minio集群部署以及租户、桶的权限管理分配
播报文章
关注
wget -P /usr/bin/ https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x /usr/bin/minio
#默认启动(默认端口9000)
minio server /data
#指定IP和端口启动
nohup minio server --address 0.0.0.0:7000 /data > /var/log/minio.log 2>&1 &
#启动后日志:
http://0.0.0.0:7000
Object API (Amazon S3 compatible):
Go: https://docs.min.io/docs/golang-client-quickstart-guide
Java: https://docs.min.io/docs/java-client-quickstart-guide
Python: https://docs.min.io/docs/python-client-quickstart-guide
JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
.NET: https://docs.min.io/docs/dotnet-client-quickstart-guide
Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ROOT_USER' and 'MINIO_ROOT_PASSWORD'
IAM initialization complete
集群部署
#官方推荐集群最小4台服务器,集群最小数据挂载点为4个。以下按4台服务器,每台2个挂载点演示部署步骤。
#以下步骤需要在所有节点都执行
1.创建数据存储目录
mkdir /data1 /data2
2.创建部署目录
mkdir -p /opt/minio
3.创建配置文件目录
mkdir -p /etc/minio
4.编写集群启动脚本
[root@minio1 ~]# cat /opt/minio/run.sh
#!/bin/bash
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=WanFang@2001#$
/opt/minio/minio server --config-dir /etc/minio \
http://192.168.1.11/data1 http://192.168.1.11/data2 \
http://192.168.1.12/data1 http://192.168.1.12/data2 \
http://192.168.1.13/data1 http://192.168.1.13/data2 \
http://192.168.1.14/data1 http://192.168.1.14/data2 \
#其中,“MINIO_ACCESS_KEY”为用户名,“MINIO_SECRET_KEY”为密码,密码不能设置过于简单,不然minio会启动失败,“–config-dir”指定集群配置文件目录
5.编写服务脚本
[root@minio1 ~]# cat /usr/lib/systemd/system/minio.service
[Unit]
Description=Minio service
Documentation=https://docs.minio.io/
[Service]
WorkingDirectory=/opt/minio/
ExecStart=/opt/minio/run.sh
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
6.添加脚本权限
chmod +x /usr/lib/systemd/system/minio.service
chmod +x /opt/minio/minio
chmod +x /opt/minio/run.sh
7.启动
systemctl daemon-reload
systemctl start minio
systemctl enable minio
8.测试
#浏览器输入集群任意节点地址+9000端口,即可访问minio,用户名密码为前面设置 的“MINIO_ACCESS_KEY”和“MINIO_SECRET_KEY”,可创建“bucket”并上传文件测试
9.nginx代理
#一定要写上 Host Header 的代理,否则请求签名两边对不上。
#nginx.conf部分配置如下:
upstream minio {
server 192.168.1.11:9000 weight=5;
server 192.168.1.12:9000 weight=5;
server 192.168.1.13:9000 weight=5;
server 192.168.1.14:9000 weight=5;
}
server {
listen 80;
server_name minio;
client_max_body_size 20M;
charset utf-8;
location / {
proxy_set_header Host $http_host;
client_body_buffer_size 10M;
client_max_body_size 20M;
proxy_buffers 1024 4k;
proxy_read_timeout 300;
proxy_pass http://minio/;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
mc安装
#下载
https://dl.minio.io/client/mc/release/linux-amd64/mc
#安装
mv mc /usr/bin
chmod +x /usr/bin/mc
创建用户并赋权限
#第1步:创建名称为myminio的本地host,使用的账号密码是部署过程中minio.service的账号密码
mc config host add myminio http://localhost:9000 minio "WanFang@2001#$"
mc config host list myminio #查看host名为myminio的配置信息
mc alias remove myminio #删除host myminio
#第2步:创建myminio下的用户:user1/12345678
mc admin user add myminio user1 12345678
mc admin user list myminio #查看host名为myminio下所有用户状态
mc admin user enable|disable myminio user1 #启用|禁用 用户user1
#第3步:为myminio添加自定义策略权限文件p1.json,名字为p1
mc admin policy list myminio #列出myminio所有权限策略
mc admin policy add myminio p1 p1.json
#p1文件中的“bucket1”代表桶名称
#p1.json内容如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::bucket1/*"
]
}
]
}
#第4步:为用户user1设置权限策略p1
mc admin policy list myminio #列出myminio所有权限策略
mc admin policy set myminio p1 user=user1 #赋予用户user1在myminio/bucket1桶的查看对象、上传、下载权限
mc admin policy set readonly p1 user=user1 #赋予用户user1在myminio/bucket1桶的下载权限
#第5步:设置host myminio的bucket1桶下的对象永久访问链接
#允许的权限包括:none, download, upload, public
mc policy set download myminio/bucket1/*
#查看myminio/bucket1桶的策略
mc policy list myminio/bucket1
#注:以下两条命令的区别
mc admin policy list myminio #列出myminio所有权限策略
mc policy list myminio/bucket1 #列出myminio/bucket1权限
