minio does not show the password login by default when OIDC is setup

we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly)
This commit is contained in:
Girish Ramakrishnan 2024-02-20 11:02:56 +01:00
parent 569e830514
commit 316047b1d3
8 changed files with 72 additions and 61 deletions

View File

@ -11,6 +11,6 @@ RUN wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio.${VERS
# https://dl.min.io/client/mc/release/linux-amd64/ # https://dl.min.io/client/mc/release/linux-amd64/
RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /app/code/mc && chmod +x /app/code/mc RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /app/code/mc && chmod +x /app/code/mc
COPY env.sh start.sh /app/code/ COPY env.sh.template start.sh /app/code/
CMD [ "/app/code/start.sh" ] CMD [ "/app/code/start.sh" ]

View File

@ -1,21 +1,19 @@
<nosso>
Please use the following credentials to login: Please use the following credentials to login:
**Username**: minioadmin<br/> **Username**: minioadmin<br/>
**Password**: minioadmin<br/> **Password**: minioadmin<br/>
Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials). Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).
</nosso>
<sso> <sso>
By default, Cloudron users have `readwrite` access policy.
If you'd like to change it, you should create a respective policy by following [Minio documentation](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html)
After that you should add the variable `MINIO_IDENTITY_OPENID_ROLE_POLICY` in /app/data/env.sh, e.g. Please use the following credentials to login via 'Other Authentication Methods' -> 'Use Credentials':
``` **Username**: minioadmin<br/>
export MINIO_IDENTITY_OPENID_ROLE_POLICY="new-policy-name" **Password**: See `MINIO_ROOT_PASSWORD` in `/app/data/env.sh` <a href="/frontend/filemanager.html#/viewer/app/$CLOUDRON-APP-ID/env.sh">Open File Manager</a><br/>
```
Where `new-policy-name` is the policy you have created. Cloudron users have `readwrite` access policy. See the [docs](https://cloudron.io/documentation/apps/minio/#admin-credentials) on how to change it.
Be sure to restart the app after making changes. </nosso>
</sso>

9
env.sh
View File

@ -1,9 +0,0 @@
# Add custom minio configuration to this file. Restart the app for changes to take effect.
export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data'
# See https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_ROOT_USER
# You can use pwgen -1s 64 to generate usernames and passwords
export MINIO_ROOT_USER=minioadmin
export MINIO_ROOT_PASSWORD=minioadmin

4
env.sh.template Normal file
View File

@ -0,0 +1,4 @@
# Add custom minio configuration to this file. Restart the app for changes to take effect.
export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data'

View File

@ -5,7 +5,18 @@ set -eu
mkdir -p /app/data/data /run/minio/config /run/minio/certs mkdir -p /app/data/data /run/minio/config /run/minio/certs
# env vars take precedence over config.yaml (https://github.com/minio/minio/blob/master/docs/distributed/CONFIG.md#things-to-know) # env vars take precedence over config.yaml (https://github.com/minio/minio/blob/master/docs/distributed/CONFIG.md#things-to-know)
[[ ! -f /app/data/env.sh ]] && cp /app/code/env.sh /app/data/env.sh if [[ ! -f /app/data/env.sh ]]; then
echo "=> First run"
cp /app/code/env.sh.template /app/data/env.sh
# minio does not show the password login by default when OIDC is setup (https://github.com/minio/minio/discussions/16928)
# we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly)
if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=$(pwgen -1s 20)\n\n" >> /app/data/env.sh
else
echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=minioadmin\n\n" >> /app/data/env.sh
fi
fi
source /app/data/env.sh source /app/data/env.sh
# https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_SERVER_URL # https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_SERVER_URL

