fix: progagation of service accounts for site replication (#14054)

- Only non-root-owned service accounts are replicated for now. - Add integration tests for OIDC with site replication
2025-11-06 20:33:07 -05:00 · 2022-01-07 17:41:43 -08:00
parent 47e4a36d7e
commit 0a224654c2
8 changed files with 469 additions and 157 deletions
--- a/docs/site-replication/gen-oidc-sts-cred.go
+++ b/docs/site-replication/gen-oidc-sts-cred.go
@@ -0,0 +1,78 @@
+//go:build ignore
+// +build ignore
+
+// Copyright (c) 2015-2022 MinIO, Inc.
+//
+// This file is part of MinIO Object Storage stack
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package main
+
+// This programs mocks user interaction against Dex IDP and generates STS
+// credentials. It is for MinIO testing purposes only.
+//
+// Run like:
+//
+// $ MINIO_ENDPOINT=http://localhost:9000 go run gen-oidc-sts-cred.go
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+
+	cr "github.com/minio/minio-go/v7/pkg/credentials"
+	cmd "github.com/minio/minio/cmd"
+)
+
+func main() {
+	ctx := context.Background()
+
+	endpoint := os.Getenv("MINIO_ENDPOINT")
+	if endpoint == "" {
+		log.Fatalf("Please specify a MinIO server endpoint environment variable like:\n\n\texport MINIO_ENDPOINT=http://localhost:9000")
+	}
+
+	appParams := cmd.OpenIDClientAppParams{
+		ClientID:     "minio-client-app",
+		ClientSecret: "minio-client-app-secret",
+		ProviderURL:  "http://127.0.0.1:5556/dex",
+		RedirectURL:  "http://127.0.0.1:10000/oauth_callback",
+	}
+
+	oidcToken, err := cmd.MockOpenIDTestUserInteraction(ctx, appParams, "dillon@example.io", "dillon")
+	if err != nil {
+		log.Fatalf("Failed to generate OIDC token: %v", err)
+	}
+
+	webID := cr.STSWebIdentity{
+		Client:      &http.Client{},
+		STSEndpoint: endpoint,
+		GetWebIDTokenExpiry: func() (*cr.WebIdentityToken, error) {
+			return &cr.WebIdentityToken{
+				Token: oidcToken,
+			}, nil
+		},
+	}
+
+	value, err := webID.Retrieve()
+	if err != nil {
+		log.Fatalf("Expected to generate credentials: %v", err)
+	}
+
+	// Print credentials separated by colons:
+	fmt.Printf("%s:%s:%s\n", value.AccessKeyID, value.SecretAccessKey, value.SessionToken)
+}
--- a/docs/site-replication/run-multi-site-ldap.sh
+++ b/docs/site-replication/run-multi-site-ldap.sh
--- a/docs/site-replication/run-multi-site-oidc.sh
+++ b/docs/site-replication/run-multi-site-oidc.sh
@@ -0,0 +1,223 @@
+#!/usr/bin/env bash
+
+# shellcheck disable=SC2120
+exit_1() {
+    cleanup
+    exit 1
+}
+
+cleanup() {
+    echo "Cleaning up instances of MinIO"
+    pkill minio
+    pkill -9 minio
+    rm -rf /tmp/minio{1,2,3}
+}
+
+cleanup
+
+unset MINIO_KMS_KES_CERT_FILE
+unset MINIO_KMS_KES_KEY_FILE
+unset MINIO_KMS_KES_ENDPOINT
+unset MINIO_KMS_KES_KEY_NAME
+
+export MINIO_BROWSER=off
+export MINIO_ROOT_USER="minio"
+export MINIO_ROOT_PASSWORD="minio123"
+export MINIO_KMS_AUTO_ENCRYPTION=off
+export MINIO_PROMETHEUS_AUTH_TYPE=public
+export MINIO_KMS_SECRET_KEY=my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw=
+export MINIO_IDENTITY_OPENID_CONFIG_URL="http://localhost:5556/dex/.well-known/openid-configuration"
+export MINIO_IDENTITY_OPENID_CLIENT_ID="minio-client-app"
+export MINIO_IDENTITY_OPENID_CLIENT_SECRET="minio-client-app-secret"
+export MINIO_IDENTITY_OPENID_CLAIM_NAME="groups"
+export MINIO_IDENTITY_OPENID_SCOPES="openid,groups"
+
+export MINIO_IDENTITY_OPENID_REDIRECT_URI="http://127.0.0.1:10000/oauth_callback"
+minio server --address ":9001" --console-address ":10000" /tmp/minio1/{1...4} >/tmp/minio1_1.log 2>&1 &
+
+export MINIO_IDENTITY_OPENID_REDIRECT_URI="http://127.0.0.1:11000/oauth_callback"
+minio server --address ":9002" --console-address ":11000" /tmp/minio2/{1...4} >/tmp/minio2_1.log 2>&1 &
+
+export MINIO_IDENTITY_OPENID_REDIRECT_URI="http://127.0.0.1:12000/oauth_callback"
+minio server --address ":9003" --console-address ":12000" /tmp/minio3/{1...4} >/tmp/minio3_1.log 2>&1 &
+
+if [ ! -f ./mc ]; then
+    wget -O mc https://dl.minio.io/client/mc/release/linux-amd64/mc \
+        && chmod +x mc
+fi
+
+sleep 10
+
+export MC_HOST_minio1=http://minio:minio123@localhost:9001
+export MC_HOST_minio2=http://minio:minio123@localhost:9002
+export MC_HOST_minio3=http://minio:minio123@localhost:9003
+
+./mc admin replicate add minio1 minio2 minio3
+
+./mc admin policy add minio1 projecta ./docs/site-replication/rw.json
+sleep 5
+
+./mc admin policy info minio2 projecta >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "expecting the command to succeed, exiting.."
