Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for Kubernetes

Active Directory / LDAP Access Management

MinIO supports configuring a single Active Directory or LDAP (AD/LDAP) service for external management of user identities. Enabling AD/LDAP external identity management disables the MinIO internal IDP.

For identities managed by the external AD/LDAP provider, MinIO uses the user’s Distinguished Name and attempts to map it against an existing policy.

If the AD/LDAP configuration includes the necessary settings to query the user’s AD/LDAP group membership, MinIO also uses those group Distinguished Names and attempts to map each against an existing policy.

MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an AD/LDAP provider must specify the necessary policies as part of the user profile data. If no policies match either the user DN or group DNs, MinIO blocks all access to actions and resources on the deployment.

The specific AD/LDAP queries MinIO issues to authenticate the user and retrieve it’s group membership are configured as part of deploying the cluster with Active Directory / LDAP identity management. This page covers creation of MinIO policies to match the possible returned Distinguished Names.

Authentication and Authorization Flow

The login flow for an application using Active Directory / LDAP credentials is as follows:

  1. Specify the AD/LDAP credentials to the MinIO Security Token Service (STS) AssumeRoleWithLDAPIdentity API endpoint.

  2. MinIO verifies the provided credentials against the AD/LDAP server.

  3. MinIO checks for any policy whose name matches the user Distinguished Name (DN) and assigns that policy to the authenticated user.

    If configured to perform group queries, MinIO also queries for a list of AD/LDAP groups in which the user has membership. MinIO checks for any policy whose name matches a returned group DN and assigns that policy to the authenticated user.

  4. MinIO returns temporary credentials in the STS API response in the form of an access key, secret key, and session token. The credentials have permissions matching those policies whose name matches either the authenticated user DN or a group DN.

MinIO provides an example Go application ldap.go that handles the full login flow.

AD/LDAP users can alternatively create access keys associated to their AD/LDAP user Distinguished Name. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the access keys. Use either of the following methods to create a new access key:

  • Log into the MinIO Console using the AD/LDAP-managed user credentials.

    In the User section, select Access Keys followed by Create access keys +.

  • Use the mc admin user svcacct add command to create the access keys. Specify the user Distinguished Name as the username to which to associate the access keys.

Mapping Policies to User DN

The following commands use mc idp ldap policy attach to associate an existing MinIO policy to an AD/LDAP User DN.

mc idp ldap policy attach myminio consoleAdmin \
  --user='cn=sisko,cn=users,dc=example,dc=com'

mc idp ldap policy attach myminio readwrite,diagnostics \
  --user='cn=dax,cn=users,dc=example,dc=com'

  • MinIO would assign an authenticated user with DN matching cn=sisko,cn=users,dc=example,dc=com the consoleAdmin policy, granting complete access to the MinIO server.

  • MinIO would assign an authenticated user with DN matching cn=dax,cn=users,dc=example,dc=com both the readwrite and diagnostics policies, granting general read/write access to the MinIO server and access to diagnostic administrative operations.

  • MinIO would assign no policies to an authenticated user with DN matching cn=quark,cn=users,dc=example,dc=com and deny all access to API operations.

Mapping Policies to Group DN

The following commands use mc idp ldap policy attach to associate an existing MinIO policy to an AD/LDAP Group DN.

mc idp ldap policy attach myminio consoleAdmin \
  --group='cn=ops,cn=groups,dc=example,dc=com'

mc idp ldap policy attach myminio diagnostics \
  --group='cn=engineering,cn=groups,dc=example,dc=com'

  • MinIO would assign any authenticating user with membership in the cn=ops,cn=groups,dc=example,dc=com AD/LDAP group the consoleAdmin policy, granting complete access to the MinIO server.

  • MinIO would assign any authenticating user with membership in the cn=engineering,cn=groups,dc=example,dc=com AD/LDAP group the diagnostics policy, granting access to diagnostic administrative operations.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License