LDAP STS API (#8091)
Add LDAP based users-groups system This change adds support to integrate an LDAP server for user authentication. This works via a custom STS API for LDAP. Each user accessing the MinIO who can be authenticated via LDAP receives temporary credentials to access the MinIO server. LDAP is enabled only over TLS. User groups are also supported via LDAP. The administrator may configure an LDAP search query to find the group attribute of a user - this may correspond to any attribute in the LDAP tree (that the user has access to view). One or more groups may be returned by such a query. A group is mapped to an IAM policy in the usual way, and the server enforces a policy corresponding to all the groups and the user's own mapped policy. When LDAP is configured, the internal MinIO users system is disabled.master
Aditya Manthramurthy
5 years ago
committed by
kannappanr
parent
94e5cb7576
commit
a0456ce940
@ -0,0 +1,178 @@ |
||||
/* |
||||
* MinIO Cloud Storage, (C) 2019 MinIO, Inc. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package cmd |
||||
|
||||
import ( |
||||
"crypto/tls" |
||||
"errors" |
||||
"fmt" |
||||
"log" |
||||
"os" |
||||
"regexp" |
||||
"time" |
||||
|
||||
ldap "gopkg.in/ldap.v3" |
||||
) |
||||
|
||||
const ( |
||||
defaultLDAPExpiry = time.Hour * 1 |
||||
) |
||||
|
||||
// ldapServerConfig contains server connectivity information.
|
||||
type ldapServerConfig struct { |
||||
IsEnabled bool `json:"enabled"` |
||||
|
||||
// E.g. "ldap.minio.io:636"
|
||||
ServerAddr string `json:"serverAddr"` |
||||
|
||||
// STS credentials expiry duration
|
||||
STSExpiryDuration string `json:"stsExpiryDuration"` |
||||
stsExpiryDuration time.Duration // contains converted value
|
||||
|
||||
// Skips TLS verification (for testing, not
|
||||
// recommended in production).
|
||||
SkipTLSVerify bool `json:"skipTLSverify"` |
||||
|
||||
// Format string for usernames
|
||||
UsernameFormat string `json:"usernameFormat"` |
||||
|
||||
GroupSearchBaseDN string `json:"groupSearchBaseDN"` |
||||
GroupSearchFilter string `json:"groupSearchFilter"` |
||||
GroupNameAttribute string `json:"groupNameAttribute"` |
||||
} |
||||
|
||||
func (l *ldapServerConfig) Connect() (ldapConn *ldap.Conn, err error) { |
||||
if l == nil { |
||||
// Happens when LDAP is not configured.
|
||||
return |
||||
} |
||||
if l.SkipTLSVerify { |
||||
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{InsecureSkipVerify: true}) |
||||
} else { |
||||
ldapConn, err = ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{}) |
||||
} |
||||
return |
||||
} |
||||
|
||||
// newLDAPConfigFromEnv loads configuration from the environment
|
||||
func newLDAPConfigFromEnv() (l ldapServerConfig, err error) { |
||||
if ldapServer, ok := os.LookupEnv("MINIO_IDENTITY_LDAP_SERVER_ADDR"); ok { |
||||
l.IsEnabled = true |
||||
l.ServerAddr = ldapServer |
||||
|
||||
if v := os.Getenv("MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"); v == "true" { |
||||
l.SkipTLSVerify = true |
||||
} |
||||
|
||||
if v := os.Getenv("MINIO_IDENTITY_LDAP_STS_EXPIRY"); v != "" { |
||||
expDur, err := time.ParseDuration(v) |
||||
if err != nil { |
||||
return l, errors.New("LDAP expiry time err:" + err.Error()) |
||||
} |
||||
if expDur <= 0 { |
||||
return l, errors.New("LDAP expiry time has to be positive") |
||||
} |
||||
l.STSExpiryDuration = v |
||||
l.stsExpiryDuration = expDur |
||||
} else { |
||||
l.stsExpiryDuration = defaultLDAPExpiry |
||||
} |
||||
|
||||
if v := os.Getenv("MINIO_IDENTITY_LDAP_USERNAME_FORMAT"); v != "" { |
||||
subs := newSubstituter("username", "test") |
||||
if _, err := subs.substitute(v); err != nil { |
||||
return l, errors.New("Only username may be substituted in the username format") |
||||
} |
||||
l.UsernameFormat = v |
||||
} |
||||
|
||||
grpSearchFilter := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER") |
||||
grpSearchNameAttr := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE") |
||||
grpSearchBaseDN := os.Getenv("MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN") |
||||
|
||||
// Either all group params must be set or none must be set.
