2020-07-24 17:38:54 -07:00
# MinIO Console
2020-04-01 18:18:57 -07:00
2021-01-19 23:41:52 -08:00
 
2020-04-06 12:07:40 -07:00
A graphical user interface for [MinIO ](https://github.com/minio/minio )
2020-04-01 18:18:57 -07:00
2023-01-12 10:36:27 -08:00
| Object Browser | Dashboard | Creating a bucket |
|------------------------------------|-------------------------------|-------------------------------|
|  |  |  |
2020-05-21 12:55:30 -07:00
2021-01-19 23:52:08 -08:00
<!-- markdown-toc start - Don't edit this section. Run M-x markdown-toc-refresh-toc -->
**Table of Contents**
- [MinIO Console ](#minio-console )
2021-02-04 23:49:07 -08:00
- [Install ](#install )
- [Binary Releases ](#binary-releases )
- [Docker ](#docker )
- [Build from source ](#build-from-source )
- [Setup ](#setup )
2021-01-19 23:52:08 -08:00
- [1. Create a user `console` using `mc` ](#1-create-a-user-console-using-mc )
- [2. Create a policy for `console` with admin access to all resources (for testing) ](#2-create-a-policy-for-console-with-admin-access-to-all-resources-for-testing )
- [3. Set the policy for the new `console` user ](#3-set-the-policy-for-the-new-console-user )
- [Start Console service: ](#start-console-service )
- [Start Console service with TLS: ](#start-console-service-with-tls )
- [Connect Console to a Minio using TLS and a self-signed certificate ](#connect-console-to-a-minio-using-tls-and-a-self-signed-certificate )
- [Contribute to console Project ](#contribute-to-console-project )
<!-- markdown-toc end -->
2021-02-04 23:49:07 -08:00
## Install
### Binary Releases
2023-01-04 13:43:13 -08:00
| OS | ARCH | Binary |
2021-02-04 23:49:07 -08:00
|:-------:|:-------:|:----------------------------------------------------------------------------------------------------:|
2023-01-04 13:43:13 -08:00
| Linux | amd64 | [linux-amd64 ](https://github.com/minio/console/releases/latest/download/console-linux-amd64 ) |
| Linux | arm64 | [linux-arm64 ](https://github.com/minio/console/releases/latest/download/console-linux-arm64 ) |
| Linux | ppc64le | [linux-ppc64le ](https://github.com/minio/console/releases/latest/download/console-linux-ppc64le ) |
| Linux | s390x | [linux-s390x ](https://github.com/minio/console/releases/latest/download/console-linux-s390x ) |
| Apple | amd64 | [darwin-amd64 ](https://github.com/minio/console/releases/latest/download/console-darwin-amd64 ) |
| Windows | amd64 | [windows-amd64 ](https://github.com/minio/console/releases/latest/download/console-windows-amd64.exe ) |
You can also verify the binary with [minisign ](https://jedisct1.github.io/minisign/ ) by downloading the
corresponding [`.minisig` ](https://github.com/minio/console/releases/latest ) signature file. Then run:
2021-02-04 23:49:07 -08:00
```
minisign -Vm console-<OS>-<ARCH> -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
```
### Docker
Pull the latest release via:
2023-01-04 13:43:13 -08:00
2021-02-04 23:49:07 -08:00
```
docker pull minio/console
```
### Build from source
2023-01-04 13:43:13 -08:00
2021-11-30 11:00:46 -08:00
> You will need a working Go environment. Therefore, please follow [How to install Go](https://golang.org/doc/install).
2023-01-04 13:43:13 -08:00
> Minimum version required is go1.19
2021-02-04 23:49:07 -08:00
```
2021-11-30 11:00:46 -08:00
go install github.com/minio/console/cmd/console@latest
2021-02-04 23:49:07 -08:00
```
## Setup
2020-04-01 18:18:57 -07:00
2020-07-26 00:34:17 -07:00
All `console` needs is a MinIO user with admin privileges and URL pointing to your MinIO deployment.
2021-01-19 23:41:52 -08:00
2020-04-01 18:18:57 -07:00
> Note: We don't recommend using MinIO's Operator Credentials
2021-02-04 23:49:07 -08:00
### 1. Create a user `console` using `mc`
2021-01-19 10:39:20 -08:00
2020-12-04 23:17:30 +01:00
```bash
2021-01-19 10:39:20 -08:00
mc admin user add myminio/
Enter Access Key: console
Enter Secret Key: xxxxxxxx
2020-04-01 18:18:57 -07:00
```
2021-02-04 23:49:07 -08:00
### 2. Create a policy for `console` with admin access to all resources (for testing)
2020-04-01 18:18:57 -07:00
2021-01-19 10:39:20 -08:00
```sh
cat > admin.json << EOF
2020-04-01 18:18:57 -07:00
{
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
"Version": "2012-10-17",
"Statement": [{
"Action": [
"admin:*"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
2020-04-01 18:18:57 -07:00
}
EOF
```
2021-01-19 10:39:20 -08:00
```sh
2023-03-27 14:30:52 -07:00
mc admin policy create myminio/ consoleAdmin admin.json
2020-04-01 18:18:57 -07:00
```
2021-01-19 10:39:20 -08:00
2021-02-04 23:49:07 -08:00
### 3. Set the policy for the new `console` user
2021-01-19 10:39:20 -08:00
```sh
2023-03-27 14:30:52 -07:00
mc admin policy attach myminio consoleAdmin --user=console
2020-04-01 18:18:57 -07:00
```
2023-01-04 13:43:13 -08:00
> NOTE: Additionally, you can create policies to limit the privileges for other `console` users, for example, if you
2023-01-12 10:36:27 -08:00
> want the user to only have access to dashboard, buckets, notifications and watch page, the policy should look like
> this:
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
2020-12-04 23:17:30 +01:00
```json
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
{
2023-01-04 13:43:13 -08:00
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"admin:ServerInfo"
],
"Effect": "Allow",
"Sid": ""
},
{
"Action": [
"s3:ListenBucketNotification",
"s3:PutBucketNotification",
"s3:GetBucketNotification",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:ListBucket",
"s3:HeadBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteBucket",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
],
"Sid": ""
}
]
ACL for mcs (#123)
This PR sets the initial version of the ACL for mcs, the idea behind
this is to start using the principle of least privileges when assigning
policies to users when creating users through mcs, currently mcsAdmin policy uses admin:*
and s3:* and by default a user with that policy will have access to everything, if want to limit
that we can create a policy with least privileges.
