benfiola / minio-operator-ext


Ability to manage idp ldap policy bindings for user and group #4

Open redtex opened 1 month ago

redtex commented 1 month ago

I have a MinIO tenant configured for LDAP authentication. So, we need to make LDAP user and LDAP group policy bindings.

I think it should be an extension to the MinioPolicyBinding object: add an additional "group" property, which will be an alternative to "user".

benfiola commented 1 month ago

I've created a PR to update the MinioPolicyBinding resource to accept a group field as well - hopefully this covers what's being asked here!

redtex commented 2 weeks ago

Sorry for the late answer - I'm on vacation. Great - group policy for idp ldap can be added and deleted. But when I try to delete a MinioPolicyBinding for an LDAP user, there is an error in the log:

2024-06-19 07:08:42,473 - ERROR - minio_operator_ext.operator - on_policy_binding_delete:minio-hdd-tenant/user-to-policy failed with retryable error: admin request failed; Status: 404, Body: {"Code":"XMinioAdminNoSuchUser","Message":"The specified user does not exist. If you meant a user in LDAP, use `mc idp ldap` (Specified user does not exist. If you meant a user in LDAP please use command under `mc idp ldap`)","Resource":"/minio/admin/v3/idp/builtin/policy/detach","RequestId":"17DA56247588A4C9","HostId":"f61cc7ec9839268967 4268b333f3d51dc3108ea9bad0007bb3e969a03d6a8cf9"}

There is the same error when I try to do it with the mc admin policy detach command. With mc idp ldap policy detach there is no problem. So, in the operator there must rather be logic which detects the kind of idp, or an additional parameter in the MinioPolicyBinding object which indicates what idp is being used - internal, ldap or openid.
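As an added illustration of the dispatch logic proposed in this thread (example code, not part of minio-operator-ext), the snippet below assumes a hypothetical `idp` field on the MinioPolicyBinding spec and maps it to the matching mc detach command; it also classifies the XMinioAdminNoSuchUser error from the log above as a permanent error rather than a retryable one, since retrying the builtin endpoint can never succeed for an LDAP identity.

```python
import json

# Constructed sample: the error body from the operator log in this issue
SAMPLE_ERROR_BODY = (
    '{"Code":"XMinioAdminNoSuchUser","Message":"The specified user does not '
    'exist. If you meant a user in LDAP, use `mc idp ldap`",'
    '"Resource":"/minio/admin/v3/idp/builtin/policy/detach"}'
)


def detach_argv(alias, spec):
    """Build the mc argv that detaches spec['policy'] from a user or group.

    `spec` mirrors a hypothetical MinioPolicyBinding spec extended with an
    "idp" field (assumption: "builtin" when absent). Builtin identities use
    `mc admin policy detach`; LDAP identities need `mc idp ldap policy detach`,
    otherwise MinIO answers 404 XMinioAdminNoSuchUser.
    """
    idp = spec.get("idp", "builtin")
    if idp == "builtin":
        base = ["mc", "admin", "policy", "detach", alias, spec["policy"]]
    elif idp == "ldap":
        base = ["mc", "idp", "ldap", "policy", "detach", alias, spec["policy"]]
    else:
        # openid policy mapping works differently and is out of scope here
        raise ValueError(f"unsupported idp {idp!r}")
    if "user" in spec:
        return base + ["--user", spec["user"]]
    if "group" in spec:
        return base + ["--group", spec["group"]]
    raise ValueError("binding needs either user or group")


def classify_admin_error(status, body):
    """Return (retryable, hint) for a failed MinIO admin request.

    A 404 XMinioAdminNoSuchUser is permanent for the builtin IdP; its message
    is MinIO's own hint that the subject may live in LDAP. Only 5xx responses
    are worth retrying; other 4xx errors are reported as permanent.
    """
    try:
        code = json.loads(body).get("Code", "") if body else ""
    except json.JSONDecodeError:
        code = ""
    if status == 404 and code == "XMinioAdminNoSuchUser":
        return False, "subject may be an LDAP identity; use idp ldap detach"
    if status >= 500:
        return True, "server error"
    return False, code or f"HTTP {status}"
```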