14
test/package-lock.json generated
View File

@ -12,7 +12,7 @@
"chromedriver": "^121.0.2", "chromedriver": "^121.0.2",
"expect.js": "^0.3.1", "expect.js": "^0.3.1",
"mocha": "^10.3.0", "mocha": "^10.3.0",
"selenium-webdriver": "^4.17.0", "selenium-webdriver": "^4.18.1",
"superagent": "^8.1.2" "superagent": "^8.1.2"
} }
}, },
@ -1192,9 +1192,9 @@
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
}, },
"node_modules/selenium-webdriver": { "node_modules/selenium-webdriver": {
"version": "4.17.0", "version": "4.18.1",
"resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.17.0.tgz", "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.18.1.tgz",
"integrity": "sha512-e2E+2XBlGepzwgFbyQfSwo9Cbj6G5fFfs9MzAS00nC99EewmcS2rwn2MwtgfP7I5p1e7DYv4HQJXtWedsu6DvA==", "integrity": "sha512-uP4OJ5wR4+VjdTi5oi/k8oieV2fIhVdVuaOPrklKghgS59w7Zz3nGa5gcG73VcU9EBRv5IZEBRhPr7qFJAj5mQ==",
"dependencies": { "dependencies": {
"jszip": "^3.10.1", "jszip": "^3.10.1",
"tmp": "^0.2.1", "tmp": "^0.2.1",
@ -2408,9 +2408,9 @@
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
}, },
"selenium-webdriver": { "selenium-webdriver": {
"version": "4.17.0", "version": "4.18.1",
"resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.17.0.tgz", "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.18.1.tgz",
"integrity": "sha512-e2E+2XBlGepzwgFbyQfSwo9Cbj6G5fFfs9MzAS00nC99EewmcS2rwn2MwtgfP7I5p1e7DYv4HQJXtWedsu6DvA==", "integrity": "sha512-uP4OJ5wR4+VjdTi5oi/k8oieV2fIhVdVuaOPrklKghgS59w7Zz3nGa5gcG73VcU9EBRv5IZEBRhPr7qFJAj5mQ==",
"requires": { "requires": {
"jszip": "^3.10.1", "jszip": "^3.10.1",
"tmp": "^0.2.1", "tmp": "^0.2.1",

View File

@ -12,7 +12,7 @@
"chromedriver": "^121.0.2", "chromedriver": "^121.0.2",
"expect.js": "^0.3.1", "expect.js": "^0.3.1",
"mocha": "^10.3.0", "mocha": "^10.3.0",
"selenium-webdriver": "^4.17.0", "selenium-webdriver": "^4.18.1",
"superagent": "^8.1.2" "superagent": "^8.1.2"
} }
} }

