# MinIO Keycloak Integration Guide

Complete guide for integrating MinIO with Keycloak for SSO authentication.

## 🎯 Overview

MinIO supports OpenID Connect (OIDC) authentication, allowing users to log in to the MinIO Console with their Keycloak credentials. This integration provides:

- **Single Sign-On (SSO)** - Users authenticate once with Keycloak
- **Centralized User Management** - Manage users in Keycloak
- **Role-Based Access Control** - Map a Keycloak user attribute (delivered as the `policy` claim) to MinIO policies
- **Secure Authentication** - OAuth 2.0 / OpenID Connect flow

## 📋 Prerequisites

- Keycloak instance running and accessible
- MinIO instance running
- Admin access to both Keycloak and MinIO
## 🔧 Setup Steps

### **Step 1: Create MinIO Client in Keycloak**

1. **Login to Keycloak Admin Console**

   ```
   https://ai.sriphat.com/keycloak
   ```

2. **Select Realm**
   - Go to your realm (e.g., `sriphat`)

3. **Create Client**
   - Navigate to: **Clients** → **Create Client**
   - **Client ID**: `minio`
   - **Client Type**: `OpenID Connect`
   - **Client Protocol**: `openid-connect`
   - Click **Next**

4. **Capability Config**
   - **Client authentication**: `ON`
   - **Authorization**: `OFF`
   - **Authentication flow**:
     - ✅ Standard flow
     - ✅ Direct access grants
     - ❌ Implicit flow
     - ❌ Service accounts roles
   - Click **Next**

5. **Login Settings**
   - **Root URL**: `https://ai.sriphat.com/minio-console`
   - **Home URL**: `https://ai.sriphat.com/minio-console`
   - **Valid redirect URIs**:
     ```
     https://ai.sriphat.com/minio-console/*
     https://ai.sriphat.com/minio-console/oauth_callback
     ```
   - **Valid post logout redirect URIs**: `https://ai.sriphat.com/minio-console`
   - **Web origins**: `https://ai.sriphat.com`
   - Click **Save**

6. **Get Client Secret**
   - Go to the **Credentials** tab
   - Copy the **Client Secret**
   - Save this for the `.env` configuration
### **Step 2: Create Client Scope for MinIO Policy**

1. **Create Client Scope**
   - Navigate to: **Client Scopes** → **Create client scope**
   - **Name**: `minio-authorization`
   - **Type**: `Optional`
   - **Protocol**: `OpenID Connect`
   - **Display on consent screen**: `OFF`
   - Click **Save**

2. **Add Mapper for Policy Claim**
   - Go to the **Mappers** tab
   - Click **Add mapper** → **By configuration**
   - Select **User Attribute**
   - **Name**: `minio-policy`
   - **User Attribute**: `minio_policy`
   - **Token Claim Name**: `policy`
   - **Claim JSON Type**: `String`
   - **Add to ID token**: `ON`
   - **Add to access token**: `ON`
   - **Add to userinfo**: `ON`
   - Click **Save**

3. **Assign Scope to MinIO Client**
   - Go to **Clients** → `minio`
   - Go to the **Client scopes** tab
   - Click **Add client scope**
   - Select `minio-authorization`
   - Choose **Optional**
   - Click **Add**
### **Step 3: Create MinIO Policies in Keycloak**

MinIO uses policies to control access. Common policies:

- `consoleAdmin` - Full admin access
- `readonly` - Read-only access
- `readwrite` - Read and write access
- `diagnostics` - Diagnostics access

**Add Policy to Users:**

1. **Go to Users**
   - Navigate to: **Users** → Select user

2. **Add Attribute**
   - Go to the **Attributes** tab
   - Click **Add attribute**
   - **Key**: `minio_policy`
   - **Value**: `consoleAdmin` (or another policy)
   - Click **Save**
### **Step 4: Configure MinIO Environment Variables**

Update `07-minio/.env`:

```bash
# Keycloak Integration
MINIO_IDENTITY_OPENID_CONFIG_URL=https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=your-client-secret-from-step-1
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio-authorization
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
```
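Before restarting, it is worth checking the `.env` for the mistakes that produce a missing "Login with SSO" button or a redirect loop (both covered under Troubleshooting). The checker below is an added example, not part of the original guide or of MinIO: it parses the `.env` text, requires the variables set in this step, and verifies the HTTPS scheme, the discovery path, the `openid` scope, the `/oauth_callback` suffix and, when `MINIO_BROWSER_REDIRECT_URL` is present, that the callback lies under it. The two sample files are constructed here; the secret value in the good sample is a dummy.

```python
"""Sanity-check MinIO OpenID settings in a .env file before restarting the container.

Added example (not part of the guide or of MinIO). Returns a list of problems;
an empty list means the values are at least self-consistent.
"""
from urllib.parse import urlparse

REQUIRED = (
    "MINIO_IDENTITY_OPENID_CONFIG_URL",
    "MINIO_IDENTITY_OPENID_CLIENT_ID",
    "MINIO_IDENTITY_OPENID_CLIENT_SECRET",
    "MINIO_IDENTITY_OPENID_CLAIM_NAME",
    "MINIO_IDENTITY_OPENID_SCOPES",
    "MINIO_IDENTITY_OPENID_REDIRECT_URI",
)
WELL_KNOWN = "/.well-known/openid-configuration"


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines, comments and an 'export ' prefix are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_openid_env(env: dict) -> list:
    """Return human-readable problems with the OpenID-related variables."""
    problems = [f"{key} is missing or empty" for key in REQUIRED if not env.get(key)]
    if problems:
        return problems  # the remaining checks need all values present

    cfg = urlparse(env["MINIO_IDENTITY_OPENID_CONFIG_URL"])
    if cfg.scheme != "https":
        problems.append("MINIO_IDENTITY_OPENID_CONFIG_URL must use https")
    if not cfg.path.endswith(WELL_KNOWN):
        problems.append(f"MINIO_IDENTITY_OPENID_CONFIG_URL should end with {WELL_KNOWN}")

    if env["MINIO_IDENTITY_OPENID_CLIENT_SECRET"].startswith("your-client-secret"):
        problems.append("MINIO_IDENTITY_OPENID_CLIENT_SECRET still holds the placeholder value")

    scopes = [s.strip() for s in env["MINIO_IDENTITY_OPENID_SCOPES"].split(",")]
    if "openid" not in scopes:
        problems.append("MINIO_IDENTITY_OPENID_SCOPES must include 'openid'")

    redirect = env["MINIO_IDENTITY_OPENID_REDIRECT_URI"]
    if urlparse(redirect).scheme != "https":
        problems.append("MINIO_IDENTITY_OPENID_REDIRECT_URI must use https")
    if not redirect.endswith("/oauth_callback"):
        problems.append("MINIO_IDENTITY_OPENID_REDIRECT_URI should end with /oauth_callback")

    # The console URL the browser is sent back to must be a prefix of the callback,
    # otherwise the login completes on one URL and the console bounces to another.
    browser = env.get("MINIO_BROWSER_REDIRECT_URL")
    if browser and not redirect.startswith(browser.rstrip("/") + "/"):
        problems.append("MINIO_IDENTITY_OPENID_REDIRECT_URI is not under "
                        "MINIO_BROWSER_REDIRECT_URL (redirect loop risk)")
    return problems


# Constructed sample matching the guide's values; the secret is a dummy.
GOOD_ENV = """
# Keycloak Integration
MINIO_IDENTITY_OPENID_CONFIG_URL=https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=example-secret-not-real
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=openid,profile,email,minio-authorization
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
MINIO_BROWSER_REDIRECT_URL=https://ai.sriphat.com/minio-console
"""

# Constructed sample with five common mistakes.
BAD_ENV = """
MINIO_IDENTITY_OPENID_CONFIG_URL=http://ai.sriphat.com/keycloak/realms/sriphat
MINIO_IDENTITY_OPENID_CLIENT_ID=minio
MINIO_IDENTITY_OPENID_CLIENT_SECRET=your-client-secret-from-step-1
MINIO_IDENTITY_OPENID_CLAIM_NAME=policy
MINIO_IDENTITY_OPENID_SCOPES=profile,email
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
MINIO_BROWSER_REDIRECT_URL=https://ai.sriphat.com/console
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(name, check_openid_env(parse_env(text)) or "OK")
```

Run it against the real file with `check_openid_env(parse_env(open("07-minio/.env").read()))`; it never contacts Keycloak, so it complements rather than replaces the `curl` reachability test under Troubleshooting.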
### **Step 5: Restart MinIO**

```bash
cd 07-minio
docker compose down
docker compose up -d
```
### **Step 6: Test Authentication**

1. **Access MinIO Console**

   ```
   https://ai.sriphat.com/minio-console
   ```

2. **Click "Login with SSO"**
   - You'll be redirected to Keycloak
   - Log in with your Keycloak credentials
   - After successful authentication, you'll be redirected back to the MinIO Console
## 🔐 MinIO Policies

### **Default Policies**

MinIO comes with built-in policies:

| Policy | Description |
|--------|-------------|
| `consoleAdmin` | Full admin access to console and buckets |
| `readonly` | Read-only access to buckets |
| `readwrite` | Read and write access to buckets |
| `diagnostics` | Access to diagnostics and monitoring |
| `writeonly` | Write-only access (upload only) |
### **Custom Policies**

Create custom policies in the MinIO Console or via the `mc` CLI:

```bash
# Install mc (MinIO Client)
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/

# Configure mc
# (passing the root credentials inline records them in shell history; omit them
#  and mc prompts for the access key and secret key instead)
mc alias set myminio https://ai.sriphat.com/minio minioadmin minioadmin_secure_password_2026

# Create custom policy
cat > custom-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
EOF

# Add policy to MinIO
mc admin policy create myminio custom-policy custom-policy.json
```
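A policy document is easy to get wrong in the permissive direction, and `mc admin policy create` accepts anything that parses. The linter below is an added example, not part of the guide or of MinIO's tooling: it checks the structure (`Version`, `Statement`, `Effect`/`Action`/`Resource`) and flags `Allow` statements that use `*` or `s3:*` actions, `admin:` actions, or resources covering every bucket, so a document can be reviewed before it is loaded. The first sample is the guide's own `custom-policy.json`; the second is a constructed over-broad policy.

```python
"""Lint a MinIO/S3-style policy document for least-privilege problems.

Added example (not part of the guide or of MinIO). Findings are strings
prefixed with 'error:' (malformed) or 'warn:' (broad grant).
"""
import json

REQUIRED_VERSION = "2012-10-17"
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list:
    """Return findings for one policy document; an empty list means nothing flagged."""
    findings = []
    if doc.get("Version") != REQUIRED_VERSION:
        findings.append(f"error: Version must be {REQUIRED_VERSION}")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["error: Statement must be a non-empty list"]

    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        missing = [k for k in ("Effect", "Action", "Resource") if k not in st]
        for key in missing:
            findings.append(f"error: {where} lacks {key}")
        if missing:
            continue
        if st["Effect"] not in ("Allow", "Deny"):
            findings.append(f"error: {where} Effect must be Allow or Deny")
            continue
        if st["Effect"] == "Deny":
            continue  # Deny statements only narrow access; nothing to flag
        for action in _as_list(st["Action"]):
            if action in ("*", "s3:*"):
                findings.append(f"warn: {where} allows every S3 action ({action})")
            elif action.startswith("admin:"):
                findings.append(f"warn: {where} grants admin action {action}")
        for resource in _as_list(st["Resource"]):
            if resource in ("*", S3_ARN_PREFIX + "*"):
                findings.append(f"warn: {where} applies to every bucket ({resource})")
            elif not resource.startswith(S3_ARN_PREFIX):
                findings.append(f"error: {where} resource {resource} is not an S3 ARN")
    return findings


# The custom policy from the guide above.
GUIDE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }
  ]
}
""")

# Constructed over-broad policy: every action on every bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}
    ],
}

if __name__ == "__main__":
    for name, doc in (("guide", GUIDE_POLICY), ("broad", BROAD_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

To lint a file, use `lint_policy(json.load(open("custom-policy.json")))`. Warnings are not always wrong (the built-in `consoleAdmin` legitimately uses broad grants), but a custom policy that triggers one should be deliberately scoped rather than copied from an example.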
## 🔄 Policy Mapping Flow

```
User logs in with Keycloak
        ↓
Keycloak returns ID token with 'policy' claim
        ↓
MinIO reads 'policy' claim value (e.g., "consoleAdmin")
        ↓
MinIO applies corresponding policy to user session
        ↓
User has permissions defined by the policy
```
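The flow above hinges on the `policy` claim actually reaching the token and naming a policy that exists on the MinIO side. The script below is an added example, not part of the guide or of MinIO: it decodes a compact JWT payload to show what Keycloak emitted after the Step 2 mapper and Step 3 attribute, then resolves the claim the way the flow describes, returning no policy (deny) when the claim is absent, misspelled or differently cased, when the token is expired, or when its audience is another client. It also accepts a comma-separated list of policy names, which MinIO allows. The decoding does not verify the signature; MinIO does that against the realm's JWKS, and this is only an inspection aid. The policy set and the sample token are constructed here.

```python
"""Inspect an ID token's 'policy' claim and resolve it to MinIO policy names.

Added example (not part of the guide or of MinIO). Signature is NOT verified;
use this to confirm the claim mapping, not to trust tokens.
"""
import base64
import json
import time

# Policies assumed to exist on the MinIO side: the guide's built-ins plus its custom one.
KNOWN_POLICIES = {"consoleAdmin", "readonly", "readwrite", "diagnostics", "writeonly", "custom-policy"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _as_list(value):
    return value if isinstance(value, list) else [value]


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def resolve_policies(claims: dict, claim_name: str = "policy",
                     client_id: str = "minio", now=None) -> list:
    """Map the claim to policy names; an empty list means the session gets no permissions.

    Matching is case-sensitive and only names that exist are kept, mirroring the
    'policy name matches exactly' rule under Troubleshooting.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return []
    aud = claims.get("aud")
    if aud is not None and client_id not in _as_list(aud):
        return []
    value = claims.get(claim_name)
    if not isinstance(value, str):
        return []
    names = [n.strip() for n in value.split(",") if n.strip()]
    return [n for n in names if n in KNOWN_POLICIES]


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed token for testing; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


# Constructed claims resembling what the Step 2 mapper adds for a readwrite user.
SAMPLE_CLAIMS = {
    "iss": "https://ai.sriphat.com/keycloak/realms/sriphat",
    "aud": "minio",
    "preferred_username": "alice",
    "policy": "readwrite",
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample stays valid
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    claims = decode_jwt_payload(token)
    print("claims:", claims)
    print("policies:", resolve_policies(claims))
```

To inspect a real token, paste the ID token string into `decode_jwt_payload`; if `policy` is missing, the `minio-authorization` scope was not requested or the mapper is not attached to the client.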
## 🎯 Role-Based Access Example

### **Scenario: Different User Roles**

**Admin Users:**
```
Keycloak User Attribute:
  minio_policy: consoleAdmin
```

**Data Scientists:**
```
Keycloak User Attribute:
  minio_policy: readwrite
```

**Analysts:**
```
Keycloak User Attribute:
  minio_policy: readonly
```
## 🐛 Troubleshooting

### **Issue: "Login with SSO" button not showing**

**Check:**
```bash
# Verify environment variables
docker exec minio printenv | grep MINIO_IDENTITY_OPENID

# Check MinIO logs
docker logs minio
```

**Solution:**
- Ensure all `MINIO_IDENTITY_OPENID_*` variables are set
- Restart the MinIO container

### **Issue: Redirect loop after login**

**Check:**
- `MINIO_BROWSER_REDIRECT_URL` matches the Keycloak redirect URI
- Valid redirect URIs in the Keycloak client include `/oauth_callback`

**Solution:**
```bash
# Update .env
MINIO_BROWSER_REDIRECT_URL=https://ai.sriphat.com/minio-console
MINIO_IDENTITY_OPENID_REDIRECT_URI=https://ai.sriphat.com/minio-console/oauth_callback
```

### **Issue: User has no permissions after login**

**Check:**
- The user has the `minio_policy` attribute in Keycloak
- The policy name matches the MinIO policy exactly (case-sensitive)

**Solution:**
```bash
# Verify the user attribute in Keycloak
# Add the minio_policy attribute with value: consoleAdmin
```

### **Issue: Cannot access Keycloak config URL**

**Check:**
```bash
# Test from the MinIO container
# (-k skips certificate verification for this reachability test only; MinIO
#  itself validates the certificate, so repeat the test without -k as well)
docker exec minio curl -k https://ai.sriphat.com/keycloak/realms/sriphat/.well-known/openid-configuration
```

**Solution:**
- Ensure the MinIO container can reach Keycloak
- Check network connectivity
- Verify the Keycloak realm name is correct
## 📊 Monitoring

### **Check OpenID Configuration**

```bash
# View current OpenID config
# (assumes the `myminio` alias has also been set inside the container; otherwise
#  run the same mc command from a host where the alias is configured)
docker exec minio mc admin config get myminio identity_openid
```

### **View Active Sessions**

```bash
# List MinIO-managed users. OIDC logins receive temporary STS credentials
# and are not listed here; their requests show up in the audit log below.
docker exec minio mc admin user list myminio
```

### **Audit Logs**

```bash
# Enable audit logging (use an https endpoint for the webhook in production)
docker exec minio mc admin config set myminio audit_webhook:1 endpoint="http://your-webhook-endpoint"

# View logs
docker logs minio -f
```
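Once the audit webhook is on, the useful signal for an SSO deployment is a user whose requests keep being denied: that is what a session mapped to `readonly` (or to no policy at all) looks like when it tries to write or to reach other buckets. The triage script below is an added example, not part of the guide or of MinIO: it reads the JSON lines the webhook receives, tolerates malformed lines, and reports `(accessKey, remotehost)` pairs with at least `threshold` HTTP 403 responses. The records are constructed; the field names used (`api.name`, `api.bucket`, `api.statusCode`, `remotehost`, `accessKey`) follow MinIO's documented audit-log layout, and the access keys stand in for the temporary STS keys OIDC sessions receive.

```python
"""Triage MinIO audit webhook events for access-denied bursts.

Added example (not part of the guide or of MinIO). Field names are taken from
MinIO's audit-log format; the sample records are constructed.
"""
import json
from collections import Counter


def parse_audit_lines(lines):
    """Yield parsed audit records, skipping lines that are not JSON objects with an 'api' block."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("api"), dict):
            yield rec


def denied_request_counts(records) -> Counter:
    """Count HTTP 403 responses per (accessKey, remotehost)."""
    counts = Counter()
    for rec in records:
        if rec["api"].get("statusCode") == 403:
            counts[(rec.get("accessKey", "?"), rec.get("remotehost", "?"))] += 1
    return counts


def flag_denied_bursts(lines, threshold: int = 3) -> list:
    """Return sorted (accessKey, remotehost) pairs with at least `threshold` denied requests."""
    counts = denied_request_counts(parse_audit_lines(lines))
    return sorted(key for key, n in counts.items() if n >= threshold)


def _event(access_key, host, api_name, bucket, status_code) -> str:
    # Constructed record using only the subset of MinIO audit fields this example reads.
    return json.dumps({
        "version": "1",
        "time": "2026-01-15T09:00:00Z",
        "trigger": "incoming",
        "api": {"name": api_name, "bucket": bucket, "statusCode": status_code},
        "remotehost": host,
        "accessKey": access_key,
    })


# Constructed webhook input: one session repeatedly denied, one normal, one bad line.
SAMPLE_AUDIT_LINES = [
    _event("alice-temp-key", "10.0.0.5", "ListObjectsV2", "finance", 403),
    _event("alice-temp-key", "10.0.0.5", "GetObject", "finance", 403),
    _event("bob-temp-key", "10.0.0.9", "PutObject", "datasets", 200),
    "this line is not json",
    _event("alice-temp-key", "10.0.0.5", "GetObject", "hr", 403),
    _event("alice-temp-key", "10.0.0.5", "GetObject", "datasets", 200),
]

if __name__ == "__main__":
    print(flag_denied_bursts(SAMPLE_AUDIT_LINES))
```

In a real deployment the webhook receiver would feed `flag_denied_bursts` one batch at a time (for example per minute) and raise an alert on any pair returned; correlating the `accessKey` back to a Keycloak user is done through MinIO's STS credential for that session.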
## 🔒 Security Best Practices

1. **Use HTTPS Only**
   - Always use HTTPS for MinIO and Keycloak
   - Configure SSL certificates properly

2. **Rotate Client Secrets**
   - Periodically rotate Keycloak client secrets
   - Update the MinIO configuration after rotation

3. **Least Privilege Principle**
   - Assign the minimal required policies to users
   - Use custom policies for specific use cases

4. **Monitor Access**
   - Enable audit logging
   - Review access logs regularly

5. **Secure Network**
   - Use firewall rules to restrict access
   - Consider a VPN for sensitive data
## 📚 References

- [MinIO OpenID Connect](https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html)
- [Keycloak OpenID Connect](https://www.keycloak.org/docs/latest/server_admin/#_oidc)
- [MinIO IAM Policies](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html)

## 🎉 Summary

After completing these steps:
- ✅ MinIO integrated with Keycloak SSO
- ✅ Users can log in with Keycloak credentials
- ✅ Role-based access control configured
- ✅ Centralized user management in Keycloak
- ✅ Secure HTTPS access via Nginx reverse proxy

**Access MinIO Console:**
```
https://ai.sriphat.com/minio-console
```

**Login with SSO** → Keycloak authentication → MinIO Console access! 🚀