Add OPA doc and remove deprecation marking (#14863)

This commit is contained in:
Aditya Manthramurthy 2022-05-04 23:53:42 -07:00 committed by GitHub
parent bcdaa09c75
commit 2b7e75e079
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 85 additions and 3 deletions

View File

@ -108,7 +108,7 @@ func initHelp() {
}, },
config.HelpKV{ config.HelpKV{
Key: config.PolicyOPASubSys, Key: config.PolicyOPASubSys,
Description: "[DEPRECATED] enable external OPA for policy enforcement", Description: "enable external OPA for policy enforcement",
}, },
config.HelpKV{ config.HelpKV{
Key: config.APISubSys, Key: config.APISubSys,

82
docs/sts/opa.md Normal file
View File

@ -0,0 +1,82 @@
# OPA Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)
OPA is a lightweight general-purpose policy engine that can be co-located with MinIO server, in this document we talk about how to use OPA HTTP API to authorize requests. It can be used with any type of credentials (STS based like OpenID or LDAP, regular IAM users or service accounts).
## Get started
### 1. Start OPA in a container
```sh
podman run -it \
--name opa \
--publish 8181:8181 \
docker.io/openpolicyagent/opa:0.40.0-rootless \
run --server \
--log-format=json-pretty \
--log-level=debug \
--set=decision_logs.console=true
```
### 2. Create a sample OPA Policy
In another terminal, create a policy that allows root user all access and for all other users denies `PutObject`:
```sh
cat > example.rego <<EOF
package httpapi.authz
import input
default allow = false
# Allow the root user to perform any action.
allow {
input.owner == true
}
# All other users may do anything other than call PutObject
allow {
input.action != "s3:PutObject"
input.owner == false
}
EOF
```
Then load the policy via OPA's REST API.
```
curl -X PUT --data-binary @example.rego \
localhost:8181/v1/policies/putobject
```
### 4. Setup MinIO with OPA
Set the `MINIO_POLICY_OPA_URL` as the endpoint that MinIO should send authorization requests to. Then start the server.
```sh
export MINIO_POLICY_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
export MINIO_CI_CD=1
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
minio server /mnt/data
```
### 5. Test with a regular IAM user
Ensure that `mc` is installed and the configured with the above server with the alias `myminio`.
```sh
# 1. Create a bucket and a user, and upload a file. These operations will succeed.
mc mb myminio/test
mc admin user add myminio foo foobar123
mc cp /etc/issue myminio/test/
# 2. Now access the server as user `foo`. These operations will also succeed.
export MC_HOST_foo=http://foo:foobar123@localhost:9000
mc ls foo/test
mc cat foo/test/issue
# 3. Attempt to upload an object as user `foo` - this will fail with a permissions error.
mc cp /etc/issue myminio/test/issue2
```
## Explore Further
- [MinIO STS Quickstart Guide](https://docs.minio.io/docs/minio-sts-quickstart-guide)
- [The MinIO documentation website](https://docs.minio.io)

View File

@ -28,13 +28,13 @@ var (
Help = config.HelpKVS{ Help = config.HelpKVS{
config.HelpKV{ config.HelpKV{
Key: URL, Key: URL,
Description: `[DEPRECATED] OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"` + defaultHelpPostfix(URL), Description: `OPA HTTP(s) endpoint e.g. "http://localhost:8181/v1/data/httpapi/authz/allow"` + defaultHelpPostfix(URL),
Type: "url", Type: "url",
Sensitive: true, Sensitive: true,
}, },
config.HelpKV{ config.HelpKV{
Key: AuthToken, Key: AuthToken,
Description: "[DEPRECATED] authorization token for OPA endpoint" + defaultHelpPostfix(AuthToken), Description: "authorization token for OPA endpoint" + defaultHelpPostfix(AuthToken),
Optional: true, Optional: true,
Type: "string", Type: "string",
Sensitive: true, Sensitive: true,