feat: integrate MinIO-backed user filesystem
This commit is contained in:
Codex
@ -0,0 +1,104 @@
|
||||
# User File System MinIO/AuthZ Setup
|
||||
|
||||
The user file system is exposed through Beaver APIs and `user_files_*` tools. MinIO remains an implementation detail.
|
||||
|
||||
The ordinary Files page should only call Beaver's `/api/user-files/*` routes and render the virtual roots `uploads/`, `outputs/`, `shared/`, and `tasks/`. It should not show bucket names, endpoint fields, access keys, secret keys, object prefixes, or MinIO administration actions.
|
||||
|
||||
## AuthZ Settings
|
||||
|
||||
Each backend identity can store MinIO settings in AuthZ:
|
||||
|
||||
```bash
|
||||
curl -X POST "$AUTHZ_URL/backends/$BACKEND_ID/settings/minio" \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: Bearer $AUTHZ_ADMIN_TOKEN" \
|
||||
-d '{
|
||||
"endpoint": "minio.example.internal:9000",
|
||||
"access_key": "user-access-key",
|
||||
"secret_key": "user-secret-key",
|
||||
"bucket": "beaver-user-files",
|
||||
"namespace": "users/{backend_id}",
|
||||
"secure": false,
|
||||
"region": null
|
||||
}'
|
||||
```
|
||||
|
||||
Public reads return masked settings. Internal reads require `AUTHZ_INTERNAL_TOKEN` and return the secret key for protected MCP services.
|
||||
|
||||
Deployed personal files use a shared bucket with a backend-scoped namespace. For backend `alice`, Beaver maps:
|
||||
|
||||
- `uploads/report.pdf` to `users/alice/uploads/report.pdf`
|
||||
- `outputs/summary.md` to `users/alice/outputs/summary.md`
|
||||
- `tasks/task-123/result.json` to `users/alice/tasks/task-123/result.json`
|
||||
|
||||
The MinIO policy for Alice's access key must be limited to `beaver-user-files/users/alice/*`. The frontend must still only show Beaver virtual paths, not the shared bucket or namespace.
|
||||
|
||||
Check the public, masked view:
|
||||
|
||||
```bash
|
||||
curl "$AUTHZ_URL/backends/$BACKEND_ID/settings/minio" \
|
||||
-H "Authorization: Bearer $AUTHZ_ADMIN_TOKEN"
|
||||
```
|
||||
|
||||
Check the internal protected view used by MCP services:
|
||||
|
||||
```bash
|
||||
curl "$AUTHZ_URL/internal/backends/$BACKEND_ID/settings/minio" \
|
||||
-H "Authorization: Bearer $AUTHZ_INTERNAL_TOKEN"
|
||||
```
|
||||
|
||||
## Protected MinIO MCP
|
||||
|
||||
Run the MinIO MCP service in protected mode:
|
||||
|
||||
```bash
|
||||
bw-minio-mcp serve \
|
||||
--host 0.0.0.0 \
|
||||
--port 8001 \
|
||||
--authz-url "$AUTHZ_URL" \
|
||||
--authz-token "$AUTHZ_INTERNAL_TOKEN" \
|
||||
--resource-server-url "$MINIO_MCP_PUBLIC_URL/mcp" \
|
||||
--state-root /var/lib/bw-minio-mcp
|
||||
```
|
||||
|
||||
In protected mode, the MCP service does not use static MinIO credentials at startup. Each authenticated tool call resolves the backend identity from the bearer token, loads that backend's MinIO settings from AuthZ, and constructs a per-call provider.
|
||||
|
||||
Outside protected mode, `bw-minio-mcp serve` requires explicit `--endpoint`, `--access-key`, and `--secret-key` values. It intentionally has no embedded production fallback credentials.
|
||||
|
||||
## Beaver Runtime
|
||||
|
||||
Beaver should register the MinIO MCP endpoint with backend-token auth when raw object tools are needed:
|
||||
|
||||
```json
|
||||
{
|
||||
"tools": {
|
||||
"mcpServers": {
|
||||
"minio_mcp": {
|
||||
"url": "https://minio-mcp.example.internal/mcp",
|
||||
"auth": "oauth_backend_token",
|
||||
"authAudience": "mcp:minio_mcp"
|
||||
}
|
||||
}
|
||||
},
|
||||
"authz": {
|
||||
"baseUrl": "https://authz.example.internal",
|
||||
"backendId": "backend-user-id"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Product-level file interactions should still go through Beaver's user file system:
|
||||
|
||||
- Frontend: `/api/user-files/status`, `/api/user-files/browse`, `/api/user-files/upload`, `/api/user-files/preview`, `/api/user-files/download`, `/api/user-files/delete`, and `/api/user-files/mkdir`.
|
||||
- Agent tools: `user_files_list`, `user_files_read`, `user_files_write`, `user_files_delete`, and `user_files_mkdir`.
|
||||
- Storage boundary: only `uploads/`, `outputs/`, `shared/`, and `tasks/` are valid user paths.
|
||||
|
||||
The local workspace browser APIs and generic filesystem tools are retained for runtime/development compatibility, but they are not the user-visible file boundary.
|
||||
|
||||
## Verification Checklist
|
||||
|
||||
- The Files page root renders exactly `uploads`, `outputs`, `shared`, and `tasks`.
|
||||
- The Files page source does not call `/api/workspace/browse`.
|
||||
- `/api/user-files/status` does not return local workspace paths or MinIO bucket details.
|
||||
- AuthZ public settings responses mask `secret_key`.
|
||||
- Protected `BW_MinIO_Mcp` returns a clear configuration error if a backend has no MinIO settings instead of falling back to another user's credentials.
|
||||
@ -0,0 +1,12 @@
|
||||
# User File System Tooling Boundary
|
||||
|
||||
The `personal-user-filesystem` change adds `user_files_*` tools for files that users can upload, inspect, and receive from agents. These tools enforce the same virtual roots as the web API:
|
||||
|
||||
- `uploads/`
|
||||
- `outputs/`
|
||||
- `shared/`
|
||||
- `tasks/`
|
||||
|
||||
The existing local workspace filesystem tools remain registered for internal runtime and development workflows. They are workspace-scoped, but they are not the user-visible file boundary. Agents should use `user_files_*` tools when reading user-provided files or writing user-facing outputs.
|
||||
|
||||
Follow-up for stronger isolation: add a runtime policy switch that disables or narrows local workspace filesystem tools for ordinary personal-agent tasks, while keeping `user_files_*` available.
|
||||
Reference in New Issue
Block a user