Parameter definition for file upload on swagger.yaml was removed
since go-swagger doesn't support multiple upload of files. Implementation
was done instead on user_objects.go file.
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
- Update Create Tenant Wizard to support configuring multiple TLS Certificates
- Enable support for both autocert and custom certs when creating a tenant
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
Implemented Log Search API & Prometheus functionality in console, also fixed minor issues in all the platform
Co-authored-by: Benjamin Perez <benjamin@bexsoft.net>
Operator UI - Provide and store License key
- New License section in Operator UI will allow user to provide the
license key via input form
- New License section in Operator UI will allow the user to fetch the
license key using subnet credentials
- Console backend has to verify provided license is valid -
https://godoc.org/github.com/minio/minio/pkg/licverifier#example-package
- Console backend has to store the license key in k8s secrets
Operator UI - Set license to tenant during provisioning
- Check if license key exists in k8s secret during tenant creation
- If License is present attach the license-key jwt to the new console
tenant via an environment variable
Operator UI - Set license for an existing tenant
- Tenant view will display information about the current status of the
Tenant License
- If Tenant doesn't have a License then Operator-UI will allow to attach
new license by clicking the Add License button
- Console backend will extract the license from the k8s secret and save
the license-key jwt in the tenant console environment variable and
redeploy
- Account change password endpoints
- Change account password modal
- Grouped account settings and service accounts
- Removed the SuperAdmin credentials from almost all places, only
missing place is Oauth login
- Renamed service-accounts UI labels to account in Menu
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
* Move heal and watch to tenant details view on operator-ui
* TLS skip verify in wss/watch endpoint
Use insecure: true in the meantime so the wss/watch endpoint works while
we add support for custotm TLS transport in the S3 client library.
Removed "InsecureSkipVerify: true" from s3AdminClient and s3Client HTTP clients
- We preserve the insecure parameter in the `newS3Config` and `NewAdminClientWithInsecure` functions for debugging and testing purposes.
- By default InsecureSkipVerify is false, therefore in order for Operator-Console to verify the TLS connections to MinIO tenants with self-signed certificates it requires the `ca.crt` or the `public.crt` of the tenant to exists under `~/.console/certs/CAs` which is the right way to do it.
Co-authored-by: Cesar Nieto <ces.nietor@gmail.com>
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
Use insecure: true in the meantime so the wss/watch endpoint works while
we add support for custotm TLS transport in the S3 client library.
Removed "InsecureSkipVerify: true" from s3AdminClient and s3Client HTTP clients
- If MinIO is configured with LDAP then users and groups are external, and
the credentials provided in the CONSOLE_ACCESS_KEY and
CONSOLE_SECRET_KEY env vars will belong to an existing user in the active
directory, therefore we need to authenticate first with
`credentials.NewLDAPIdentity`
- Fixed race condition bug in which TLS RootCAs certs were not loading
correctly (certPool was always null)
- Fixed TLS bug in which if Console was deployed without TLS enabled
RootCAs certs were not loading
- Initialize LDAP Admin credentials once
- Initialize stsClient once
Previously cookie path was set to Path="/api", this was a performance
improvement to tell the browser to send the cookie only to request with
that prefix, however also consume endpoints on Path="/ws", since rfc6265
doesnt support multiple paths or regular expressions in the path field
of a cookie we are back to use Path="/" which means send the cookie to
all request under the current domain.
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
- Added support for cookie authentication (authorization header will have priority)
- Removed local storage token management from UI
- cookie hardening (sameSite, httpOnly, secure)
- login endpoint sets cookie via header, logout endpoint expires cookie
- Refactor Routes and ProtectedRoutes components, improvement on the way
application check if user session is valid
Future improvements
- look for all places in backend that returns 401 unauthorized, and destroy session there (not a priority since cookie its invalid anyway)
- Downloading objects in object browser can be simplified since is just a GET request and users will be authenticated via Cookies, no need to craft additional requests
