jbride/minio_integrations_quickstart

MinIO Integrations Quickstart

Table of Contents

• 1. Environment Variables
  • 1.1. Local (docker-compose)
• 2. Integration with Keycloak
  • 2.1. policy claim
  • 2.2. Minio Admin Console
  • 2.3. MinIO REST APIs secured using OAuth2
• 3. TO-DO

1. Environment Variables

1.1. Local (docker-compose)

1. For a local (docker-compose) environemnt, set the following environment variables in your shell with values similar to the following:

   export RHSSO_HOST=sso.local
   export RHSSO_URL=http://$RHSSO_HOST:4080
   export RHSSO_MASTER_PASSWD=admin
   export REALM_ID=ldap-demo
   export OAUTH_CLIENT_ID=minio-oauth                              # Used by application clients to the MinIO REST APIs
   export OIDC_CLIENT_ID=minio-oidc                                # Used to secure MinIO admin console
   export SSO_CLIENT_SECRET=avqeuje9yGOG37H1rbGm8I4qI7ht0ux1
   export ACCESS_TOKEN_URL="$RHSSO_URL/realms/$REALM_ID/protocol/openid-connect/token"
   export MINIO_ROUTE=http://localhost:9000

2. Add the following entry to your /etc/hosts:

   127.0.0.1   sso.local

2. Integration with Keycloak

This quickstart demonstrates Integration between MinIO and Keycloak.

Specifically, the MinIO admin console is secured using Authorization Code flow of OIDC. In addition, the MinIO REST APIs are secured using Client Credentials flow of OAuth2.

2.1. policy claim

The policy claim on each of the OAuth2 access token is utilized for authorization purposes in MinIO.

The value of the policy claim can be viewed as follows:

1. Retrieve an OAuth2 access token using OAuth2 Client Credentials flow :

   TKN=$(curl -X POST "$ACCESS_TOKEN_URL" \
               -H "Content-Type: application/x-www-form-urlencoded" \
               -d "client_id=$OAUTH_CLIENT_ID" \
               -d "client_secret=$SSO_CLIENT_SECRET" \
               -d "grant_type=client_credentials" \
               -d "scope=openid" \
               | sed 's/.*access_token":"//g' | sed 's/".*//g')
   
   $ echo $TKN

   Note	The value of the policy claim is set as a hard-coded value.

2. The value of policy claim can be viewed as follows:

   $ jq -R 'split(".") | .[1] | @base64d | fromjson' <<< $TKN | jq -r .policy
   
   
   consoleAdmin

3. Alternatively, you can also retrieve an OAuth2 access token using the OAuth2 Resource Owner Password Credentials flow configured on the client that will be used to secure the MinIO web console:

   TKN=$(curl -X POST "$ACCESS_TOKEN_URL" \
               -H "Content-Type: application/x-www-form-urlencoded" \
               -d "username=minioAdmin" \
               -d "password=minio" \
               -d "grant_type=password" \
               -d "client_id=$OIDC_CLIENT_ID" \
               -d "client_secret=$SSO_CLIENT_SECRET" \
               -d "scope=openid" \
               | sed 's/.*access_token":"//g' | sed 's/".*//g')
   
   $ echo $TKN

   Note	The value of the policy claim originates as an attribute on the minioAdmin user.

2.2. Minio Admin Console

1. Login using the following credentials:app-name:

   1. Username: minioAdmin

   2. Password: minio

2.3. MinIO REST APIs secured using OAuth2

Via the AssumeRoleWithWebIdentity API of Minio, a temporary access credential can be generated by exchanging for a JSON Web Token (issued by Keycloak).

This access credential can then be used by a client to access the MinIO REST APIs.

2.3.1. Command line test

1. Retrieve a token from the OAuth2 client-credentials enabled SSO client:

   TKN=$(curl -X POST "$ACCESS_TOKEN_URL" \
               -H "Content-Type: application/x-www-form-urlencoded" \
               -d "client_id=$OAUTH_CLIENT_ID" \
               -d "client_secret=$SSO_CLIENT_SECRET" \
               -d "grant_type=client_credentials" \
               -d "scope=openid" \
               | sed 's/.*access_token":"//g' | sed 's/".*//g')

   Note	This SSO client (as per $OAUTH_CLIENT_ID) is configured to allow Authentication with a service account.

2. Invoke the MinIO Security Token Service (STS) AssumeRoleWIthIdentity API endpoint to generate a temporary access credential using a JWT:app-name:

   curl -X POST "$MINIO_ROUTE" \
               -H "Content-Type: application/x-www-form-urlencoded" \
               -d "Action=AssumeRoleWithWebIdentity" \
               -d "WebIdentityToken=$TKN" \
               -d "Version=2011-06-15" \
               -d "DurationSeconds=86000"
   
   
   <?xml version="1.0" encoding="utf-8"?>
   <AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
   
     <AssumeRoleWithWebIdentityResult>
       <AssumedRoleUser>
         <Arn></Arn>
         <AssumeRoleId></AssumeRoleId>
       </AssumedRoleUser>
   
       ...
    </AssumeRoleWithWebIdentityResponse>

2.3.2. Web App test

1. Change directory to jdk-app

   $ cd jdk-app

2. Create and populate .env file in root of this project similar to the following:

   org.acme.minIOendpointUrl=http://127.0.0.1:9000
   org.acme.minIObucketName=xxxx
   org.acme.minIOobjectPath=/xxx/yyyy/zzz.jpeg
   org.acme.minIOobjectTags=type:photo,family:true,year:2022,numPeople:3
   
   # Service account
   #org.acme.minIOaccessKey=xxxx
   #org.acme.minIOsecretKey=xxxx
   
   # oauth client credentials
   org.acme.oauth.idpEndpoint=http://sso.local:4080/realms/ldap-demo/protocol/openid-connect/token
   org.acme.oauth.clientId=minio-oauth
   org.acme.oauth.clientSecret=xxxxx

3. Execute quarkus:dev

   $ mvn quarkus:dev

4. In a different shell, execute:

   $ curl -X PUT localhost:8080/minio/lifecycle

3. TO-DO

1. Versioning