go minio 设置访问权限

bucket 权限

桶默认可以有三种 Access Policy 策略:public、custom、private

  • public:不经过任何认证可以直接访问资源
  • custom:自定义策略 Access Rule
  • private:未经授权不能进行任何操作,所有Access Rules失效

策略为custom

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

策略为public

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::aite-data"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::aite-data/*"
            ]
        }
    ]
}

go设置桶权限

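// jsonStringEscaper escapes the two characters that would terminate or break a
// JSON string literal, so a bucket name can be interpolated into the policy
// document without altering its structure. encoding/json is not imported in
// this file, hence the manual escape of backslash and double quote.
var jsonStringEscaper = strings.NewReplacer(`\`, `\\`, `"`, `\"`)

// bucketsPolicyJSON builds the policy document granting s3:* on the objects of
// every bucket in buckets (one "arn:aws:s3:::<bucket>/*" resource per bucket).
// An empty buckets yields an empty Resource list, which the server will most
// likely reject when the policy is added.
func bucketsPolicyJSON(buckets []string) string {
	resources := make([]string, 0, len(buckets))
	for _, b := range buckets {
		resources = append(resources, fmt.Sprintf(`"arn:aws:s3:::%s/*"`, jsonStringEscaper.Replace(b)))
	}
	return fmt.Sprintf(`{"Version": "2012-10-17","Statement": [{"Action": ["s3:*"],"Effect": "Allow","Resource": [%s]}]}`, strings.Join(resources, ","))
}

// SetUserBucketsAccess grants userName every S3 action (s3:*) on the objects
// of each bucket in buckets. It registers a canned policy named after the user
// and then attaches that policy to the user.
//
// Only object ARNs (arn:aws:s3:::<bucket>/*) are listed as resources, so
// bucket-level actions such as s3:ListBucket on arn:aws:s3:::<bucket> are not
// granted by this policy (compare the bucket-level statement in the public
// policy example above) — confirm that is intended before relying on listing.
//
// Returns a project error carrying ErrorMinioOperationFailed if either admin
// call fails, nil otherwise.
func (m *minio) SetUserBucketsAccess(ctx context.Context, userName string, buckets []string) error {
	// The stray fmt.Println of the policy document has been removed: it wrote
	// the full grant to stdout on every call.
	policy := bucketsPolicyJSON(buckets)

	// The canned policy is keyed by userName, so repeated calls for the same
	// user replace that user's policy rather than accumulating new ones.
	if err := m.adminClient.AddCannedPolicy(ctx, userName, []byte(policy)); err != nil {
		// NOTE(review): the underlying err is dropped here; if errors.Errorf's
		// first argument is the cause to wrap, pass err instead of nil —
		// confirm against the project's errors package.
		return errors.Errorf(nil, errors.ErrorMinioOperationFailed)
	}

	// Attach the policy named userName to the entity userName; the trailing
	// false marks the entity as a user rather than a group.
	if err := m.adminClient.SetPolicy(ctx, userName, userName, false); err != nil {
		return errors.Errorf(nil, errors.ErrorMinioOperationFailed)
	}

	return nil
}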