|
||||
allNotSet := grpSearchFilter == "" && grpSearchNameAttr == "" && grpSearchBaseDN == "" |
||||
allSet := grpSearchFilter != "" && grpSearchNameAttr != "" && grpSearchBaseDN != "" |
||||
if !allNotSet && !allSet { |
||||
return l, errors.New("All group related parameters must be set") |
||||
} |
||||
|
||||
if allSet { |
||||
subs := newSubstituter("username", "test", "usernamedn", "test2") |
||||
if _, err := subs.substitute(grpSearchFilter); err != nil { |
||||
return l, errors.New("Only username and usernamedn may be substituted in the group search filter string") |
||||
} |
||||
l.GroupSearchFilter = grpSearchFilter |
||||
|
||||
l.GroupNameAttribute = grpSearchNameAttr |
||||
|
||||
subs = newSubstituter("username", "test", "usernamedn", "test2") |
||||
if _, err := subs.substitute(grpSearchBaseDN); err != nil { |
||||
return l, errors.New("Only username and usernamedn may be substituted in the base DN string") |
||||
} |
||||
l.GroupSearchBaseDN = grpSearchBaseDN |
||||
} |
||||
} |
||||
return |
||||
} |
||||
|
||||
// substituter - This type is to allow restricted runtime
|
||||
// substitutions of variables in LDAP configuration items during
|
||||
// runtime.
|
||||
type substituter struct { |
||||
vals map[string]string |
||||
} |
||||
|
||||
// newSubstituter - sets up the substituter for usage, for e.g.:
|
||||
//
|
||||
// subber := newSubstituter("username", "john")
|
||||
func newSubstituter(v ...string) substituter { |
||||
if len(v)%2 != 0 { |
||||
log.Fatal("Need an even number of arguments") |
||||
} |
||||
vals := make(map[string]string) |
||||
for i := 0; i < len(v); i += 2 { |
||||
vals[v[i]] = v[i+1] |
||||
} |
||||
return substituter{vals: vals} |
||||
} |
||||
|
||||
// substitute - performs substitution on the given string `t`. Returns
|
||||
// an error if there are any variables in the input that do not have
|
||||
// values in the substituter. E.g.:
|
||||
//
|
||||
// subber.substitute("uid=${username},cn=users,dc=example,dc=com")
|
||||
//
|
||||
// returns "uid=john,cn=users,dc=example,dc=com"
|
||||
//
|
||||
// whereas:
|
||||
//
|
||||
// subber.substitute("uid=${usernamedn}")
|
||||
//
|
||||
// returns an error.
|
||||
func (s *substituter) substitute(t string) (string, error) { |
||||
for k, v := range s.vals { |
||||
re := regexp.MustCompile(fmt.Sprintf(`\$\{%s\}`, k)) |
||||
t = re.ReplaceAllLiteralString(t, v) |
||||
} |
||||
// Check if all requested substitutions have been made.
|
||||
re := regexp.MustCompile(`\$\{.*\}`) |
||||
if re.MatchString(t) { |
||||
return "", errors.New("unsupported substitution requested") |
||||
} |
||||
return t, nil |
||||
} |
||||
@ -0,0 +1,63 @@ |
||||
// +build ignore
|
||||
|
||||
/* |
||||
* MinIO Cloud Storage, (C) 2019 MinIO, Inc. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
package main |
||||
|
||||
import ( |
||||
"fmt" |
||||
"log" |
||||
|
||||
miniogo "github.com/minio/minio-go" |
||||
cr "github.com/minio/minio-go/pkg/credentials" |
||||
) |
||||
|
||||
var ( |
||||
// LDAP integrated Minio endpoint
|
||||
stsEndpoint = "http://localhost:9000" |
||||
|
||||
// LDAP credentials
|
||||
ldapUsername = "ldapuser" |
||||
ldapPassword = "ldapsecret" |
||||
) |
||||
|
||||
func main() { |
||||
|
||||
// If client machine is configured as a Kerberos client, just
|
||||
// pass nil instead of `getKrbConfig()` below.