+    exit_1;
+fi
+./mc admin policy info minio3 projecta >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "expecting the command to succeed, exiting.."
+    exit_1;
+fi
+
+./mc admin policy remove minio3 projecta
+
+sleep 10
+./mc admin policy info minio1 projecta
+if [ $? -eq 0 ]; then
+    echo "expecting the command to fail, exiting.."
+    exit_1;
+fi
+
+./mc admin policy info minio2 projecta
+if [ $? -eq 0 ]; then
+    echo "expecting the command to fail, exiting.."
+    exit_1;
+fi
+
+./mc admin policy add minio1 projecta ./docs/site-replication/rw.json
+sleep 5
+
+# Generate STS credential with STS call to minio1
+STS_CRED=$(MINIO_ENDPOINT=http://localhost:9001 go run ./docs/site-replication/gen-oidc-sts-cred.go)
+
+MC_HOST_foo=http://${STS_CRED}@localhost:9001 ./mc ls foo
+if [ $? -ne 0 ]; then
+    echo "Expected sts credential to work, exiting.."
+    exit_1;
+fi
+
+sleep 2
+
+# Check that the STS credential works on minio2 and minio3.
+MC_HOST_foo=http://${STS_CRED}@localhost:9002 ./mc ls foo
+if [ $? -ne 0 ]; then
+    echo "Expected sts credential to work, exiting.."
+    exit_1;
+fi
+
+MC_HOST_foo=http://${STS_CRED}@localhost:9003 ./mc ls foo
+if [ $? -ne 0 ]; then
+    echo "Expected sts credential to work, exiting.."
+    exit_1;
+fi
+
+STS_ACCESS_KEY=$(echo ${STS_CRED} | cut -d ':' -f 1)
+
+# Create service account for STS user
+./mc admin user svcacct add minio2 $STS_ACCESS_KEY --access-key testsvc --secret-key testsvc123
+if [ $? -ne 0 ]; then
+    echo "adding svc account failed, exiting.."
+    exit_1;
+fi
+
+sleep 10
+
+./mc admin user svcacct info minio1 testsvc
+if [ $? -ne 0 ]; then
+    echo "svc account not mirrored, exiting.."
+    exit_1;
+fi
+
+./mc admin user svcacct info minio2 testsvc
+if [ $? -ne 0 ]; then
+    echo "svc account not mirrored, exiting.."
+    exit_1;
+fi
+
+./mc admin user svcacct rm minio1 testsvc
+if [ $? -ne 0 ]; then
+    echo "removing svc account failed, exiting.."
+    exit_1;
+fi
+
+sleep 10
+./mc admin user svcacct info minio2 testsvc
+if [ $? -eq 0 ]; then
+    echo "svc account found after delete, exiting.."
+    exit_1;
+fi
+
+./mc admin user svcacct info minio3 testsvc
+if [ $? -eq 0 ]; then
+    echo "svc account found after delete, exiting.."
+    exit_1;
+fi
+
+./mc mb minio1/newbucket
+
+sleep 5
+./mc stat minio2/newbucket
+if [ $? -ne 0 ]; then
+    echo "expecting bucket to be present. exiting.."
+    exit_1;
+fi
+
+./mc stat minio3/newbucket
+if [ $? -ne 0 ]; then
+    echo "expecting bucket to be present. exiting.."
+    exit_1;
+fi
+
+./mc cp README.md minio2/newbucket/
+
+sleep 5
+./mc stat minio1/newbucket/README.md
+if [ $? -ne 0 ]; then
+    echo "expecting object to be present. exiting.."
+    exit_1;
+fi
+
+./mc stat minio3/newbucket/README.md
+if [ $? -ne 0 ]; then
+    echo "expecting object to be present. exiting.."
+    exit_1;
+fi
+
+./mc rm minio3/newbucket/README.md
+sleep 5
+
+./mc stat minio2/newbucket/README.md
+if [ $? -eq 0 ]; then
+    echo "expected file to be deleted, exiting.."
+    exit_1;
+fi
+
+./mc stat minio1/newbucket/README.md
+if [ $? -eq 0 ]; then
+    echo "expected file to be deleted, exiting.."
+    exit_1;
+fi
+
+./mc mb --with-lock minio3/newbucket-olock
+sleep 5
+
+enabled_minio2=$(./mc stat --json minio2/newbucket-olock| jq -r .metadata.ObjectLock.enabled)
+if [ $? -ne 0 ]; then
+    echo "expected bucket to be mirrored with object-lock but not present, exiting..."
+    exit_1;
+fi
+
+if [ "${enabled_minio2}" != "Enabled" ]; then
+    echo "expected bucket to be mirrored with object-lock enabled, exiting..."
+    exit_1;
+fi
+
+enabled_minio1=$(./mc stat --json minio1/newbucket-olock| jq -r .metadata.ObjectLock.enabled)
+if [ $? -ne 0 ]; then
+    echo "expected bucket to be mirrored with object-lock but not present, exiting..."
+    exit_1;
+fi
+
+if [ "${enabled_minio1}" != "Enabled" ]; then
+    echo "expected bucket to be mirrored with object-lock enabled, exiting..."
+    exit_1;
+fi