Access Controls

S3 access controls are divided into two pieces: Authentication and Authorization.

Authentication

Client authentication for S3 is managed by MinIO’s Security Token Service (STS), which accepts a user’s authentication token and exchanges it for a session token with MinIO. The session token from STS retains the user’s principal ID, and combines it with all the necessary information MinIO requires to authenticate and authorize the user for all actions they perform within the session.

See the mc client for an overview of how this works.

Authorization

MinIO is configured to defer all authorization decisions to OPA.

Per-Object Authorization

The OPA policies for S3 control access at the object level. That is, objects can be controlled independently even within the same bucket.

Object authorization can change dynamically, either by updating policies or by modifying the user’s attributes in Keycloak.

If a user has an active session, changes to their attributes or the governing policy take effect on their next object operation. In other words, OPA is consulted for every operation the user performs.

Classification Controls

Each object can be (optionally) marked with a classification marking using IC Classification and Control Markings.

Diagram

Set Classification Marking

You can include the classification marking when uploading (or modifying) the content of an object. To do so, the user issues a PUT request to the {object-endpoint}.

Upload an Object
curl -X 'PUT' \
  'http://localhost/api/v1/s3/buckets/inbox-public/objects/content?objectName=my-file.txt&classification=S%2F%2FNF' \ (1)
  -H 'accept: application/json' \
  -H 'Authorization: Basic YWRtaW46eUNITHBDaG12dDRuTVUwNWpaZTZBbGl0' \ (2)
  -H 'Content-Type: application/json' \
  -d 'my file content' (3)
(1) Provide the marking in the classification URL argument (be sure to URL-escape the value). Here we set it to S//NF.
(2) Use either Basic (username/password) or a Bearer token.
(3) The file content.

You can also set or change the classification marking on an existing object with a PUT request to the /buckets/{bucket}/objects/classification endpoint.

Set Classification
curl -X 'PUT' \
  'http://localhost/api/v1/s3/buckets/inbox-public/objects/classification?objectName=my-file.txt&classification=S%2F%2FREL%20TO%20USA%2C%20FVEY' \ (1)
  -H 'accept: application/json' \
  -H 'Authorization: Basic YWRtaW46eUNITHBDaG12dDRuTVUwNWpaZTZBbGl0'
(1) Provide the new marking in the classification URL argument (be sure to URL-escape the value). Here we change it to S//REL TO USA, FVEY.

To successfully set (or change) an object’s classification,

  1. The invoking user must be cleared for the marking they are providing (cannot mark beyond their own clearance).

  2. If the object has an existing marking (changing marking), the user must also be cleared for the existing marking.

Get Classification Marking

To see the current classification marking for an object, a user issues a GET request to the /buckets/{bucket}/objects/classification endpoint.

Request
curl -X 'GET' \
  'http://localhost/api/v1/s3/buckets/inbox-public/objects/classification?objectName=my-file.txt' \
  -H 'accept: application/json' \
  -H 'Authorization: Basic YWRtaW46eUNITHBDaG12dDRuTVUwNWpaZTZBbGl0'

This will return the normalized form of the marking, which includes a "raw" attribute containing the originally provided marking.

Response
{
  "raw": "S//REL TO USA, FVEY",
  "components": {
    "classification": "S",
    "disseminationControls": [
      "REL"
    ],
    "ownerProducer": [
      "USA"
    ],
    "releasableTo": [
      "USA",
      "FVEY"
    ]
  }
}

To explore the full API, download the OpenAPI or view it in the Swagger docs.