author: Chloé Vulquin <code@toast.bunkerlabs.net> 2026-01-14 22:16:43 +0100
committer: Chloé Vulquin <code@toast.bunkerlabs.net> 2026-01-15 06:49:14 +0100
commit: c5354e75d1205a82a93fd30868e1f5602161ade9 (patch)
tree: d6ee1ff12100f35c5b2998fc5d1a80ff07656c3b
initial importminio
-rw-r--r--  README.md             |  9
-rw-r--r--  bucket/README.md      | 17
-rw-r--r--  bucket/fetchonly.json | 15
-rw-r--r--  user/README.md        | 19
-rw-r--r--  user/useronly.json    | 15
-rw-r--r--  user/userprefix.json  | 15
6 files changed, 90 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f63e464
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+# Minio Policies
+Useful policies for MinIO.
+Unfortunately, MinIO is now effectively dead,
+so these are here for historical reasons.
+
+* The `bucket` directory contains bucket repositories,
+ which determine read/write rights to a bucket.
+* The `user` directory contains user policies,
+ which determine access rights of users.
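Review bot: "bucket repositories" in the first bullet should read "bucket policies"; the `bucket` directory holds policy JSON, and the line that follows already talks about read/write rights to a bucket. The two bullets would also be clearer if they said what each policy type is attached to: a bucket policy is set on a bucket and governs (typically anonymous) access to that bucket's objects, while a user policy is attached to a user and follows that user across buckets.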
diff --git a/bucket/README.md b/bucket/README.md
new file mode 100644
index 0000000..0b2e313
--- /dev/null
+++ b/bucket/README.md
@@ -0,0 +1,17 @@
+# Bucket Policies
+Bucket policies apply to buckets and determine the read/write access to them.
+This is especially useful for allowing anonymous access of various kinds.
+
+## Policies
+The following policies are available:
+
+* fetchonly.json: Similar to ReadOnly in that it allows fetching any object in the bucket anonymously.
+ The difference is that it does not allow *listing* bucket objects,
+ meaning that the object name must be known ahead of time.
+
+## Using
+Apply these policies as so:
+
+1. Download the file.
+2. Edit the file, replacing BUCKETNAME with the name of your bucket.
+3. `mcli policy set-json ./FILE.json MYMINIO/BUCKETNAME`
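Review bot: the fetchonly description should state plainly that withholding `s3:ListBucket` is not a confidentiality control: anyone who knows or guesses an object name can fetch it anonymously, and object names leak through access logs, referrers and browser history, so the README should tell readers to use unguessable object names or a signed-URL flow for anything sensitive. On step 3, the `policy` subcommand has been renamed `anonymous` in newer MinIO client releases (`mcli anonymous set-json ./FILE.json MYMINIO/BUCKETNAME`); worth listing both spellings so the instructions keep working.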
diff --git a/bucket/fetchonly.json b/bucket/fetchonly.json
new file mode 100644
index 0000000..42b92da
--- /dev/null
+++ b/bucket/fetchonly.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::BUCKETNAME/*"
+ }
+ ]
+}
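Review bot: granting only `s3:GetObject` on `arn:aws:s3:::BUCKETNAME/*` matches the README, and the object-only resource is correct here (the bare bucket ARN is only needed for bucket-level actions such as `s3:ListBucket`, which this policy deliberately omits). One undocumented consequence worth a line in the README: on a versioned bucket, anonymous clients can fetch the current version only, since fetching a specific non-current version is the separate `s3:GetObjectVersion` action.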
diff --git a/user/README.md b/user/README.md
new file mode 100644
index 0000000..bede75a
--- /dev/null
+++ b/user/README.md
@@ -0,0 +1,19 @@
+# User Policies
+User policies apply to users and determine the read/write access they will have.
+This is useful to avoid needing to configure each bucket separately.
+
+## Policies
+The following policies are available:
+
+* useronly.json: Grants the user access to the bucket of their name.
+ For example, the user `foo` will be granted access to the bucket `foo` only.
+* userprefix.json: Grants the user access to buckets prefixed by their name.
+ For example, the user `foo` will be granted access to the buckets
+ `foo` and `foobar` but not `barfoo`.
+
+## Using
+Apply these policies as so:
+
+1. Download the file.
+2. `mcli admin policy add MYMINIO NAME NAME.json`
+3. `mcli admin policy set MYMINIO NAME user=USER`
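Review bot: steps 2 and 3 use `admin policy add` and `admin policy set`, which newer MinIO client releases have replaced with `mcli admin policy create MYMINIO NAME NAME.json` and `mcli admin policy attach MYMINIO NAME --user USER`; the README should mention the current names. It should also say that both policies rely on `${aws:username}`, which MinIO resolves to the access key of a built-in user (one created with `admin user add`); for LDAP or OpenID users the policy variables are different (`${ldap:username}`, `${jwt:preferred_username}` and the like), so these policies do not work for those users as written.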
diff --git a/user/useronly.json b/user/useronly.json
new file mode 100644
index 0000000..2300440
--- /dev/null
+++ b/user/useronly.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${aws:username}",
+ "arn:aws:s3:::${aws:username}/*"
+ ]
+ }
+ ]
+}
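Review bot: `s3:*` on the user's own bucket includes `s3:PutBucketPolicy` and `s3:DeleteBucket`, so a user can make their bucket anonymously readable, or delete it, with no admin involvement. If that is not intended, add a second statement with `"Effect": "Deny"` for `s3:PutBucketPolicy` (and any other bucket-configuration actions that should stay with admins) on the same two resources; an explicit deny wins over the allow. Also worth documenting in the README: `s3:*` on the bare bucket ARN includes `s3:CreateBucket`, so the user can create the bucket themselves rather than an admin having to pre-create it.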
diff --git a/user/userprefix.json b/user/userprefix.json
new file mode 100644
index 0000000..609c108
--- /dev/null
+++ b/user/userprefix.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${aws:username}*",
+ "arn:aws:s3:::${aws:username}*/*"
+ ]
+ }
+ ]
+}
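Review bot: `${aws:username}*` makes user namespaces overlap, and the README's own example spells out the consequence: a user `foo` gets full `s3:*` control over every bucket of a user `foobar`, including its bucket policy and deletion. If the goal is to let each user own several buckets, put a separator in the pattern, e.g. `arn:aws:s3:::${aws:username}-*` and `arn:aws:s3:::${aws:username}-*/*`, and document that bucket names must start with `USERNAME-`; with the separator, `foo` no longer matches `foobar-data`. Usernames that themselves contain the separator still collide (`foo` versus `foo-bar`), so the rule for creating users has to forbid it as well. Note also that `*` matches the empty string, so the first resource already covers the bare `foo` bucket; the README could say so instead of implying a distinct case.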