MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 21:02:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat: Deprecate embedded browser and import console (#12460)

Browse Source 
This feature also changes the default port where
the browser is running, now the port has moved
to 9001 and it can be configured with

```
--console-address ":9001"
```
This commit is contained in:
Harshavardhana
2021-06-17 20:27:04 -07:00
committed by GitHub
parent ef99438695
commit cdeccb5510
264 changed files with 2034 additions and 59009 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/sts/README.md
View File

@@ -92,11 +92,10 @@ This will open the login page of keycloak, upon successful login, STS credential
These credentials can now be used to perform MinIO API operations.
### Using MinIO Browser
### Using MinIO Console
- Open MinIO URL on the browser, lets say http://localhost:9000
- Click on `Log in with OpenID`
- Provide `Client ID` and press ENTER, if `client_id` is already configured for MinIO this page will automatically redirect to Keycloak user login page.
- Open MinIO URL on the browser, lets say http://localhost:9000/
- Click on `Login with SSO`
- User will be redirected to the Keycloak user login page, upon successful login the user will be redirected to MinIO page and logged in automatically,
the user should see now the buckets and objects they have access to.

17
docs/sts/assume-role.md
View File

@@ -1,22 +1,5 @@
# AssumeRole [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
**Table of Contents**
- [Introduction](#introduction)
- [API Request Parameters](#api-request-parameters)
- [Version](#version)
- [AUTHPARAMS](#authparams)
- [DurationSeconds](#durationseconds)
- [Policy](#policy)
- [Response Elements](#response-elements)
- [Errors](#errors)
- [Sample `POST` Request](#sample-post-request)
- [Sample Response](#sample-response)
- [Using AssumeRole API](#using-assumerole-api)
- [Explore Further](#explore-further)
<!-- markdown-toc end -->
## Introduction
Returns a set of temporary security credentials that you can use to access MinIO resources. AssumeRole requires authorization credentials for an existing user on MinIO. The advantages of this API are

15
docs/sts/client-grants.md
View File

@@ -1,20 +1,5 @@
# AssumeRoleWithClientGrants [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
**Table of Contents**
- [Introduction](#introduction)
- [API Request Parameters](#api-request-parameters)
- [Token](#token)
- [Version](#version)
- [DurationSeconds](#durationseconds)
- [Policy](#policy)
- [Response Elements](#response-elements)
- [Errors](#errors)
- [Sample `POST` Request](#sample-post-request)
- [Sample Response](#sample-response)
- [Using ClientGrants API](#using-clientgrants-api)
- [Explore Further](#explore-further)
## Introduction
Returns a set of temporary security credentials for applications/clients who have been authenticated through client credential grants provided by identity provider. Example providers include KeyCloak, Okta etc.

7
docs/sts/keycloak.md
View File

@@ -114,11 +114,10 @@ This will open the login page of keycloak, upon successful login, STS credential
These credentials can now be used to perform MinIO API operations.
### Using MinIO Browser
### Using MinIO Console
- Open MinIO URL on the browser, lets say http://localhost:9000
- Click on `Log in with OpenID`
- Provide `Client ID` and press ENTER, if `client_id` is already configured for MinIO this page will automatically redirect to Keycloak user login page.
- Open MinIO URL on the browser, lets say http://localhost:9000/
- Click on `Login with SSO`
- User will be redirected to the Keycloak user login page, upon successful login the user will be redirected to MinIO page and logged in automatically,
the user should see now the buckets and objects they have access to.

