minIO

https://docs.min.io/cn/minio-quickstart-guide.html
https://docs.min.io/cn/setup-nginx-proxy-with-minio.html
https://tonybai.com/2020/03/16/build-high-performance-object-storage-with-minio-part1-prototype/
Linux storage stack diagram
Server Configuration Guide
MinIO JavaScript Library for Amazon S3 Compatible Cloud Storage
Upload Files Using Pre-signed URLs
MinIO Admin Complete Guide
minio-js github
MinIO Multi-user Quickstart Guide
JavaScript Client API Reference
Amazon authentication: Authenticating Requests: Using Query Parameters (AWS Signature Version 4)
MinIO Client (mc)

minIO

mc :MinIO Client (mc)

How to Choose Your Red Hat Enterprise Linux File System

XFS vs Ext4

If both your server and your storage device are large, XFS is likely to be the best choice

In general, Ext3 or Ext4 is better if an application uses a single read/write thread and small files, while XFS shines when an application uses multiple read/write threads and bigger files.

mount disk

docker run -p 9000:9000 --name minio \
> -v /mnt/data1:/data1 \
> -v /mnt/data2:/data2 \
> -v /mnt/data3:/data3 \
> -v /mnt/data4:/data4 \
> -v /root/storage/config:/root/.minio \
> minio/minio server /data1 /data2 /data3 /data4
Formatting 1st zone, 1 set(s), 4 drives per set.
WARNING: Host local has more than 2 drives of set. A host failure will result in data becoming unavailable.
Status: 4 Online, 0 Offline.
Endpoint: http://172.17.0.4:9000 http://127.0.0.1:9000

Browser Access:
http://172.17.0.4:9000 http://127.0.0.1:9000

Object API (Amazon S3 compatible):
Go: https://docs.min.io/docs/golang-client-quickstart-guide
Java: https://docs.min.io/docs/java-client-quickstart-guide
Python: https://docs.min.io/docs/python-client-quickstart-guide
JavaScript: https://docs.min.io/docs/javascript-client-quickstart-guide
.NET: https://docs.min.io/docs/dotnet-client-quickstart-guide
Detected default credentials 'minioadmin:minioadmin', please change the credentials immediately using 'MINIO_ACCESS_KEY' and 'MINIO_SECRET_KEY'
docker pull minio/minio
docker run -d -p 9000:9000 --name minio \
-e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \
-e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \
-e "MINIO_REGION_NAME=cn_shanghai" \
-v /mnt/data1:/data1 \
-v /mnt/data2:/data2 \
-v /mnt/data3:/data3 \
-v /mnt/data4:/data4 \
-v /root/storage/config:/root/.minio \
minio/minio server /data1 /data2 /data3 /data4

├── data1
│   └── bucket-test1
│       └── gcc-10.2.0.tar.gz
│           ├── 0a74abde-131a-4153-a514-6df267a1012d
│           │   └── part.1
│           └── xl.meta
├── data2
│   └── bucket-test1
│       └── gcc-10.2.0.tar.gz
│           ├── 0a74abde-131a-4153-a514-6df267a1012d
│           │   └── part.1
│           └── xl.meta
├── data3
│   └── bucket-test1
│       └── gcc-10.2.0.tar.gz
│           ├── 0a74abde-131a-4153-a514-6df267a1012d
│           │   └── part.1
│           └── xl.meta
└── data4
    └── bucket-test1
        └── gcc-10.2.0.tar.gz
            ├── 0a74abde-131a-4153-a514-6df267a1012d
            │   └── part.1
            └── xl.meta

16 directories, 8 files
[root@localhost mnt]# cat data1/bucket-test1/gcc-10.2.0.tar.gz/xl.meta
XL2 1 ��Versions���Type�V2Obj��ID��DDir�
t��AS�m�g�-�EcAlgo�EcM�EcN�EcBSize���EcIndex�EcDist��CSumAlgo�PartNums��PartETags���PartSizes���2y�PartASizes���2y�Size��2y�MTime�*�2ŧMetaSys��MetaUsr��etag� 941a8674ea2eeb33f5c30ecf08124874�content-type�application/x-gzip[root@localhost mnt]#

Upload Files Using Pre-signed URLs

https://docs.min.io/docs/upload-files-from-browser-using-pre-signed-urls.html

npm install --save minio

https://docs.min.io/docs/minio-admin-complete-guide.html#trace

SignatureDoesNotMatch

SignatureDoesNotMatch on Minio Server Docker #794

https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

https://www.rapidspike.com/blog/s3-signature-not-match-error-using-pre-signed-request/

presignedGetObject’s url return SignatureDoesNotMatch error #6546

https://docs.min.io/docs/javascript-client-api-reference#presignedPutObject

Getting 403 (Forbidden) when uploading to S3 with a signed URL

SignatureDoesNotMatch

docker exec -it minio /bin/sh

http://s3.1024game.cn:9000/uploads/%E5%BA%94%E7%94%A8%E5%95%86%E5%BA%97%E9%A1%B9%E7%9B%AE-Win.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20200820%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200820T075525Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=bd6bb248a667e6f3ee14f41d9ff0a79a8bba314bd43ec31f0d7125d94b06c428

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<Key>应用商店项目-Win.zip</Key>
<BucketName>uploads</BucketName>
<Resource>/uploads/应用商店项目-Win.zip</Resource>
<RequestId>162CEAD75B0E8CC9</RequestId>
<HostId>6f9b2b94-d4fe-4687-8a79-7085c2309699</HostId>
</Error>

aws S3 signatureV4

https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

https://s3.amazonaws.com/examplebucket/test.txt
?X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=<your-access-key-id>/20130721/us-east-1/s3/aws4_request
&X-Amz-Date=20130721T201207Z
&X-Amz-Expires=86400
&X-Amz-SignedHeaders=host
&X-Amz-Signature=<signature-value>
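
The check behind SignatureDoesNotMatch, as an added example (not code from these notes or from MinIO): it recomputes X-Amz-Signature for a presigned URL with Python's standard library, showing that the method, path, Host header and X-Amz-Expires are all bound into the signature. The sample URL and keys are the documented example from the AWS page linked above; the function names and the `host="minio"` case (a reverse proxy that does not forward the original Host header) are assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

MAX_EXPIRES = 604800  # seconds; the 7-day SigV4 presign limit

# Sample input: the worked example from the AWS query-string auth page
# (AWS's documented example keys, not real credentials).
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
URL = ("https://examplebucket.s3.amazonaws.com/test.txt"
       "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE"
       "%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z"
       "&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature="
       "aeeed9bbccd4d02ee5c0109b86d86835f995330da4c265957d157751f604d404")


def _enc(text, safe="-_.~"):
    return quote(text, safe=safe)


def expected_signature(url, secret, method="GET", host=""):
    """Recompute X-Amz-Signature as a server would (SignedHeaders=host only).
    `host` is the Host header the server receives; default: the URL's own."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "X-Amz-Signature"]
    q = dict(params)
    _, date, region, service, _ = q["X-Amz-Credential"].split("/")
    canonical_request = "\n".join([
        method,
        _enc(unquote(parts.path), safe="/-_.~"),          # path, encoded once
        "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params)),
        f"host:{host or parts.netloc}\n",                 # canonical headers
        "host",                                           # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", q["X-Amz-Date"],
        f"{date}/{region}/{service}/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret).encode()
    for scope_part in (date, region, service, "aws4_request"):
        key = hmac.new(key, scope_part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def diagnose(url, secret, method="GET", host=""):
    """Reasons a server would reject the URL; an empty list means it verifies."""
    q = dict(parse_qsl(urlsplit(url).query))
    problems = []
    if int(q["X-Amz-Expires"]) > MAX_EXPIRES:
        problems.append("X-Amz-Expires over 7 days")
    if not hmac.compare_digest(expected_signature(url, secret, method, host),
                               q["X-Amz-Signature"]):
        problems.append("SignatureDoesNotMatch")
    return problems


if __name__ == "__main__":
    print(diagnose(URL, SECRET))                # URL used exactly as signed
    print(diagnose(URL, SECRET, host="minio"))  # proxy replaced the Host header
    print(diagnose(URL, SECRET, method="PUT"))  # GET URL replayed as PUT
```

The check covers only the signature and the 7-day cap; a real server also rejects the URL once X-Amz-Date plus X-Amz-Expires has passed.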

minio config

config ~/.minio

nginx proxy

https://docs.min.io/docs/setup-nginx-proxy-with-minio.html

s3 Uploading an object

https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html

https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html

https://docs.aws.amazon.com/AmazonS3/latest/dev/UploadInSingleOp.html

mc docker

https://hub.docker.com/r/minio/mc/

docker pull minio/mc
docker run -it --entrypoint=/bin/sh minio/mc
# Add a MinIO Storage Service
mc config host add <ALIAS> <YOUR-MINIO-ENDPOINT> <YOUR-ACCESS-KEY> <YOUR-SECRET-KEY>
Alias is simply a short name to your MinIO service. MinIO end-point, access and secret keys are supplied by your MinIO service. Admin API uses "S3v4" signature and cannot be changed.

mc config host add minio http://192.168.1.2:9000 YOUR-ACCESS-KEY YOUR-SECRET-KEY
# Test Your Setup
mc admin info minio
# alias

alias minfo='mc admin info'

#Global Options

mc admin --debug info minio




[root@localhost storage]# ./mc admin info minio
● 127.0.0.1:9000
Uptime: 1 week
Version: 2020-08-13T02:39:50Z
Network: 1/1 OK
Drives: 4/4 OK

204 MiB Used, 3 Buckets, 12 Objects
4 drives online, 0 drives offline

./mc admin trace -a -v --debug minio

http://www.lw007.cn/docs/minio-admin-complete-guide.html

mc admin trace

MinIO Server Config Guide

docker-compose.yml

storage:
  restart: always
  networks:
    default:
      aliases:
        - bor.minio
  image: minio/minio:latest
  ports:
    - 4554:80
  environment:
    MINIO_DOMAIN: "s3-us-west-1.amazonaws.com"
    MINIO_ACCESS_KEY: ACCESS_KEY_ID
    MINIO_SECRET_KEY: secret123
    MINIO_HTTP_TRACE: /dev/stdout # move to mc admin trace
  command: minio server --address 0.0.0.0:80 /var/data/fakes3
  volumes:
    - storage_data:/var/data/fakes3:delegated

debugging

https://github.com/minio/minio/tree/master/docs/debugging

Default trace is succinct only to indicate the API operations being called and the HTTP response status.
mc admin trace myminio

# To trace entire HTTP Request
mc admin trace --verbose myminio

# To also trace internode communication, add the flag --all
mc admin trace --verbose --all myminio


mc admin --debug info minio

on-board diagnostics

mc admin obd myminio

Deploying S3 Stateful Containers - Minio(vmware) kubectl

permanent url

var publicUrl = minioClient.protocol + '//' + minioClient.host + ':' + minioClient.port + '/' + minioBucket + '/' + obj.name

bucket policy

Presigned URLs are valid only for a maximum of 7 days. This is mandated by S3 Spec (Ref: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html).

For permanent sharing you can consider buckets policies - https://docs.minio.io/docs/minio-client-complete-guide#policy

how to generate share url permanent? #5180

Once you set the policy on a bucket like

mc policy set public myminio/bucketname

You can use the URL: miniohost:9000/bucketname/object to access the object

#mc policy public minio/test

Access permission for minio/test is set to public

#wget http://10.39.0.45:9000/test/types-of-mounts.png

It’s OK now, thanks.
I sent the URL wget http://10.39.0.45:9000/minio/test/types-of-mounts.png before, so I’m wrong.

https://blog.nikhilbhardwaj.in/2020/02/25/minio-bucket-policy/

I don’t know if this is a counter example or a different method. If I use the s3.getSignedUrl I can generate urls that are longer than 7 days.
JS Code

var urlParams= {"Bucket":"opennote","Key":"ovoay3yj5uky.png","Expires":77760000}
s3.getSignedUrl("getObject",urlParams,function(err,data){console.dir(err);console.dir(data)})

This gives a signature of ?AWSAccessKeyId=tests&Expires=1595816882&Signature=HQbjEiQUrqW87ShZSjVVOeHnz0o%3D
Which is valid for 900 days from now.

S3 and Minio accept this signature and display the object

Why does it work?

Yes only in AWS Signature v2 (legacy), AWS Signature v4 has limited it to maximum of 7 days.

It would be good if somebody pointed out in the docs that the policy prefix should not start with a slash / when you type it in via the web interface; I got fooled by that slash hard before I checked the policies via mc.

via cmd
mc policy public myminio/bucketname
Here is the policy via SDK

{
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "arn:aws:s3:::mybucketname",
      "Sid": ""
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Resource": "arn:aws:s3:::mybucketname/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
Replace mybucketname with the appropriate bucket name

All I did was create a new location in nginx, something like /bucketname, and in the block add root to the local path for the bucket folder.

minio policy help

PERMISSION:
Allowed policies are: [none, download, upload, public].
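
An added example (not part of the original notes or of mc): a small auditor that lists what a bucket policy grants to unauthenticated clients, run against the "public" policy JSON shown above and against a constructed per-user policy for contrast. The function names are hypothetical, and Deny statements and Condition blocks are ignored, so it may over-report.

```python
# Actions that let a caller modify or delete objects.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"}

# The anonymous "public" policy from this page (Sid fields omitted).
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket",
                "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::mybucketname"},
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                "s3:ListMultipartUploadParts", "s3:PutObject"],
     "Resource": "arn:aws:s3:::mybucketname/*"}]}

# Constructed contrast: a per-user policy carries no Principal, so it grants
# nothing to anonymous clients.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::examplebucket/*", "arn:aws:s3:::examplebucket"]}]}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def anonymous_grants(policy):
    """Map each resource ARN to the actions an unauthenticated client may perform."""
    grants = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            grants.setdefault(resource, set()).update(_as_list(stmt.get("Action", [])))
    return grants


def anonymous_write_findings(policy):
    """Sorted (resource, action) pairs that let anyone modify or delete data."""
    return sorted(
        (resource, action)
        for resource, actions in anonymous_grants(policy).items()
        for action in actions
        if action in WRITE_ACTIONS or action in ("s3:*", "*"))


if __name__ == "__main__":
    for resource, action in anonymous_write_findings(PUBLIC_POLICY):
        print(f"anonymous {action} on {resource}")
    print("user policy findings:", anonymous_write_findings(USER_POLICY))
```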

mc policy public minio/pub
Name:
mc policy - manage anonymous access to buckets and objects

USAGE:
mc policy [FLAGS] set PERMISSION TARGET
mc policy [FLAGS] set-json FILE TARGET
mc policy [FLAGS] get TARGET
mc policy [FLAGS] get-json TARGET
mc policy [FLAGS] list TARGET

FLAGS:
--recursive, -r list recursively
--config-dir value, -C value path to configuration folder (default: "/root/.mc")
--quiet, -q disable progress bar display
--no-color disable color theme
--json enable JSON formatted output
--debug enable debug output
--insecure disable SSL certificate verification
--help, -h show help

PERMISSION:
Allowed policies are: [none, download, upload, public].

FILE:
A valid S3 policy JSON filepath.

EXAMPLES:
1. Set bucket to "download" on Amazon S3 cloud storage.
$ mc policy set download s3/burningman2011

2. Set bucket to "public" on Amazon S3 cloud storage.
$ mc policy set public s3/shared

3. Set bucket to "upload" on Amazon S3 cloud storage.
$ mc policy set upload s3/incoming

4. Set policy to "public" for bucket with prefix on Amazon S3 cloud storage.
$ mc policy set public s3/public-commons/images

5. Set a custom prefix based bucket policy on Amazon S3 cloud storage using a JSON file.
$ mc policy set-json /path/to/policy.json s3/public-commons/images

6. Get bucket permissions.
$ mc policy get s3/shared

7. Get bucket permissions in JSON format.
$ mc policy get-json s3/shared

8. List policies set to a specified bucket.
$ mc policy list s3/shared

9. List public object URLs recursively.
$ mc policy --recursive links s3/shared/
[root@localhost ~]# mc policy get minio/uploads

package main

import (
	"log"
	"time"

	"github.com/minio/minio-go"
)

func main() {
	// Connect over plain HTTP (secure=false) with the access and secret keys.
	s3Client, err := minio.New("172.17.0.2:9000", "minio", "minio123", false)
	if err != nil {
		log.Fatalln(err)
	}
	err = s3Client.MakeBucket("test", "us-east-1")
	if err != nil {
		log.Fatal(err)
	}
	// Presign a PUT for "my-objectname" that stays valid for 1000 seconds.
	presignedURL, err := s3Client.PresignedPutObject("test", "my-objectname", time.Duration(1000)*time.Second)
	if err != nil {
		log.Fatalln(err)
	}
	log.Println(presignedURL)
}

curl -X PUT http://172.17.0.2:9000/test/my-objectname\?X-Amz-Algorithm\=AWS4-HMAC-SHA256\&X-Amz-Credential\=minio%2F20181129%2Fus-east-1%2Fs3%2Faws4_request\&X-Amz-Date\=20181129T030925Z\&X-Amz-Expires\=1000\&X-Amz-SignedHeaders\=host\&X-Amz-Signature\=babb4404c979968de5d21e9e654ad1c73f3ac4fed014c0edaeae639c2d159409 -H 'Content-Type: application/json'  -d  "{ \"blah\" : \"blah\"}"

docker-compose.yml

minio:
  image: minio/minio:latest
  restart: always
  environment:
    - MINIO_DOMAIN=minio.my.domain.com
    - MINIO_REGION=eu-west-1
  volumes:
    - '/mnt/docker/minio/data:/data'
    - '/mnt/docker/minio/config:/root/.minio'
  ports:
    - "9898:9000"
  command: "server /data"

upstream minio {
    server 127.0.0.1:9898;
}

server {
    listen 80;
    server_name minio.my.domain.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name minio.my.domain.com;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    location / {
        proxy_pass http://minio;
    }
}

mc config

# List the currently configured hosts; a host must be configured before it can be managed
mc config host ls

mc config host add <ALIAS> <YOUR-MINIO-ENDPOINT> <YOUR-ACCESS-KEY> <YOUR-SECRET-KEY>
mc config host add minio http://192.168.1.51:9000 BKIKJAA5BMMU2RHO6IBB V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12

alias minfo='mc admin info'

mc admin --debug info minio

mc admin --help
NAME:
mc admin - manage MinIO servers

USAGE:
mc admin COMMAND [COMMAND FLAGS | -h] [ARGUMENTS...]

COMMANDS:
service restart and stop all MinIO servers
update update all MinIO servers
info display MinIO server information
user manage users
group manage groups
policy manage policies defined in the MinIO server
config manage MinIO server configuration
heal heal disks, buckets and objects on MinIO server
profile generate profile data for debugging purposes
top provide top like statistics for MinIO
trace show http trace for MinIO server
console show console logs for MinIO server
prometheus manages prometheus config
kms perform KMS management operations
obd run on-board diagnostics
bucket manage buckets defined in the MinIO server

FLAGS:
--config-dir value, -C value path to configuration folder (default: "/root/.mc")
--quiet, -q disable progress bar display
--no-color disable color theme
--json enable JSON formatted output
--debug enable debug output
--insecure disable SSL certificate verification
--help, -h show help

supports simple queuing service

Minio is written in Go, comes with a command line client plus a browser interface, and supports simple queuing service for Advanced Message Queuing Protocol (AMQP), Elasticsearch, Redis, NATS, and PostgreSQL targets

minio Configuration

sudo nano /etc/default/minio

MINIO_ACCESS_KEY="minio"
MINIO_VOLUMES="/usr/local/share/minio/"
MINIO_OPTS="-C /etc/minio --address your_server_ip:9000"
MINIO_SECRET_KEY="miniostorage"


MINIO_ACCESS_KEY: This sets the access key you will use to access the Minio browser user interface.
MINIO_SECRET_KEY: This sets the private key you will use to complete your login credentials into the Minio interface. This tutorial has set the value to miniostorage, but we advise choosing a different, more complicated password to secure your server.
MINIO_VOLUMES: This identifies the storage directory that you created for your buckets.
MINIO_OPTS: This changes where and how the server serves data. The -C flag points Minio to the configuration directory it should use, while the --address flag tells Minio the IP address and port to bind to. If the IP address is not specified, Minio will bind to every address configured on the server, including localhost and any Docker-related IP addresses, so directly specifying the IP address here is recommended. The default port 9000 can be changed if you would like.

Installing the Minio Systemd Startup Script

curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service

/etc/systemd/system/minio.service

[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local/

User=minio-user
Group=minio-user

EnvironmentFile=/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"

ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})

sudo mv minio.service /etc/systemd/system

sudo systemctl daemon-reload

sudo systemctl enable minio

sudo systemctl start minio

sudo systemctl status minio

sudo ufw allow 9000

sudo ufw enable

Minio Server With a TLS Certificate

sudo ufw allow 80

sudo ufw allow 443

sudo ufw status verbose

Install Certbot. Since Certbot maintains a separate PPA repository, you will first have to add it to your list of repositories before installing Certbot as shown:

To prepare to add the PPA repository, first install software-properties-common, a package for managing PPAs:

sudo apt install software-properties-common

This package provides some useful scripts for adding and removing PPAs instead of doing it manually.

Now add the Universe repository:

sudo add-apt-repository universe

This repository contains free and open source software maintained by the Ubuntu community, but is not officially maintained by Canonical, the developers of Ubuntu. This is where we will find the repository for Certbot.

Next, add the Certbot repository:

sudo add-apt-repository ppa:certbot/certbot

sudo apt update

install certbot

sudo apt install certbot

Since Ubuntu 18.04 doesn’t yet support automatic installation, you will use the certonly command and --standalone to obtain the certificate:

sudo certbot certonly --standalone -d minio-server.your_domain

--standalone means that this certificate is for a built-in standalone web server. For more information on this, see our How To Use Certbot Standalone Mode to Retrieve Let’s Encrypt SSL Certificates on Ubuntu 18.04 tutorial.

sudo cp /etc/letsencrypt/live/minio-server.your_domain_name/privkey.pem /etc/minio/certs/private.key
sudo cp /etc/letsencrypt/live/minio-server.your_domain_name/fullchain.pem /etc/minio/certs/public.crt


sudo chown minio-user:minio-user /etc/minio/certs/private.key

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-object-storage-server-using-minio-on-ubuntu-18-04

mc mb minio/bucketAuto
mc: <ERROR> Unable to make bucket `minio/bucketAuto`. Bucket name contains invalid characters
[root@localhost ~]# mc mb minio/bucketauto
Bucket created successfully `minio/bucketauto`.

mc admin user add TARGET ACCESSKEY SECRETKEY

ACCESSKEY:
Also called as username.

SECRETKEY:
Also called as password.

1. Add a new user 'foobar' to MinIO server.
$ set +o history
$ mc admin user add myminio foobar foo12345
$ set -o history
2. Add a new user 'foobar' to MinIO server, prompting for keys.
$ mc admin user add myminio
Enter Access Key: foobar
Enter Secret Key: foobar12345
3. Add a new user 'foobar' to MinIO server using piped keys.
$ set +o history
$ echo -e "foobar\nfoobar12345" | mc admin user add myminio
$ set -o history

Step 3 - Create the policy to grant access to the bucket local/wifey
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::wifey/*", "arn:aws:s3:::wifey"
      ],
      "Sid": "BucketAccessForUser"
    }
  ]
}

Add policy to your minio instance
mc admin policy add local wifey-bucket-policy /tmp/sample-bucket-policy.txt

Associate policy with your user
mc admin policy set local wifey-bucket-policy user=wifey-user

Now the credentials that you share with a user will only allow them to access this one bucket.

mc admin user info local wifey-user
AccessKey: wifey-user
Status: enabled
PolicyName: wifey-bucket-policy
MemberOf: