website/integrations: add detail to MinIO docs (#5000)

* website/integrations: add detail to MinIO docs

Add more information and reference links for the Scope Mapping, to clarify how it's used.

Also update to reflect that MinIO seems to require a Confidential client type now.

Signed-off-by: Braxton Schafer <braxton@cmdcentral.xyz>

* fix lint and move

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Braxton Schafer <braxton@cmdcentral.xyz>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Braxton Schafer 2023-03-21 07:26:25 -05:00 committed by GitHub
parent 1452f2680a
commit bbbbc2a718
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 26 additions and 1 deletions

View File

@ -19,6 +19,10 @@ The following placeholders will be used:
- `minio.company` is the FQDN of the MinIO install.
- `authentik.company` is the FQDN of the authentik install.
### Mapping to MinIO policies
The primary way to manage access in MinIO is via [policies](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#minio-policy). We need to configure authentik to return a list of which MinIO policies should be applied to a user.
Under _Customization_ -> _Property Mappings_, create a _Scope Mapping_. Give it a name like "OIDC-Scope-minio". Set the scope name to `minio` and the expression to the following
```python
@ -27,9 +31,27 @@ return {
}
```
This mapping will result in the default MinIO `readwrite` policy being applied to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this
```python
if ak_is_group_member(request.user, name="Minio admins"):
return {
"policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="Minio users"):
return {
"policy": ["readonly", "my-custom-policy"]
}
return None
```
Note that you can assign multiple policies to a user by returning a list, and returning `None` will map no policies to the user, resulting in no access to the MinIO instance. For more information on writing expressions, see [Expressions](../../../docs/property-mappings/expression) and [User](../../../docs/user-group/user#object-attributes) docs.
### Creating application and provider
Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Client Type: `Public`
- Client Type: `Confidential`
- Scopes: OpenID, Email, Profile and the scope you created above
- Signing Key: Select any available key
- Redirect URIs: `https://minio.company/oauth_callback`
@ -42,5 +64,8 @@ Note the Client ID and Client Secret values. Create an application, using the pr
~ mc admin config set myminio identity_openid \
config_url="https://authentik.company/application/o/<applicaiton-slug>/.well-known/openid-configuration" \
client_id="<client id from above>" \
client_secret="<client secret from above>" \
scopes="openid,profile,email,minio"
```
The [upstream MinIO docs on OIDC](https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-config.html#openid-identity-management) indicate that the `client_secret` (and thus confidential client type) are optional depending on provider. Experimentally with a single-node MinIO instance, the client secret was required and worked without further issue.