1.简介
minio官方提供二种第三方登录接入方法:
- OIDC: 所有支持open api v2的认证体系,例如 Okta、KeyCloak、Dex、Google 或 Facebook,用于用户身份的外部管理。
- LDAP
2.在google后台生成相关认证信息
{
"web":{
"client_id":"123456",
"project_id":"test",
"auth_uri":"https://accounts.google.com/o/oauth2/auth",
"token_uri":"https://oauth2.googleapis.com/token",
"client_secret":"abcd123",
"auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs",
"redirect_uris":[
"https://minio/oauth_callback"
],
"javascript_origins":[
"https://minio"
]
}
}
3.安装minio
这里使用helm安装到k8s中,安装方法就不列出。
获取helm chart
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm fetch bitnami/minio --version 11.3.2
修改values.yaml,配置相关参数信息
extraEnvVars:
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
value: "123456"
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
value: "abcd123"
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: "https://minio/oauth_callback"
- name: MINIO_IDENTITY_OPENID_SCOPES
value: "openid,email,profile"
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: "https://accounts.google.com/.well-known/openid-configuration"
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: email
说明:
- MINIO_IDENTITY_OPENID_REDIRECT_URI:回调URL
- MINIO_IDENTITY_OPENID_CONFIG_URL:直接配置成google openapi的配置URL即可
- MINIO_IDENTITY_OPENID_CLAIM_NAME:重点,(取open api返回的字段中内容)[https://developers.google.com/identity/protocols/oauth2/openid-connect],来绑定默认策略(比如这里用的email)
4.创建默认策略
策略文件:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::test/**"
]
]
}
创建策略
$ mc admin policy add test abc@test.com minio-acces-policy.json
5.打开Web界面,跳转到google auth,使用abc@test.com邮箱登陆,就会自动绑定上述策略。
6.总结
不足之处:
- 当开启google openid登陆后,默认的admin user就无法登陆了
- 因为google jwt返回的信息有限,导致默认策略只能以邮箱为单位,无法提前定义
网友评论