Back to microservices with Istio. Part 3


Translator's note: The first part of this series was devoted to introducing Istio's capabilities and showing them in action, the second to fine-grained routing and network traffic management. Now we will talk about security: to demonstrate the basic functions related to it, the author uses the Auth0 identity service, but other providers can be set up in a similar way.

We set up a Kubernetes cluster in which we deployed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.

With Istio we were able to keep our services small because they do not need to implement layers such as Retries, Timeouts, Circuit Breakers, Tracing and Monitoring. In addition, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this new material we deal with the final layers on the road to business value: authentication and authorization, and in Istio this is a real pleasure!

Authentication and authorization in Istio

I never believed that I would be inspired by authentication and authorization. What can Istio offer technically to make these topics enjoyable and, even more so, inspiring to you?

The answer is simple: Istio shifts the responsibility for these capabilities from your services to the Envoy proxy. By the time requests reach the services, they have already been authenticated and authorized, so all that remains for you is to write useful business code.

Sounds good? Let's look inside!

Authentication with Auth0

As the server for identity and access management we will use Auth0, which has a trial version, is intuitive to use, and I simply like it. However, the same principles can be applied to any other OpenID Connect implementation: KeyCloak, IdentityServer and others.

First, go to the Auth0 Portal with your account, create a tenant (a tenant is an isolated group of users; see the documentation for details - translator's note) and go to Applications > Default App, choosing the domain, as shown in the screenshot below:


Specify this domain in the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

With such a resource, Pilot (one of the three core components of the Control Plane in Istio - translator's note) configures Envoy to authenticate requests before forwarding them to the sa-web-app and sa-feedback services. At the same time, the policy is not applied to the sidecar of the sa-frontend service, which lets us leave the frontend without authentication. To apply the Policy, run the command:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Return to the page and make a request: you will see that it ends with the status 401 Unauthorized. Now let's redirect frontend users to authenticate with Auth0.

Authenticating requests with Auth0

To authenticate end-user requests, you need to create an API in Auth0 that will represent the authenticated services (reviews, details and ratings). To create an API, go to Auth0 Portal > APIs > Create API and fill in the form:


The important piece of information here is the Identifier, which we will use later in the scripts. Let's write it down as follows:

  • audience: {YOUR_AUDIENCE}

The rest of the information we need is in the Auth0 Portal in the Applications section: select Test Application (created automatically together with the API).

Here we write down:

  • domain: {YOUR_DOMAIN}
  • Client Id: {YOUR_CLIENT_ID}

Scroll in Test Application to the text field Allowed Callback URLs, where we specify the URL to which the call should be redirected after authentication completes. In our case it is:

http://{EXTERNAL_IP}/callback

And for Allowed Logout URLs add:

http://{EXTERNAL_IP}/logout

Let's move on to the frontend.

Updating the frontend

Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code is changed to redirect users to Auth0 for authentication and to use the JWT token in requests to the other services. The latter is implemented as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To change the frontend to use the data of our Auth0 tenant, open sa-frontend/src/services/Auth.js and replace in it the values we wrote down above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain:'{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // Used for the redirect after authentication
}

The application is ready. Specify your Docker ID in the commands below when building and deploying the changes made:

$ docker build -f sa-frontend/Dockerfile \
    -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
    sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
    sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the app! You will be redirected to Auth0, where you need to log in (or sign up), after which you will be returned to the page with the requests already authenticated. If you try the commands mentioned in the first parts of the article with curl, you will get a 401 status code, indicating that the request is not authorized.

Let's take the next step: authorizing requests.

Authorization with Auth0

Authentication lets us understand who the user is, but authorization is needed to know what they have access to. Istio provides tools for this as well.

As an example, let's create two groups of users (see the diagram below):

  • Users - with access only to the SA-WebApp and SA-Frontend services;
  • Moderators - with access to all three services.

Figure: Authorization policy

To create these groups we will use the Auth0 Authorization extension, and use Istio to give them different levels of access.

Installing and configuring the Auth0 Authorization extension

In the Auth0 portal, go to Extensions and install Auth0 Authorization. After installation, go to the Authorization extension, and from there to the tenant configuration by clicking in the top right corner and choosing the corresponding menu item (Configuration). Enable Groups and click the Publish Rule button.


Creating groups

In the Authorization extension go to Groups and create the Moderators group. Since we will treat all authenticated users as regular users, there is no need to create an additional group for them.

Select the Moderators group, click Add Members and add your main account. Leave some users without any group to verify that they are denied access. (New users can be created manually via Auth0 Portal > Users > Create User.)

Adding the group claim to the Access Token

Users have been added to groups, but this information must also be reflected in the access tokens. To stay compliant with OpenID Connect and at the same time return the groups we need, the token will need a custom claim of its own. This is implemented through Auth0 rules.

To create a rule, go to Rules in the Auth0 Portal, click Create Rule and choose the empty rule from the templates.


Copy the code below and save it as a new rule, Add Group Claim (namespacedGroup.js):

function (user, context, callback) {
    // Copy the user's first group (populated by the Authorization extension rule)
    // into the access token as a namespaced custom claim.
    context.accessToken['https://sa.io/group'] = user.groups[0];
    return callback(null, user, context);
}

Note: This code takes the first group of the user defined in the Authorization extension and adds it to the access token as a custom claim (under a namespaced name, as Auth0 requires).

Return to the Rules page and check that you have two rules listed in the following order:

  • auth0-authorization-extension
  • Add Group Claim

The order matters because the groups field is populated by the auth0-authorization-extension rule and only after that is added as a claim by the second rule. The result is an access token like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [truncated for clarity]
}

Now you need to configure the Envoy proxy to check the user's access, for which the group will be extracted from the claim (https://sa.io/group) in the returned access token. This is the subject of the next section of the article.

Configuring authorization in Istio

For authorization to work, you must enable RBAC for Istio. To do this we will use the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanation:

  • 1 - enable RBAC only for the services and namespaces listed in the inclusion field;
  • 2 - we list our services.

Let's apply the configuration with the following command:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All services now require Role-Based Access Control. In other words, access to all services is forbidden and will result in the response RBAC: access denied. Now let's allow access for authorized users.

Configuring access for regular users

All users must have access to the SA-Frontend and SA-WebApp services. This is implemented with the following Istio resources:

  • ServiceRole - defines the rights a user has;
  • ServiceRoleBinding - defines who this ServiceRole belongs to.

For regular users we will allow access to certain services (servicerole.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And through regular-user-binding we apply the ServiceRole to all site visitors (regular-user-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users will also get access to SA WebApp? No, the policy will check the validity of the JWT token.

Let's apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Configuring access for moderators

For moderators we want to allow access to all services (mod-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want such rights only for those users whose access token contains the claim https://sa.io/group with the value Moderators (mod-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Let's apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because of caching in the sidecars, it may take a couple of minutes before the authorization rules take effect. You can then verify that regular users and moderators have different levels of access.
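Before the rules propagate, it helps to know exactly which outcome each request should get. The added example below (not code from the article or from Istio; an educational model, not Istio's evaluator) transcribes the RbacConfig, the two ServiceRoles and the two ServiceRoleBindings into JavaScript objects, adds the JWT Policy targets from the authentication section, and decides allow, 401 or RBAC: access denied for a request described by its service, path, method and verified JWT claims. The sample subjects and paths are constructed.

```javascript
// Added example, not code from the original article or from Istio: an
// educational model of how the RbacConfig, ServiceRole and ServiceRoleBinding
// resources above, together with the JWT Policy from the authentication
// section, turn one request into "allow", "401 Unauthorized" or
// "RBAC: access denied". Resources are transcribed from the article's YAML;
// attribute names follow Istio's request.auth.claims[...] convention.
const FRONTEND = 'sa-frontend.default.svc.cluster.local';
const WEB_APP = 'sa-web-app.default.svc.cluster.local';
const FEEDBACK = 'sa-feedback.default.svc.cluster.local';

const JWT_POLICY_TARGETS = [WEB_APP, FEEDBACK];   // targets of auth-policy.yaml
const RBAC_CONFIG = { mode: 'ON_WITH_INCLUSION', inclusion: { services: [FRONTEND, WEB_APP, FEEDBACK] } };
const SERVICE_ROLES = {
  'regular-user': [{ services: [FRONTEND, WEB_APP], paths: ['*'], methods: ['*'] }],
  'mod-user': [{ services: ['*'], paths: ['*'], methods: ['*'] }],
};
const BINDINGS = [
  { role: 'regular-user', subjects: [{ user: '*' }] },
  { role: 'mod-user', subjects: [{ properties: { 'request.auth.claims[https://sa.io/group]': 'Moderators' } }] },
];

// "*" matches anything, "prefix*" is a prefix match, anything else is an exact match.
function matches(pattern, value) {
  if (pattern === '*') return true;
  if (typeof value !== 'string') return false;
  if (pattern.endsWith('*')) return value.startsWith(pattern.slice(0, -1));
  return pattern === value;
}

// A subject matches when its user pattern and every listed property match the request.
function subjectMatches(subject, attrs) {
  if (subject.user !== undefined && !matches(subject.user, attrs.user)) return false;
  return Object.entries(subject.properties || {}).every(([key, want]) => attrs[key] === want);
}

function ruleMatches(rule, req) {
  return rule.services.some((s) => matches(s, req.service))
    && rule.paths.some((p) => matches(p, req.path))
    && rule.methods.some((m) => matches(m, req.method));
}

// req = { service, path, method, claims }; claims are the verified JWT claims,
// or null when the request carried no valid token.
function authorize(req) {
  // 1. Authentication: the JWT Policy rejects token-less requests to its targets
  //    before RBAC ever sees them; sa-frontend has no such policy.
  if (JWT_POLICY_TARGETS.includes(req.service) && !req.claims) return '401 Unauthorized';
  // 2. Is RBAC enforced for this service at all?
  const enforced = RBAC_CONFIG.mode === 'ON_WITH_INCLUSION'
    ? RBAC_CONFIG.inclusion.services.includes(req.service)
    : RBAC_CONFIG.mode === 'ON';
  if (!enforced) return 'allow';
  // 3. Build the attribute set a binding can test: the principal plus every claim.
  const attrs = { user: req.claims ? req.claims.sub : undefined };
  for (const [k, v] of Object.entries(req.claims || {})) attrs[`request.auth.claims[${k}]`] = v;
  // 4. Any binding whose subject matches grants its role's rules; otherwise deny.
  for (const binding of BINDINGS) {
    if (!binding.subjects.some((s) => subjectMatches(s, attrs))) continue;
    if (SERVICE_ROLES[binding.role].some((r) => ruleMatches(r, req))) return 'allow';
  }
  return 'RBAC: access denied';
}
```

The decision table this produces is the one the article promises: a token without the group claim reaches sa-web-app but is denied at sa-feedback, a Moderators token reaches all three services, a request with no token is stopped with 401 before authorization runs for sa-web-app and sa-feedback, and sa-frontend stays open.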

Conclusions on this part

Honestly, have you ever seen a simpler, more effortless, scalable and secure approach to authentication and authorization?

Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) are needed to achieve fine-grained control over the authentication and authorization of end-user access to services.

In addition, we moved these concerns out of the code of our services, achieving:

  • a reduction in the amount of code that could contain security issues and bugs;
  • a reduction in the number of silly situations in which one endpoint turns out to be reachable from outside and someone forgot to report it;
  • elimination of the need to update all services every time a new role or permission is added;
  • that new services remain simple, secure and fast.

Conclusion

Istio lets teams focus their resources on business-critical tasks without adding overhead to the services, returning them to a truly micro size.

The article (in three parts) provided the basic knowledge and practical preparation for getting started with Istio in real projects.

Source: www.habr.com