github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/docs/iam/opa.md

# OPA Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)

OPA is a lightweight general-purpose policy engine that can be co-located with the MinIO server. This document describes how to use the OPA HTTP API to authorize requests. It can be used with any type of credentials (STS-based such as OpenID or LDAP, regular IAM users, or service accounts).

OPA is enabled through MinIO's Access Management Plugin feature.

## Get started

### 1. Start OPA in a container

```sh
podman run -it \
    --name opa \
    --publish 8181:8181 \
    docker.io/openpolicyagent/opa:0.40.0-rootless \
       run --server \
           --log-format=json-pretty \
           --log-level=debug \
           --set=decision_logs.console=true
```

### 2. Create a sample OPA Policy

In another terminal, create a policy that allows the root user all access and denies `PutObject` to all other users:

```sh
cat > example.rego <<EOF
package httpapi.authz

import input

default allow = false

# Allow the root user to perform any action.
allow {
  input.owner == true
}

# All other users may do anything other than call PutObject
allow {
  input.action != "s3:PutObject"
  input.owner == false
}
EOF
```

### 3. Load the policy into OPA

Load the policy via OPA's REST API.

```sh
curl -X PUT --data-binary @example.rego \
  localhost:8181/v1/policies/putobject
```

### 4. Setup MinIO with OPA

Set `MINIO_POLICY_PLUGIN_URL` to the endpoint that MinIO should send authorization requests to. Then start the server.

```sh
export MINIO_POLICY_PLUGIN_URL=http://localhost:8181/v1/data/httpapi/authz/allow
export MINIO_CI_CD=1
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
minio server /mnt/data
```

### 5. Test with a regular IAM user

Ensure that `mc` is installed and configured with the above server under the alias `myminio`.

```sh
# 1. Create a bucket and a user, and upload a file. These operations will succeed.
mc mb myminio/test
mc admin user add myminio foo foobar123
mc cp /etc/issue myminio/test/

# 2. Now access the server as user `foo`. These operations will also succeed.
export MC_HOST_foo=http://foo:foobar123@localhost:9000
mc ls foo/test
mc cat foo/test/issue

# 3. Attempt to upload an object as user `foo` (via the `foo` alias, not the root
#    alias `myminio`) - this will fail with a permissions error.
mc cp /etc/issue foo/test/issue2
```