S3 Storage
Data Fabric runs and internally manages a MinIO cluster for S3-compatible blob storage.
It uses MinIO’s Security Token Service (STS) to authenticate users with their JWTs. This lets MinIO identify the user by their principal ID in Keycloak (instead of by a separate access key and secret key), which is needed to authorize the user for access to specific objects.
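The token exchange described above, shown as an added example (not Data Fabric's own code). It assumes the exchange is MinIO's standard AssumeRoleWithWebIdentity STS call; the sample JWT, principal ID and STS response are constructed values.

```python
import base64, json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample inputs (not real tokens or credentials).
SAMPLE_JWT = ".".join([b64url({"alg": "RS256"}),
                       b64url({"sub": "constructed-principal-id", "exp": 4102444800}),
                       "constructed-signature"])
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult><Credentials>
<AccessKeyId>CONSTRUCTEDKEY</AccessKeyId><SecretAccessKey>constructed-secret</SecretAccessKey>
<SessionToken>constructed-session-token</SessionToken><Expiration>2100-01-01T00:00:00Z</Expiration>
</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying it (for display only).
    MinIO performs the real signature validation against Keycloak."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_sts_request(token, duration_seconds=3600):
    """Request parameters that trade the user's JWT for temporary S3 credentials."""
    return urlencode({"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
                      "WebIdentityToken": token, "DurationSeconds": str(duration_seconds)})

def parse_sts_response(xml_text, now=None):
    """Extract the temporary credentials; reject ones that have already expired."""
    creds = ET.fromstring(xml_text).find(".//sts:Credentials", STS_NS)
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {child.tag.split("}")[1]: child.text for child in creds}
    expiry = datetime.fromisoformat(out["Expiration"].replace("Z", "+00:00"))
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("temporary credentials already expired")
    out["Expiration"] = expiry
    return out

if __name__ == "__main__":
    print("principal:", jwt_claims(SAMPLE_JWT)["sub"])
    print("request  :", build_sts_request(SAMPLE_JWT, 900)[:60], "...")
    print("expires  :", parse_sts_response(SAMPLE_RESPONSE)["Expiration"])
```

The returned access key, secret key and session token are short-lived and tied to the `sub` claim of the JWT, so no long-term S3 keys need to be issued per user.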
For authorization decisions, MinIO defers to Open Policy Agent (OPA) on a per-object basis. This is where security policies are applied, such as classification access controls.
See Clients for getting connected.