minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-08-06 14:42:56 +03:00
Code Activity
Files
remove-recommended-v2-metrics
docs/source/includes/k8s/steps-configure-keycloak-identity-management.rst
Ravind Kumar 23253dd71c DOCS-1273: Operator 6.0.0 Deploy/Upgrade docs, removing Console references (#1284) 
Addresses #1273 

# Summary

This pass does three things:

1. Updates all tutorials related to Operator/Tenant deployment for
Kustomize and Helm
2. Removes references to Operator Console + updates to reference
Kustomize/Helm wherever possible
3. Slightly tidies up old or dangling references

This pass does not do these things:

- Link out heavily to Kubernetes docs (for later)
- Clean up organization (singleplat build handles this)
- Addresses OpenShift, Rancher, etc.

---------

Co-authored-by: Andrea Longo <feorlen@users.noreply.github.com>
Co-authored-by: Allan Roger Reid <allanrogerreid@gmail.com>
Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
2024-08-01 15:51:39 -04:00

4.4 KiB
Raw Permalink Blame History

1) Configure or Create a Client for Accessing Keycloak

Authenticate to the Keycloak Administrative Console and navigate to Clients.

2) Create Client Scope for MinIO Client

Client scopes allow Keycloak to map user attributes as part of the JSON Web Token (JWT) returned in authentication requests. This allows MinIO to reference those attributes when assigning policies to the user. This step creates the necessary client scope to support MinIO authorization after successful Keycloak authentication.

3) Apply the Necessary Attribute to Keycloak Users/Groups

You must assign an attribute named policy to the Keycloak Users or Groups. Set the value to any policy <minio-policy> on the MinIO deployment.

4) Configure MinIO for Keycloak Authentication

MinIO supports multiple methods for configuring Keycloak authentication:

  • Using the MinIO Tenant Console
  • Using a terminal/shell and the mc idp openid command

MinIO Tenant Console

You can use the MinIO Tenant Console to configure Keycloak as the External Identity Provider for the MinIO Tenant.

Access the Console service using the NodePort, Ingress, or Load Balancer endpoint. You can use the following command to review the Console configuration:

kubectl describe svc/TENANT_NAME-console -n TENANT_NAMESPACE

Replace TENANT_NAME and TENANT_NAMESPACE with the name of the MinIO Tenant and it's Namespace, respectively.

Select Save to apply the configuration.

CLI

Restart the MinIO deployment for the changes to apply.

Check the MinIO logs and verify that startup succeeded with no errors related to the OIDC configuration.

If you attempt to log in with the Console, you should now see an (SSO) button using the configured Display Name.

Specify a configured user and attempt to log in. MinIO should automatically redirect you to the Keycloak login entry. Upon successful authentication, Keycloak should redirect you back to the MinIO Console using either the originating Console URL or the Redirect URI if configured.

5) Generate Application Credentials using the Security Token Service (STS)

Next Steps

Applications should implement the STS AssumeRoleWithWebIdentity <minio-sts-assumerolewithwebidentity> flow using their SDK <minio-drivers> of choice. When STS credentials expire, applications should have logic in place to regenerate the JWT token, STS token, and MinIO credentials before retrying and continuing operations.

Alternatively, users can generate access keys <minio-id-access-keys> through the MinIO Console for the purpose of creating long-lived API-key like access using their Keycloak credentials.