Since release 3.2.0, the MinIO console has been integrated into the platform.

MinIO is an object storage engine that is compatible with the Amazon S3 API. Its main component is the MinIO (MinIO object storage) server, which offers the S3 API and manages physical storage in a distributed manner, forming a cluster of MinIO object storage servers.

In addition, MinIO provides the MinIO Console module to facilitate management of the MinIO cluster (buckets, policies, users...), to let a user browse the directories and files of a bucket through a web UI, and to let other applications integrate via REST API. This module connects to the MinIO Object Storage server and offers all those services without storing anything itself; all management concepts reside in the MinIO Object Storage.

To integrate the MinIO console within the platform's control panel, we had to make a set of technical decisions, mainly derived from the following problems:

  1. The MinIO console web UI is exposed using an http address without a context path (http://minioconsole/). This poses a problem when exposing it to the Internet (within a controlpanel iframe), since you cannot use a proxy_pass on the loadbalancer that redirects to the internal MinIO console endpoint.

  2. MinIO exposes the web console with a set of security headers that prevent the console from being easily integrated into an iframe, so certain headers have to be filtered through an intermediary (NGINX).

  3. The MinIO session cookie is created with the SameSite attribute set to Lax, which prevents it from being used in an iframe, so we have to replace the MinIO cookie with one generated by us from the controlpanel.

  4. The MinIO console has its own menu, meaning that if it is integrated directly into the platform, it can be quite a confusing screen. To avoid this, we have modified the MinIO console code to remove the menu and some other options.

For problem #4, we have chosen to have two MinIO consoles:

  • Minio-browser: Modified MinIO console to remove the menu and other options that allow the users to leave the administration of their bucket. This is the console displayed on the MyFiles page of the controlpanel:

Having modified this console, we now manage its source code, its build, and its release as a container ourselves. Its location in the repository is:

https://gitlab.devops.onesait.com/onesait/platform/engine/onesait-platform/onesait-cloud-platform/-/tree/develop/tools/MinioBrowserConsole

There you can find a README.MD with instructions on what has been changed in the source code, how the front end is compiled, and how the Docker image is generated so that it can later be pushed to the registry: registry.onesaitplatform.com/minio/console

Note: Before modifying the console and testing the image generation, you must:

  1. Install Go

  2. Install node:

    1. sudo apt install nodejs

  3. Install yarn:

    1. sudo apt install npm

    2. sudo npm install -g yarn

With this in place, you can follow the steps described in the README.MD:

  1. Compile the front end: From /console-0.10.1/portal-ui

    1. yarn install

    2. make default or yarn default

To test it locally, once the front end has been compiled, you have to build the project and run it. This is done as follows:

  1. Compile the project: From /console-0.10.1

    1. make install

  2. Test it by starting the console from $HOME/go/bin

    1. export CONSOLE_PBKDF_PASSPHRASE=SECRET

    2. export CONSOLE_PBKDF_SALT=SECRET

    3. export CONSOLE_MINIO_SERVER=http://<minio-server>:<minio-port>

    4. ./console server --port=9001

  • Minio-console: Generic MinIO console. We use the containerized image from the official release of the MinIO console. This is the console that is displayed to administrators when they select the Minio Console button.

Problem #1 is resolved by exposing the MinIO consoles as subdomains instead of through a context path. To do this, we have to add both subdomains to the DNS of the installation or to the hosts file of the PCs that are going to access the console. E.g.:

These subdomains are resolved in the loadbalancer by adding a “server” type entry for each of them. This can be done by adding both files to nginx/conf.d/

Each of them already does the proxy_pass to the corresponding MinIO console service:

For minioadmin-development.onesaitplatform.com

server {
       listen       80;
       server_name  minioadmin-development.onesaitplatform.com;

       location / {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $http_host;

          proxy_hide_header X-XSS-Protection;
          proxy_hide_header X-Frame-Options;
          proxy_hide_header 'Access-Control-Allow-Origin';

          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Credentials' 'true';

          proxy_connect_timeout 500;
          proxy_http_version 1.1;
          proxy_set_header Connection "";
          chunked_transfer_encoding off;

          proxy_pass http://minio-console:9090/;
       }
}

For miniobrowser-development.onesaitplatform.com:

server {
       listen       80;

       server_name  miniobrowser-development.onesaitplatform.com;

       location / {

          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $http_host;
 
          proxy_hide_header X-XSS-Protection;
          proxy_hide_header X-Frame-Options;
          proxy_hide_header 'Access-Control-Allow-Origin';
 
          add_header 'Access-Control-Allow-Origin' '*';
          add_header 'Access-Control-Allow-Credentials' 'true';

          proxy_connect_timeout 500;
          proxy_http_version 1.1;
          proxy_set_header Connection "";
          chunked_transfer_encoding off;

          proxy_pass http://minio-browser:9090/;
       }
}

If needed, add the corresponding include in nginx.conf:

include /usr/local/conf.d/minio-browser-nginx.conf;
include /usr/local/conf.d/minio-console-nginx.conf;

Problem #2 is solved with the header configuration added (we add some and remove others) in the previous step when we create the console server in NGINX.
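
A tighter variant of the header handling above, as an added example that is not the platform's own configuration: with X-Frame-Options stripped, framing is limited to the control panel through a frame-ancestors policy, and the wildcard Access-Control-Allow-Origin (which browsers refuse for credentialed CORS requests) is replaced by an allowlisted origin. The origin https://controlpanel.example.com and the $cors_origin variable are placeholders assumed for illustration.

```nginx
# Added example, not the platform's shipped config.
# Assumption: https://controlpanel.example.com stands in for the real
# control panel origin; $cors_origin is a name chosen for this example.

# map must live in the http context (files in conf.d are normally included there).
# Echo the Origin header back only when it is the allowlisted origin;
# any other origin maps to "", and nginx skips add_header on empty values.
map $http_origin $cors_origin {
    default                             "";
    "https://controlpanel.example.com"  $http_origin;
}

server {
    listen       80;   # same listener as the config above
    server_name  miniobrowser-development.onesaitplatform.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;

        # Current browsers only honour DENY and SAMEORIGIN for
        # X-Frame-Options, so it still has to be removed for the iframe ...
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header 'Access-Control-Allow-Origin';

        # ... and is replaced by a policy that lets only the control panel
        # frame the console.
        add_header Content-Security-Policy "frame-ancestors https://controlpanel.example.com" always;

        # A credentialed CORS response must name one origin, never "*".
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header Vary Origin always;

        proxy_connect_timeout 500;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;

        proxy_pass http://minio-browser:9090/;
    }
}
```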

Problem #3 is solved with code in the ObjectStorageController.java class, where we log in to the MinIO console via REST API and create the session cookie in the browser programmatically.

response.setHeader("Set-Cookie", "token=" + userTokenForCookie + "; Domain=" + this.cookieDomain
        + "; Path=/; Secure; SameSite=None");

It is very important to configure the cookieDomain correctly (this is done through the configuration in Endpoint Modules in the control panel). It must be the parent domain to which the subdomains created for the MinIO consoles belong. Because the cookie is scoped to the parent domain, the browser sends it to every subdomain of that domain, not only to the MinIO consoles.

E.g.: for miniobrowser-development.onesaitplatform.com –> It has to be set to “onesaitplatform.com”

Likewise, the consoles must be exposed securely via HTTPS:
