Back to Microservices with Istio. Part 3

Translator's note: the first part of this series was devoted to getting acquainted with Istio's capabilities and demonstrating them in action, the second to fine-grained routing and network traffic management. Now we turn to security: to demonstrate the basic functions related to it, the author uses the Auth0 identity service, but other providers can be configured in a similar way.

We created a Kubernetes cluster in which we deployed Istio and a sample microservice application, Sentiment Analysis, to demonstrate Istio's capabilities.

Thanks to Istio, we were able to keep our services small, because they do not need to implement layers such as Retries, Timeouts, Circuit Breakers, Tracing and Monitoring. In addition, we used advanced testing and deployment techniques: A/B testing, mirroring and canary rollouts.


In this new material we deal with the last layers on the path to business value: authentication and authorization, and in Istio they are a real pleasure!

Authentication and Authorization in Istio

I never would have believed that I could be inspired by authentication and authorization. What can Istio offer on the technology side to make these topics interesting and, even more, inspiring to you?

The answer is simple: Istio shifts the responsibility for these capabilities from your services to the Envoy proxy. By the time requests reach the services, they have already been authenticated and authorized, so all that remains is to write code that is useful to the business.

Sounds good? Let's look inside!

Authentication with Auth0

As the identity and access management server we will use Auth0, which has a trial version, is intuitive to use and which I simply love. However, the same principles can be applied to any other OpenID Connect implementation: KeyCloak, IdentityServer and many others.

To get started, go to the Auth0 Portal under your account, create a tenant (a tenant is a logically isolated unit; for details see the documentation; translator's note) and go to Applications > Default App, selecting Domain, as shown in the screenshot below:


Specify this domain in the file resource-manifests/istio/security/auth-policy.yaml (source):

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: auth-policy
spec:
  targets:
  - name: sa-web-app
  - name: sa-feedback
  origins:
  - jwt:
      issuer: "https://{YOUR_DOMAIN}/"
      jwksUri: "https://{YOUR_DOMAIN}/.well-known/jwks.json"
  principalBinding: USE_ORIGIN

With such a resource, Pilot (one of the three basic components of Istio's Control Plane; translator's note) configures the proxy to authenticate requests before forwarding them to the services sa-web-app and sa-feedback. At the same time, the configuration is not applied to the proxy of the sa-frontend service, which lets us leave the frontend unauthenticated. To apply the policy, run the command:

$ kubectl apply -f resource-manifests/istio/security/auth-policy.yaml
policy.authentication.istio.io "auth-policy" created

Go back to the page and make a request: you will see that it ends with a 401 Unauthorized status. Now let's redirect frontend users to authenticate with Auth0.

Authenticating requests with Auth0

To authenticate end-user requests, you need to create an API in Auth0 that will represent the authenticated services (reviews, details, and ratings). To create the API, go to Auth0 Portal > APIs > Create API and fill in the form:

The important information here is the Identifier, which we will use later in the script. Let's write it down like this:

  • audience: {YOUR_AUDIENCE}

The remaining details we need are in the Applications section of the Auth0 Portal: select Test Application (created automatically for the API).

Here we write down:

  • Domain: {YOUR_DOMAIN}
  • Client ID: {YOUR_CLIENT_ID}

Scroll the Test Application down to the Allowed Callback URLs text field, where we specify the URL the call may be sent to after authentication completes. In our case it is:

http://{EXTERNAL_IP}/callback

And add to Allowed Logout URLs:

http://{EXTERNAL_IP}/logout

Let's move on to the frontend.

Updating the frontend

Switch to the auth0 branch of the [istio-mastery] repository. In this branch the frontend code is changed to redirect users to Auth0 for authentication and to use the JWT token in requests to the other services. The latter is implemented as follows (App.js):

analyzeSentence() {
    fetch('/sentiment', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            'Authorization': `Bearer ${auth.getAccessToken()}` // Access Token
        },
        body: JSON.stringify({ sentence: this.textField.getValue() })
    })
        .then(response => response.json())
        .then(data => this.setState(data));
}

To switch the frontend to the tenant data in Auth0, open sa-frontend/src/services/Auth.js and substitute the values we wrote down above (Auth.js):

const Config = {
    clientID: '{YOUR_CLIENT_ID}',
    domain: '{YOUR_DOMAIN}',
    audience: '{YOUR_AUDIENCE}',
    ingressIP: '{EXTERNAL_IP}' // used for the redirect after authentication
}

The application is ready. Specify your Docker ID in the commands below when building and deploying the changes:

$ docker build -f sa-frontend/Dockerfile \
    -t $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0 \
    sa-frontend

$ docker push $DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

$ kubectl set image deployment/sa-frontend \
    sa-frontend=$DOCKER_USER_ID/sentiment-analysis-frontend:istio-auth0

Try the app! You will be redirected to Auth0, where you need to log in (or sign up), after which you are returned to the page, from which the frontend now makes authenticated requests. If you try the curl commands from the earlier parts of the article, you will get a 401 status code, indicating that the request is unauthorized.

Let's take the next step: authorizing requests.

Authorization with Auth0

Authentication lets us understand who the user is, but authorization is needed to know what they have access to. Istio provides tools for this as well.

As an example, let's create two groups of users (see the diagram below):

  • Users, with access to the SA-WebApp and SA-Frontend services only;
  • Moderators, with access to all three services.

The concept of authorization

To create these groups we will use the Auth0 Authorization extension, and we will use Istio to give them different levels of access.

Installing and configuring the Auth0 Authorization extension

In the Auth0 Portal, go to Extensions and install Auth0 Authorization. After installation, go to the Authorization Extension, and from there to the tenant configuration by clicking in the upper right corner and selecting the corresponding menu item (Configuration). Enable Groups and click the Publish rule button.


Creating groups

In the Authorization Extension, go to Groups and create a Moderators group. Since we will treat all authenticated users as regular users, there is no need to create an additional group for them.

Select the Moderators group, click Add Members and add your main account. Leave some users without a group to verify that they are denied access (new users can be created manually via Auth0 Portal > Users > Create User).

Adding the Group claim to the access token

Users have been added to groups, but this information must also be reflected in the access tokens. To comply with OpenID Connect and at the same time return the groups we need, the token has to carry its own custom claim. This is implemented through Auth0 rules.

To create a rule, go to Auth0 Portal > Rules, click Create Rule and select an empty rule from the templates.


Copy the code below and save it as a new rule, Add Group Claim (file name Group.js):

function (user, context, callback) {
    context.accessToken['https://sa.io/group'] = user.groups[0];
    return callback(null, user, context);
}

Note: this code takes the user's first group as defined in the Authorization Extension and adds it to the access token as a custom claim (under its own namespace, as Auth0 requires).

Return to the Rules page and verify that you have two rules in the following order:

  • auth0-authorization-extension
  • Add Group Claim

The order matters, because the group field is populated by the auth0-authorization-extension rule and only after that is added as a claim by the second rule. The result looks like this:

{
 "https://sa.io/group": "Moderators",
 "iss": "https://sentiment-analysis.eu.auth0.com/",
 "sub": "google-oauth2|196405271625531691872"
 // [truncated for clarity]
}

Now we need to configure the Envoy proxy to check the user's access, with the group extracted from the claim (https://sa.io/group) of the returned access token. That is the topic of the next section.

Configuring authorization in Istio

For authorization to work, you need to enable RBAC for Istio. To do this, we will use the following configuration:

apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'                     # 1
  inclusion:
    services:                                   # 2
    - "sa-frontend.default.svc.cluster.local"
    - "sa-web-app.default.svc.cluster.local"
    - "sa-feedback.default.svc.cluster.local" 

Explanation:

  • 1 - enable RBAC only for the services and namespaces listed in the inclusion field;
  • 2 - we list our services.

Let's apply the configuration with the following command:

$ kubectl apply -f resource-manifests/istio/security/enable-rbac.yaml
rbacconfig.rbac.istio.io/default created

All services now require Role-Based Access Control. In other words, access to all services is forbidden and results in the response RBAC: access denied. Now let's allow access for authorized users.

Configuring access for regular users

All users must have access to the SA-Frontend and SA-WebApp services. This is implemented with the following Istio resources:

  • ServiceRole - defines the rights a user has;
  • ServiceRoleBinding - defines who the ServiceRole is granted to.

For regular users we allow access to certain services (servicerole.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services: 
    - "sa-frontend.default.svc.cluster.local" 
    - "sa-web-app.default.svc.cluster.local"
    paths: ["*"]
    methods: ["*"]

And through regular-user-binding we apply the ServiceRole to all site visitors (regular-user-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"

Does "all users" mean that unauthenticated users will also get access to SA-WebApp? No: the policy will check the validity of the JWT token.

Let's apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/user-role.yaml
servicerole.rbac.istio.io/regular-user created
servicerolebinding.rbac.istio.io/regular-user-binding created

Configuring access for moderators

For moderators, we want to allow access to all services (mod-service-role.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mod-user
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]

But we want these rights only for users whose access tokens contain the https://sa.io/group claim with the value Moderators (mod-service-role-binding.yaml):

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: mod-user-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[https://sa.io/group]: "Moderators"
  roleRef:
    kind: ServiceRole
    name: "mod-user"

Let's apply the configuration:

$ kubectl apply -f resource-manifests/istio/security/mod-role.yaml
servicerole.rbac.istio.io/mod-user created
servicerolebinding.rbac.istio.io/mod-user-binding created

Because of the proxy's cache, it may take a few minutes for the authorization rules to take effect. After that you can verify that users and moderators have different levels of access.

Conclusion of this part

Seriously, though, have you ever seen a simpler, more effortless, scalable and secure approach to authentication and authorization?

Only three Istio resources (RbacConfig, ServiceRole, and ServiceRoleBinding) were needed to get fine-grained control over end-user authentication and authorization for access to the services.

In addition, we moved these concerns from the services to Envoy, achieving:

  • a reduction in the amount of generic code that may contain security issues and bugs;
  • a reduction in the number of silly situations where one endpoint turned out to be accessible from outside and nobody remembered to report it;
  • elimination of the need to update all services every time a new role or permission is added;
  • new services that are simple, secure and fast.

Conclusion

Istio lets teams focus their resources on business-critical tasks without adding overhead to the services, returning them to a micro state.

This article (in three parts) has provided the basic knowledge and ready-to-use practical instructions for getting started with Istio in real projects.


Source: www.habr.com
