admin管理员组文章数量:1400007
I have a Min.io instance correctly configured and running in a docker container environment. It is fully integrated with an external OpenID provider (a Keycloak container) to manage SSO logins and registrations.
The Min.io instance has two separate buckets with the following structure:
- bucket "bucket1" - folder "function3" - folder "users" - folder "user1" - folder "user2" - bucket "bucket2" - folder "function1" - folder "function2"
I want to implement a new policy to control access to the buckets, specifically:
- Every user can only read the contents of bucket
bucket2 - Every user, denoted as
$user, can read and write on thebucket1/function3/users/$userand eventually just read everywhere else (e.g.user1can read and write onbucket1/function3/users/user1but cannot write -possibly also cannot read but it's not required- onbucket1/function3/users/user2)
So far, I've tried the following approach
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket1"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket1/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket1/function3/users/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket2/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket2"
}
]
}
but it doesn't fully fit. Infact:
- Every user can correctly only read the contents of bucket
bucket2✅ - The specific user (e.g.
user1) cannot even readbucket1or its content (included the subfolderbucket1/function3/users/user1) ❌
As a temporary workaround solution, I’ve created a dedicated policy rule for each user to grant access to the necessary subpath statically. Is there a way to create a single dynamic policy that can apply to all users for this purpose?
I have a Min.io instance correctly configured and running in a docker container environment. It is fully integrated with an external OpenID provider (a Keycloak container) to manage SSO logins and registrations.
The Min.io instance has two separate buckets with the following structure:
- bucket "bucket1" - folder "function3" - folder "users" - folder "user1" - folder "user2" - bucket "bucket2" - folder "function1" - folder "function2"
I want to implement a new policy to control access to the buckets, specifically:
- Every user can only read the contents of bucket
bucket2 - Every user, denoted as
$user, can read and write on thebucket1/function3/users/$userand eventually just read everywhere else (e.g.user1can read and write onbucket1/function3/users/user1but cannot write -possibly also cannot read but it's not required- onbucket1/function3/users/user2)
So far, I've tried the following approach
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket1"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket1/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket1/function3/users/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket2/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket2"
}
]
}
but it doesn't fully fit. Infact:
- Every user can correctly only read the contents of bucket
bucket2✅ - The specific user (e.g.
user1) cannot even readbucket1or its content (included the subfolderbucket1/function3/users/user1) ❌
As a temporary workaround solution, I’ve created a dedicated policy rule for each user to grant access to the necessary subpath statically. Is there a way to create a single dynamic policy that can apply to all users for this purpose?
Share Improve this question asked Mar 25 at 14:59 pheeleeppoopheeleeppoo 1,5356 gold badges26 silver badges31 bronze badges 1 |1 Answer
Reset to default 0It understands that the problem was on the parameter ${aws:username} . Infact this parameter is referring to the supported S3 policy keys (see the Min.io documentation for further details).
Since the solution here is including an external OpenID connection (e.g. KeyCloak) we should use one of the supported policy variables for use in authorizing OIDC-managed users. The list of supported variable can be find here.
Finally, the working solution is obtained substituting the parameter ${aws:username} with the parameter ${jwt:preferred_username} (the field inside the token that Min.io could read from KeyCloak). The right policy is the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket1"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket1/*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::bucket1/function3/users/${jwt:preferred_username}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::bucket2/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket2"
}
]
}
本文标签: keycloakMinio dynamic policy for bucket subpathStack Overflow
版权声明:本文标题:keycloak - Min.io dynamic policy for bucket subpath - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744187581a2594365.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
${aws:username}parameter is not properly read because it refers to the internal Min.io user management – pheeleeppoo Commented Apr 1 at 9:06