1. Introduction
MinIO officially supports two ways of plugging in third-party logins:
- OIDC: any identity provider that speaks OpenID Connect, for example Okta, KeyCloak, Dex, Google or Facebook, used to manage user identities externally.
- LDAP
2. Generate the credentials in the Google console
{
  "web": {
    "client_id": "123456",
    "project_id": "test",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "abcd123",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "redirect_uris": [
      "https://minio/oauth_callback"
    ],
    "javascript_origins": [
      "https://minio"
    ]
  }
}
3. Install MinIO
MinIO is installed into Kubernetes with Helm here; the installation itself is not described.
Fetch the Helm chart:
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm fetch bitnami/minio --version 11.3.2
Edit values.yaml and set the relevant parameters:
extraEnvVars:
  - name: MINIO_IDENTITY_OPENID_CLIENT_ID
    value: "123456"
  - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
    value: "abcd123"
  - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
    value: "https://minio/oauth_callback"
  - name: MINIO_IDENTITY_OPENID_SCOPES
    value: "openid,email,profile"
  - name: MINIO_IDENTITY_OPENID_CONFIG_URL
    value: "https://accounts.google.com/.well-known/openid-configuration"
  - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
    value: email
Notes:
- MINIO_IDENTITY_OPENID_REDIRECT_URI: the callback URL
- MINIO_IDENTITY_OPENID_CONFIG_URL: simply point this at Google's OpenID discovery document
- MINIO_IDENTITY_OPENID_CLAIM_NAME: the key setting. It names the field in the claims returned by the OpenID provider (https://developers.google.com/identity/protocols/oauth2/openid-connect) whose value is used to bind the default policy (email is used here).
4. Create the default policy
Policy file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::test/**"
      ]
    }
  ]
}
Create the policy (the policy name is the value of the email claim):
$ mc admin policy add test abc@test.com minio-acces-policy.json
5. Open the web UI. It redirects to Google's login; sign in with the abc@test.com mailbox and the policy above is bound automatically.
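The two pieces a practitioner wants to check before going live are (a) which value MinIO will actually read from the ID token as the policy name, given MINIO_IDENTITY_OPENID_CLAIM_NAME, and (b) whether the policy file handed to mc admin policy add is well-formed and scoped to one bucket. The following is an added example written for this page, not MinIO's own code; the token claims are constructed, the policy document is the one from step 4, and the email_verified check is an extra precaution this example assumes rather than something MinIO enforces.

```python
import json

# Constructed claims resembling a Google ID token payload (not a real token).
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "000000000000000000000",  # constructed placeholder subject id
    "email": "abc@test.com",
    "email_verified": True,
    "name": "Example User",
}

# The policy document from step 4 of the post.
MINIO_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::test/**"]
    }
  ]
}"""

# Constructed variant with the Statement object left unclosed, the kind of
# defect that only shows up when mc rejects the file.
BROKEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::test/**"]
  ]
}"""


def policy_name_from_claims(claims, claim_name="email"):
    """Return the value MinIO would use as the policy name, or None.

    MinIO looks up the claim named by MINIO_IDENTITY_OPENID_CLAIM_NAME and
    treats its value as the policy name; no claim (or no matching policy)
    means the login gets no permissions. Returning None models that outcome.
    """
    value = claims.get(claim_name)
    if not isinstance(value, str) or not value:
        return None
    # Assumed extra check for this example: only trust an address the IdP
    # has marked as verified, so an unverified address cannot claim a policy.
    if claim_name == "email" and claims.get("email_verified") is not True:
        return None
    return value


def validate_policy(text):
    """Return a list of problems in an S3-style policy document; [] means OK."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be '2012-10-17'")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        for key in ("Effect", "Action", "Resource"):
            if key not in st:
                problems.append(f"statement {i}: missing {key}")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            # A default policy bound to every OIDC user should be bucket-scoped.
            if r in ("*", "arn:aws:s3:::*"):
                problems.append(f"statement {i}: Resource grants access to every bucket")
    return problems


if __name__ == "__main__":
    name = policy_name_from_claims(SAMPLE_CLAIMS, "email")
    print("policy name MinIO will look up:", name)
    print("policy file problems:", validate_policy(MINIO_POLICY) or "none")
    print("broken file problems:", validate_policy(BROKEN_POLICY))
```

Run validate_policy over the file before mc admin policy add, and compare policy_name_from_claims against the policy name you created: if the claim value and the policy name differ even by case, the user logs in with no permissions.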
6. Summary
Shortcomings:
- Once Google OpenID login is enabled, the default admin user can no longer log in
- Because the information in the JWT returned by Google is limited, default policies can only be bound per mailbox and cannot be defined ahead of time