minio: expand on user management, policies and bucket creation

## Accessing the web interface

To see if the service works, you can connect to the admin interface

through <https://localhost:9090> (TODO: use real IP/hostname

here?) with a normal web browser. The username is `admin` and the

password is in `/etc/default/minio` on the server (currently

`minio-01`).

through <http://localhost:9090> (TODO: use real IP/hostname

here?) with a normal web browser.

The username is `admin` and the password is in `/etc/default/minio` on

the server (currently `minio-01`). You should use that account only to

create or manage other, normal user accounts with lesser access

policies. See [authentication](#authentication) for details.

## Configuring the local mc client

You *must* use the web interface (above) to create a first access

key.

key for the admin user.

This was done through the web interface, and then the access key was

recorded on the UNIX `root` account with:

above configuration will make further commands possible, see for

example [creating a bucket](#creating-a-bucket).

## Creating a user

To create a new user, you can use the `mc` client configured

above. Here, for example, we create a `gitlab` user:

    podman run -v /root/.mc:/root/.mc --rm -it quay.io/minio/mc admin user add admin/gitlab

By default, a user has no privileges. You can grant it access by

attaching a policy, see below.

## Defining and grand an access policy

The [default policies](https://min.io/docs/minio/container/administration/identity-access-management/policy-based-access-control.html#built-in-policies) are quite broad and give access to *all*

buckets on the server, which is almost as the admin user except for

the [admin:* namespace](https://min.io/docs/minio/container/administration/identity-access-management/policy-based-access-control.html#policy-action.admin). So we need to make a bucket policy. First

create a file with this JSON content:

    {

      "Version": "2012-10-17",

      "Statement": [

        {

          "Action": [

                "s3:*"

            ],

          "Effect": "Allow",

          "Resource": [

            "arn:aws:s3:::gitlab/*", "arn:aws:s3:::gitlab"

          ],

          "Sid": "BucketAccessForUser"

        }

      ]

    }

This was inspired by  [Jai Shri Ram's Minio Bucket Policy Notes](https://blog.nikhilbhardwaj.in/2020/02/25/minio-bucket-policy/),

but we actually grant all `s3:*` privileges on the given `gitlab`

bucket space, as we want the `gitlab` user to be able to create

buckets and manage their policies.

That policy needs to be fed to MinIO using the web interface or `mc`

with:

    podman run -v /root/.mc:/root/.mc --rm -it quay.io/minio/mc admin policy add admin gitlab-bucket-policy gitlab-bucket-policy.json

Then the policy can be attached an existing user with, for example:

    podman run -v /root/.mc:/root/.mc --rm -it quay.io/minio/mc admin policy attach admin gitlab-bucket-policy --user=gitlab

## Creating an access key

To create an access key, you should login the web interface with a

normal user (*not* `admin`, [authentication](#authentication) for details) and

create a key in the "Access Keys" tab.

An access key can be created for another user (below `gitlab`) on the

commandline with:

    podman run -v /root/.mc:/root/.mc --rm -it quay.io/minio/mc admin user svcacct add admin gitlab

This will display the credentials in plain text on the terminal, so

watch out for shoulder surfing. The key will inherit the policies

established above for the user.

If you have just created a user, you might want to add an alias for

that user on the server as well, so that future operations can be done

through that user instead of `admin`, for example:

    podman run -v /root/.mc:/root/.mc --rm -it quay.io/minio/mc alias set gitlab http://minio-01.torproject.org:9000

## Creating a bucket

A bucket can be created on a MinIO server using the `mc` commandline

You should also see the bucket in the web interface.

Here's another example, where we create a `gitlab/registry` bucket

under the `gitlab` account:

    podman run -v /root/.mc:/root/.mc --rm -it quay.io/minio/mc mb gitlab/gitlab/registry

## Password resets

MinIO is primarily access through access tokens, issued to users. To

create a new access token, you need a user account.

If that password is lost, you should follow one of two procedures,

depending on whether you need access to the main administrator account

(`admin`, which is the one who can grant access to other accounts) or

a normal user account.

### Normal user

To reset the password on a normal user, you must login through the web

interface; it doesn't seem possible to reset the password on a normal

user through the `mc` command.

### Admin user

The admin user password is set in `/etc/default/minio`. It can be

changed by following a part of the [installation instructions](#installation),

namely:

    PASSWORD=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 32)

    echo "MINIO_ROOT_PASSWORD=$PASSWORD" > /etc/default/minio

    chmod 600 /etc/default/minio

... and then restarting the service:

    systemctl restart container-minio.service

## Pager playbook

### Restarting the service

an access token saved in `/root/.mc` that can be used with the `mc`

commandline client, see the [tests section](#tests) for details.

The `admin` user MUST only be used to manage other user accounts, as

an access key leakage would be catastrophic. Access keys basically

impersonate a user account, and while it's possible to have access

policies per token, we've made the decision to do access controls with

user accounts instead, as that seemed more straightforward.

The normal user accounts are typically accessed with tokens saved as

aliases on the main `minio-01` server. If that access is lost, you can

use the [password reset](#password-reset) procedures to recover.

## Implementation

MinIO is implemented in Golang. We deploy the Docker containers with