Back to microservices with Istio. Part 3


Translator's note: The first part of this series was devoted to getting acquainted with Istio's capabilities and demonstrating them in action, the second to fine-grained routing and network traffic management. Now we turn to security: to demonstrate its basic functions, the author uses the Auth0 identity service, but other providers can be configured in the same way.

We have set up a Kubernetes cluster in which we installed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.

With Istio we were able to keep our services small, since they no longer need to implement mechanisms such as retries, timeouts, circuit breakers, tracing and monitoring. On top of that, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this new installment we cover the final steps on the road to business value: authentication and authorization, and in Istio this is a real pleasure!

Authentication and authorization in Istio

I never thought I'd be inspired by authentication and authorization. What can Istio offer from a technical standpoint to make these topics fun and, even more, inspiring for you?

The answer is simple: Istio moves responsibility for these capabilities out of your services and into the Envoy proxies. By the time requests reach the services, they have already been authenticated and authorized, so all you have to do is write code that delivers business value.

Sounds good? Let's look inside!

Authentication with Auth0

As the identity and access management server we will use Auth0, which has a trial version, is intuitive to use, and which I simply like. However, the same principles can be applied to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.

First, log in to the Auth0 Portal with your account, create a tenant (a tenant is a unit of isolation; see the documentation for details, translator's note) and go to Applications > Default App, where you will find the Domain, as shown in the screenshot below:

[Screenshot: Default App in the Auth0 Portal, showing the Domain]

Specify it in the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

With this resource, Pilot (one of the three basic Control Plane components in Istio, translator's note) configures Envoy to authenticate requests before forwarding them to the services sa-web-app and sa-feedback. At the same time, the configuration does not apply to the Envoy proxies of the sa-frontend service, which lets us leave the frontend unauthenticated. To apply the Policy, run the command:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Go back to the page and make a request: you will see that it ends with status 401 Unauthorized. Now let's redirect frontend users to authenticate with Auth0.

Authenticating requests with Auth0

To authenticate end-user requests, you need to create an API in Auth0 that will represent the authenticated services (reviews, details, and ratings). To create the API, go to Auth0 Portal > APIs > Create API and fill out the form:

[Screenshot: the Create API form in the Auth0 Portal]

The important piece of data here is the Identifier, which we will use later in the article. Let's write it down as:

  • Audience: {YOUR_AUDIENCE}

The remaining details we need are located in the Auth0 Portal in the Applications section; select Test Application (created automatically together with the API).

Here we write down:

  • Domain: {YOUR_DOMAIN}
  • Client ID: {YOUR_CLIENT_ID}

Scroll down in Test Application to the Allowed Callback URLs field, where we specify the URL the user should be sent back to after authentication completes. In our case it is:

http://{EXTERNAL_IP}/callback

And for Allowed Logout URLs add:

http://{EXTERNAL_IP}/logout

Let's move on to the frontend.

Frontend update

Switch to the auth0 branch of the [istio-mastery] repository. In this branch, the frontend code has been changed so that users are redirected to Auth0 for authentication and the JWT token is sent in requests to the other services. The latter is implemented as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To make the frontend use the tenant data in Auth0, open sa-frontend/src/services/Auth.js and replace in it the values we wrote down above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain:'{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // Used for the redirect after authentication
}

The application is ready. Specify your Docker ID in the commands below when building and deploying the changes:

$ docker build -f sa-frontend/Dockerfile \
    -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
    sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
    sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the app! You will be redirected to Auth0, where you need to log in (or sign up), after which you are sent back to the page, where authenticated requests will now be made. If you try the curl commands mentioned in the first parts of the article, you will get a 401 status code, indicating that the request is not authorized.

Let's take the next step: authorizing requests.

Authorization with Auth0

Authentication lets us find out who the user is, but for authorization we need to know what they have access to. Istio offers tools for this too.

As an example, let's create two groups of users (see the diagram below):

  • Users, with access only to the SA-WebApp and SA-Frontend services;
  • Moderators, with access to all three services.

[Diagram: authorization concept]

To create these groups we will use the Auth0 Authorization extension, and then use Istio to give them different levels of access.

Installing and configuring Auth0 Authorization

In the Auth0 portal, go to Extensions and install Auth0 Authorization. After installation, open the Authorization Extension and go to the tenant configuration by clicking at the top right and selecting the corresponding menu item (Configuration). Enable Groups and click the Publish rule button.


Creating a group

In the Authorization Extension go to Groups and create a Moderators group. Since we will treat all authenticated users as regular users, there is no need to create a separate group for them.

Select the Moderators group, click Add Members and add your primary account. Leave some users without any group to verify that they are denied access. (New users can be created manually at Auth0 Portal > Users > Create User.)

Adding the group claim to the access token

Users have been added to groups, but this information must also be reflected in the access tokens. To stay OpenID Connect compliant and at the same time return the groups we need, a custom claim must be added to the token. This is done with Auth0 rules.

To create a rule, go to Rules in the Auth0 Portal, click Create Rule and select the empty rule from the templates.


Copy the code below and save it as a new rule named Add Group Claim (namespacedGroup.js):

function (user, context, callback) {
    // Copy the user's first group (populated by the auth0-authorization-extension
    // rule, which must run before this one) into the access token as a namespaced claim.
    context.accessToken['https://sa.io/group'] = user.groups[0];
    return callback(null, user, context);
}

Note: this code takes the first group of the user listed in the Authorization Extension and adds it to the access token as a custom claim (under its own namespace, as Auth0 requires).

Go back to the Rules page and check that you have the two rules listed in this order:

  • auth0-authorization-extension
  • Add Group Claim

The order matters because the groups field is populated asynchronously by the auth0-authorization-extension rule and only then added as a claim by the second rule. The result is an access token like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [truncated for brevity]
}
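The dependence on rule order is easy to reproduce locally. The following is an added example, not code from the article or the istio-mastery repository: a small harness that chains rules the way Auth0 does (each rule receives the user and context the previous one passed to its callback) and runs the Add Group Claim rule both after and before a stand-in for the auth0-authorization-extension rule. The group directory, the user ids and the stand-in rule are constructed here; the Add Group Claim rule carries one added guard so that a user in no group gets no claim rather than an undefined value.

```javascript
// Added example: an in-memory model of the Auth0 rules pipeline, written to show
// why the rule order above matters. Not code from the article or the
// istio-mastery repository; the group directory, the extension stand-in and the
// user ids are constructed here.
const GROUP_CLAIM = 'https://sa.io/group';

// Constructed group memberships, standing in for the Authorization Extension's store.
const GROUP_DIRECTORY = {
  'google-oauth2|constructed-moderator': ['Moderators'],
  'google-oauth2|constructed-regular': [],
};

// Stand-in for the auth0-authorization-extension rule: it looks up the user's
// groups and copies them onto the user object before calling back.
function authorizationExtensionRule(user, context, callback) {
  user.groups = GROUP_DIRECTORY[user.user_id] || [];
  return callback(null, user, context);
}

// The "Add Group Claim" rule from the article, with one guard added: a user in
// no group gets no claim instead of an undefined value.
function addGroupClaimRule(user, context, callback) {
  if (Array.isArray(user.groups) && user.groups.length > 0) {
    context.accessToken[GROUP_CLAIM] = user.groups[0];
  }
  return callback(null, user, context);
}

// Auth0 runs rules one after another, each receiving the user and context the
// previous rule handed to its callback; this harness chains them the same way.
function runRules(rules, user, context) {
  let result = null;
  const step = (i) => (err, u, c) => {
    if (err) throw err;
    if (i === rules.length) { result = c.accessToken; return; }
    rules[i](u, c, step(i + 1));
  };
  step(0)(null, user, context);
  return result;
}

// Returns the claims the access token would carry for the given user id.
function issueAccessToken(userId, rules) {
  const user = { user_id: userId };
  const context = { accessToken: { iss: 'https://{YOUR_DOMAIN}/', sub: userId } }; // placeholder issuer
  return runRules(rules, user, context);
}

const IN_ORDER = [authorizationExtensionRule, addGroupClaimRule];
const REVERSED = [addGroupClaimRule, authorizationExtensionRule];
```

Run `issueAccessToken('google-oauth2|constructed-moderator', IN_ORDER)` and the token carries `"https://sa.io/group": "Moderators"`; run the same user through `REVERSED` and the claim is absent, because the groups had not been loaded when the claim rule executed. That silent absence is the failure mode to watch for: the Istio binding later in the article matches on the claim's value, so a token without the claim is simply treated as a regular user.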

Now you need to configure the Envoy proxies to check user access, for which the group will be taken from the claim (https://sa.io/group) in the returned access token. This is the topic of the next section of the article.

Configuring authorization in Istio

For authorization to work, you need to enable RBAC for Istio. To do this, we will use the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanation:

  • 1: enables RBAC only for the services and namespaces listed in the Inclusion field;
  • 2: we list our services.

Let's apply the configuration with the following command:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All services now require Role Based Access Control. In other words, access to every service is forbidden and results in the response RBAC: access denied. Now let's grant access to authorized users.

Access configuration for regular users

All users should have access to the SA-Frontend and SA-WebApp services. This is done with the following Istio resources:

  • ServiceRole, which defines the permissions a user has;
  • ServiceRoleBinding, which defines who this ServiceRole is granted to.

For regular users we will allow access to particular services (servicerole.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And with regular-user-binding we apply the ServiceRole to all visitors of the site (normal-user-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users can also access SA WebApp? No: the authentication Policy applied earlier still checks the validity of the JWT token before RBAC is evaluated.

Let's apply the configurations:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Access configuration for moderators

For moderators we want access to all services (mod-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want these rights only for users whose access token contains the claim https://sa.io/group with the value Moderators (mod-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Let's apply the configurations:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because of caching in the Envoy proxies, it takes a few minutes for the authorization rules to take effect. After that you can verify that users and moderators have different levels of access.
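Before waiting those minutes, it helps to check on paper that the four resources above produce the access matrix described in this part. The following is an added example, not code from the article or the istio-mastery repository: the Policy, RbacConfig, ServiceRole and ServiceRoleBinding resources are transcribed into plain objects and a `decide` function models the sidecar's decision for a request. The requests and identities are constructed sample input; the principal format (issuer plus subject) and the wildcard matching are simplified assumptions about Istio's behaviour, and only `request.auth.claims[...]` subject properties are modelled.

```javascript
// Added example, not code from the article or the istio-mastery repository: a
// local model of the access decision the Envoy sidecars make from the Policy,
// RbacConfig, ServiceRole and ServiceRoleBinding resources shown in this article.
// Resources are transcribed from the page; requests and identities are constructed;
// the principal format and the wildcard matching are simplified assumptions.
const GROUP_CLAIM = 'https://sa.io/group';

// auth-policy.yaml: sidecars of these services reject requests without a valid JWT.
const AUTH_POLICY_TARGETS = ['sa-web-app', 'sa-feedback'];

// enable-rbac.yaml: RBAC is enforced only for the listed services.
const RBAC_CONFIG = {
  mode: 'ON_WITH_INCLUSION',
  inclusion: {
    services: [
      'sa-frontend.default.svc.cluster.local',
      'sa-web-app.default.svc.cluster.local',
      'sa-feedback.default.svc.cluster.local',
    ],
  },
};

// user-role.yaml and mod-role.yaml
const SERVICE_ROLES = {
  'regular-user': {
    rules: [{
      services: ['sa-frontend.default.svc.cluster.local', 'sa-web-app.default.svc.cluster.local'],
      paths: ['*'],
      methods: ['*'],
    }],
  },
  'mod-user': { rules: [{ services: ['*'], paths: ['*'], methods: ['*'] }] },
};

const SERVICE_ROLE_BINDINGS = [
  { name: 'regular-user-binding', subjects: [{ user: '*' }], roleRef: 'regular-user' },
  {
    name: 'mod-user-binding',
    subjects: [{ properties: { [`request.auth.claims[${GROUP_CLAIM}]`]: 'Moderators' } }],
    roleRef: 'mod-user',
  },
];

// Simplified matcher: "*", "prefix*" and "*suffix" are the forms handled here.
function matches(pattern, value) {
  if (pattern === '*') return true;
  if (pattern.endsWith('*')) return value.startsWith(pattern.slice(0, -1));
  if (pattern.startsWith('*')) return value.endsWith(pattern.slice(1));
  return pattern === value;
}

// A subject matches when its `user` pattern and every listed property hold.
// Only request.auth.claims[...] properties are modelled.
function subjectMatches(subject, req) {
  if (subject.user !== undefined && !matches(subject.user, req.principal || '')) return false;
  for (const [key, expected] of Object.entries(subject.properties || {})) {
    const m = /^request\.auth\.claims\[(.+)\]$/.exec(key);
    const actual = m ? (req.claims || {})[m[1]] : undefined;
    if (actual !== expected) return false;
  }
  return true;
}

function roleAllows(role, req) {
  return role.rules.some((rule) =>
    rule.services.some((s) => matches(s, req.service)) &&
    rule.paths.some((p) => matches(p, req.path)) &&
    rule.methods.some((m) => matches(m, req.method)));
}

// req = { service: <FQDN>, path, method, claims?: already verified JWT claims }
function decide(req) {
  const shortName = req.service.split('.')[0];
  // 1. Authentication Policy: no verified JWT, no entry.
  if (AUTH_POLICY_TARGETS.includes(shortName) && !req.claims) {
    return { status: 401, reason: 'Jwt is missing' };
  }
  // principalBinding: USE_ORIGIN, so the principal derives from the JWT (assumed iss+sub form).
  const principal = req.claims ? `${req.claims.iss}${req.claims.sub}` : undefined;
  const r = { ...req, principal };
  // 2. RbacConfig: services outside the inclusion list are not subject to RBAC.
  if (!RBAC_CONFIG.inclusion.services.includes(req.service)) {
    return { status: 200, reason: 'RBAC not enforced' };
  }
  // 3. Any binding whose subject matches and whose role covers the request grants access.
  for (const b of SERVICE_ROLE_BINDINGS) {
    if (b.subjects.some((s) => subjectMatches(s, r)) && roleAllows(SERVICE_ROLES[b.roleRef], r)) {
      return { status: 200, reason: `allowed by ${b.name}` };
    }
  }
  return { status: 403, reason: 'RBAC: access denied' };
}
```

With these inputs a moderator reaches sa-feedback through mod-user-binding, a regular user reaches sa-web-app through regular-user-binding but gets `RBAC: access denied` on sa-feedback, a request without a token is stopped at step 1 for sa-web-app yet still reaches sa-frontend (no Policy target, and `user: "*"` matches it), and a service that is not in the inclusion list is not subject to RBAC at all. That last case is worth keeping in mind when a new service is added to the application: it must also be added to the RbacConfig inclusion list, or it is left open.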

Summary of this part

So, have you ever seen a simpler, more effortless, scalable and secure approach to authentication and authorization?

Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to achieve fine-grained control over the authentication and authorization of end-user access to the services.

Moreover, we moved these concerns out of our services, achieving:

  • a reduction in the amount of code that could contain security flaws and bugs;
  • fewer silly situations where an endpoint was exposed externally and nobody remembered to mention it;
  • no need to update all services every time a new role or permission is added;
  • new services that stay simple, secure and fast.

Conclusion

Istio lets teams focus their resources on business-critical tasks without adding overhead to the services, bringing them back to being truly "micro".

The article (in three parts) has provided the basic knowledge and ready-made instructions for a good start with Istio in real projects.


Source: www.hab.com
