
Test LDAP and OpenID on AIStor Objectstore and Console


1. Deploy an AIStor Object Store tenant. The steps below assume a kind cluster named `aistor` (the `kind load` commands target it) and a TLS-enabled tenant reachable as `minio.test.svc.cluster.local`, i.e. running in the `test` namespace.

2. Build and install the test OpenLDAP (and Dex) images for the Object Store

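# Step 2 — build the test OpenLDAP and Dex images, load them into the `aistor`
# kind cluster and (re)deploy OpenLDAP. Assumes ~/github already exists.
cd ~/github && git clone https://github.com/minio/minio-iam-testing.git
cd ~/github && git clone https://github.com/miniohq/aistor-operator.git
# Replace the harness's bootstrap LDIF with the operator's complete one
# (presumably the directory content the IAM archives in step 4 expect — confirm).
cp ~/github/aistor-operator/testing/configurations/bootstrap-complete.ldif \
   ~/github/minio-iam-testing/ldap/50-bootstrap.ldif
cd ~/github/minio-iam-testing && make docker-images

# Second build with explicit image names; these tags are what the `kind load`
# lines below push (and presumably what openldap.yaml / openid.yaml reference).
cd ~/github/minio-iam-testing && LDAP_IMAGE=quay.io/minio/openldap:new DEX_IMAGE=quay.io/minio/dex:new make docker-images

# Images built on the host are not visible to the kind nodes until loaded.
kind load docker-image quay.io/minio/dex:new --name aistor
kind load docker-image quay.io/minio/openldap:new --name aistor

# Recreate OpenLDAP so directory state from an earlier run does not survive;
# --ignore-not-found keeps the delete from failing on a fresh cluster.
kubectl delete -f ~/github/aistor-operator/testing/configurations/openldap.yaml --ignore-not-found
kubectl apply -f ~/github/aistor-operator/testing/configurations/openldap.yaml

kubectl wait --namespace default \
    --for=condition=ready pod \
    --selector=app=openldap \
    --timeout=60s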

3. Deploy ubuntu pod

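# Step 3 — a long-lived Ubuntu pod used as an in-cluster `mc` client.
# NOTE(review): `image: ubuntu` is an unpinned (mutable) tag and the container
# runs as root with no resource limits — acceptable only for a throwaway test
# cluster; pin a tag for reproducible runs.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-pod
  namespace: default
  labels:
    app: ubuntu
spec:
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always
EOF

# `kubectl cp` streams through a running container, so it fails if run while
# the image is still being pulled; wait for the pod before copying.
kubectl wait --namespace default \
    --for=condition=ready pod/ubuntu-pod \
    --timeout=120s

# These archives hold IAM state, including the service-account access/secret
# keys used in step 4 — handle them as secrets, not as plain test fixtures.
kubectl cp ~/github/aistor-operator/testing/configurations/myminio-iam-info.zip ubuntu-pod:/root/myminio-iam-info.zip
kubectl cp ~/github/aistor-operator/testing/configurations/myminio-iam-info-openid.zip ubuntu-pod:/root/myminio-iam-info-openid.zip

kubectl --namespace default exec -it ubuntu-pod -- /bin/bash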

4a. LDAP — continue inside the pod (everything below runs in the `ubuntu-pod` shell opened above)

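# Step 4a — inside ubuntu-pod: install mc, point the tenant at the test
# OpenLDAP server, import test IAM state and verify LDAP service accounts.
# `apt-get` rather than `apt`: the latter warns that its CLI is not script-stable.
apt-get update
apt-get upgrade -y
apt-get install -y curl wget jq ca-certificates

# Fetch mc over TLS — the original used plain http, which lets an on-path
# attacker hand us a different binary that we then chmod +x and put on PATH.
# Before trusting it, compare its sha256 with the checksum MinIO publishes
# next to the release.
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
mv mc /usr/local/bin/

ALIAS_NAME=mincat-allan-1-tls
BUCKET=test-bucket
OBJECTSTORE_NS=test
# Tenant root credentials from step 1. Take them from the environment
# (export ACCESS_KEY=... SECRET_KEY=... before pasting this block) instead of
# embedding root secrets in the page and in shell history.
: "${ACCESS_KEY:?set ACCESS_KEY to the tenant root access key}"
: "${SECRET_KEY:?set SECRET_KEY to the tenant root secret key}"

mc alias set "${ALIAS_NAME}" "https://minio.${OBJECTSTORE_NS}.svc.cluster.local" "${ACCESS_KEY}" "${SECRET_KEY}"
mc ready "${ALIAS_NAME}"

mc mb "${ALIAS_NAME}/${BUCKET}"
mc cp /etc/hosts "${ALIAS_NAME}/${BUCKET}"

# Wire the tenant to the in-cluster OpenLDAP. server_insecure=on means
# plaintext LDAP on 1389, and the lookup bind is the directory admin with the
# test default password — acceptable inside a kind cluster only. Against a
# real directory use LDAPS/StartTLS and a dedicated, read-only lookup account.
mc idp ldap add "${ALIAS_NAME}" \
  server_addr=openldap-service.default.svc.cluster.local:1389 \
  server_insecure=on \
  lookup_bind_dn=cn=admin,dc=min,dc=io \
  lookup_bind_password=admin \
  user_dn_search_base_dn=dc=min,dc=io \
  user_dn_search_filter="(uid=%s)" \
  group_search_base_dn=ou=swengg,dc=min,dc=io \
  group_search_filter="(&(objectclass=groupOfNames)(member=%d))"

# Restart so the new IDP configuration is picked up, then load the test IAM
# state (policies, LDAP policy mappings and service accounts).
mc admin service restart "${ALIAS_NAME}" --json
mc ready "${ALIAS_NAME}"
mc admin cluster iam import "${ALIAS_NAME}" /root/myminio-iam-info.zip
sleep 10   # let the imported IAM state settle before reading it back
mc idp ldap info "${ALIAS_NAME}"

# List the service accounts of two LDAP users to verify the import landed.
mc idp ldap accesskey list "${ALIAS_NAME}" "uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io" --json
mc idp ldap accesskey list "${ALIAS_NAME}" "uid=dillon,ou=people,ou=swengg,dc=min,dc=io" --json

# Log in as the imported service accounts and verify object listing.
# NOTE(review): these fixtures use the access key as the secret key — weak,
# test-only credentials that must never leave the IAM test archive.
mc alias set myminio1 "https://minio.${OBJECTSTORE_NS}.svc.cluster.local" bobfisher-svcacct-1 bobfisher-svcacct-1
mc ls myminio1/ | wc -l
mc ls "myminio1/${BUCKET}" | wc -l

mc alias set myminio2 "https://minio.${OBJECTSTORE_NS}.svc.cluster.local" dillon-svcacct-2 dillon-svcacct-2
mc ls myminio2/ | wc -l
mc ls "myminio2/${BUCKET}" | wc -l

# Restrict bobfisher to readonly and check that the service account inherits
# the narrower policy: the listing should still work, the write should be
# rejected (Access Denied). stderr is merged so the denial is visible.
mc idp ldap policy detach "${ALIAS_NAME}" consoleAdmin --user='uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io'
mc idp ldap policy attach "${ALIAS_NAME}" readonly --user='uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io'
mc admin user svcacct info "${ALIAS_NAME}" bobfisher-svcacct-1 --json | jq
mc ls myminio1/ | wc -l
echo "hello world" | mc pipe "myminio1/${BUCKET}/helloworld" 2>&1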

4b. OpenID (Dex) — first leave the pod shell; the next commands run on the host against the kind cluster

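# Leave the ubuntu-pod shell; the commands that follow run on the host.
exit
# Recreate the Dex (OpenID provider) deployment; --ignore-not-found keeps the
# delete from failing on a cluster where openid.yaml was never applied.
kubectl delete -f ~/github/aistor-operator/testing/configurations/openid.yaml --ignore-not-found
kubectl apply -f ~/github/aistor-operator/testing/configurations/openid.yaml
kubectl wait --namespace default \
  --for=condition=ready pod \
  --selector=app=dex \
  --timeout=60s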

Continue in pod

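kubectl --namespace default exec -it ubuntu-pod -- /bin/bash

# Step 4b — inside ubuntu-pod again. The mc alias from step 4a is reused, so
# the tenant root credentials are not needed here and are deliberately not
# re-pasted (the original re-declared ACCESS_KEY/SECRET_KEY without using them).
ALIAS_NAME=mincat-allan-1-tls
BUCKET=test-bucket
OBJECTSTORE_NS=test

# Register Dex as the OpenID provider.
# NOTE(review): config_url is plain http, so the discovery document (and with
# it jwks_uri) could be swapped by anyone on the path; client_secret is a
# literal test value; and role_policy=consoleAdmin grants full admin rights to
# every user Dex authenticates. All three are test-cluster-only settings.
mc idp openid add "${ALIAS_NAME}" \
  config_url="http://openid-service.default.svc.cluster.local:5556/dex/.well-known/openid-configuration" \
  client_id="minio-client-app" \
  client_secret="minio-client-app-secret" \
  scopes="openid,groups,email,profile" \
  redirect_uri="https://minio-console.${OBJECTSTORE_NS}.svc.cluster.local:10000/oauth_callback" \
  display_name="Login via dex1" \
  role_policy="consoleAdmin"

# Restart so the new IDP configuration is picked up, then import the OpenID
# test IAM state and read the provider config back.
mc admin service restart "${ALIAS_NAME}" --json
mc ready "${ALIAS_NAME}"
mc admin cluster iam import "${ALIAS_NAME}" /root/myminio-iam-info-openid.zip
mc idp openid info "${ALIAS_NAME}"

# Verify with the imported service account (test fixture: access key == secret key).
mc alias set myminio3 "https://minio.${OBJECTSTORE_NS}.svc.cluster.local" dillon-service-2 dillon-service-2
mc ls myminio3/ --json | jq -r '.key' | wc -l

mc ls "myminio3/${BUCKET}" --json | jq -r '.key' | wc -l
# `jq -r` already emits unquoted strings, replacing the `sed 's/"//g'` pass.
# The original's final `sed 's\/\\g'` is not a valid expression (backslash
# cannot be the s delimiter); it appears intended to drop the trailing slash
# that bucket keys carry, which rtrimstr does — confirm that was the intent.
mc ls myminio3/ --json | jq -r '.key | rtrimstr("/")'
mc ls "myminio3/${BUCKET}" --json | jq -r '.key'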

5. Use LDAP in AIStor Console


Log in to the Console with the LDAP test user `bobfisher` / password `bobfisher` (a test account from the bootstrap directory loaded in step 2). If the readonly policy from step 4a is still attached to that user, the Console session should be able to list but not write.
