs/minio-sts-quickstart-guide)`
			`- [Minio Admin Complete Guide](https://docs.minio.io/docs/minio-admin-complete-guide.html)`
			`- [The Minio documentation website](https://docs.minio.io)`