Managing Security and Access

You can use the AIStor Console to perform several of the identity and access management functions available in AIStor, such as:

  • Create and manage user credentials or groups with the built-in AIStor IDP, connect to one or more OIDC providers, or add an LDAP provider for Single Sign On.
  • Configure single sign on workflows using either OpenID Connect or AD/LDAP.
  • View, manage, and create access policies.
  • Create child access keys that inherit the parent’s permissions.

IAM Users

The IAM Users section provides a management interface for AIStor-managed users.

This section is not visible for deployments using an external identity manager such as Active Directory or an OIDC-compatible provider.

  • Select + Add a user to create a new AIStor-managed user.

    You can assign groups and policies to the user during creation.

  • Select a user’s row to view details for that user.

    You can view and modify the user’s assigned groups and policies.

    You can also view and manage any Access Keys associated with the user.

IAM Groups

The IAM Groups section displays all groups on the AIStor deployment.

This section is not visible for deployments using an external identity manager such as Active Directory or an OIDC-compatible provider.

  • Select + Add a Group to create a new AIStor Group.

    You can assign new users to the group during creation.

    You can assign policies to the group after creation.

  • Select the group row to open the details for that group.

    You can modify the group membership from the Members view.

    You can modify the group’s assigned policies from the Policies view.

    Changing a user’s group membership modifies the policies that each user in the group inherits. See Access Management for more information.

OpenID

AIStor supports using an OpenID Connect (OIDC) compatible Identity Provider (IDP) for external management of user identities.

Examples of OpenID providers include:

  • Okta
  • KeyCloak
  • Dex
  • Google
  • Facebook

Configuring an external IDP enables Single-Sign On workflows, where applications authenticate against the external IDP before accessing AIStor.

Use the screens in this section to view, add, or edit OIDC configurations for the deployment. AIStor supports any number of active OIDC configurations.

LDAP

AIStor supports using an Active Directory or LDAP (AD/LDAP) service for external management of user identities. Configuring an external Identity Provider (IDP) enables Single-Sign On (SSO) workflows, where applications authenticate against the external IDP before accessing AIStor.

Use the screens in this section to view, add, or edit an LDAP configuration for the deployment. AIStor only supports one active LDAP configuration.

AIStor queries the Active Directory / LDAP server to verify the client-specified credentials. AIStor also performs a group lookup on the AD/LDAP server if configured to do so.

IAM Policies

The IAM Policies section displays all policies on the AIStor deployment. This section allows you to create, modify, or delete policies.

Policies define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions that a user, group of users, or access key can perform, and any conditions they must meet.

The policies are JSON formatted text files compatible with Amazon AWS Identity and Access Management policy syntax, structure, and behavior. Refer to Policy Based Action Control for details on managing access in AIStor with policies.

This section or its contents may not be visible if the authenticated user does not have the required administrative permissions.

  • Select + Add Policy to create a new AIStor Policy.

  • Select the policy row to manage the policy details.

    Use the Simple Format to find policies. Use the Raw Format to directly edit the policy JSON.

Use the Users and Groups views to assign a created policy to users and groups, respectively.

Access Keys

The Access Keys section displays all Access Keys associated with the authenticated user. The summary list of access keys that already exist for a particular user includes the access key, expiration, status, name, and description.

Access Keys provide applications with authentication credentials that inherit permissions from the “parent” user.

For deployments using an external identity manager such as Active Directory or an OIDC-compatible provider, access keys provide a way for users to create long-lived credentials.

  • You can select the access key row to view its custom policy, if one exists. You can create or modify the policy from this screen.

    Access key policies cannot exceed the permissions granted to the parent user.

  • You can create a new access key by selecting Create Access Key. The Console auto-generates an access key and password.

    You can select the eye icon on the password field to reveal the value. You can override these values as needed.

    You can set a custom policy for the access key that further restricts the permissions granted to users authenticating with that key. Select the Restrict beyond user policy toggle to expand the policy editor and modify as necessary.

    Ensure you have saved the access key password to a secure location before selecting Create to add the access key. You cannot retrieve or reset the password value after creating the access key.

    To rotate credentials for an application, create a new access key and delete the old one once the application updates to using the new credentials.
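To make the “cannot exceed the parent user” rule and the AWS-IAM-style policy JSON described above concrete, the following is an added Python example, not AIStor’s own policy evaluator: a simplified Allow/Deny evaluation with wildcard matching, run over a constructed parent-user policy and a constructed access-key restriction policy. It assumes the request is allowed only where both policies allow it, and it ignores Condition blocks.

```python
import fnmatch
import json

# Constructed sample: the parent user's policy (read/write on one bucket).
PARENT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]
  }]
}""")

# Constructed sample: the access key's "Restrict beyond user policy" policy
# (read-only, and only under one prefix of the same bucket).
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::reports/2024/*"
  }]
}""")


def _as_list(value):
    # IAM policy JSON allows a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny that matches wins; otherwise at
    least one matching Allow is required. Condition blocks are ignored here."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def access_key_allows(parent_policy, key_policy, action, resource):
    """An access key is effective only where BOTH the parent user's policy and
    the key's own restriction allow the request; the key can never widen access."""
    return (policy_allows(parent_policy, action, resource)
            and policy_allows(key_policy, action, resource))
```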

All rights reserved 2024-Present, MinIO, Inc.