View File

@ -34,7 +34,7 @@ describe('Application life cycle test', function () {
const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' }; const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
let browser, app; let browser, app;
var athenticated_by_oidc = false; let athenticated_by_oidc = false, rootPassword;
let username = process.env.USERNAME; let username = process.env.USERNAME;
let password = process.env.PASSWORD; let password = process.env.PASSWORD;
@ -57,7 +57,10 @@ describe('Application life cycle test', function () {
expect(app).to.be.an('object'); expect(app).to.be.an('object');
} }
async function login(accessKey='minioadmin', secretKey='minioadmin') { async function login(username, password) {
await browser.manage().deleteAllCookies();
await browser.get('about:blank');
await browser.sleep(2000);
await browser.get(`https://${app.fqdn}/login`); await browser.get(`https://${app.fqdn}/login`);
await browser.sleep(2000); await browser.sleep(2000);
@ -68,8 +71,8 @@ describe('Application life cycle test', function () {
await browser.sleep(2000); await browser.sleep(2000);
} }
await waitForElement(By.id('accessKey')); await waitForElement(By.id('accessKey'));
await browser.findElement(By.id('accessKey')).sendKeys(accessKey); await browser.findElement(By.id('accessKey')).sendKeys(username);
await browser.findElement(By.id('secretKey')).sendKeys(secretKey); await browser.findElement(By.id('secretKey')).sendKeys(password);
await browser.findElement(By.xpath('//button[@id="do-login"]')).click(); await browser.findElement(By.xpath('//button[@id="do-login"]')).click();
await waitForElement(By.xpath('//span[contains(text(), "Buckets")]')); await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
await timers.setTimeout(5000); await timers.setTimeout(5000);
@ -134,9 +137,27 @@ describe('Application life cycle test', function () {
expect(response.body.toString('utf8')).to.contain('<Code>AccessDenied</Code>'); expect(response.body.toString('utf8')).to.contain('<Code>AccessDenied</Code>');
} }
async function changeAdminCredentials() {
let data = fs.readFileSync(path.join(__dirname, '../env.sh.template'), 'utf8');
data += '\nexport MINIO_ROOT_USER=minioakey\nexport MINIO_ROOT_PASSWORD=minioskey\n';
fs.writeFileSync('/tmp/env.sh', data);
execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
await timers.setTimeout(10000);
}
async function getAdminCredentials() {
execSync(`cloudron pull --app ${app.id} /app/data/env.sh /tmp/env.sh`, EXEC_ARGS);
const data = fs.readFileSync('/tmp/env.sh', 'utf8');
const m = data.match(/MINIO_ROOT_PASSWORD=(.*)/);
if (!m) throw new Error('Could not detect root password');
rootPassword = m[1].trim();
console.log(`root password is [${rootPassword}]`);
}
xit('build app', function () { execSync('cloudron build', EXEC_ARGS); }); xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
// no SSO // // no SSO
it('install app (no SSO)', async function () { it('install app (no SSO)', async function () {
execSync(`cloudron install --no-sso --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); execSync(`cloudron install --no-sso --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
await timers.setTimeout(10000); await timers.setTimeout(10000);
@ -144,33 +165,25 @@ describe('Application life cycle test', function () {
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin')); it('can admin login', login.bind(null, 'minioadmin', 'minioadmin'));
it('can add bucket', addBucket); it('can add bucket', addBucket);
it('can logout', logout); it('can logout', logout);
it('does redirect', checkRedirect); it('does redirect', checkRedirect);
it('check api', checkApi); it('check api', checkApi);
it('can change Admin credentials', async function () { it('can change admin credentials', changeAdminCredentials);
let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8'); it('can restart app', async function () {
data = data
.replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
.replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey');
fs.writeFileSync('/tmp/env.sh', data);
execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
await timers.setTimeout(10000); await timers.setTimeout(10000);
}); });
it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); }); it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
it('has bucket', checkBucket); it('has bucket', checkBucket);
it('can logout', logout); it('can logout', logout);
it('does redirect', checkRedirect); it('does redirect', checkRedirect);
it('check api', checkApi); it('check api', checkApi);
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
// SSO // SSO
it('install app (SSO)', async function () { it('install app (SSO)', async function () {
execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
@ -178,8 +191,8 @@ describe('Application life cycle test', function () {
}); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can get admin credentials', getAdminCredentials);
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin')); it('can admin login', async function () { await login('minioadmin', rootPassword); });
it('can add bucket', addBucket); it('can add bucket', addBucket);
it('can logout', logout); it('can logout', logout);
it('does redirect', checkRedirect); it('does redirect', checkRedirect);
@ -189,20 +202,14 @@ describe('Application life cycle test', function () {
it('has bucket', checkBucket); it('has bucket', checkBucket);
it('can logout', logout); it('can logout', logout);
it('can change Admin credentials', async function () { it('can change admin credentials', changeAdminCredentials);
let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
data = data it('can restart app', async function () {
.replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
.replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey');
fs.writeFileSync('/tmp/env.sh', data);
execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
await timers.setTimeout(10000); await timers.setTimeout(10000);
}); });
it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); }); it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
it('can Admin login', login.bind(null, 'minioakey', 'minioskey'));
it('has bucket', checkBucket); it('has bucket', checkBucket);
it('can logout', logout); it('can logout', logout);
it('does redirect', checkRedirect); it('does redirect', checkRedirect);
@ -223,7 +230,7 @@ describe('Application life cycle test', function () {
}); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can Admin login', login.bind(null, 'minioakey', 'minioskey')); it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
it('has bucket', checkBucket); it('has bucket', checkBucket);
it('can logout', logout); it('can logout', logout);
@ -241,7 +248,7 @@ describe('Application life cycle test', function () {
}); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can Admin login', login.bind(null, 'minioakey', 'minioskey')); it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
it('has bucket', checkBucket); it('has bucket', checkBucket);
it('can logout', logout); it('can logout', logout);
@ -255,7 +262,7 @@ describe('Application life cycle test', function () {
it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
// test update // test update
it('can install app', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); }); it('can install app for update', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can login', login.bind(null, 'minioadmin', 'minioadmin')); it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
@ -272,7 +279,7 @@ describe('Application life cycle test', function () {
it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); }); it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
it('can get app information', getAppInfo); it('can get app information', getAppInfo);
it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin')); it('can admin login', login.bind(null, 'minioadmin', 'minioadmin'));
it('has bucket', checkBucket); it('has bucket', checkBucket);
it('can logout', logout); it('can logout', logout);