Update replication docs (#11279)

docs/bucket/replication/README.md

@@ -22,16 +22,25 @@ Role ARN = 'arn:minio:replication:us-east-1:c5be6b16-769d-432a-9ef1-4567081f3566
 
 >  The user running the above command needs *s3:GetReplicationConfiguration* and *s3:GetBucketVersioning* permission on the source cluster. We do not recommend running root credentials/super admin with replication, instead create a dedicated user. The access credentials used at the destination requires *s3:ReplicateObject* permission.
 
-The *source* bucket should have following minimal permission policy:
+The following minimal permission policy is needed by admin user setting up replication on the `source`:
 ```
 {
  "Version": "2012-10-17",
  "Statement": [
+  {
+    "Action": [
+        "admin:SetBucketTarget",
+        "admin:GetBucketTarget"
+    ],
+    "Effect": "Allow",
+    "Sid": ""
+  },
   {
    "Effect": "Allow",
    "Action": [
     "s3:GetReplicationConfiguration",
     "s3:ListBucket",
+    "s3:ListBucketMultipartUploads",
     "s3:GetBucketLocation",
     "s3:GetBucketVersioning"
    ],
@@ -50,7 +59,12 @@ The access key provided for the replication *target* cluster should have these m
   {
    "Effect": "Allow",
    "Action": [
-    "s3:GetBucketVersioning"
+    "s3:GetReplicationConfiguration",
+    "s3:ListBucket",
+    "s3:ListBucketMultipartUploads",
+    "s3:GetBucketLocation",
+    "s3:GetBucketVersioning",
+    "s3:GetBucketObjectLockConfiguration"
    ],
    "Resource": [
     "arn:aws:s3:::destbucket"
@@ -59,12 +73,16 @@ The access key provided for the replication *target* cluster should have these m
   {
    "Effect": "Allow",
    "Action": [
+    "s3:GetReplicationConfiguration",
     "s3:ReplicateTags",
+    "s3:AbortMultipartUpload",
     "s3:GetObject",
     "s3:GetObjectVersion",
     "s3:GetObjectVersionTagging",
     "s3:PutObject",
-    "s3:ReplicateObject"
+    "s3:DeleteObject",
+    "s3:ReplicateObject",
+    "s3:ReplicateDelete"
    ],
    "Resource": [
     "arn:aws:s3:::destbucket/*"
@@ -72,8 +90,10 @@ The access key provided for the replication *target* cluster should have these m
   }
  ]
 }
-
 ```
+Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like
+"s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup.sh)
+
 Once successfully created and authorized, the `mc admin bucket remote add` command generates a replication target ARN.  This command lists all the currently authorized replication targets:
 ```
 mc admin bucket remote ls myminio/srcbucket --service "replication"

docs/bucket/replication/setup_replication.sh

@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# create buckets with versioning enabled
+mc mb source/bucket --l    # --l flag enables object locking.If not needed, uncomment the 'mc version enable' commands
+mc mb dest/bucket  --l 
+#mc version enable source/bucket
+#mc version enable dest/bucket
+
+#### Create a replication admin on source alias
+# create a replication admin user : repladmin
+mc admin user add source repladmin repladmin123
+
+# create a replication policy for repladmin
+cat > repladmin-policy-source.json <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+    {
+        "Action": [
+            "admin:SetBucketTarget",
+            "admin:GetBucketTarget"
+        ],
+        "Effect": "Allow",
+        "Sid": ""
+     }, 
+     {
+      "Effect": "Allow",
+      "Action": [
+       "s3:GetReplicationConfiguration",
+       "s3:ListBucket",
+       "s3:ListBucketMultipartUploads",
+       "s3:GetBucketLocation",
+       "s3:GetBucketVersioning"
+      ],
+      "Resource": [
+       "arn:aws:s3:::bucket"
+      ]
+     }
+    ]
+   }
+EOF
+mc admin policy add source repladmin-policy ./repladmin-policy-source.json
+cat ./repladmin-policy-source.json
+
+#assign this replication policy to repladmin
+mc admin policy set source repladmin-policy user=repladmin
+
+### on dest alias
+# Create a replication user : repluser on dest alias
+mc admin user add dest repluser repluser123
+
+# create a replication policy for repluser
+# Remove "s3:GetBucketObjectLockConfiguration" if object locking is not enabled, i.e. bucket was not created with `mc mb --with-lock` option
+# Remove "s3:ReplicateDelete" if delete marker replication is not required
+cat > replpolicy.json <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+   "Effect": "Allow",
+   "Action": [
+    "s3:GetReplicationConfiguration",
+    "s3:ListBucket",
+    "s3:ListBucketMultipartUploads",
+    "s3:GetBucketLocation",
+    "s3:GetBucketVersioning",
+    "s3:GetBucketObjectLockConfiguration"
+   ],
+   "Resource": [
+    "arn:aws:s3:::bucket"
+   ]
+  },
+  {
+   "Effect": "Allow",
+   "Action": [
+    "s3:GetReplicationConfiguration",
+    "s3:ReplicateTags",
+    "s3:AbortMultipartUpload",
+    "s3:GetObject",
+    "s3:GetObjectVersion",
+    "s3:GetObjectVersionTagging",
+    "s3:PutObject",
+    "s3:DeleteObject",
+    "s3:ReplicateObject",
+    "s3:ReplicateDelete"
+   ],
+   "Resource": [
+    "arn:aws:s3:::bucket/*"
+   ]
+  }
+ ]
+}
+EOF
+mc admin policy add dest replpolicy ./replpolicy.json
+cat ./replpolicy.json
+
+#assign this replication policy to repluser
+mc admin policy set dest replpolicy user=repluser
+
+# define remote target for replication from source/bucket -> dest/bucket
+mc admin bucket remote add repladminAlias/bucket http://repluser:repluser123@localhost:9000/bucket --service replication --region us-east-1
+
+echo "Now, use this ARN to add replication rules using 'mc replicate add' command"
+# use arn returned by above command to create a replication policy on the source/bucket with `mc replicate add`
+#mc replicate add source/bucket --priority 1 --remote-bucket bucket --arn arn:minio:replication:us-east-1:21fb52f5857473e2dbdcf62dcac21240861caf0f8301c3d26aad4de7677869c7:bucket --replicate delete-marker,delete