minio does not show the password login by default when OIDC is setup
we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly)
parent
569e830514
commit
316047b1d3
|
@ -11,6 +11,6 @@ RUN wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio.${VERS
|
||||||
# https://dl.min.io/client/mc/release/linux-amd64/
|
# https://dl.min.io/client/mc/release/linux-amd64/
|
||||||
RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /app/code/mc && chmod +x /app/code/mc
|
RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /app/code/mc && chmod +x /app/code/mc
|
||||||
|
|
||||||
COPY env.sh start.sh /app/code/
|
COPY env.sh.template start.sh /app/code/
|
||||||
|
|
||||||
CMD [ "/app/code/start.sh" ]
|
CMD [ "/app/code/start.sh" ]
|
||||||
|
|
|
@ -1,21 +1,19 @@
|
||||||
|
<nosso>
|
||||||
Please use the following credentials to login:
|
Please use the following credentials to login:
|
||||||
|
|
||||||
**Username**: minioadmin<br/>
|
**Username**: minioadmin<br/>
|
||||||
**Password**: minioadmin<br/>
|
**Password**: minioadmin<br/>
|
||||||
|
|
||||||
Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).
|
Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).
|
||||||
|
</nosso>
|
||||||
|
|
||||||
<sso>
|
<sso>
|
||||||
By default, Cloudron users have `readwrite` access policy.
|
|
||||||
If you'd like to change it, you should create a respective policy by following [Minio documentation](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html)
|
|
||||||
|
|
||||||
After that you should add the variable `MINIO_IDENTITY_OPENID_ROLE_POLICY` in /app/data/env.sh, e.g.
|
Please use the following credentials to login via 'Other Authentication Methods' -> 'Use Credentials':
|
||||||
|
|
||||||
```
|
**Username**: minioadmin<br/>
|
||||||
export MINIO_IDENTITY_OPENID_ROLE_POLICY="new-policy-name"
|
**Password**: See `MINIO_ROOT_PASSWORD` in `/app/data/env.sh` <a href="/frontend/filemanager.html#/viewer/app/$CLOUDRON-APP-ID/env.sh">Open File Manager</a><br/>
|
||||||
```
|
|
||||||
|
|
||||||
Where `new-policy-name` is the policy you have created.
|
Cloudron users have `readwrite` access policy. See the [docs](https://cloudron.io/documentation/apps/minio/#admin-credentials) on how to change it.
|
||||||
|
|
||||||
Be sure to restart the app after making changes.
|
</nosso>
|
||||||
</sso>
|
|
||||||
|
|
9
env.sh
9
env.sh
|
@ -1,9 +0,0 @@
|
||||||
# Add custom minio configuration to this file. Restart the app for changes to take effect.
|
|
||||||
|
|
||||||
export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data'
|
|
||||||
|
|
||||||
# See https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_ROOT_USER
|
|
||||||
# You can use pwgen -1s 64 to generate usernames and passwords
|
|
||||||
export MINIO_ROOT_USER=minioadmin
|
|
||||||
export MINIO_ROOT_PASSWORD=minioadmin
|
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
# Add custom minio configuration to this file. Restart the app for changes to take effect.
|
||||||
|
|
||||||
|
export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data'
|
||||||
|
|
13
start.sh
13
start.sh
|
@ -5,7 +5,18 @@ set -eu
|
||||||
mkdir -p /app/data/data /run/minio/config /run/minio/certs
|
mkdir -p /app/data/data /run/minio/config /run/minio/certs
|
||||||
|
|
||||||
# env vars take precedence over config.yaml (https://github.com/minio/minio/blob/master/docs/distributed/CONFIG.md#things-to-know)
|
# env vars take precedence over config.yaml (https://github.com/minio/minio/blob/master/docs/distributed/CONFIG.md#things-to-know)
|
||||||
[[ ! -f /app/data/env.sh ]] && cp /app/code/env.sh /app/data/env.sh
|
if [[ ! -f /app/data/env.sh ]]; then
|
||||||
|
echo "=> First run"
|
||||||
|
cp /app/code/env.sh.template /app/data/env.sh
|
||||||
|
# minio does not show the password login by default when OIDC is setup (https://github.com/minio/minio/discussions/16928)
|
||||||
|
# we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly)
|
||||||
|
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
|
||||||
|
echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=$(pwgen -1s 20)\n\n" >> /app/data/env.sh
|
||||||
|
else
|
||||||
|
echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=minioadmin\n\n" >> /app/data/env.sh
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
source /app/data/env.sh
|
source /app/data/env.sh
|
||||||
|
|
||||||
# https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_SERVER_URL
|
# https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_SERVER_URL
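Review bot: In the first-run block, a failing `pwgen` is not caught by `set -eu`, because the command substitution sits inside the `echo -e` argument; env.sh would then be written with an empty `MINIO_ROOT_PASSWORD=`. The preceding `cp` has already created /app/data/env.sh, so later starts skip the block and never regenerate the credentials. Assign the value on its own line first, `root_password=$(pwgen -1s 20)`, so a failure aborts the script, and preferably build the file under a temporary name and `mv` it into place so an interrupted first run cannot leave a credential-less env.sh behind. Because the file now holds a generated secret, consider adding `chmod 600 /app/data/env.sh`; whether other accounts can read /app/data is not visible here. The script continues outside the hunk.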
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
"chromedriver": "^121.0.2",
|
"chromedriver": "^121.0.2",
|
||||||
"expect.js": "^0.3.1",
|
"expect.js": "^0.3.1",
|
||||||
"mocha": "^10.3.0",
|
"mocha": "^10.3.0",
|
||||||
"selenium-webdriver": "^4.17.0",
|
"selenium-webdriver": "^4.18.1",
|
||||||
"superagent": "^8.1.2"
|
"superagent": "^8.1.2"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -1192,9 +1192,9 @@
|
||||||
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
|
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
|
||||||
},
|
},
|
||||||
"node_modules/selenium-webdriver": {
|
"node_modules/selenium-webdriver": {
|
||||||
"version": "4.17.0",
|
"version": "4.18.1",
|
||||||
"resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.17.0.tgz",
|
"resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.18.1.tgz",
|
||||||
"integrity": "sha512-e2E+2XBlGepzwgFbyQfSwo9Cbj6G5fFfs9MzAS00nC99EewmcS2rwn2MwtgfP7I5p1e7DYv4HQJXtWedsu6DvA==",
|
"integrity": "sha512-uP4OJ5wR4+VjdTi5oi/k8oieV2fIhVdVuaOPrklKghgS59w7Zz3nGa5gcG73VcU9EBRv5IZEBRhPr7qFJAj5mQ==",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"jszip": "^3.10.1",
|
"jszip": "^3.10.1",
|
||||||
"tmp": "^0.2.1",
|
"tmp": "^0.2.1",
|
||||||
|
@ -2408,9 +2408,9 @@
|
||||||
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
|
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
|
||||||
},
|
},
|
||||||
"selenium-webdriver": {
|
"selenium-webdriver": {
|
||||||
"version": "4.17.0",
|
"version": "4.18.1",
|
||||||
"resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.17.0.tgz",
|
"resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.18.1.tgz",
|
||||||
"integrity": "sha512-e2E+2XBlGepzwgFbyQfSwo9Cbj6G5fFfs9MzAS00nC99EewmcS2rwn2MwtgfP7I5p1e7DYv4HQJXtWedsu6DvA==",
|
"integrity": "sha512-uP4OJ5wR4+VjdTi5oi/k8oieV2fIhVdVuaOPrklKghgS59w7Zz3nGa5gcG73VcU9EBRv5IZEBRhPr7qFJAj5mQ==",
|
||||||
"requires": {
|
"requires": {
|
||||||
"jszip": "^3.10.1",
|
"jszip": "^3.10.1",
|
||||||
"tmp": "^0.2.1",
|
"tmp": "^0.2.1",
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
"chromedriver": "^121.0.2",
|
"chromedriver": "^121.0.2",
|
||||||
"expect.js": "^0.3.1",
|
"expect.js": "^0.3.1",
|
||||||
"mocha": "^10.3.0",
|
"mocha": "^10.3.0",
|
||||||
"selenium-webdriver": "^4.17.0",
|
"selenium-webdriver": "^4.18.1",
|
||||||
"superagent": "^8.1.2"
|
"superagent": "^8.1.2"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
73
test/test.js
73
test/test.js
|
@ -34,7 +34,7 @@ describe('Application life cycle test', function () {
|
||||||
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
|
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
|
||||||
|
|
||||||
let browser, app;
|
let browser, app;
|
||||||
var athenticated_by_oidc = false;
|
let athenticated_by_oidc = false, rootPassword;
|
||||||
let username = process.env.USERNAME;
|
let username = process.env.USERNAME;
|
||||||
let password = process.env.PASSWORD;
|
let password = process.env.PASSWORD;
|
||||||
|
|
||||||
|
@ -57,7 +57,10 @@ describe('Application life cycle test', function () {
|
||||||
expect(app).to.be.an('object');
|
expect(app).to.be.an('object');
|
||||||
}
|
}
|
||||||
|
|
||||||
async function login(accessKey='minioadmin', secretKey='minioadmin') {
|
async function login(username, password) {
|
||||||
|
await browser.manage().deleteAllCookies();
|
||||||
|
await browser.get('about:blank');
|
||||||
|
await browser.sleep(2000);
|
||||||
await browser.get(`https://${app.fqdn}/login`);
|
await browser.get(`https://${app.fqdn}/login`);
|
||||||
await browser.sleep(2000);
|
await browser.sleep(2000);
|
||||||
|
|
||||||
|
@ -68,8 +71,8 @@ describe('Application life cycle test', function () {
|
||||||
await browser.sleep(2000);
|
await browser.sleep(2000);
|
||||||
}
|
}
|
||||||
await waitForElement(By.id('accessKey'));
|
await waitForElement(By.id('accessKey'));
|
||||||
await browser.findElement(By.id('accessKey')).sendKeys(accessKey);
|
await browser.findElement(By.id('accessKey')).sendKeys(username);
|
||||||
await browser.findElement(By.id('secretKey')).sendKeys(secretKey);
|
await browser.findElement(By.id('secretKey')).sendKeys(password);
|
||||||
await browser.findElement(By.xpath('//button[@id="do-login"]')).click();
|
await browser.findElement(By.xpath('//button[@id="do-login"]')).click();
|
||||||
await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
|
await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
|
||||||
await timers.setTimeout(5000);
|
await timers.setTimeout(5000);
|
||||||
|
@ -134,9 +137,27 @@ describe('Application life cycle test', function () {
|
||||||
expect(response.body.toString('utf8')).to.contain('<Code>AccessDenied</Code>');
|
expect(response.body.toString('utf8')).to.contain('<Code>AccessDenied</Code>');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async function changeAdminCredentials() {
|
||||||
|
let data = fs.readFileSync(path.join(__dirname, '../env.sh.template'), 'utf8');
|
||||||
|
data += '\nexport MINIO_ROOT_USER=minioakey\nexport MINIO_ROOT_PASSWORD=minioskey\n';
|
||||||
|
fs.writeFileSync('/tmp/env.sh', data);
|
||||||
|
execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
|
||||||
|
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
|
||||||
|
await timers.setTimeout(10000);
|
||||||
|
}
|
||||||
|
|
||||||
|
async function getAdminCredentials() {
|
||||||
|
execSync(`cloudron pull --app ${app.id} /app/data/env.sh /tmp/env.sh`, EXEC_ARGS);
|
||||||
|
const data = fs.readFileSync('/tmp/env.sh', 'utf8');
|
||||||
|
const m = data.match(/MINIO_ROOT_PASSWORD=(.*)/);
|
||||||
|
if (!m) throw new Error('Could not detect root password');
|
||||||
|
rootPassword = m[1].trim();
|
||||||
|
console.log(`root password is [${rootPassword}]`);
|
||||||
|
}
|
||||||
|
|
||||||
xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
|
xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
|
||||||
|
|
||||||
// no SSO
|
// // no SSO
|
||||||
it('install app (no SSO)', async function () {
|
it('install app (no SSO)', async function () {
|
||||||
execSync(`cloudron install --no-sso --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
|
execSync(`cloudron install --no-sso --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
|
||||||
await timers.setTimeout(10000);
|
await timers.setTimeout(10000);
|
||||||
|
@ -144,33 +165,25 @@ describe('Application life cycle test', function () {
|
||||||
|
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
||||||
it('can add bucket', addBucket);
|
it('can add bucket', addBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
|
|
||||||
it('can change Admin credentials', async function () {
|
it('can change admin credentials', changeAdminCredentials);
|
||||||
let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
|
it('can restart app', async function () {
|
||||||
data = data
|
|
||||||
.replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
|
|
||||||
.replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey');
|
|
||||||
fs.writeFileSync('/tmp/env.sh', data);
|
|
||||||
execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
|
|
||||||
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
|
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
|
||||||
await timers.setTimeout(10000);
|
await timers.setTimeout(10000);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); });
|
it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
|
|
||||||
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
it('check api', checkApi);
|
it('check api', checkApi);
|
||||||
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
||||||
|
|
||||||
|
|
||||||
// SSO
|
// SSO
|
||||||
it('install app (SSO)', async function () {
|
it('install app (SSO)', async function () {
|
||||||
execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
|
execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
|
||||||
|
@ -178,8 +191,8 @@ describe('Application life cycle test', function () {
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
it('can get admin credentials', getAdminCredentials);
|
||||||
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can admin login', async function () { await login('minioadmin', rootPassword); });
|
||||||
it('can add bucket', addBucket);
|
it('can add bucket', addBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
|
@ -189,20 +202,14 @@ describe('Application life cycle test', function () {
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
it('can change Admin credentials', async function () {
|
it('can change admin credentials', changeAdminCredentials);
|
||||||
let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
|
|
||||||
data = data
|
it('can restart app', async function () {
|
||||||
.replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
|
|
||||||
.replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey');
|
|
||||||
fs.writeFileSync('/tmp/env.sh', data);
|
|
||||||
execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
|
|
||||||
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
|
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
|
||||||
await timers.setTimeout(10000);
|
await timers.setTimeout(10000);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); });
|
it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
|
|
||||||
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
it('does redirect', checkRedirect);
|
it('does redirect', checkRedirect);
|
||||||
|
@ -223,7 +230,7 @@ describe('Application life cycle test', function () {
|
||||||
});
|
});
|
||||||
|
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
|
@ -241,7 +248,7 @@ describe('Application life cycle test', function () {
|
||||||
});
|
});
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
|
it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
|
||||||
|
|
||||||
|
@ -255,7 +262,7 @@ describe('Application life cycle test', function () {
|
||||||
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
|
||||||
|
|
||||||
// test update
|
// test update
|
||||||
it('can install app', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
|
it('can install app for update', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
|
||||||
|
@ -272,7 +279,7 @@ describe('Application life cycle test', function () {
|
||||||
it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
|
it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
|
||||||
it('can get app information', getAppInfo);
|
it('can get app information', getAppInfo);
|
||||||
|
|
||||||
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
it('can admin login', login.bind(null, 'minioadmin', 'minioadmin'));
|
||||||
it('has bucket', checkBucket);
|
it('has bucket', checkBucket);
|
||||||
it('can logout', logout);
|
it('can logout', logout);
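Review bot: `getAdminCredentials` prints the generated root password with `console.log(`root password is [${rootPassword}]`)`, so the secret ends up in test output and in any CI log that keeps it. Drop the value from the message, e.g. `console.log('root password detected');`. The env.sh pulled from the app is also written to the fixed path `/tmp/env.sh` and never removed; creating it under `fs.mkdtempSync(path.join(os.tmpdir(), 'minio-'))` (this needs `os`, whose import is not visible here) and deleting it after the read would stop the credential lingering on shared runners. `changeAdminCredentials` uses the same fixed path. Separately, the "test update" block still logs in with `minioadmin`/`minioadmin` after an appstore install. If that install enables SSO, which is not visible here, that step will presumably need `getAdminCredentials` too once this version is published.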
|
||||||
|
|
||||||
|
|