27
docs/sts/ldap.md
View File

@@ -1,29 +1,5 @@
# AssumeRoleWithLDAPIdentity [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
**Table of Contents**
- [AssumeRoleWithLDAPIdentity [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)](#assumerolewithldapidentity-slackhttpsslackminioslacktypesvghttpsslackminio)
- [Introduction](#introduction)
- [Configuring AD/LDAP on MinIO](#configuring-adldap-on-minio)
- [Supported modes of operation](#supported-modes-of-operation)
- [Lookup-Bind Mode](#lookup-bind-mode)
- [Username-Format Mode](#username-format-mode)
- [Group membership search](#group-membership-search)
- [Variable substitution in AD/LDAP configuration strings](#variable-substitution-in-adldap-configuration-strings)
- [Managing User/Group Access Policy](#managing-usergroup-access-policy)
- [API Request Parameters](#api-request-parameters)
- [LDAPUsername](#ldapusername)
- [LDAPPassword](#ldappassword)
- [Version](#version)
- [Policy](#policy)
- [Response Elements](#response-elements)
- [Errors](#errors)
- [Sample `POST` Request](#sample-post-request)
- [Sample Response](#sample-response)
- [Using LDAP STS API](#using-ldap-sts-api)
- [Caveats](#caveats)
- [Explore Further](#explore-further)
## Introduction
MinIO provides a custom STS API that allows integration with LDAP based corporate environments including Microsoft Active Directory. The MinIO server can be configured in two possible modes: either using a LDAP separate service account, called lookup-bind mode or in username-format mode. In either case the login flow for a user is the same as the STS flow:
@@ -252,9 +228,6 @@ $ go run ldap.go -u foouser -p foopassword
}
```
## Caveats
**LDAP STS credentials are not yet supported on MinIO Browser UI, we may add this feature in future releases.**
## Explore Further
- [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)
- [The MinIO documentation website](https://docs.min.io)

4
docs/sts/web-identity.go
View File

@@ -136,7 +136,7 @@ func main() {
AuthURL: ddoc.AuthEndpoint,
TokenURL: ddoc.TokenEndpoint,
},
RedirectURL: fmt.Sprintf("http://localhost:%d/oauth2/callback", port),
RedirectURL: fmt.Sprintf("http://10.0.0.67:%d/oauth2/callback", port),
Scopes: scopes,
}
@@ -223,7 +223,7 @@ func main() {
w.Write(c)
})
address := fmt.Sprintf("localhost:%v", port)
address := fmt.Sprintf(":%v", port)
log.Printf("listening on http://%s/", address)
log.Fatal(http.ListenAndServe(address, nil))
}

26
docs/sts/web-identity.md
View File

@@ -1,22 +1,5 @@
# AssumeRoleWithWebIdentity [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)
**Table of Contents**
- [Introduction](#introduction)
- [API Request Parameters](#api-request-parameters)
- [WebIdentityToken](#webidentitytoken)
- [Version](#version)
- [DurationSeconds](#durationseconds)
- [Policy](#policy)
- [Response Elements](#response-elements)
- [Errors](#errors)
- [Sample `POST` Request](#sample-post-request)
- [Sample Response](#sample-response)
- [Using WebIdentity API](#using-webidentity-api)
- [Authorization Flow](#authorization-flow)
- [Using MinIO Browser](#using-minio-browser)
- [Explore Further](#explore-further)
## Introduction
Calling AssumeRoleWithWebIdentity does not require the use of MinIO default credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including MinIO default credentials in the application. Instead, the identity of the caller is validated by using a JWT access token from the web identity provider. The temporary security credentials returned by this API consists of an access key, a secret key, and a security token. Applications can use these temporary security credentials to sign calls to MinIO API operations.
@@ -141,8 +124,8 @@ $ go run web-identity.go -cid 204367807228-ok7601k6gj1pgge7m09h7d79co8p35xx.apps
- Once obtained the JWT id_token is further sent to STS endpoint i.e MinIO to retrive temporary credentials.
- Temporary credentials are displayed on the browser upon successful retrieval.
## Using MinIO Browser
To support WebIdentity login on MinIO Browser, set openid configuration and restart MinIO
## Using MinIO Console
To support WebIdentity based login for MinIO Console, set openid configuration and restart MinIO
```
mc admin config set myminio identity_openid config_url="<CONFIG_URL>" client_id="<client_identifier>"
@@ -158,10 +141,9 @@ Sample URLs for Keycloak are
JWT token returned by the Identity Provider should include a custom claim for the policy, this is required to create a STS user in MinIO. The name of the custom claim could be either `policy` or `<NAMESPACE_PREFIX>policy`. If there is no namespace then `claim_prefix` can be ingored. For example if the custom claim name is `https://min.io/policy` then, `claim_prefix` should be set as `https://min.io/`.
- Open MinIO Browser and click `Log in with OpenID`
- Enter the `Client ID` obtained from Identity Provider and press ENTER, if not you can set a `client_id` on server to avoid this step.
- Open MinIO Console and click `Login with SSO`
- The user will be redirected to the Identity Provider login page
- Upon successful login on Identity Provider page the user will be automatically logged into MinIO Browser
- Upon successful login on Identity Provider page the user will be automatically logged into MinIO Console.
## Explore Further
- [MinIO Admin Complete Guide](https://docs.min.io/docs/minio-admin-complete-guide.html)