We are going to make the following changes to the Object Store docs as
part of a larger QC/Content pass:
### Left Navigation
We want to modify the left navigation flow to be a natural progression
from a basic setup to more advanced.
For example:
- Core Concepts
- Deployment Architecture
- Availability and Resiliency
- Erasure Coding and Object Healing
- Object Scanner
- Site Replication and Failover
- Thresholds and Limits
- Installation
- Deployment Checklist
- Deploy MinIO on Kubernetes
- Deploy MinIO on Red Hat Linux
- Deploy MinIO on Ubuntu Linux
- Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
- Network Encryption (TLS) (Conceptual overview)
- Enable Network Encryption using Single Domain
- Enable Network Encryption using Multiple Domains
- Enable Network Encryption using certmanager (Kubernetes only)
- Data Encryption (SSE) (Conceptual overview)
- Enable SSE using AIStor Key Management Server
- Enable SSE using KES (Summary page + linkouts)
- External Identity Management (Conceptual Overview)
- Enable External Identity management using OpenID
- Enable External Identity management using AD/LDAP
- Backup and Recovery
- Create a Multi-Site Replication Configuration
- Recovery after Hardware Failure
- Recover after drive failure
- Recover after node failure
- Recover after site failure
- Monitoring and Alerts
- Metrics and Alerting (v3 reference)
- Monitoring and Alerting using Prometheus
- Monitoring and Alerting using InfluxDB
- Monitoring and Alerting using Grafana
- Metrics V2 Reference
- Publish Server and Audit Logs to External Services
- MinIO Healthcheck API
The Administration, Developer, and Reference sections will remain as-is
for now.
http://192.241.195.202:9000/staging/singleplat/mindocs/index.html
# Goals
Maintaining multiple platforms is getting to be too much, and based on
analytics the actual number of users taking advantage of it is minimal.
Furthermore, the majority of traffic is to installation pages.
Therefore we're going to try to collapse back into a single MinIO Object
Storage product, and use simple navigation and on-page selectors to
handle Baremetal vs Kubernetes.
This may also help to eventually stage us to migrate to Hugo + Markdown
---------
Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
External Identity Management
MinIO supports multiple external identity managers through the following IDentity Providers (IDP):
- OpenID Connect-Compatible <minio-external-iam-oidc>
- Active Directory / LDAP <minio-external-iam-ad-ldap>
The following tutorials provide specific guidance for select IDP software:
Configure MinIO Authentication with KeyCloak <minio-authenticate-using-keycloak>
Users can authenticate against MinIO using their externally managed
credentials and the related minio-security-token-service API. Once authenticated,
MinIO attempts to associate the user with one or more configured policies <minio-policy>. A user with no
associated policies has no permissions on the MinIO deployment.
OpenID Connect (OIDC)
MinIO supports using an OpenID Connect (OIDC) compatible IDentity
Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for
external management of user identities. Configuring an external IDP
enables Single-Sign On workflows, where applications authenticate
against the external IDP before accessing MinIO.
MinIO uses Policy Based Access Control (PBAC) <minio-access-management>
to define the actions and resources to which an authenticated user has
access. MinIO supports creating and managing policies <minio-policy>
which an externally managed user can claim.
For identities managed by the external OpenID Connect (OIDC)
compatible provider, MinIO uses a JSON Web
Token claim to identify the policy <minio-policy> to assign to the
authenticated user.
MinIO by default looks for a policy claim and reads a
list of one or more policies to assign. MinIO attempts to match existing
policies to those specified in the JWT claim. If none of the specified
policies exist on the MinIO deployment, MinIO denies authorization for
any and all operations issued by that user. For example, consider a
claim with the following key-value assignment:
policy="readwrite_data,read_analytics,read_logs"
The specified policy claim directs MinIO to attach the policies with
names matching readwrite_data, read_analytics,
and read_logs to the authenticated user.
You can set a custom policy claim using the MINIO_IDENTITY_OPENID_CLAIM_NAME environment
variable or by using mc admin config set to set the identity_openid claim_name <identity_openid.claim_name>
setting.
See minio-external-identity-management-openid-access-control
for more information on mapping MinIO policies to an OIDC-managed
identity.
You can use a JWT Debugging tool to decode the returned JWT token and validate that the user attributes include the specified claim. See RFC 7519: JWT Claim for more information on JWT claims. Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
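The claim-to-policy mapping described above, as an added example that is not part of the MinIO docs: it decodes a constructed JWT the way a JWT debugging tool would (without signature verification, which MinIO performs against the IDP before trusting any claim) and resolves the comma-separated policy claim against the policies that exist on the deployment, so an empty result means MinIO denies every operation. The token, issuer and policy names are invented sample values; the claim name defaults to policy and can be overridden just as MINIO_IDENTITY_OPENID_CLAIM_NAME does.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. Inspection only: no signature check."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def resolve_policies(claims: dict, existing_policies, claim_name: str = "policy") -> set:
    """Policies MinIO would attach: the claimed names that exist on the deployment.

    The claim may be a comma-separated string (as in the docs) or a JSON list.
    An empty set means no policy matched, i.e. deny for all operations.
    """
    value = claims.get(claim_name)
    if value is None:
        return set()
    names = value.split(",") if isinstance(value, str) else list(value)
    requested = {name.strip() for name in names if name.strip()}
    return requested & set(existing_policies)


# Constructed sample token carrying the claim from the text; the signature
# segment is a placeholder, not a real signature.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({
        "sub": "alice",
        "iss": "https://idp.example.com",  # invented issuer
        "policy": "readwrite_data,read_analytics,read_logs",
    }).encode()),
    "placeholder-signature",
])
# Policies present on the deployment; read_analytics is deliberately missing.
EXISTING_POLICIES = {"readwrite_data", "read_logs", "consoleAdmin"}

if __name__ == "__main__":
    granted = resolve_policies(decode_jwt_payload(SAMPLE_TOKEN), EXISTING_POLICIES)
    print(granted or "no matching policy: MinIO denies all operations")
```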
Active Directory / LDAP
MinIO supports using an Active Directory or LDAP (AD/LDAP) service for external management of user identities. Configuring an external IDentity Provider (IDP) enables Single-Sign On (SSO) workflows, where applications authenticate against the external IDP before accessing MinIO.
Querying the Active Directory / LDAP Service
MinIO queries the configured Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership. This process, called Lookup-Bind mode, uses an AD/LDAP user with minimal permissions, only sufficient to authenticate with the AD/LDAP server for user and group lookups.
The following tabs provide a reference of the environment variables and configuration settings required for enabling Lookup-Bind mode.
Environment Variable
- MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
- MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
- MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
- MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
See the minio-server-envvar-external-identity-management-ad-ldap
reference documentation for more information on these variables. The
minio-authenticate-using-ad-ldap-generic tutorial
includes complete instructions on setting these values.
Configuration Setting
- identity_ldap lookup_bind_dn <identity_ldap.lookup_bind_dn>
- identity_ldap lookup_bind_password <identity_ldap.lookup_bind_password>
- identity_ldap user_dn_search_base_dn <identity_ldap.user_dn_search_base_dn>
- identity_ldap user_dn_search_filter <identity_ldap.user_dn_search_filter>
See the identity_ldap reference documentation for more
information on these settings. The minio-authenticate-using-ad-ldap-generic tutorial
includes complete instructions on setting these variables.
Access Control for AD/LDAP-Managed Identities
MinIO uses Policy Based Access Control (PBAC) <minio-access-management>
to define the actions and resources to which an authenticated user has
access. When using an Active Directory/LDAP server for identity
management (authentication), MinIO maintains control over access
(authorization) through PBAC.
When a user successfully authenticates to MinIO using their AD/LDAP
credentials, MinIO searches for all policies <minio-policy> which are explicitly
associated to that user's Distinguished Name (DN). Specifically, the
policy must be assigned to a user with a matching DN using the mc idp ldap policy attach
command.
MinIO also supports querying for the user's AD/LDAP group membership.
MinIO attempts to match existing policies to the DN for each of the
user's groups. The authenticated user's complete set of permissions
consists of its explicitly assigned and group-inherited policies. See
minio-external-identity-management-ad-ldap-access-control-group-lookup
for more information.
MinIO uses deny-by-default behavior where a user with no explicitly assigned or group-inherited policies cannot access any resource on the MinIO deployment.
MinIO provides built-in policies <minio-policy-built-in> for
basic access control. You can create new policies using the mc admin policy create
command.
Group Lookup
MinIO supports querying the Active Directory / LDAP server for a list
of groups in which the authenticated user has membership. MinIO attempts
to match existing policies <minio-policy> to each group DN and
assigns each matching policy to the authenticated user.
The following tabs provide a reference of the environment variables and configuration settings required for enabling group lookups:
Environment Variable
- MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN
- MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER
See the minio-server-envvar-external-identity-management-ad-ldap
reference documentation for more information on these variables. The
minio-authenticate-using-ad-ldap-generic tutorial
includes complete instructions on setting these values.
Configuration Setting
- identity_ldap group_search_base_dn <identity_ldap.group_search_base_dn>
- identity_ldap group_search_filter <identity_ldap.group_search_filter>
See the identity_ldap reference documentation for more
information on these settings. The minio-authenticate-using-ad-ldap-generic tutorial
includes complete instructions on setting these variables.
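The Lookup-Bind and Group Lookup flow from the two sections above, as an added example that is not MinIO's own code: it renders the user and group search filters the way the user_dn_search_filter and group_search_filter settings are written (%s stands for the login name, %d for the resolved user DN), escapes the substituted value per RFC 4515 so a login name cannot change the filter's meaning, and then unions the policies attached to the user's DN with those attached to each group DN, returning an empty set for the deny-by-default case. The directory contents, DNs and policy attachments are constructed sample data standing in for what the AD/LDAP server and mc idp ldap policy attach would hold.

```python
# Constructed directory snapshot: what the low-privilege Lookup-Bind user sees.
USER_DNS = {
    "alice": "uid=alice,ou=people,dc=example,dc=com",
    "bob": "uid=bob,ou=people,dc=example,dc=com",
}
GROUP_MEMBERS = {
    "cn=data-eng,ou=groups,dc=example,dc=com": {USER_DNS["alice"]},
    "cn=auditors,ou=groups,dc=example,dc=com": {USER_DNS["alice"], USER_DNS["bob"]},
}
# Policies attached per DN, as 'mc idp ldap policy attach' records them.
# data-eng deliberately has no policy attached.
ATTACHED_POLICIES = {
    USER_DNS["alice"]: {"readwrite_data"},
    "cn=auditors,ou=groups,dc=example,dc=com": {"read_logs"},
}
# Filter templates in the shape the MinIO settings use (sample values).
USER_DN_SEARCH_FILTER = "(uid=%s)"
GROUP_SEARCH_FILTER = "(&(objectclass=groupOfNames)(member=%d))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: \\ * ( ) and NUL become \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_user_filter(username: str) -> str:
    return USER_DN_SEARCH_FILTER.replace("%s", escape_filter_value(username))


def render_group_filter(user_dn: str) -> str:
    return GROUP_SEARCH_FILTER.replace("%d", escape_filter_value(user_dn))


def lookup_groups(user_dn: str) -> set:
    """Group DNs whose member attribute lists the user's DN."""
    return {group for group, members in GROUP_MEMBERS.items() if user_dn in members}


def effective_policies(username: str) -> set:
    """Explicit DN policies unioned with group-inherited ones; empty means deny."""
    user_dn = USER_DNS.get(username)
    if user_dn is None:  # user search returned nothing: the bind would fail
        return set()
    policies = set(ATTACHED_POLICIES.get(user_dn, set()))
    for group_dn in lookup_groups(user_dn):
        policies |= ATTACHED_POLICIES.get(group_dn, set())
    return policies


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, render_user_filter(name), effective_policies(name) or "DENY")
```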