Security

Configuring Minio for DC/OS access

Prerequisites

Provisioning a service account

This section describes how to configure DC/OS access for Minio. Depending on your security mode, Minio may require service authentication for access to DC/OS.

Security mode   Service account
Disabled        Not available
Permissive      Optional
Strict          Required

If you install a service in permissive mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.

Prerequisites:

Create a Key Pair

In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

dcos security org service-accounts keypair <private-key>.pem <public-key>.pem

NOTE: You can use the DC/OS Secret Store to secure the key pair.

Create a Service Account

From a terminal prompt, create a new service account (e.g. minio) containing the public key (<your-public-key>.pem).

dcos security org service-accounts create -p <your-public-key>.pem -d "Minio" minio

You can verify your new service account using the following command.

dcos security org service-accounts show minio

Create a Secret

Create a secret (miniod/<secret-name>) containing the private key (<private-key>.pem) for your service account (again, e.g. minio).

NOTE: If you store your secret in a path that matches the service name, for example, service name and secret path are both minio, then only the service named minio can access it.

Permissive

dcos security secrets create-sa-secret <private-key>.pem minio minio/<secret-name>

Strict

dcos security secrets create-sa-secret --strict <private-key>.pem minio miniod/<secret-name>

You can list the secrets with this command:

dcos security secrets list /

Prerequisites

Configure Transport Encryption

Set up the service account

Grant the service account the correct permissions.

  • In DC/OS 1.10, the required permission is dcos:superuser full.
  • In DC/OS 1.11 and later, the required permissions are:
      dcos:secrets:default:/<service name>/* full
      dcos:secrets:list:default:/<service name> read
      dcos:adminrouter:ops:ca:rw full
      dcos:adminrouter:ops:ca:ro full

where <service name> is the name of the service to be installed.

Run the following DC/OS Enterprise CLI commands to set permissions for the service account on a strict cluster:

dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:task:app_id:<service/name> create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:reservation:principal:dev_hdfs create
dcos security org users grant ${SERVICE_ACCOUNT} dcos:mesos:master:volume:principal:dev_hdfs create

Install the service

Install the DC/OS Minio service including the following options in addition to your own:

{
    "service": {
        "service_account": "<your service account name>",
        "service_account_secret": "<full path of service secret>",
        "security": {
            "transport_encryption": {
                "enabled": true
            }
        }
    }
}
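The steps above (key pair, service account, secret, permission grants, install options) are tied together by one value, the service name, which appears in the secret path, in the DC/OS 1.11+ permission strings and in the install options. The following added example (not part of the DC/OS Minio documentation or the dcos CLI; the function names are this example's own) renders the grant commands and the options document for a given service name and checks the two points that matter for least privilege: the secret path is scoped under the service name, as the note above describes, and transport encryption is enabled. It only produces text; it does not contact a cluster.

```python
from typing import Dict, List, Tuple

# Permissions the page lists for DC/OS 1.11 and later; the <service name>
# placeholder is filled in per service by required_permissions().
PERMISSIONS_1_11: List[Tuple[str, str]] = [
    ("dcos:secrets:default:/<service name>/*", "full"),
    ("dcos:secrets:list:default:/<service name>", "read"),
    ("dcos:adminrouter:ops:ca:rw", "full"),
    ("dcos:adminrouter:ops:ca:ro", "full"),
]


def required_permissions(service_name: str, dcos_version: str) -> List[Tuple[str, str]]:
    """(resource, action) pairs the service account needs on this DC/OS version."""
    major, minor = (int(part) for part in dcos_version.split(".")[:2])
    if (major, minor) < (1, 11):
        # DC/OS 1.10 only offers the blanket superuser permission.
        return [("dcos:superuser", "full")]
    return [(resource.replace("<service name>", service_name), action)
            for resource, action in PERMISSIONS_1_11]


def grant_commands(service_account: str, service_name: str, dcos_version: str) -> List[str]:
    """Render the `dcos security org users grant` lines for the account."""
    return [f"dcos security org users grant {service_account} {resource} {action}"
            for resource, action in required_permissions(service_name, dcos_version)]


def secret_path(service_name: str, secret_name: str) -> str:
    """Place the secret under the service name so only that service can read it."""
    return f"{service_name}/{secret_name}"


def service_options(service_account: str, secret: str) -> Dict:
    """The options document passed to the Minio package install."""
    return {"service": {
        "service_account": service_account,
        "service_account_secret": secret,
        "security": {"transport_encryption": {"enabled": True}},
    }}


def check_options(options: Dict, service_name: str) -> List[str]:
    """Return problems with an options document; an empty list means it looks right."""
    problems: List[str] = []
    svc = options.get("service", {})
    if not svc.get("service_account"):
        problems.append("service_account is empty")
    secret = svc.get("service_account_secret", "")
    if not secret.startswith(service_name + "/"):
        problems.append(f"secret {secret!r} is not under {service_name}/, "
                        "so it is not restricted to this service")
    tls = svc.get("security", {}).get("transport_encryption", {})
    if tls.get("enabled") is not True:
        problems.append("transport_encryption.enabled is not true")
    return problems


if __name__ == "__main__":
    # Constructed sample values: service account and service are both "minio".
    for line in grant_commands("minio", "minio", "1.11"):
        print(line)
    opts = service_options("minio", secret_path("minio", "minio-secret"))
    print(check_options(opts, "minio") or "options OK")
```

Run it once with the version you are installing on and paste the printed grant lines into the CLI; the `check_options` result is what to look at before writing the options file.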

Accessing the Minio web interface with Edge-LB TLS configuration

Prerequisites for Edge-LB with TLS configuration

  1. DC/OS cluster with Service account and Service account secret configured.

  2. Minio service installed with TLS enabled.

Steps

For Edge-LB pool configuration:

  1. Add the Edge-LB-aws package repository.

    dcos package repo add --index=0 edgelb-aws https://edge-lb-infinity-artifacts.s3.amazonaws.com/autodelete7d/master/edgelb/stub-universe-edgelb.json
    
  2. Add the Edge-LB-Pool-aws package repository.

    dcos package repo add --index=0 edgelb-pool-aws https://edge-lb-infinity-artifacts.s3.amazonaws.com/autodelete7d/master/edgelb-pool/stub-universe-edgelb-pool.json
    
  3. Install the Edge-LB package:

    dcos package install edgelb --yes
    
  4. Create the configuration JSON file with the parameters required to reach DC/OS Minio (the request rewrite options belong inside rewriteHttp):

    {
      "apiVersion": "V2",
      "name": "minio",
      "count": 1,
      "autoCertificate": true,
      "haproxy": {
        "frontends": [
          {
            "bindPort": 9001,
            "protocol": "HTTPS",
            "certificates": [
              "$AUTOCERT"
            ],
            "linkBackend": {
              "defaultBackend": "miniodemo"
            }
          }
        ],
        "backends": [
          {
            "name": "miniodemo",
            "protocol": "HTTPS",
            "rewriteHttp": {
              "host": "miniod.miniodemo.l4lb.thisdcos.directory",
              "request": {
                "forwardfor": true,
                "xForwardedPort": true,
                "xForwardedProtoHttpsIfTls": true,
                "setHostHeader": true,
                "rewritePath": true
              }
            },
            "services": [
              {
                "endpoint": {
                  "type": "ADDRESS",
                  "address": "miniod.miniodemo.l4lb.thisdcos.directory",
                  "port": 9000
                }
              }
            ]
          }
        ]
      }
    }
    
    
  5. Create edge-pool using the JSON file created in the preceding step:

    dcos edgelb create edgelb-pool-config.json
    
  6. Access Minio at:

    https://<Public IP of the Public Node of the cluster>:9001/minio
    

    The Minio server can also be accessed using the Minio client by registering it with the Minio server. To register a Minio client, specify the public IP of the public agent running Edge-LB.

    Figure 1. - Minio browser (with TLS)

    For more details on the Minio Client, refer to the link: minio-client-complete-guide
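Edge-LB only reports a bad pool configuration after `dcos edgelb create` has been run, so it is worth checking the file first. The following added example (not Edge-LB's own schema validation and not part of the DC/OS Minio documentation; `validate_pool` and the other names are this example's own) encodes the constraints that the pool configuration above relies on: every frontend must link to a backend that is defined, an HTTPS frontend needs a certificate, `$AUTOCERT` is only meaningful with `autoCertificate` set, and each backend needs a usable service endpoint. The sample pool is the page's configuration reproduced as a Python literal, plus a constructed broken copy that points at a backend name that does not exist.

```python
import copy
import json
from typing import Dict, List

# The page's Edge-LB pool configuration, reproduced as a Python literal so the
# check runs offline.
PAGE_POOL: Dict = {
    "apiVersion": "V2",
    "name": "minio",
    "count": 1,
    "autoCertificate": True,
    "haproxy": {
        "frontends": [
            {
                "bindPort": 9001,
                "protocol": "HTTPS",
                "certificates": ["$AUTOCERT"],
                "linkBackend": {"defaultBackend": "miniodemo"},
            }
        ],
        "backends": [
            {
                "name": "miniodemo",
                "protocol": "HTTPS",
                "rewriteHttp": {
                    "host": "miniod.miniodemo.l4lb.thisdcos.directory",
                    "request": {
                        "forwardfor": True,
                        "xForwardedPort": True,
                        "xForwardedProtoHttpsIfTls": True,
                        "setHostHeader": True,
                        "rewritePath": True,
                    },
                },
                "services": [
                    {
                        "endpoint": {
                            "type": "ADDRESS",
                            "address": "miniod.miniodemo.l4lb.thisdcos.directory",
                            "port": 9000,
                        }
                    }
                ],
            }
        ],
    },
}


def validate_pool(pool: Dict) -> List[str]:
    """Return the problems found in an Edge-LB V2 pool config (empty list = OK)."""
    problems: List[str] = []
    if pool.get("apiVersion") != "V2":
        problems.append(f"unexpected apiVersion {pool.get('apiVersion')!r}")
    haproxy = pool.get("haproxy", {})
    backends = {b.get("name"): b for b in haproxy.get("backends", [])}

    for fe in haproxy.get("frontends", []):
        label = f"frontend :{fe.get('bindPort')}"
        target = fe.get("linkBackend", {}).get("defaultBackend")
        if target not in backends:
            problems.append(f"{label} links to unknown backend {target!r}")
        if fe.get("protocol") == "HTTPS":
            certs = fe.get("certificates", [])
            if not certs:
                problems.append(f"{label} is HTTPS but lists no certificates")
            elif "$AUTOCERT" in certs and pool.get("autoCertificate") is not True:
                problems.append(f"{label} uses $AUTOCERT but autoCertificate is not true")

    for name, be in backends.items():
        services = be.get("services", [])
        if not services:
            problems.append(f"backend {name!r} has no services")
        for svc in services:
            ep = svc.get("endpoint", {})
            if ep.get("type") == "ADDRESS" and not (ep.get("address") and ep.get("port")):
                problems.append(f"backend {name!r} has an ADDRESS endpoint without address/port")
    return problems


def broken_pool() -> Dict:
    """Constructed negative case: the frontend names a backend that is not defined."""
    pool = copy.deepcopy(PAGE_POOL)
    pool["haproxy"]["frontends"][0]["linkBackend"]["defaultBackend"] = "minio-demo"
    return pool


def render(pool: Dict) -> str:
    """Serialize the pool to the JSON text given to `dcos edgelb create`."""
    return json.dumps(pool, indent=2)


if __name__ == "__main__":
    for label, pool in (("page config", PAGE_POOL), ("broken config", broken_pool())):
        print(label, "->", validate_pool(pool) or "OK")
```

Write `render(PAGE_POOL)` to the file you pass to `dcos edgelb create` only when `validate_pool` returns an empty list; a typo in a backend name is otherwise only visible once the pool is already running.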

Installing the service

  1. Install the DC/OS Minio Service, including the following options in addition to your own:

    {
      "service": {
        "service_account": "<your service account name>",
        "service_account_secret": "<full path of service secret>",
        "security": {
          "tls_ssl": {
            "enabled": true
          }
        }
      }
    }
    

    Figure 2. - TLS service view

  2. The Running stage view displays the progress of your installation.

    Figure 3. - Running stage view

  3. Verify your installation by viewing the log:

    Figure 4. - Successful execution