|
||||
li, err := cr.NewLDAPIdentity(stsEndpoint, ldapUsername, ldapPassword) |
||||
if err != nil { |
||||
log.Fatalf("INIT Err: %v", err) |
||||
} |
||||
|
||||
v, err := li.Get() |
||||
if err != nil { |
||||
log.Fatalf("GET Err: %v", err) |
||||
} |
||||
fmt.Printf("%#v\n", v) |
||||
|
||||
minioClient, err := miniogo.NewWithCredentials("localhost:9000", li, false, "") |
||||
if err != nil { |
||||
log.Fatalln(err) |
||||
} |
||||
|
||||
fmt.Println("Calling list buckets with temp creds:") |
||||
b, err := minioClient.ListBuckets() |
||||
if err != nil { |
||||
log.Fatalln(err) |
||||
} |
||||
fmt.Println(b) |
||||
} |
||||
@ -0,0 +1,92 @@ |
||||
# MinIO LDAP Integration |
||||
|
||||
MinIO provides a custom STS API that allows integration with LDAP |
||||
based corporate environments. The flow is as follows: |
||||
|
||||
1. User provides their LDAP username and password to the STS API. |
||||
2. MinIO logs-in to the LDAP server as the user - if the login |
||||
succeeds the user is authenticated. |
||||
3. MinIO then queries the LDAP server for a list of groups that the |
||||
user is a member of. |
||||
- This is done via a customizable LDAP search query. |
||||
4. MinIO then generates temporary credentials for the user storing the |
||||
list of groups in a cryptographically secure session token. The |
||||
temporary access key, secret key and session token are returned to |
||||
the user. |
||||
5. The user can now use these credentials to make requests to the |
||||
MinIO server. |
||||
|
||||
The administrator will associate IAM access policies with each group |
||||
and if required with the user too. The MinIO server then evaluates |
||||
applicable policies on a user (these are the policies associated with |
||||
the groups along with the policy on the user if any) to check if the |
||||
request should be allowed or denied. |
||||
|
||||
## Configuring LDAP on MinIO |
||||
|
||||
LDAP configuration is designed to be simple for the MinIO |
||||
administrator. |
||||
|
||||
The full path of a user DN (Distinguished Name) |
||||
(e.g. `uid=johnwick,cn=users,cn=accounts,dc=minio,dc=io`) is |
||||
configured as a format string in the |
||||
**MINIO_IDENTITY_LDAP_USERNAME_FORMAT** environment variable. This |
||||
allows an LDAP user to not specify this whole string in the LDAP STS |
||||
API. Instead the user only needs to specify the username portion |
||||
(i.e. `johnwick` in this example) that will be substituted into the |
||||
format string configured on the server. |
||||
|
||||
MinIO can be configured to find the groups of a user from LDAP by |
||||
specifying the **MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER** and |
||||
**MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE** environment |
||||
variables. When a user logs in via the STS API, the MinIO server |
||||
queries the LDAP server with the given search filter and extracts the |
||||
given attribute from the search results. These values represent the |
||||
groups that the user is a member of. On each access MinIO applies the |
||||
IAM policies attached to these groups in MinIO. |
||||
|
||||
LDAP is configured via the following environment variables: |
||||
|
||||
| Variable | Required? | Purpose | |
||||
|----------------------------------------------|---------------------------|-----------------------------------------------------| |
||||
| **MINIO_IDENTITY_LDAP_SERVER_ADDR** | **YES** | LDAP server address | |
||||
| **MINIO_IDENTITY_LDAP_USERNAME_FORMAT** | **YES** | Format of full username DN | |
||||
| **MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN** | **NO** | Base DN in LDAP hierarchy to use in search requests | |
||||
| **MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER** | **NO** | Search filter to find groups of a user | |
||||
| **MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE** | **NO** | Attribute of search results to use as group name | |
||||
| **MINIO_IDENTITY_LDAP_STS_EXPIRY_DURATION** | **NO** (default: "1h") | STS credentials validity duration | |
||||
| **MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY** | **NO** (default: "false") | Disable TLS certificate verification | |
||||
|
||||
Please note that MinIO will only access the LDAP server over TLS. |
||||
|
||||
An example setup for development or experimentation: |
||||
|
||||
``` shell |
||||
export MINIO_IDENTITY_LDAP_SERVER_ADDR=myldapserver.com:636 |
||||
export MINIO_IDENTITY_LDAP_USERNAME_FORMAT="uid=${username},cn=accounts,dc=myldapserver,dc=com" |
||||
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="dc=myldapserver,dc=com" |
||||
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectclass=groupOfNames)(member=${usernamedn}))" |
||||
export MINIO_IDENTITY_LDAP_GROUP_NAME_ATTRIBUTE="cn" |
||||
export MINIO_IDENTITY_LDAP_STS_EXPIRY_DURATION=60 |
||||
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=true |
||||
``` |
||||
|
||||
### Variable substitution in LDAP configuration strings |
||||
|
||||
In the configuration values described above, some values support |
||||
runtime substitutions. The substitution syntax is simply |
||||
`${variable}` - this substring is replaced with the (string) value of |
||||
`variable`. The following substitutions will be available: |
||||
|
||||
| Variable | Example Runtime Value | Description | |
||||
|--------------|------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| |
||||
| *username* | "james" | The LDAP username of a user. | |
||||
| *usernamedn* | "uid=james,cn=accounts,dc=myldapserver,dc=com" | The LDAP username DN of a user. This is constructed from the LDAP user DN format string provided to the server and the actual LDAP username. | |
||||
|
||||
The **MINIO_IDENTITY_LDAP_USERNAME_FORMAT** environment variable |
||||
supports substitution of the *username* variable only. |
||||
|
||||
The **MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER** and |
||||
**MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN** environment variables |
||||
support substitution of the *username* and *usernamedn* variables |
||||
only. |
||||
Loading…
Reference in new issue