minio

package module

v0.0.0-...-3fe0350 Latest Latest Go to latest Published: May 4, 2023 License: MPL-2.0 Imports: 25 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/lkubb/vault-plugin-database-minio

Links

Open Source Insights

README ¶

MinIO Vault Database Plugin

This plugin allows Vault to manage MinIO authentication and authorization.

Prerequisites

MinIO

After initialization, you will need to create a policy and dedicated user account for Vault.

The policy should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "admin:CreateUser",
                "admin:ListGroups",
                "admin:EnableUser",
                "admin:GetPolicy",
                "admin:GetUser",
                "admin:RemoveUserFromGroup",
                "admin:ServerInfo",
                "admin:CreatePolicy",
                "admin:DisableGroup",
                "admin:EnableGroup",
                "admin:DisableUser",
                "admin:ListUserPolicies",
                "admin:DeleteUser",
                "admin:GetGroup",
                "admin:ListUsers",
                "admin:AddUserToGroup",
                "admin:AttachUserOrGroupPolicy",
                "admin:DeletePolicy"
            ]
        }
    ]
}

Proceed with creating the Vault user and assign it this policy.

Vault

First, ensure your Vault configuration defines plugin_directory and api_address correctly (the latter is used for inter-process communication, consider TLS certificates!).

Currently, there are no binary releases, hence you will need to compile this plugin, e.g.:

go build ./cmd/minio-database-plugin
# or gox -osarch="linux/amd64" ./cmd/minio-database-plugin

Then move the plugin into plugin_directory, ensure correct ownership/permissions and register it:

vault plugin register -sha256=${BINARY_SHA_SUM} minio-database-plugin

Configuration

Connection

host: FQDN/IP address of the MinIO API. Required.
port: The port the MinIO API server is listening on (int). Defaults to 9000.
username: The name of the dedicated Vault user. Required.
password: The initial password of the dedicated Vault user. Required.
tls: Whether to enable TLS. Defaults to false.
insecure_tls: Whether to skip verifying server certificates. Defaults to false.
tls_server_name: Specifies the name to use as the SNI host when connecting to the MinIO server via TLS.
tls_min_version: Minimum acceptable TLS version (string). Defaults to 1.2
pem_bundle: Specifies concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. Only one of pem_bundle or pem_json can be specified.
pem_json: Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate. The value in this field must be an encoded JSON object. For convenience, the format is the same as the output of the issue command from the pki secrets engine; see the pki documentation. Only one of pem_bundle or pem_json can be specified.
connect_timeout: Timeout for HTTP connections. Defaults to 5s.

Role

A role's creation_statements define which permissions the issued user will carry and, optionally, which groups the user will belong to. It should be a list containing a single, JSON-encoded string value. The JSON data can contain the following fields:

policy: IAM policy which will be created for each issued user account. This is the most secure method of assigning permissions.
static_policies: A string-valued list of existing policy names that should be assigned to a user account issued under this role. Mind that the policies themselves are not managed by Vault.
groups: A list of group names the issued user should be part of. Groups are created on demand. Mind that the associated policy itself is not managed by Vault.

Notes

This plugin is in very early development.
MinIO must be not be using the Gateway/Filesystem backends, otherwise you will see this error: This 'admin' API is not supported by server in 'mode-server-fs'. Noticeably, the TrueNAS CORE native S3 service is outdated in that respect. You can install the MinIO plugin though, which is more recent.

https://github.com/kula/vault-plugin-secrets-minio

Documentation ¶

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func New ¶

func New() (interface{}, error)

Types ¶

type Minio ¶

type Minio struct {
	// contains filtered or unexported fields
}

func (Minio) Close ¶

func (c Minio) Close() error

func (Minio) Connection ¶

func (c Minio) Connection(ctx context.Context) (interface{}, error)

func (*Minio) DeleteUser ¶

func (c *Minio) DeleteUser(ctx context.Context, req dbplugin.DeleteUserRequest) (dbplugin.DeleteUserResponse, error)

func (*Minio) Initialize ¶

func (c *Minio) Initialize(ctx context.Context, req dbplugin.InitializeRequest) (dbplugin.InitializeResponse, error)

func (*Minio) NewUser ¶

func (c *Minio) NewUser(ctx context.Context, req dbplugin.NewUserRequest) (dbplugin.NewUserResponse, error)

func (*Minio) Type ¶

func (c *Minio) Type() (string, error)

Type returns the TypeName for this backend

func (*Minio) UpdateUser ¶

func (c *Minio) UpdateUser(ctx context.Context, req dbplugin.UpdateUserRequest) (dbplugin.UpdateUserResponse, error)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
minio-database-plugin

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL