Translator's note: The first article of this series was devoted to getting acquainted with Istio's capabilities and demonstrating them in action, the second to fine-grained routing and network traffic management. Now we turn to security: to demonstrate the basic functions related to it, the author uses the Auth0 identity service, but any other provider can be configured in the same way.
We set up a Kubernetes cluster in which we installed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.
With Istio we were able to keep our microservices small, because they do not have to implement mechanisms such as Retries, Timeouts, Circuit Breakers, Tracing and Monitoring. In addition, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.
I never thought I would be inspired by authentication and authorization. What can Istio offer, from a technological point of view, to make these topics interesting and, moreover, inspiring to you?
The answer is simple: Istio moves responsibility for these mechanisms out of your services and into the Envoy proxies. By the time requests reach the services, they have already been authenticated and authorized, so all you have to do is write business-relevant code.
Sounds good? Let's take a look inside!
Authentication with Auth0
As the identity and access management server we will use Auth0, which has a trial version, is intuitive to use and, frankly, I just like it. However, the same principles can be applied to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.
First, go to the Auth0 Portal with your account, create a tenant (a tenant is a unit of isolation; see the documentation for details - translator's note) and go to Applications > Default App, selecting Settings, as shown in the screenshot below:
Users have been added to groups, but this information must also be reflected in the tokens. To stay compliant with OpenID Connect and at the same time return the groups we need, the token has to be extended with a custom claim. This is done with an Auth0 rule.
Note: this rule takes the user's first group, as defined in the Authorization Extension, and adds it to the access token as a custom claim (in its own namespace, as Auth0 requires).
Return to the Rules page and check that you have the following two rules, in this order:
auth0-authorization-extension
Add Groups Claim
The order matters because the groups field is obtained asynchronously by the auth0-authorization-extension rule and only afterwards added as a claim by the second rule. The result is an access token like this:
Let's apply the configuration with the following command:
$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created
All services now require Role Based Access Control. In other words, access to every service is forbidden and any request results in the response RBAC: access denied. Now let's grant access to authorized users.
Access configuration for regular users
All users must have access to the SA-Frontend and SA-WebApp services. This is achieved with the following Istio resources:
ServiceRole - defines the permissions a user has;
Does "all users" mean that unauthenticated users will also get access to SA WebApp? No, the policy checks the validity of the JWT token.
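As an added illustration (not the article's own manifests), here are the Istio v1alpha1 RBAC resources in the shape the two user-role.yaml and mod-role.yaml commands below expect; the service names (sa-frontend, sa-web-app), the default namespace and the claim name https://sa.io/groups are assumptions.

```yaml
# Added example, not the article's own manifest: Istio v1alpha1 RBAC resources.
# Service names, namespace and the custom claim name are assumptions.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  # Any HTTP method and path on the two user-facing services.
  - services:
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    methods: ["*"]
    paths: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  # "*" matches every caller that reaches the RBAC filter. A request without a
  # valid JWT is already rejected by the authentication Policy, so this means
  # "every authenticated user", not "anyone on the network".
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  # Only tokens whose custom groups claim (the one added by the Auth0 rule)
  # equals "moderator" are bound to the mod-user role. Claim name is assumed.
  - properties:
      "request.auth.claims[https://sa.io/groups]": "moderator"
  roleRef:
    kind: ServiceRole
    name: "mod-user"   # assumed to be defined in mod-role.yaml
```

The rbac.istio.io/v1alpha1 API shown here was later deprecated and removed in favour of the security.istio.io AuthorizationPolicy resource, so on a current Istio release the same intent is expressed with AuthorizationPolicy rules rather than ServiceRole and ServiceRoleBinding.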
Let's apply the configurations:
$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created
$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created
Because of caching in the Envoys, it takes a few minutes for the authorization rules to take effect. After that you can verify that regular users and moderators have different levels of access.
Conclusion
Still, have you ever seen a simpler, more effortless, scalable and secure approach to authentication and authorization?
Only three Istio resources (RbacConfig, ServiceRole and ServiceRoleBinding) were needed to achieve fine-grained control over the authentication and authorization of end users accessing the services.
Moreover, we moved these concerns out of our services and into the proxies, achieving: