mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
96 Commits 11 Branches 205 Tags
438211199d14f2c7647770187f331ec767821cef
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Lenin Alevski 438211199d LDAP authentication support for MCS (#114) 
This PR adds ldap authentication support for mcs based on
https://github.com/minio/minio/blob/master/docs/sts/ldap.md

How to test:

```
$ docker run --rm -p 389:389 -p 636:636 --name my-openldap-container
--detach osixia/openldap:1.3.0
```

Run the `billy.ldif` file using `ldapadd` command to create a new user
and assign it to a group.

```
$ cat > billy.ldif << EOF
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/billy
uidNumber: 14583102
gidNumber: 14564100
userPassword: {SSHA}j3lBh1Seqe4rqF1+NuWmjhvtAni1JC5A
mail: billy@example.org
gecos: Billy User
dn: ou=groups,dc=example,dc=org
objectclass:organizationalunit
ou: groups
description: generic groups branch
of s3::*)
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
gidNumber: 678
dn: cn=mcsAdmin,ou=groups,dc=example,dc=org
changetype: modify
add: memberuid
memberuid: billy
EOF

$ docker cp billy.ldif
my-openldap-container:/container/service/slapd/assets/test/billy.ldif
$ docker exec my-openldap-container ldapadd -x -D
"cn=admin,dc=example,dc=org" -w admin -f
/container/service/slapd/assets/test/billy.ldif -H ldap://localhost -ZZ
```

Query the ldap server to check the user billy was created correctly and
got assigned to the mcsAdmin group, you should get a list
containing ldap users and groups.

```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```

Query the ldap server again, this time filtering only for the user
`billy`, you should see only 1 record.

```
$ docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b
uid=billy,dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
```

Change the password for user billy

Set the new password for `billy` to `minio123` and enter `admin` as the
default `LDAP Password`

```
$ docker exec -it my-openldap-container /bin/bash
ldappasswd -H ldap://localhost -x -D "cn=admin,dc=example,dc=org" -W
-S "uid=billy,dc=example,dc=org"
New password:
Re-enter new password:
Enter LDAP Password:
```

Add the mcsAdmin policy to user billy on MinIO

```
$ cat > mcsAdmin.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "admin:*"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
$ mc admin policy set myminio mcsAdmin user=billy
```

Run MinIO

```
export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
export MINIO_IDENTITY_LDAP_SERVER_ADDR='localhost:389'
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT='uid=%s,dc=example,dc=org'
export
MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER='(|(objectclass=posixAccount)(uid=%s))'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
export MINIO_IDENTITY_LDAP_SERVER_INSECURE=on
./minio server ~/Data
```

Run MCS

```
export MCS_ACCESS_KEY=minio
export MCS_SECRET_KEY=minio123
...
export MCS_LDAP_ENABLED=on
./mcs server
```
2020-05-12 10:26:38 -07:00
.github/workflows
update golangci-lint to v1.24 on github workflow (#40)
2020-04-06 16:04:18 -07:00
cmd/mcs
add support for mcs build to trim gopaths (#60)
2020-04-09 11:29:49 -07:00
models
Add list and delete service accounts api (#91)
2020-05-04 15:48:38 -07:00
pkg
LDAP authentication support for MCS (#114)
2020-05-12 10:26:38 -07:00
portal-ui
Fixed delete bucket event functionality (#109)
2020-05-09 10:16:15 -07:00
restapi
LDAP authentication support for MCS (#114)
2020-05-12 10:26:38 -07:00
.dockerignore
MinIO CLI and Releaser. (#31)
2020-04-06 11:27:43 -07:00
.gitignore
Add Create Service Account api (#72)
2020-04-29 18:28:28 -07:00
.golangci.yml
Lint file
2020-04-01 18:33:40 -07:00
.goreleaser.yml
MinIO CLI and Releaser. (#31)
2020-04-06 11:27:43 -07:00
bindata_assetfs.go
Intial Commit Migrating from github.com/minio/m3
2020-04-01 18:18:57 -07:00
code_of_conduct.md
add code of conduct, contributing and security guidelines (#61)
2020-04-09 12:04:15 -07:00
CONTRIBUTING.md
add code of conduct, contributing and security guidelines (#61)
2020-04-09 12:04:15 -07:00
CREDITS
add CREDITS file (#93)
2020-05-04 15:41:16 -07:00
DEVELOPMENT.md
LDAP authentication support for MCS (#114)
2020-05-12 10:26:38 -07:00
Dockerfile
MinIO CLI and Releaser. (#31)
2020-04-06 11:27:43 -07:00
Dockerfile.release
MinIO CLI and Releaser. (#31)
2020-04-06 11:27:43 -07:00
go.mod
Add list and delete service accounts api (#91)
2020-05-04 15:48:38 -07:00
go.sum
LDAP authentication support for MCS (#114)
2020-05-12 10:26:38 -07:00
LICENSE
Add license file
2020-04-01 21:56:04 -07:00
Makefile
idp integration for mcs (#75)
2020-05-01 08:38:52 -07:00
NOTICE
Rename NOTICE and generate as mcs
2020-04-01 21:54:57 -07:00
package-lock.json
Users List & Creation (#4)
2020-04-02 11:36:37 -07:00
README.md
Connect MCS with Minio insecure TLS/Custom CAs (#102)
2020-05-08 17:11:47 -07:00
SECURITY.md
add code of conduct, contributing and security guidelines (#61)
2020-04-09 12:04:15 -07:00
swagger.yml
Add list and delete service accounts api (#91)
2020-05-04 15:48:38 -07:00
yarn.lock
Users List & Creation (#4)
2020-04-02 11:36:37 -07:00

README.md

Minio Console Server

A graphical user interface for MinIO

Setup

All mcs needs is a MinIO user with admin privileges and URL pointing to your MinIO deployment.

Note: We don't recommend using MinIO's Operator Credentials

  1. Create a user for mcs using mc.
$ set +o history
$ mc admin user add myminio mcs YOURMCSSECRET
$ set -o history
  1. Create a policy for mcs
$ cat > mcsAdmin.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "admin:*"
      ],
      "Effect": "Allow",
      "Sid": ""
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Sid": ""
    }
  ]
}
EOF
$ mc admin policy add myminio mcsAdmin mcsAdmin.json
  1. Set the policy for the new mcs user
$ mc admin policy set myminio mcsAdmin user=mcs

Run MCS server

To run the server:

export MCS_HMAC_JWT_SECRET=YOURJWTSIGNINGSECRET

#required to encrypt jwet payload
export MCS_PBKDF_PASSPHRASE=SECRET

#required to encrypt jwet payload
export MCS_PBKDF_SALT=SECRET

export MCS_ACCESS_KEY=mcs
export MCS_SECRET_KEY=YOURMCSSECRET
export MCS_MINIO_SERVER=http://localhost:9000
./mcs server

Connect MCS to a Minio using TLS and a self-signed certificate

...
export MCS_MINIO_SERVER_TLS_SKIP_VERIFICATION=on
export MCS_MINIO_SERVER=https://localhost:9000
./mcs server

You can verify that the apis work by doing the request on localhost:9090/api/v1/...

Contribute to mcs Project

Please follow mcs Contributor's Guide

Description
No description provided
Readme AGPL-3.0 790 MiB
Languages
JavaScript 84.7%
TypeScript 7.7%
Go 7.1%
Shell 0.3%
Makefile 0.1%