We need to start validating explicitly if users has acccess to an
specific endpoint based on IAM policy actions.
In this first version every endpoint (you can see it as a page to),
defines a set of well defined admin/s3 actions to work properly, ie:
```
// corresponds to /groups endpoint used by the groups page
var groupsActionSet = iampolicy.NewActionSet(
iampolicy.ListGroupsAdminAction,
iampolicy.AddUserToGroupAdminAction,
//iampolicy.GetGroupAdminAction,
iampolicy.EnableGroupAdminAction,
iampolicy.DisableGroupAdminAction,
)
// corresponds to /policies endpoint used by the policies page
var iamPoliciesActionSet = iampolicy.NewActionSet(
iampolicy.GetPolicyAdminAction,
iampolicy.DeletePolicyAdminAction,
iampolicy.CreatePolicyAdminAction,
iampolicy.AttachPolicyAdminAction,
iampolicy.ListUserPoliciesAdminAction,
)
```
With that said, for this initial version, now the sessions endpoint will
return a list of authorized pages to be render on the UI, on subsequent
prs we will add this verification of authorization via a server
middleware.
2020-05-18 18:03:06 -07:00
}
```
2021-01-19 10:39:20 -08:00
## Start Console service:
2020-04-01 18:18:57 -07:00
2021-01-19 10:39:20 -08:00
Before running console service, following environment settings must be supplied
2023-01-04 13:43:13 -08:00
2021-01-19 10:39:20 -08:00
```sh
2021-01-07 13:49:56 -06:00
# Salt to encrypt JWT payload
2020-07-26 00:34:17 -07:00
export CONSOLE_PBKDF_PASSPHRASE=SECRET
2020-04-22 23:43:17 -07:00
2021-01-19 10:39:20 -08:00
# Required to encrypt JWT payload
2020-07-26 00:34:17 -07:00
export CONSOLE_PBKDF_SALT=SECRET
2020-04-22 23:43:17 -07:00
2021-01-19 10:39:20 -08:00
# MinIO Endpoint
2020-07-26 00:34:17 -07:00
export CONSOLE_MINIO_SERVER=http://localhost:9000
2021-01-19 10:39:20 -08:00
```
Now start the console service.
2023-01-04 13:43:13 -08:00
2021-01-19 10:39:20 -08:00
```
2020-07-26 00:34:17 -07:00
./console server
2021-01-19 10:39:20 -08:00
2021-01-19 02:36:08.893735 I | 2021/01/19 02:36:08 server.go:129: Serving console at http://localhost:9090
2020-04-01 18:18:57 -07:00
```
2020-04-01 22:02:05 -07:00
2021-01-19 10:39:20 -08:00
By default `console` runs on port `9090` this can be changed with `--port` of your choice.
## Start Console service with TLS:
2020-10-29 22:26:48 -07:00
Copy your `public.crt` and `private.key` to `~/.console/certs` , then:
2021-01-19 10:39:20 -08:00
```sh
2020-10-29 22:26:48 -07:00
./console server
2021-06-18 13:59:00 +08:00
2021-01-19 02:36:08.893735 I | 2021/01/19 02:36:08 server.go:129: Serving console at http://[::]:9090
2021-01-19 02:36:08.893735 I | 2021/01/19 02:36:08 server.go:129: Serving console at https://[::]:9443
2020-10-29 22:26:48 -07:00
```
2021-01-19 10:39:20 -08:00
For advanced users, `console` has support for multiple certificates to service clients through multiple domains.
2020-10-29 22:26:48 -07:00
2021-01-19 10:39:20 -08:00
Following tree structure is expected for supporting multiple domains:
2023-01-04 13:43:13 -08:00
2021-01-19 10:39:20 -08:00
```sh
2020-10-29 22:26:48 -07:00
certs/
│
├─ public.crt
├─ private.key
│
├─ example.com/
│ │
│ ├─ public.crt
│ └─ private.key
└─ foobar.org/
│
├─ public.crt
└─ private.key
...
```
2020-07-26 00:34:17 -07:00
## Connect Console to a Minio using TLS and a self-signed certificate
2020-05-08 17:11:47 -07:00
2020-10-29 22:26:48 -07:00
Copy the MinIO `ca.crt` under `~/.console/certs/CAs` , then:
2021-02-04 23:49:07 -08:00
```sh
2020-07-26 00:34:17 -07:00
export CONSOLE_MINIO_SERVER=https://localhost:9000
./console server
2020-05-08 17:11:47 -07:00
```
2020-04-02 11:31:48 -07:00
You can verify that the apis work by doing the request on `localhost:9090/api/v1/...`
2020-04-01 18:18:57 -07:00
2020-07-26 00:34:17 -07:00
# Contribute to console Project
2023-01-04 13:43:13 -08:00
2020-07-26 00:34:17 -07:00
Please follow console [Contributor's Guide ](https://github.com/minio/console/blob/master/CONTRIBUTING.md )