# MinIO Admin Multi-user Quickstart Guide [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
MinIO supports multiple admin users in addition to the default operator credential created during server startup. New admins can be added after the server starts, and the server can be configured to deny or allow access to different admin operations for these users. This document explains how to add and remove admin users and modify their access rights.
## Get started
This document explains in detail how to configure admin users.
### 1. Prerequisites
- Install mc - [MinIO Client Quickstart Guide](https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart)
- Install MinIO - [MinIO Quickstart Guide](https://min.io/docs/minio/linux/index.html#quickstart-for-linux)
### 2. Create a new admin user with CreateUser, DeleteUser and ConfigUpdate permissions
Use [`mc admin policy`](https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-policy.html#command-mc.admin.policy) to create custom admin policies.
Create a new canned policy file `adminManageUser.json`. This policy enables an admin user to
manage other users.
```sh
cat > adminManageUser.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "admin:CreateUser",
        "admin:DeleteUser",
        "admin:ConfigUpdate"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
EOF
```
Create a new canned policy named `userManager` using the `adminManageUser.json` policy file.
```
mc admin policy add myminio userManager adminManageUser.json
```
Create a new admin user `admin1` on MinIO using `mc admin user`.
```
mc admin user add myminio admin1 admin123
```
Once the user is successfully created, you can apply the `userManager` policy to this user.
```
mc admin policy set myminio userManager user=admin1
```
This admin user will then be allowed to perform create/delete user operations via `mc admin user`.
### 3. Configure `mc` and create another user user1 with attached policy user1policy
```
mc alias set myminio-admin1 http://localhost:9000 admin1 admin123 --api s3v4
mc admin user add myminio-admin1 user1 user123
mc admin policy add myminio-admin1 user1policy ~/user1policy.json
mc admin policy set myminio-admin1 user1policy user=user1
```
### 4. List of permissions defined for admin operations
#### Config management permissions
- admin:ConfigUpdate
#### User management permissions
- admin:CreateUser
- admin:DeleteUser
- admin:ListUsers
- admin:EnableUser
- admin:DisableUser
- admin:GetUser
#### Service management permissions
- admin:ServerInfo
- admin:ServerUpdate
- admin:StorageInfo
- admin:DataUsageInfo
- admin:TopLocks
- admin:OBDInfo
- admin:Profiling
- admin:ServerTrace
- admin:ConsoleLog
- admin:KMSKeyStatus
- admin:KMSCreateKey
- admin:ServiceRestart
- admin:ServiceStop
- admin:Prometheus
- admin:ForceUnlock
- admin:TopLocksInfo
- admin:BandwidthMonitor
#### User/Group management permissions
- admin:AddUserToGroup
- admin:RemoveUserFromGroup
- admin:GetGroup
- admin:ListGroups
- admin:EnableGroup
- admin:DisableGroup
#### Policy management permissions
- admin:CreatePolicy
- admin:DeletePolicy
- admin:GetPolicy
- admin:AttachUserOrGroupPolicy
- admin:ListUserPolicies
#### Heal management permissions
- admin:Heal
#### Service account management permissions
- admin:CreateServiceAccount
- admin:UpdateServiceAccount
- admin:RemoveServiceAccount
- admin:ListServiceAccounts
#### Bucket quota management permissions
- admin:SetBucketQuota
- admin:GetBucketQuota
#### Bucket target management permissions
- admin:SetBucketTarget
- admin:GetBucketTarget
#### Remote tier management permissions
- admin:SetTier
- admin:ListTier
#### Give full admin permissions
- admin:*
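
Before attaching a custom admin policy, it helps to review what it actually grants. The following is an added example, not part of the MinIO documentation or code base: a small offline audit that flags wildcard actions, S3 grants that cover every bucket, and admin actions from the list above that change identities, policies or server state. The `SENSITIVE` selection and the function names are this example's own assumptions.

```python
import json

# Constructed input: the adminManageUser.json policy from step 2 of this guide.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Action": ["admin:CreateUser", "admin:DeleteUser", "admin:ConfigUpdate"],
   "Effect": "Allow", "Sid": ""},
  {"Action": ["s3:*"], "Effect": "Allow",
   "Resource": ["arn:aws:s3:::*"], "Sid": ""}
]}
""")

# Assumption: this "sensitive" set is the example's own selection from the
# section 4 list (identity, policy and server-state changes), not MinIO's.
SENSITIVE = {
    "admin:CreateUser", "admin:DeleteUser", "admin:ConfigUpdate",
    "admin:CreatePolicy", "admin:DeletePolicy", "admin:AttachUserOrGroupPolicy",
    "admin:CreateServiceAccount", "admin:UpdateServiceAccount",
    "admin:ServerUpdate", "admin:ServiceRestart", "admin:ServiceStop",
}
ALL_BUCKETS = {"*", "arn:aws:s3:::*"}


def as_list(value):
    """Policy fields may hold one item (string or object) or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy):
    """Return sorted (statement_index, finding) pairs for Allow statements."""
    findings = set()
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.add((idx, f"wildcard action {action}"))
            elif action in SENSITIVE:
                findings.add((idx, f"sensitive admin action {action}"))
        s3_scope = any(a == "*" or a.startswith("s3:") for a in actions)
        if s3_scope and ALL_BUCKETS & set(as_list(stmt.get("Resource"))):
            findings.add((idx, "S3 actions apply to every bucket"))
    return sorted(findings)


if __name__ == "__main__":
    for idx, finding in audit_policy(POLICY):
        print(f"statement {idx}: {finding}")
```

Run against the step 2 policy, the audit reports the three user and config management actions in the first statement and the unrestricted `s3:*` grant in the second, which is the part to narrow if the admin only needs to manage users.
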
### 5. Using an external IDP for admin users
Admin users can also be managed externally by an IDP by configuring an admin policy with
the special permissions listed above. Follow the [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html) to manage users with an IDP.
## Explore Further
- [MinIO Client Complete Guide](https://min.io/docs/minio/linux/reference/minio-mc.html)
- [MinIO STS Quickstart Guide](https://min.io/docs/minio/linux/developers/security-token-service.html)
- [MinIO Admin Complete Guide](https://min.io/docs/minio/linux/reference/minio-mc-admin.html)
- [The MinIO documentation website](https://min.io/docs/minio/linux/index.html)