Skip to content

[question or bug] how to configure tenant to map a oidc user group to a specific policy? #177

Description

@davgia

Hi,

I have the following tenant:

apiVersion: rustfs.com/v1alpha1
kind: Tenant
metadata:
  name: test
  namespace: rustfs
spec:
  buckets:
  - name: shared-files
  credsSecret:
    name: rustfs
  env:
  - name: RUSTFS_IDENTITY_OPENID_ENABLE
    value: "true"
  - name: RUSTFS_IDENTITY_OPENID_CONFIG_URL
    value: https://keycloak.example.com/realms/example/.well-known/openid-configuration
  - name: RUSTFS_IDENTITY_OPENID_SCOPES
    value: openid,profile,email,groups
  - name: RUSTFS_IDENTITY_OPENID_GROUPS_CLAIM
    value: groups
  - name: RUSTFS_IDENTITY_OPENID_USERNAME_CLAIM
    value: preferred_username
  - name: RUSTFS_IDENTITY_OPENID_ROLE_POLICY
    value: consoleAdmin
  - name: RUSTFS_IDENTITY_OPENID_DISPLAY_NAME
    value: Keycloak
  - name: RUSTFS_IDENTITY_OPENID_REDIRECT_URI
    value: https://rustfs.example.com/rustfs/admin/v3/oidc/callback/keycloak
  - name: RUSTFS_IDENTITY_OPENID_CLIENT_ID
    valueFrom:
      secretKeyRef:
        key: client-id
        name: rustfs-oidc
  - name: RUSTFS_IDENTITY_OPENID_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        key: client-secret
        name: rustfs-oidc
  image: REDACTED.dkr.ecr.eu-west-1.amazonaws.com/docker.io/rustfs/rustfs
  imagePullSecret:
    name: aws-ecr-pull-secrets
  mountPath: /data
  policies:
  - document:
      configMapKeyRef:
        key: policy-administrators.json
        name: rustfs-policies
    name: administrators
  - document:
      configMapKeyRef:
        key: policy-maintainers.json
        name: rustfs-policies
    name: maintainers
  - document:
      configMapKeyRef:
        key: policy-developers.json
        name: rustfs-policies
    name: developers
  - document:
      configMapKeyRef:
        key: policy-shared-readwrite.json
        name: rustfs-policies
    name: shared-readwrite
  pools:
  - name: primary
    persistence:
      volumeClaimTemplate:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 64Gi
        storageClassName: nfs-client
      volumesPerServer: 1
    servers: 1
  users:
  - name: shared
    policies:
    - shared-readwrite
status:
  provisioning:
    users:
    - desiredHash: sha256:cc76eeab87ad3727c40d72dfae3025939eeff56f470e6319db9cdde86c4b28b3
      lastTransitionTime: "2026-07-10T20:13:58Z"
      message: 'failed to apply RustFS policy ''maintainers'': upstream returned 400
        Bad Request'
      name: maintainers
      reason: PolicyApplyFailed
      state: Failed

This is my configmap:

apiVersion: v1
data:
  policy-administrators.json: '{"Statement":[{"Action":["s3:*"],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["administrators"]}},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}'
  policy-developers.json: '{"Statement":[{"Action":["s3:GetBucketLocation","s3:ListBucket","s3:GetObject"[],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["developers"]}},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}'
  policy-maintainers.json: '{"Statement":[{"Action":["s3:*"],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["maintainers"[]}},"Effect":"Allow","Resource":"*"},{"Action":["s3:PutBucketPolicy","s3:PutBucketAcl","s3:PutObjectAcl","s3:DeleteObject","s3:DeleteObjectVersion","s3:DeleteBucket"[],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["maintainers"]}},"Effect":"Deny","Resource":"*"}],"Version":"2012-10-17"}'
  policy-shared-readwrite.json: '{"Statement":[{"Action":["s3:*"],"Effect":"Allow","Resource":["arn:aws:s3:::shared-files","arn:aws:s3:::shared-files/**"]}],"Version":"2012-10-17"}'
kind: ConfigMap
metadata:
  labels:
    rustfs.tenant: test
  name: rustfs-policies
  namespace: rustfs

Is the condition supported? Judging from the error it is not. Can I achieve the same result with a different approach supported by rustfs? I would like to avoid manually configuring it from web ui.

Thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions