Minio8.x version setting policy bucket policy
2022-07-27 05:46:00 【Code world of super Duoduo and Liu baobao】
Preface
MinIO is a file storage server that implements the Amazon S3 protocol, so it offers fairly fine-grained permission control for file management. It is also simple to deploy, supports large-scale storage, and uploads and downloads quickly; a distributed deployment adds erasure coding to protect against file loss. This article is mainly about implementing MinIO bucket policies.
1. policy
The way policies are set in MinIO 8.0 differs noticeably from earlier versions.
1) 7.0 implementation
```java
import io.minio.MinioClient;
import io.minio.errors.MinioException;
import io.minio.policy.PolicyType;
import org.xmlpull.v1.XmlPullParserException;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

public class SetBucketPolicy {
    public static void main(String[] args)
            throws IOException, NoSuchAlgorithmException, InvalidKeyException, XmlPullParserException {
        try {
            // Create the client (7.x constructor form)
            MinioClient minioClient = new MinioClient("<endpoint>", "<access key>", "<secret key>");
            // To cover the whole bucket, pass "*" as the prefix;
            // to cover one folder, pass "prefix/path"
            minioClient.setBucketPolicy("<bucket name>", "<prefix/path>", PolicyType.READ_ONLY);
        } catch (MinioException e) {
            System.out.println("Error occurred: " + e);
        }
    }
}
```
PolicyType provides several constants, such as read-only, write-only and read-write, and the second parameter (the prefix) conveniently sets the policy for a folder under the bucket.
**But** from 8.0 onward the official method is awkward: you have to pass an S3 policy as a JSON-format string. I do not see the point of this change (perhaps it is to stay in line with the server protocols of the other large vendors).
2) Setting the bucket policy in 8.0 and later
```java
import io.minio.MinioClient;
import io.minio.SetBucketPolicyArgs;
import io.minio.errors.ErrorResponseException;
import io.minio.errors.InsufficientDataException;
import io.minio.errors.InternalException;
import io.minio.errors.InvalidResponseException;
import io.minio.errors.ServerException;
import io.minio.errors.XmlParserException;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

public class SetBucketPolicy {
    public static void main(String[] args) {
        // Create the client (8.x builder form; the old constructors are gone)
        MinioClient minioClient = MinioClient.builder()
                .endpoint("<endpoint>")
                .credentials("<access key>", "<secret key>")
                .build();
        String bucketName = "my-bucketname";
        try {
            // The policy is passed as an S3 policy document in JSON
            String config = "{\n" +
                    "  \"Statement\": [\n" +
                    "    {\n" +
                    "      \"Action\": [\n" +
                    "        \"s3:GetBucketLocation\",\n" +
                    "        \"s3:ListBucket\"\n" +
                    "      ],\n" +
                    "      \"Effect\": \"Allow\",\n" +
                    "      \"Principal\": \"*\",\n" +
                    "      \"Resource\": \"arn:aws:s3:::my-bucketname\"\n" +
                    "    },\n" +
                    "    {\n" +
                    "      \"Action\": \"s3:GetObject\",\n" +
                    "      \"Effect\": \"Allow\",\n" +
                    "      \"Principal\": \"*\",\n" +
                    "      \"Resource\": \"arn:aws:s3:::my-bucketname/myobject*\"\n" +
                    "    }\n" +
                    "  ],\n" +
                    "  \"Version\": \"2012-10-17\"\n" +
                    "}";
            minioClient.setBucketPolicy(
                    SetBucketPolicyArgs.builder().bucket(bucketName).config(config).build());
        } catch (ErrorResponseException | InsufficientDataException
                | InternalException | InvalidKeyException
                | InvalidResponseException | IOException
                | NoSuchAlgorithmException | ServerException
                | XmlParserException e) {
            System.err.println("[seed] [minio] failed to set the policy of bucket " + bucketName + ": " + e);
        }
    }
}
```
2. policy: understanding the JSON string
1. What policy does a newly created bucket have?
First, look at the page provided by the MinIO management console.
In the IAM Policies column there are several bucket policies. These are more like policies granted to other users of the MinIO platform: if you have created other administrator accounts on MinIO with mc or some other method, the permissions of those accounts come from the policies assigned to them, and of course you can create any other policy you want and assign it to users. The Principal field is the user scope. Alternatively, put users into groups and attach the policy to the group. The effect is that a user (or group) logging into the console sees only the buckets in its policy, and only the bucket operations it allows.
**But** when operating buckets from Java, we only create a MinioClient like the one below for file operations; no other user is needed, just the account and password, and the basic operations work. So how do we manage read and write permissions for buckets from Java?
```java
// Create the client
MinioClient minioClient = new MinioClient("<endpoint>", "<access key>", "<secret key>");
```
If you create a bucket from code and then read its policy back, the policy JSON string is empty: the management console shows the policy as private, and the bucket cannot be accessed directly from a browser.
2. Setting bucket rules
As said above, either you are the administrator, or you create a user client and call the interface. If you have a policy that grants access to the bucket, you can get the files you want; if not, by default you can only call through a MinioClient object using the super administrator account. So is there a way for someone who is neither the super administrator nor an administrator, or an administrator without the permission, to read the files in the bucket or operate on it? **Yes!** By setting the bucket's access rules.
1) Change the access policy of the bucket in the summary panel to public; files can then be accessed through ip:port/bucketname.
2) Access rules can be read-only, write-only or read-write. They can match a prefix, i.e. a folder under the bucket, so access rules can be specified per folder.
3. Doing it from Java code
1) Setting the bucket to public
Just set all permissions and targets to *. Following the official approach, I manually set the new bucket to public and then fetched the policy JSON string from code:
```java
String s = "{\"Version\":\"2012-10-17\"," +
        "\"Statement\":[{\"Effect\":\"Allow\"," +
        "\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:ListBucketMultipartUploads\",\"s3:GetBucketLocation\",\"s3:ListBucket\"]," +
        "\"Resource\":[\"arn:aws:s3:::new\"]}," +
        "{\"Effect\":\"Allow\"," +
        "\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:ListMultipartUploadParts\",\"s3:PutObject\",\"s3:AbortMultipartUpload\",\"s3:DeleteObject\",\"s3:GetObject\"]," +
        "\"Resource\":[\"arn:aws:s3:::new/*\"]}]}";
```
Explanation:
The first object in Statement is more like administrator permissions: ListBucketMultipartUploads for multipart uploads, GetBucketLocation to get the bucket's location, ListBucket to list the files in the bucket, with Resource being the bucket itself.
The second object is more like the access rule of the bucket:
Principal * means everyone (anonymous requests included), and the Actions grant create, delete, modify and read on everything under the bucket new.
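Because a Principal of * in an Allow statement is exactly what makes a bucket reachable without credentials, it is worth being able to list which buckets and prefixes are in that state. The following is an added example, not code from the original post: it reads every bucket's policy back with getBucketPolicy, parses it and reports each anonymous Allow statement with its resources and actions. It assumes Jackson (com.fasterxml.jackson.databind) on the classpath; the endpoint and credentials are placeholders.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.minio.GetBucketPolicyArgs;
import io.minio.MinioClient;
import io.minio.messages.Bucket;

import java.util.ArrayList;
import java.util.List;

// Added example (not from the original post): report the statements of each bucket policy
// whose Principal is "*", i.e. the resources and actions open to anonymous callers.
public class AnonymousPolicyAudit {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** True when the Principal element grants to everyone: "*", {"AWS": "*"} or {"AWS": ["*"]}. */
    static boolean isAnonymousPrincipal(JsonNode principal) {
        if (principal == null || principal.isMissingNode()) return false;
        if (principal.isTextual()) return "*".equals(principal.asText());
        JsonNode aws = principal.get("AWS");
        if (aws == null) return false;
        if (aws.isTextual()) return "*".equals(aws.asText());
        for (JsonNode n : aws) if ("*".equals(n.asText())) return true;
        return false;
    }

    /** Collect the values of a node that may be a single string or an array of strings. */
    static List<String> asList(JsonNode node) {
        List<String> out = new ArrayList<>();
        if (node == null) return out;
        if (node.isTextual()) out.add(node.asText());
        else for (JsonNode n : node) out.add(n.asText());
        return out;
    }

    /** One line per anonymous Allow statement: "<resources> : <actions>". An empty policy (private bucket) yields none. */
    static List<String> anonymousGrants(String policyJson) throws Exception {
        List<String> findings = new ArrayList<>();
        if (policyJson == null || policyJson.trim().isEmpty()) return findings;
        JsonNode root = MAPPER.readTree(policyJson);
        for (JsonNode st : root.path("Statement")) {
            if (!"Allow".equals(st.path("Effect").asText())) continue;
            if (!isAnonymousPrincipal(st.get("Principal"))) continue;
            findings.add(asList(st.get("Resource")) + " : " + asList(st.get("Action")));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        MinioClient client = MinioClient.builder()
                .endpoint("http://minio.example:9000")   // placeholder
                .credentials("ACCESS_KEY", "SECRET_KEY")   // placeholders
                .build();
        for (Bucket b : client.listBuckets()) {
            // getBucketPolicy returns an empty string when no policy is set
            String policy = client.getBucketPolicy(GetBucketPolicyArgs.builder().bucket(b.name()).build());
            List<String> grants = anonymousGrants(policy);
            System.out.println(b.name() + (grants.isEmpty() ? ": private" : ": anonymous access"));
            for (String g : grants) System.out.println("    " + g);
        }
    }
}
```

Run against the public bucket from the post, the output lists arn:aws:s3:::new with the three bucket-level actions and arn:aws:s3:::new/* with the five object actions; a freshly created bucket prints "private" because its policy string is empty.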
2) Permission settings for folders inside a bucket
In real business, the user's id is often used as that user's bucket on the file server, and all of the user's files are stored in that bucket. The user may want to publish some files and keep others private.
Manually create several folders under the new bucket, change the folder permissions manually, and then fetch the JSON string to analyse it.
Create four sub folders, manchao, 2, 3 and tokyo-hot; the rules are set as shown in the figure.
Fetch the bucket policy file:
```java
String h = "{\"Version\":\"2012-10-17\"," +
        "\"Statement\":" +
        "[{\"Effect\":\"Allow\"," +
        "\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:GetBucketLocation\",\"s3:ListBucketMultipartUploads\"]," +
        "\"Resource\":[\"arn:aws:s3:::pic\"]}," +
        // Conditional statement: ListBucket only for the named prefixes
        "{\"Effect\":\"Allow\"," +
        "\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:ListBucket\"]," +
        "\"Resource\":[\"arn:aws:s3:::pic\"]," +
        "\"Condition\":{\"StringEquals\":{\"s3:prefix\":[\"3/manchao\",\"manchao\",\"2\"]}}}," +
        // read-write rule
        "{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:ListMultipartUploadParts\"," +
        "\"s3:PutObject\",\"s3:AbortMultipartUpload\",\"s3:DeleteObject\",\"s3:GetObject\"]," +
        "\"Resource\":[\"arn:aws:s3:::pic/manchao*\"]}," +
        // read-only rule
        "{\"Effect\":\"Allow\"," +
        "\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:GetObject\"]," +
        "\"Resource\":[\"arn:aws:s3:::pic/2*\",\"arn:aws:s3:::pic/3/manchao*\"]}," +
        // write-only rule
        "{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"*\"]}," +
        "\"Action\":[\"s3:AbortMultipartUpload\",\"s3:DeleteObject\",\"s3:ListMultipartUploadParts\",\"s3:PutObject\"]," +
        "\"Resource\":[\"arn:aws:s3:::pic/tokyo-hot*\"]}]}";
```
You can see a conditional statement: the s3:prefix condition restricts ListBucket so that only the readable and read-write folders under the pic bucket can be listed.
Read, write and read-write are three objects in the Statement array, corresponding to three rules; each rule has different action and resource values, and multiple paths and permissions are separated by commas.
4. Does prefix match strictly?
Above, I created the folders manchao and 3, and under 3 I created another manchao. With a rule that makes prefix manchao readable, can the files under 3/manchao be accessed? The answer is no.
prefix is really a file (or folder) name and is matched strictly against the folder path.
5. Setting the bucket policy from Java code
Just pass the JSON string into the method. For convenience, extract the read-only, write-only and read-write actions into templates for string replacement and substitute the path in resource.
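Rather than patching a captured JSON string by search-and-replace, the policy can be generated from a list of per-prefix rules. The following is an added example, not code from the original post or the MinIO project: it emits the same statement shapes the console produced above (a bucket-level statement, one ListBucket statement conditioned on the exact prefixes, and one object statement per prefix with the read-only, write-only or read-write action set), applies the result with setBucketPolicy and reads it back. It also answers section 4 in code: ListBucket is granted for "manchao" and "3/manchao" as separate exact prefixes, and the object rule for "manchao*" never covers "3/manchao". The endpoint and credentials are placeholders, and the name check that rejects characters outside [A-Za-z0-9._/-] is my own choice to keep the hand-built JSON and ARNs well-formed.

```java
import io.minio.GetBucketPolicyArgs;
import io.minio.MinioClient;
import io.minio.SetBucketPolicyArgs;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not from the original post): build the bucket policy from per-prefix rules.
public class PrefixPolicyBuilder {

    // Names must not be able to break out of the JSON string literal or the ARN.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._/-]+");

    private static final String READ_ACTIONS = "\"s3:GetObject\"";
    private static final String WRITE_ACTIONS =
            "\"s3:PutObject\",\"s3:DeleteObject\",\"s3:AbortMultipartUpload\",\"s3:ListMultipartUploadParts\"";

    private final String bucket;
    private final List<String> listPrefixes = new ArrayList<>();     // prefixes allowed for s3:ListBucket
    private final List<String> objectStatements = new ArrayList<>(); // one statement per prefix

    PrefixPolicyBuilder(String bucket) {
        this.bucket = check(bucket);
    }

    private static String check(String s) {
        if (!SAFE.matcher(s).matches()) throw new IllegalArgumentException("unsafe name: " + s);
        return s;
    }

    private PrefixPolicyBuilder add(String prefix, String actions, boolean listable) {
        check(prefix);
        if (listable) listPrefixes.add(prefix);
        objectStatements.add("{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"*\"]},"
                + "\"Action\":[" + actions + "],"
                + "\"Resource\":[\"arn:aws:s3:::" + bucket + "/" + prefix + "*\"]}");
        return this;
    }

    PrefixPolicyBuilder readOnly(String prefix)  { return add(prefix, READ_ACTIONS, true); }
    PrefixPolicyBuilder writeOnly(String prefix) { return add(prefix, WRITE_ACTIONS, false); }
    PrefixPolicyBuilder readWrite(String prefix) { return add(prefix, READ_ACTIONS + "," + WRITE_ACTIONS, true); }

    String build() {
        List<String> statements = new ArrayList<>();
        statements.add("{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"*\"]},"
                + "\"Action\":[\"s3:GetBucketLocation\",\"s3:ListBucketMultipartUploads\"],"
                + "\"Resource\":[\"arn:aws:s3:::" + bucket + "\"]}");
        if (!listPrefixes.isEmpty()) {
            // StringEquals on s3:prefix: "manchao" does not cover "3/manchao", it must be listed itself
            List<String> quoted = new ArrayList<>();
            for (String p : listPrefixes) quoted.add("\"" + p + "\"");
            statements.add("{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"*\"]},"
                    + "\"Action\":[\"s3:ListBucket\"],"
                    + "\"Resource\":[\"arn:aws:s3:::" + bucket + "\"],"
                    + "\"Condition\":{\"StringEquals\":{\"s3:prefix\":[" + String.join(",", quoted) + "]}}}");
        }
        statements.addAll(objectStatements);
        return "{\"Version\":\"2012-10-17\",\"Statement\":[" + String.join(",", statements) + "]}";
    }

    public static void main(String[] args) throws Exception {
        // The same four folders as in the post: manchao read-write, 2 and 3/manchao read-only, tokyo-hot write-only
        String policy = new PrefixPolicyBuilder("pic")
                .readWrite("manchao")
                .readOnly("2")
                .readOnly("3/manchao")
                .writeOnly("tokyo-hot")
                .build();
        System.out.println(policy);

        MinioClient client = MinioClient.builder()
                .endpoint("http://minio.example:9000")   // placeholder
                .credentials("ACCESS_KEY", "SECRET_KEY")   // placeholders
                .build();
        client.setBucketPolicy(SetBucketPolicyArgs.builder().bucket("pic").config(policy).build());
        // Read the policy back to confirm the server stored what was sent
        System.out.println(client.getBucketPolicy(GetBucketPolicyArgs.builder().bucket("pic").build()));
    }
}
```

The only difference from the console-generated string in the post is that the two read-only folders become two statements instead of one statement with two resources; the server evaluates both forms the same way.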
Summary
No, I haven't figured it out yet.