# MinIO Console

A graphical user interface for [MinIO](https://github.com/minio/minio)

| Dashboard | Creating a bucket |
| ------------- | ------------- |
|  |  |

## Setup

All `console` needs is a MinIO user with admin privileges and a URL pointing to your MinIO deployment.

> Note: We don't recommend using MinIO's Operator Credentials

1. Create a user for `console` using `mc`.

```bash
$ set +o history
$ mc admin user add myminio console YOURCONSOLESECRET
$ set -o history
```

2. Create a policy for `console` with access to everything (for testing and debugging)

```bash
$ cat > consoleAdmin.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [{
      "Action": [
        "admin:*"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
EOF
$ mc admin policy add myminio consoleAdmin consoleAdmin.json
```

3. Set the policy for the new `console` user

```bash
$ mc admin policy set myminio consoleAdmin user=console
```

ACL for mcs (#123)

This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if we want to limit
that we can create a policy with least privileges.

We need to start validating explicitly if users have access to a
specific endpoint based on IAM policy actions.

In this first version every endpoint (you can see it as a page too),
defines a set of well defined admin/s3 actions to work properly, i.e.:

```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
	iampolicy.ListGroupsAdminAction,
	iampolicy.AddUserToGroupAdminAction,
	//iampolicy.GetGroupAdminAction,
	iampolicy.EnableGroupAdminAction,
	iampolicy.DisableGroupAdminAction,
)

// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
	iampolicy.GetPolicyAdminAction,
	iampolicy.DeletePolicyAdminAction,
	iampolicy.CreatePolicyAdminAction,
	iampolicy.AttachPolicyAdminAction,
	iampolicy.ListUserPoliciesAdminAction,
)
```

With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be rendered on the UI, on subsequent
PRs we will add this verification of authorization via a server
middleware.

### Note

Additionally, you can create policies to limit the privileges for `console` users. For example, if you want the user to only have access to the dashboard, buckets, notifications and watch pages, the policy should look like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
      "Action": [
        "admin:ServerInfo"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:ListenBucketNotification",
        "s3:PutBucketNotification",
        "s3:GetBucketNotification",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucket",
        "s3:HeadBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
```
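
The page-level check that the ACL note describes, written out as an added example that is not Console's own code: a page is authorized only when the policy grants its whole action set, wildcards such as `admin:*` match as globs, and an explicit `Deny` wins. The action strings are assumed spellings of the `iampolicy` constants, the `/dashboard` row is inferred from the restricted policy above, and `AuthorizedPages` is a hypothetical name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

type statement struct{ Effect string; Action []string }

// Constructed table; action strings are assumed spellings of the iampolicy constants.
var pages = []struct{ path string; actions []string }{
	{"/dashboard", []string{"admin:ServerInfo"}}, // assumed mapping
	{"/groups", []string{"admin:ListGroups", "admin:AddUserToGroup", "admin:EnableGroup", "admin:DisableGroup"}},
	{"/policies", []string{"admin:GetPolicy", "admin:DeletePolicy", "admin:CreatePolicy", "admin:AttachUserOrGroupPolicy", "admin:ListUserPolicies"}},
}

// allowed: an explicit Deny wins, otherwise any matching Allow grants the action.
func allowed(stmts []statement, action string) (granted bool) {
	for _, s := range stmts {
		for _, pattern := range s.Action {
			if ok, _ := path.Match(pattern, action); ok && s.Effect == "Deny" {
				return false
			} else if ok && s.Effect == "Allow" {
				granted = true
			}
		}
	}
	return granted
}

// AuthorizedPages lists the pages whose whole action set the policy grants.
func AuthorizedPages(policyJSON string) (out []string, err error) {
	var doc struct{ Statement []statement }
	if err = json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return nil, err
	}
	for _, p := range pages {
		ok := true
		for _, a := range p.actions {
			ok = ok && allowed(doc.Statement, a)
		}
		if ok {
			out = append(out, p.path)
		}
	}
	return out, nil
}

func main() { fmt.Println(AuthorizedPages(`{"Statement":[{"Effect":"Allow","Action":["admin:*"]}]}`)) }
```
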

## Run Console server

To run the server:

```bash
# required to encrypt JWT payload
export CONSOLE_PBKDF_PASSPHRASE=SECRET

# required to encrypt JWT payload
export CONSOLE_PBKDF_SALT=SECRET

export CONSOLE_ACCESS_KEY=console
export CONSOLE_SECRET_KEY=YOURCONSOLESECRET
export CONSOLE_MINIO_SERVER=http://localhost:9000
./console server
```

## Run Console with TLS enabled

Copy your `public.crt` and `private.key` to `~/.console/certs`, then:

```bash
./console server
```

Additionally, `Console` supports multiple certificates; clients can request them using `SNI`. It expects the following structure:

```bash
certs/
 │
 ├─ public.crt
 ├─ private.key
 │
 ├─ example.com/
 │   │
 │   ├─ public.crt
 │   └─ private.key
 └─ foobar.org/
    │
    ├─ public.crt
    └─ private.key
 ...
```
Therefore, we read all filenames in the cert directory and check
for each directory whether it contains a public.crt and private.key.
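
A pre-flight check for the layout above, as an added example (not Console's own code): it lists which names have a complete `public.crt`/`private.key` pair and which directories are missing one of the two. `ScanCerts` is a hypothetical helper; `.` stands for the top-level default pair, and skipping `CAs` assumes that directory holds only CA certificates, as in the self-signed setup on this page.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// exists reports whether name is a regular file inside dir.
func exists(dir, name string) bool {
	info, err := os.Stat(filepath.Join(dir, name))
	return err == nil && info.Mode().IsRegular()
}

// ScanCerts returns the names that have both public.crt and private.key
// ("." is the top-level default pair) and the directories where one of the
// two files is missing. A top level with neither file is not reported.
func ScanCerts(root string) (complete, incomplete []string, err error) {
	entries, err := os.ReadDir(root) // sorted by name
	if err != nil {
		return nil, nil, err
	}
	dirs := []string{"."} // check the top-level pair first
	for _, e := range entries {
		if e.IsDir() && e.Name() != "CAs" { // assumption: CAs holds trust anchors only
			dirs = append(dirs, e.Name())
		}
	}
	for _, name := range dirs {
		dir := filepath.Join(root, name)
		hasCert, hasKey := exists(dir, "public.crt"), exists(dir, "private.key")
		switch {
		case hasCert && hasKey:
			complete = append(complete, name)
		case hasCert || hasKey || name != ".":
			incomplete = append(incomplete, name)
		}
	}
	return complete, incomplete, nil
}

func main() {
	home, _ := os.UserHomeDir()
	fmt.Println(ScanCerts(filepath.Join(home, ".console", "certs")))
}
```
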

## Connect Console to a MinIO using TLS and a self-signed certificate

Copy the MinIO `ca.crt` under `~/.console/certs/CAs`, then:

```
export CONSOLE_MINIO_SERVER=https://localhost:9000
./console server
```

You can verify that the APIs work by making a request to `localhost:9090/api/v1/...`

# Contribute to console Project

Please follow the console [Contributor's Guide](https://github.com/minio/console/blob/master/CONTRIBUTING.md)