From 4c735072f76b6e4858b8cf19495e8c659fc60b0d Mon Sep 17 00:00:00 2001 
From: Andrea Longo
Date: Thu, 8 Jun 2023 11:58:22 -0600
Subject: [PATCH] Move reference docs for mc admin idp commands to mc idp (#873)

All the `mc admin idp *` commands have been renamed `mc idp *`.
Deprecate everything under `mc admin idp` and create pages for their new names in the MinIO Client section.

Affects the following commands and subcommands;

* `mc admin idp ldap`
* `mc admin idp openid`
* `mc admin idp ldap policy`

The new pages maintain the existing content and page structure.
New pages for each subcommand are out of scope for this PR.

Partly addresses https://github.com/minio/docs/issues/859 and https://github.com/minio/docs/issues/866

Staged:
http://192.241.195.202:9000/staging/DOCS-859-part-2-idp/linux/html/reference/minio-mc.html
http://192.241.195.202:9000/staging/DOCS-859-part-2-idp/linux/html/reference/minio-mc-admin.html
http://192.241.195.202:9000/staging/DOCS-859-part-2-idp/linux/html/reference/minio-mc-deprecated.html

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
---
 ...configure-keycloak-identity-management.rst | 6 +-
 ...configure-keycloak-identity-management.rst | 2 +-
 ...configure-keycloak-identity-management.rst | 4 +-
 ...configure-keycloak-identity-management.rst | 2 +-
 ...e-ad-ldap-external-identity-management.rst | 4 +-
 ...configure-keycloak-identity-management.rst | 8 +-
 .../deploy-operator-helm.rst | 2 +-
 .../mc-admin-idp-ldap-policy.rst | 6 +-
 .../mc-admin-idp-ldap.rst | 4 +
 .../mc-admin-idp-openid.rst | 6 +-
 source/reference/minio-mc-admin.rst | 13 -
 .../minio-mc-admin/mc-admin-policy.rst | 4 +-
 .../minio-mc-admin/mc-admin-user-add.rst | 2 +-
 .../minio-mc-admin/mc-admin-user-disable.rst | 2 +-
 .../minio-mc-admin/mc-admin-user-enable.rst | 2 +-
 .../minio-mc-admin/mc-admin-user-info.rst | 2 +-
 .../minio-mc-admin/mc-admin-user-list.rst | 2 +-
 .../minio-mc-admin/mc-admin-user-remove.rst | 2 +-
 .../minio-mc-admin/mc-admin-user.rst | 13 +-
 source/reference/minio-mc-deprecated.rst | 63 ++++
source/reference/minio-mc.rst | 33 ++ .../reference/minio-mc/mc-idp-ldap-policy.rst | 197 +++++++++++ source/reference/minio-mc/mc-idp-ldap.rst | 293 ++++++++++++++++ source/reference/minio-mc/mc-idp-openid.rst | 315 ++++++++++++++++++ 24 files changed, 942 insertions(+), 45 deletions(-) rename source/reference/{minio-mc-admin => deprecated}/mc-admin-idp-ldap-policy.rst (97%) rename source/reference/{minio-mc-admin => deprecated}/mc-admin-idp-ldap.rst (98%) rename source/reference/{minio-mc-admin => deprecated}/mc-admin-idp-openid.rst (98%) create mode 100644 source/reference/minio-mc/mc-idp-ldap-policy.rst create mode 100644 source/reference/minio-mc/mc-idp-ldap.rst create mode 100644 source/reference/minio-mc/mc-idp-openid.rst diff --git a/source/includes/common/common-configure-keycloak-identity-management.rst b/source/includes/common/common-configure-keycloak-identity-management.rst index 3abbe320..7207ebcf 100644 --- a/source/includes/common/common-configure-keycloak-identity-management.rst +++ b/source/includes/common/common-configure-keycloak-identity-management.rst @@ -266,14 +266,14 @@ Select :guilabel:`Save` to apply the configuration. .. start-configure-keycloak-minio-cli -You can use the :mc-cmd:`mc admin idp openid add` command to create a new configuration for the Keycloak service. +You can use the :mc-cmd:`mc idp openid add` command to create a new configuration for the Keycloak service. The command takes all supported :ref:`OpenID Configuration Settings `: .. code-block:: shell :class: copyable :substitutions: - mc admin idp openid add ALIAS PRIMARY_IAM \ + mc idp openid add ALIAS PRIMARY_IAM \ client_id=MINIO_CLIENT \ client_secret=MINIO_CLIENT_SECRET \ config_url="https://|KEYCLOAK_URL|/realms/REALM/.well-known/openid-configuration" \ 
@@ -367,4 +367,4 @@ The following example code sets the minimum required environment variables relat For complete documentation on these variables, see :ref:`minio-server-envvar-external-identity-management-openid` -.. end-configure-keycloak-minio-envvar \ No newline at end of file +.. end-configure-keycloak-minio-envvar diff --git a/source/includes/container/steps-configure-keycloak-identity-management.rst b/source/includes/container/steps-configure-keycloak-identity-management.rst index 1657bbd8..a7c8d669 100644 --- a/source/includes/container/steps-configure-keycloak-identity-management.rst +++ b/source/includes/container/steps-configure-keycloak-identity-management.rst @@ -92,7 +92,7 @@ Log in using the default credentials ``minioadmin:minioadmin``. MinIO supports multiple methods for configuring Keycloak authentication: - Using the MinIO Console -- Using a terminal/shell and the :mc:`mc admin idp openid` command +- Using a terminal/shell and the :mc:`mc idp openid` command - Using environment variables set prior to starting MinIO .. tab-set:: diff --git a/source/includes/k8s/steps-configure-keycloak-identity-management.rst b/source/includes/k8s/steps-configure-keycloak-identity-management.rst index bfd92dea..515babe3 100644 --- a/source/includes/k8s/steps-configure-keycloak-identity-management.rst +++ b/source/includes/k8s/steps-configure-keycloak-identity-management.rst @@ -39,7 +39,7 @@ MinIO supports multiple methods for configuring Keycloak authentication: - Using the MinIO Operator Console - Using the MinIO Tenant Console -- Using a terminal/shell and the :mc:`mc admin idp openid` command +- Using a terminal/shell and the :mc:`mc idp openid` command .. tab-set:: 
@@ -140,4 +140,4 @@ Next Steps Applications should implement the :ref:`STS AssumeRoleWithWebIdentity ` flow using their :ref:`SDK ` of choice. When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations. -Alternatively, users can generate :ref:`access keys ` through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials. \ No newline at end of file +Alternatively, users can generate :ref:`access keys ` through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials. diff --git a/source/includes/linux/steps-configure-keycloak-identity-management.rst b/source/includes/linux/steps-configure-keycloak-identity-management.rst index a5c6fc59..172782ea 100644 --- a/source/includes/linux/steps-configure-keycloak-identity-management.rst +++ b/source/includes/linux/steps-configure-keycloak-identity-management.rst @@ -38,7 +38,7 @@ Set the value to any :ref:`policy ` on the MinIO deployment. MinIO supports multiple methods for configuring Keycloak authentication: - Using the MinIO Console -- Using a terminal/shell and the :mc:`mc admin idp openid` command +- Using a terminal/shell and the :mc:`mc idp openid` command - Using environment variables set prior to starting MinIO .. tab-set:: diff --git a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst index b7298dde..c938d0d6 100644 --- a/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst +++ b/source/operations/external-iam/configure-ad-ldap-external-identity-management.rst 
@@ -275,5 +275,5 @@ Disable a Configured Active Directory / LDAP Connection You can enable and disable the configured AD/LDAP connection as needed. -Use :mc-cmd:`mc admin idp ldap disable` to deactivate a configured connection. -Use :mc-cmd:`mc admin idp ldap enable` to activate a previously configured connection. \ No newline at end of file +Use :mc-cmd:`mc idp ldap disable` to deactivate a configured connection. +Use :mc-cmd:`mc idp ldap enable` to activate a previously configured connection. diff --git a/source/operations/external-iam/configure-keycloak-identity-management.rst b/source/operations/external-iam/configure-keycloak-identity-management.rst index a92f3642..76359bf7 100644 --- a/source/operations/external-iam/configure-keycloak-identity-management.rst +++ b/source/operations/external-iam/configure-keycloak-identity-management.rst 
@@ -221,27 +221,27 @@ You can validate the functionality by using the Admin REST API with the MinIO cl MinIO supports multiple methods for configuring Keycloak Admin API Support: -- Using a terminal/shell and the :mc:`mc admin idp openid` command +- Using a terminal/shell and the :mc:`mc idp openid` command - Using environment variables set prior to starting MinIO .. tab-set:: .. tab-item:: CLI - You can use the :mc-cmd:`mc admin idp openid update` command to modify the configuration settings for an existing Keycloak service. + You can use the :mc-cmd:`mc idp openid update` command to modify the configuration settings for an existing Keycloak service. You can alternatively include the following configuration settings when setting up Keycloak for the first time. The command takes all supported :ref:`OpenID Configuration Settings `: .. code-block:: shell :class: copyable - mc admin idp openid update ALIAS KEYCLOAK_IDENTIFIER \ + mc idp openid update ALIAS KEYCLOAK_IDENTIFIER \ vendor="keycloak" \ keycloak_admin_url="https://keycloak-url:port/admin" keycloak_realm="REALM" - Replace ``KEYCLOAK_IDENTIFIER`` with the name of the configured Keycloak IDP. - You can use :mc-cmd:`mc admin idp openid ls` to view all configured IDP configurations on the MinIO deployment + You can use :mc-cmd:`mc idp openid ls` to view all configured IDP configurations on the MinIO deployment - Specify the Keycloak admin URL in the :mc-conf:`keycloak_admin_url ` configuration setting diff --git a/source/operations/install-deploy-manage/deploy-operator-helm.rst b/source/operations/install-deploy-manage/deploy-operator-helm.rst index 33b86162..11a50bb9 100644 --- a/source/operations/install-deploy-manage/deploy-operator-helm.rst +++ b/source/operations/install-deploy-manage/deploy-operator-helm.rst 
@@ -419,7 +419,7 @@ To deploy a Tenant with Helm: #. Expose the Tenant MinIO port - To test the MinIO Client :mc-cmd:`mc` from your local machine, forward the MinIO port and create an alias. + To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias. * Forward the Tenant's MinIO port: diff --git a/source/reference/minio-mc-admin/mc-admin-idp-ldap-policy.rst b/source/reference/deprecated/mc-admin-idp-ldap-policy.rst similarity index 97% rename from source/reference/minio-mc-admin/mc-admin-idp-ldap-policy.rst rename to source/reference/deprecated/mc-admin-idp-ldap-policy.rst index aa826ed6..ff7527de 100644 --- a/source/reference/minio-mc-admin/mc-admin-idp-ldap-policy.rst +++ b/source/reference/deprecated/mc-admin-idp-ldap-policy.rst @@ -12,6 +12,10 @@ .. mc:: mc admin idp ldap policy +.. versionchanged:: RELEASE.2023-05-26T23-31-54Z + + ``mc admin idp ldap policy`` has moved to :mc-cmd:`mc idp ldap policy`. + Description ----------- @@ -189,4 +193,4 @@ Global Flags .. include:: /includes/common-minio-mc.rst :start-after: start-minio-mc-globals - :end-before: end-minio-mc-globals \ No newline at end of file + :end-before: end-minio-mc-globals diff --git a/source/reference/minio-mc-admin/mc-admin-idp-ldap.rst b/source/reference/deprecated/mc-admin-idp-ldap.rst similarity index 98% rename from source/reference/minio-mc-admin/mc-admin-idp-ldap.rst rename to source/reference/deprecated/mc-admin-idp-ldap.rst index ca9267cd..224a57c8 100644 --- a/source/reference/minio-mc-admin/mc-admin-idp-ldap.rst +++ b/source/reference/deprecated/mc-admin-idp-ldap.rst @@ -12,6 +12,10 @@ .. mc:: mc admin idp ldap +.. versionchanged:: RELEASE.2023-05-26T23-31-54Z + + ``mc admin idp ldap`` and its subcommands have moved to :mc-cmd:`mc idp ldap`. + Description ----------- 
diff --git a/source/reference/minio-mc-admin/mc-admin-idp-openid.rst b/source/reference/deprecated/mc-admin-idp-openid.rst similarity index 98% rename from source/reference/minio-mc-admin/mc-admin-idp-openid.rst rename to source/reference/deprecated/mc-admin-idp-openid.rst index 4482ffb6..8582ea32 100644 --- a/source/reference/minio-mc-admin/mc-admin-idp-openid.rst +++ b/source/reference/deprecated/mc-admin-idp-openid.rst @@ -12,6 +12,10 @@ .. mc:: mc admin idp openid +.. versionchanged:: RELEASE.2023-05-26T23-31-54Z + + ``mc admin idp openid`` and its subcommands have moved to :mc-cmd:`mc idp openid`. + Description ----------- @@ -304,4 +308,4 @@ Global Flags .. include:: /includes/common-minio-mc.rst :start-after: start-minio-mc-globals - :end-before: end-minio-mc-globals \ No newline at end of file + :end-before: end-minio-mc-globals diff --git a/source/reference/minio-mc-admin.rst b/source/reference/minio-mc-admin.rst index f56aced0..53d72b34 100644 --- a/source/reference/minio-mc-admin.rst +++ b/source/reference/minio-mc-admin.rst @@ -69,17 +69,7 @@ The following table lists :mc:`mc admin` commands: - .. include:: /reference/minio-mc-admin/mc-admin-heal.rst :start-after: start-mc-admin-heal-desc :end-before: end-mc-admin-heal-desc - - * - :mc-cmd:`mc admin idp ldap` - - .. include:: /reference/minio-mc-admin/mc-admin-idp-ldap.rst - :start-after: start-mc-admin-idp-ldap-desc - :end-before: end-mc-admin-idp-ldap-desc - * - :mc-cmd:`mc admin idp openid` - - .. include:: /reference/minio-mc-admin/mc-admin-idp-openid.rst - :start-after: start-mc-admin-idp-openid-desc - :end-before: end-mc-admin-idp-openid-desc - * - :mc-cmd:`mc admin info` - .. include:: /reference/minio-mc-admin/mc-admin-info.rst :start-after: start-mc-admin-info-desc 
@@ -212,9 +202,6 @@ See :ref:`minio-mc-global-options`. /reference/minio-mc-admin/mc-admin-decommission /reference/minio-mc-admin/mc-admin-group /reference/minio-mc-admin/mc-admin-heal - /reference/minio-mc-admin/mc-admin-idp-ldap - /reference/minio-mc-admin/mc-admin-idp-ldap-policy - /reference/minio-mc-admin/mc-admin-idp-openid /reference/minio-mc-admin/mc-admin-info /reference/minio-mc-admin/mc-admin-kms-key /reference/minio-mc-admin/mc-admin-logs diff --git a/source/reference/minio-mc-admin/mc-admin-policy.rst b/source/reference/minio-mc-admin/mc-admin-policy.rst index 5d57ddd9..9fedbb6e 100644 --- a/source/reference/minio-mc-admin/mc-admin-policy.rst +++ b/source/reference/minio-mc-admin/mc-admin-policy.rst @@ -33,7 +33,7 @@ MinIO PBAC uses IAM-compatible policy JSON documents to define rules for accessi .. end-mc-admin-policy-desc -For complete documentation on MinIO PBAC, including policy document JSON structure and syntax, see :ref:`minio-policy`. +For complete documentation on MinIO PBAC, including policy document JSON structure and syntax, see :ref:`minio-policy`. To manage policies for deployments that use LDAP authentication, see :mc:`mc idp ldap policy`. Subcommands ----------- @@ -93,4 +93,4 @@ Subcommands /reference/minio-mc-admin/mc-admin-policy-entities /reference/minio-mc-admin/mc-admin-policy-info /reference/minio-mc-admin/mc-admin-policy-list - /reference/minio-mc-admin/mc-admin-policy-remove \ No newline at end of file + /reference/minio-mc-admin/mc-admin-policy-remove diff --git a/source/reference/minio-mc-admin/mc-admin-user-add.rst b/source/reference/minio-mc-admin/mc-admin-user-add.rst index b23bfaa5..1a442df6 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-add.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-add.rst @@ -22,7 +22,7 @@ The :mc:`mc admin user add` command adds a new :ref:`MinIO user ` or :mc:`AD/LDAP `. +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. .. tab-set:: 
diff --git a/source/reference/minio-mc-admin/mc-admin-user-disable.rst b/source/reference/minio-mc-admin/mc-admin-user-disable.rst index 2d65d932..4aeae4d0 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-disable.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-disable.rst @@ -26,7 +26,7 @@ Clients cannot use the user credentials to authenticate to the MinIO deployment. Disabling a user does *not* remove that user from the deployment. Use :mc-cmd:`mc admin user enable` to enable a disabled user on a MinIO deployment. -To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. .. tab-set:: diff --git a/source/reference/minio-mc-admin/mc-admin-user-enable.rst b/source/reference/minio-mc-admin/mc-admin-user-enable.rst index 572cbb7d..29d92ec4 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-enable.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-enable.rst @@ -25,7 +25,7 @@ The :mc:`mc admin user enable` command enables a :ref:`MinIO user ` or :mc:`AD/LDAP `. +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. .. tab-set:: diff --git a/source/reference/minio-mc-admin/mc-admin-user-info.rst b/source/reference/minio-mc-admin/mc-admin-user-info.rst index 265f4552..252f8011 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-info.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-info.rst @@ -22,7 +22,7 @@ The :mc:`mc admin user info` command returns detailed information of a :ref:`Min .. end-mc-admin-user-info-desc -To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. .. tab-set:: diff --git a/source/reference/minio-mc-admin/mc-admin-user-list.rst b/source/reference/minio-mc-admin/mc-admin-user-list.rst index 78dd92c0..f959964c 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-list.rst 
+++ b/source/reference/minio-mc-admin/mc-admin-user-list.rst @@ -28,7 +28,7 @@ The :mc:`mc admin user list` command has equivalent functionality to :mc:`mc adm :mc-cmd:`mc admin user ls` does *not* return the access key or secret key associated to a user. Use :mc-cmd:`mc admin user info` to retrieve detailed user information, including the user access key. -To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. .. tab-set:: diff --git a/source/reference/minio-mc-admin/mc-admin-user-remove.rst b/source/reference/minio-mc-admin/mc-admin-user-remove.rst index a9584079..81cfde25 100644 --- a/source/reference/minio-mc-admin/mc-admin-user-remove.rst +++ b/source/reference/minio-mc-admin/mc-admin-user-remove.rst @@ -24,7 +24,7 @@ The :mc:`mc admin user rm` command removes a :ref:`MinIO user ` or :mc:`AD/LDAP `. +To manage external Identity Provider users, see :mc:`OIDC ` or :mc:`AD/LDAP `. .. tab-set:: diff --git a/source/reference/minio-mc-admin/mc-admin-user.rst b/source/reference/minio-mc-admin/mc-admin-user.rst index 875a5658..8219bf3e 100644 --- a/source/reference/minio-mc-admin/mc-admin-user.rst +++ b/source/reference/minio-mc-admin/mc-admin-user.rst @@ -22,18 +22,15 @@ The :mc:`mc admin user` command and its subcommands manage :ref:`MinIO users ` support the following global options: /reference/minio-mc/mc-event /reference/minio-mc/mc-find /reference/minio-mc/mc-head + /reference/minio-mc/mc-idp-ldap + /reference/minio-mc/mc-idp-ldap-policy + /reference/minio-mc/mc-idp-openid /reference/minio-mc/mc-ilm /reference/minio-mc/mc-legalhold /reference/minio-mc/mc-license diff --git a/source/reference/minio-mc/mc-idp-ldap-policy.rst b/source/reference/minio-mc/mc-idp-ldap-policy.rst new file mode 100644 index 00000000..47f0f8d3 --- /dev/null +++ b/source/reference/minio-mc/mc-idp-ldap-policy.rst 
@@ -0,0 +1,197 @@ +.. _minio-mc-idp-ldap-policy: + +====================== +``mc idp ldap policy`` +====================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc idp ldap policy + +.. versionadded:: RELEASE.2023-05-26T23-31-54Z + + :mc-cmd:`mc idp ldap policy` and its subcommands replace ``mc admin idp ldap policy``. + +Description +----------- + +.. start-mc-idp-ldap-policy-desc + +The :mc-cmd:`mc idp ldap policy` commands allow you to view the mapping relationships between policies and the associated groups or users. The :mc-cmd:`mc idp ldap policy` commands are only supported against MinIO deployments. + + +.. end-mc-idp-ldap-policy-desc + + +The :mc-cmd:`mc idp ldap policy` command has the following subcommands: + +.. list-table:: + :header-rows: 1 + :widths: 40 60 + + * - Subcommand + - Description + + * - :mc-cmd:`mc idp ldap policy attach` + - Attach a policy to an entity + + * - :mc-cmd:`mc idp ldap policy detach` + - Detach a policy from an entity + + * - :mc-cmd:`mc idp ldap policy entities` + - List policy entity mappings + +Syntax +------ + +.. mc-cmd:: attach + + Attach one or more polices to an entity. + + .. tab-set:: + + .. tab-item:: EXAMPLES + + The following example attaches two policies, ``policy1`` and ``policy2``, to the ``projectb`` group on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap policy attach myminio/ \ + policy1 \ + policy2 \ + --group='cn=projectb,ou=groups,ou=swengg,dc=min,dc=io' + + + The following example attaches the policy, ``userpolicy``, to the user ``bobfisher`` on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap policy attach myminio/ \ + mypolicy \ + policy2 \ + --user='uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io' + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. 
code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap policy attach \ + POLICYNAME \ + [POLICY2] ... \ + ALIAS \ + [--user=`USER`] \ + [--group=`GROUP`] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for AD/LDAP integration. + - Replace ``POLICYNAME`` with the policy to attach to the entity. + You may list multiple policies to attach to the entity. + - Use must use one of either the ``--user`` or ``--group`` flag. + You may only use the flag once in the command. + You cannot use both flags in the same command. + + +.. mc-cmd:: detach + + Detach one or more policies from an entity. + + .. tab-set:: + + .. tab-item:: EXAMPLES + + The following example detaches two policies, ``policy1`` and ``policy2``, from the ``projectb`` group on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap policy detach myminio/ \ + policy1 \ + policy2 \ + --group='cn=projectb,ou=groups,ou=swengg,dc=min,dc=io' + + + The following example detaches the policy, ``userpolicy``, from the user ``bobfisher`` on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap policy detach myminio/ \ + mypolicy \ + policy2 \ + --user='uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io' + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap policy detach \ + POLICYNAME \ + [POLICY2] ... \ + ALIAS \ + [--user=`USER`] \ + [--group=`GROUP`] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for AD/LDAP integration. + - Replace ``POLICYNAME`` with the policy to detach from the entity. + You may list multiple policies to detach from the entity. + - Use must use one of either the ``--user`` or ``--group`` flag. + You may only use the flag once in the command. + You cannot use both flags in the same command. + +.. 
mc-cmd:: entities + + Display a list of mappings for a user, group, and/or policy. + + .. tab-set:: + + .. tab-item:: EXAMPLES + + The following example lists all mappings for a specific policy, a set of groups, and a selection of users on the ``myminio`` deployment. + + Specifically, it lists + - Users mapped to the ``finteam-policy`` policy. + - Policies assigned to the ``uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io`` user + - Policies assigned to the ``cn=projectb,ou=groups,ou=swengg,dc=min,dc=io`` group + + .. code-block:: shell + :class: copyable + + mc idp ldap policy entities myminio/ \ + --policy finteam-policy \ + --user 'uid=bobfisher,ou=people,ou=hwengg,dc=min,dc=io' \ + --group 'cn=projectb,ou=groups,ou=swengg,dc=min,dc=io' + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap policy entities \ + ALIAS \ + [--user `value`, -u `value`] \ + [--group `value`, -g `value`] \ + [--policy value] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for AD/LDAP integration. + - You may use each of the ``--user``, ``--group``, and/or ``--policy`` flags as many times as desired in the command. + - For each flag, the output lists the entities mapped to the specified policy, user, or group. + - Omit all flags to return a list of mappings for all policies. + + +Global Flags +------------ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals diff --git a/source/reference/minio-mc/mc-idp-ldap.rst b/source/reference/minio-mc/mc-idp-ldap.rst new file mode 100644 index 00000000..29326460 --- /dev/null +++ b/source/reference/minio-mc/mc-idp-ldap.rst 
@@ -0,0 +1,293 @@ +.. _minio-mc-idp-ldap: + +=============== +``mc idp ldap`` +=============== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc idp ldap + +.. versionadded:: RELEASE.2023-05-26T23-31-54Z + + :mc-cmd:`mc idp ldap` and its subcommands replace ``mc admin idp ldap``. + +Description +----------- + +.. start-mc-idp-ldap-desc + +The :mc-cmd:`mc idp ldap` commands allow you to manage configurations to 3rd party :ref:`Active Directory or LDAP Identity and Access Management (IAM) integrations `. + +.. end-mc-idp-ldap-desc + +Define configuration settings as an alternative to using environment variables when :ref:`setting up an AD/LDAP connection `. The :mc-cmd:`mc idp ldap` commands are only supported against MinIO deployments. + +.. note:: + + MinIO :ref:`AD/LDAP environment variables ` override their corresponding configuration settings as modified or set by this command. + +The :mc-cmd:`mc idp ldap` command has the following subcommands: + +.. list-table:: + :header-rows: 1 + :widths: 40 60 + + * - Subcommand + - Description + + * - :mc-cmd:`mc idp ldap add` + - Create an AD/LDAP IDP server configuration. + + * - :mc-cmd:`mc idp ldap update` + - Modify an existing AD/LDAP IDP server configuration. + + * - :mc-cmd:`mc idp ldap ls` + - Lists AD/LDAP server configurations. + + * - :mc-cmd:`mc idp ldap rm` + - Remove an AD/LDAP IDP server configuration from a deployment. + + * - :mc-cmd:`mc idp ldap info` + - Displays details for a specific AD/LDAP server configuration. + + * - :mc-cmd:`mc idp ldap enable` + - Enables an AD/LDAP server configuration. + + * - :mc-cmd:`mc idp ldap disable` + - Disables an AD/LDAP server configuration. + + * - :mc-cmd:`mc idp ldap policy` subcommands + - Manage AD/LDAP policies and entity mappings. + +Configuration Parameters +------------------------ + +The :mc-cmd:`mc idp ldap` subcommands support configuration parameters. 
+The parameters define the server's interaction with the Active Directory or LDAP IAM provider. + +For a more detailed explanation of the configuration parameters, refer to the :ref:`config setting documentation `. + +Syntax +------ + +.. mc-cmd:: add + + Create a new configuration for an AD/LDAP provider. + MinIO supports no more than *one* (1) AD/LDAP provider per deployment. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example sets the AD/LDAP configuration settings for the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap add \ + myminio \ + server_addr=myldapserver:636 \ + lookup_bind_dn=cn=admin,dc=min,dc=io \ + lookup_bind_password=somesecret \ + user_dn_search_base_dn=dc=min,dc=io \ + user_dn_search_filter="(uid=%s)" \ + group_search_base_dn=ou=swengg,dc=min,dc=io \ + group_search_filter="(&(objectclass=groupofnames)(member=%d))" + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap add \ + ALIAS \ + [CFG_PARAM1] \ + [CFG_PARAM2]... + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to create for AD/LDAP integration. + - Replace the ``[CFG_PARAM#]`` with each of the :ref:`configuration setting ` key-value pairs in the format of ``PARAMETER="value"``. + +.. mc-cmd:: update + + Modify an existing set of configurations for an AD/LDAP provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example changes two of the AD/LDAP configuration settings for the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap update \ + myminio \ + lookup_bind_dn=cn=admin,dc=min,dc=io \ + lookup_bind_password=somesecret + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap update \ + ALIAS \ + [CFG_PARAM1] \ + [CFG_PARAM2]... 
+ + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to update for AD/LDAP integration. + - Replace the ``[CFG_PARAM#]`` with each of the :ref:`configuration setting ` key-value pairs to update in the format of ``PARAMETER="value"``. + +.. mc-cmd:: ls, list + + Lists the existing set of configurations for an AD/LDAP provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example lists the AD/LDAP configuration settings for the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap ls myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap ls ALIAS + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to list the AD/LDAP integration. + +.. mc-cmd:: rm, remove + + Remove the existing configuration for an AD/LDAP provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example removes the AD/LDAP provider settings for the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap rm myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap rm \ + ALIAS + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to remove the AD/LDAP integration. + + +.. mc-cmd:: info + + Outputs the current configuration for an AD/LDAP provider on a specified MinIO deployment. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example outputs the AD/LDAP configuration settings on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap info myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap info \ + ALIAS + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to retrieve info on the AD/LDAP integration. + +.. 
mc-cmd:: enable + + Enables the currently configured AD/LDAP provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example enables the AD/LDAP configuration on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap enable \ + myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap enable \ + ALIAS + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to enable the AD/LDAP integration. + +.. mc-cmd:: disable + + Disables the currently configured AD/LDAP provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example disables the AD/LDAP configurations on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp ldap disable \ + myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp ldap disable \ + ALIAS + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to disable the AD/LDAP integration. + +Global Flags +------------ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals + diff --git a/source/reference/minio-mc/mc-idp-openid.rst b/source/reference/minio-mc/mc-idp-openid.rst new file mode 100644 index 00000000..cf4a0607 --- /dev/null +++ b/source/reference/minio-mc/mc-idp-openid.rst 
@@ -0,0 +1,315 @@ +.. _minio-mc-idp-openid: + +================= +``mc idp openid`` +================= + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 2 + +.. mc:: mc idp openid + +.. versionadded:: RELEASE.2023-05-26T23-31-54Z + + :mc-cmd:`mc idp openid` and its subcommands replace ``mc admin idp openid``. + +Description +----------- + +.. start-mc-idp-openid-desc + +The :mc-cmd:`mc idp openid` commands allow you to manage configurations to 3rd party :ref:`OpenID Identity and Access Management (IAM) integrations `. + +.. end-mc-idp-openid-desc + +Define configuration settings as an alternative to using environment variables when :ref:`setting up an OpenID connection `. The :mc-cmd:`mc idp openid` commands are only supported against MinIO deployments. + + +.. note:: + + MinIO :ref:`OpenID environment variables ` override their corresponding configuration settings as modified or set by this command. + +The :mc-cmd:`mc idp openid` command has the following subcommands: + +.. list-table:: + :header-rows: 1 + :widths: 40 60 + + * - Subcommand + - Description + + * - :mc-cmd:`mc idp openid add` + - Create an OpenID IDP server configuration. + + * - :mc-cmd:`mc idp openid update` + - Modify an existing OpenID IDP server configuration. + + * - :mc-cmd:`mc idp openid rm` + - Remove an OpenID IDP server configuration from a deployment. + + * - :mc-cmd:`mc idp openid ls` + - Outputs a list of the existing OpenID server configurations for a deployment. + + * - :mc-cmd:`mc idp openid info` + - Displays details for a specific OpenID server configuration. + + * - :mc-cmd:`mc idp openid enable` + - Enables an OpenID server configuration. + + * - :mc-cmd:`mc idp openid disable` + - Disables an OpenID server configuration. + +Configuration Parameters +------------------------ + +The :mc-cmd:`mc idp openid` subcommands support configuration parameters. +The parameters define the server's interaction with the IAM provider. 
+ +For a more detailed explanation of the configuration parameters, refer to the :ref:`config setting documentation `. + +Syntax +------ + +.. mc-cmd:: add + + Create a new set of configurations for an OpenID provider. + + You can run the command multiple times to set up multiple OpenID providers. + + When adding multiple OpenID providers, only one can be a JWT Claim-based provider. + All others must be role-based providers. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example creates the configuration settings for the ``myminio`` deployment as defined in a new ``test-config`` setup for Dex integration. + + .. code-block:: shell + :class: copyable + + mc idp openid add myminio test-config \ + client_id=minio-client-app \ + client_secret=minio-client-app-secret \ + config_url="http://localhost:5556/dex/.well-known/openid-configuration" \ + scopes="openid,groups" \ + redirect_uri="http://127.0.0.1:10000/oauth_callback" \ + role_policy="consoleAdmin" + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid add \ + ALIAS \ + [CFG_NAME] \ + [CFG_PARAM1] \ + [CFG_PARAM2]... + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for OpenID integration. + - Replace ``CFG_NAME`` with a unique string for this configuration. + If not specified, the command creates default configuration values. + - Replace the ``[CFG_PARAM#]`` with each of the :ref:`configuration setting ` key-value pairs in the format of ``PARAMETER="value"``. + +.. mc-cmd:: update + + Modify an existing set of configurations for an OpenID provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example changes two of the configuration settings for the ``myminio`` deployment as defined in the ``test-config`` setup for Dex integration. + + .. 
code-block:: shell + :class: copyable + + mc idp openid update \ + myminio \ + test_config \ + scopes="openid,groups" \ + role_policy="consoleAdmin" + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid update \ + ALIAS \ + [CFG_NAME] \ + [CFG_PARAM1] \ + [CFG_PARAM2]... + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for OpenID integration. + - Replace ``CFG_NAME`` with a unique string for this configuration. + If not specified, the command updates the default configuration. + - Replace the ``[CFG_PARAM#]`` with each of the :ref:`configuration setting ` key-value pairs to update in the format of ``PARAMETER="value"``. + +.. mc-cmd:: rm, remove + + Remove an existing set of configurations for an OpenID provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example removes the ``test-config`` settings for the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp openid rm myminio test_config + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid rm \ + ALIAS \ + [CFG_NAME] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for OpenID integration. + - Replace ``CFG_NAME`` with a unique string for this configuration. + If not specified, the command removes the default configurations. + +.. mc-cmd:: ls, list + + Outputs a list of existing configuration sets for OpenID providers. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example outputs a list of all OpenID configuration sets defined for the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp openid ls myminio + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. 
code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid ls ALIAS + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to list OpenID integrations for. + + +.. mc-cmd:: info + + Outputs the set of values defined for an existing set of server configurations for an OpenID provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example outputs the configuration settings defined for the ``test_config`` set of OpenID settings on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp openid info myminio test_config + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid info \ + ALIAS \ + [CFG_NAME] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for OpenID integration. + - Replace ``CFG_NAME`` with a unique string for this configuration. + If not specified, the information displays for the default server configuration. + +.. mc-cmd:: enable + + Begin using an existing set of configurations for an OpenID provider. + + .. tab-set:: + + .. tab-item:: EXAMPLE + + The following example enables the server configurations defined as ``test_config`` on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp openid enable \ + myminio \ + test_config + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid enable \ + ALIAS \ + [CFG_NAME] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for OpenID integration. + - Replace ``CFG_NAME`` with a unique string for this configuration. + If not specified, the command enables the default configuration values. + +.. mc-cmd:: disable + + Stop using a set of configurations for an OpenID provider. + + .. tab-set:: + + .. 
tab-item:: EXAMPLE + + The following example disables the server configurations defined as ``test_config`` on the ``myminio`` deployment. + + .. code-block:: shell + :class: copyable + + mc idp openid disable \ + myminio \ + test_config + + .. tab-item:: SYNTAX + + The command has the following syntax: + + .. code-block:: shell + :class: copyable + + mc [GLOBALFLAGS] idp openid disable \ + ALIAS \ + [CFG_NAME] + + - Replace ``ALIAS`` with the :ref:`alias ` of a MinIO deployment to configure for OpenID integration. + - Replace ``CFG_NAME`` with a unique string for this configuration. + If not specified, the command disables the default configuration values. + + + +Global Flags +------------ + +.. include:: /includes/common-minio-mc.rst + :start-after: start-minio-mc-globals + :end-before: end-minio-mc-globals
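Review bot: in source/reference/minio-mc/mc-idp-ldap.rst, the ``rm`` and ``disable`` entries describe the action ("Remove the existing configuration for an AD/LDAP provider", "Disables the currently configured AD/LDAP provider") but not its effect on authentication. These two subcommands change who can log in, so each should carry a sentence or a ``.. note::`` stating what happens to AD/LDAP-managed identities and to credentials already issued to them, and whether ``rm`` can be undone other than by re-adding the configuration. Two smaller wording points in the same hunk: ``rm`` uses the imperative "Remove" while ``ls``, ``info``, ``enable`` and ``disable`` use "Lists", "Outputs", "Enables" and "Disables", and the ``disable`` example says "disables the AD/LDAP configurations" (plural) where every other entry treats the provider configuration as singular.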
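Review bot: in source/reference/minio-mc/mc-idp-openid.rst, the configuration name is not consistent across the examples. The ``add`` example creates ``test-config``, but the ``update``, ``rm``, ``info``, ``enable`` and ``disable`` examples pass ``test_config``, and the prose above the ``update`` and ``rm`` examples still says ``test-config``. A reader who copies the examples in order creates one name and then addresses another. Pick one spelling and use it in every command and description. In the same hunk, the ``CFG_NAME`` bullet under ``rm``, ``info``, ``enable`` and ``disable`` reads "Replace ``CFG_NAME`` with a unique string for this configuration" and the ``ALIAS`` bullet reads "to configure for OpenID integration"; both are the ``add`` wording and should instead refer to the name of an existing configuration and to the action that subcommand performs. The ``add`` example also passes ``client_secret=minio-client-app-secret`` as a literal argument together with ``role_policy="consoleAdmin"``; since examples get copied verbatim, consider an obvious placeholder for the secret and a short note that the value shown is for a local Dex test setup.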