UiPath Automation Suite

UiPath Automation Suite Guide

Configuring the cluster

This page contains general instructions for configuring Automation Suite.

Configuration tool


The configureUiPathAS.sh script helps you control and manage Automation Suite. The tool comes with the installation bundle and is available in the main installer folder. configureUiPathAS.sh is currently capable of performing only a few operations.

To view more information about configureUiPathAS.sh, run:

sudo ./configureUiPathAS.sh --help

You should see the following output:

```
configureUiPathAS.sh controls and manage UiPath Automation Suites

Usage:
  configureUiPathAS.sh [command]
  configureUiPathAS.sh [flags]

Available Commands:
  config                               Manage cluster configuration
  tls-cert                             Manage tls and server certificate
  additional-ca-certs                  Manage additional ca certificates
  identity                             Manage identity service
  objectstore                          Manage objectstore
  registry                             Manage registry
  monitoring                           Manage monitoring
  rabbitmq                             Manage rabbitmq
  mongodb                              Manage mongo
  node                                 Manage k8s nodes
  enable-maintenance-mode              Enables maintenance mode on the Cluster
  disable-maintenance-mode             Disables maintenance mode on the Cluster
  is-maintenance-enabled               Checks if maintenance mode is enabled on the Cluster
  resume-scheduled-backups             Resumes the paused scheduled backups
  verify-volumes-backup                Verify if all volumes are backed up
Flags:
  -h|--help                           Display help

***************************************************************************************
```

You can use the configureUiPathAS.sh script to manage the following components in the Automation Suite cluster:

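  • Server certificates - Manage TLS and server certificates (update and get the certificate)

  • Additional CA certificates - Manage additional CA certificates, such as SQL Server certificates, proxy server certificates, etc.

  • Identity service - Manage identity service configuration, such as the token-signing certificate, SAML certificates, Kerberos and Windows authentication, etc.

  • Objectstore - Manage the Ceph objectstore (currently supports only resizing the Ceph PVC/storage)

  • Registry - Manage the Docker registry (currently supports only resizing the registry PVC/storage)

  • Monitoring - Manage Rancher Server (currently supports only resizing the Rancher Server PVC/storage)

  • RabbitMQ - Manage the RabbitMQ message queue (currently supports only resizing the RabbitMQ PVC/storage)

  • MongoDB - Manage the MongoDB datastore (currently supports only resizing the MongoDB PVC/storage and certificate management)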

 

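Updating the SQL Server connection

To update the connection string or credentials to the SQL Server, directly edit the cluster_config.json file on the primary server node. You can directly edit the SQL fields (sql.username, sql.password, and sql.server_url) in the file based on what you need to update.

After updating the file, rerun the interactive installation wizard on the same machine with the updated configuration as the parameter. You only need to rerun the installation on the primary server.

Updating Kerberos authentication


Updating the Kerberos authentication configuration

To update the common Kerberos authentication configuration, take the following steps:

  1. SSH to any server machine.
  2. Run the following command: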
./configureUiPathAS.sh identity kerberos-auth global-config update --enabled [kerberos-enabled] --adDomain [ad-domain] --username [default-ad-username]  --keytab [default-ad-user-keytab] --lifetime [ticketLifeTimeInHour]

📘

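Note:

  • To generate the keytab file manually, see Setting up Kerberos authentication.

  • The AD domain controller has the Maximum lifetime for user ticket Kerberos setting in the Default Domain Policy. Make sure the ticket lifetime configured here is not longer than the setting on the domain controller.

Console output on success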
Updating kerberos auth.....Success!
If you wish to utilize SQL Integrated Auth using Kerberos, 
please update the SQL connection string to enable Integrated Auth. 
For more info on kerberos auth, <link>
Console output on failure
Updating kerberos auth.....Failed!
Please provide valid kerberos auth configuration values.

 

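Updating the AD username and the AD user's keytab for a service group

To update the AD username and/or the AD user's keytab for a specific service, take the following steps:

  1. Run the following command: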
./configureUiPathAS.sh identity kerberos-auth service-config update --sg [service-group]  --username [new-ad-username] --keytab [new-ad-user-keytab]

The following service groups are available (case-sensitive):

  • orchestrator
  • platform
  • discoverygroup
  • testmanager
  • automationops
  • aicenter
  • documentunderstanding
  • insights
  • dataservice

📘

Note:

To generate the keytab file manually, see Setting up Kerberos authentication.

Console output on success
Updating kerberos config for <service-group> service group.....Success!
If you want to enable sql integrated auth for the <service-group> service goup, 
please update the service's sql connection string. For more info on kerberos auth, <link>
Console output on failure
Updating kerberos config for <service-group> service group.....Failed!
Please provided a valid kerberos auth configuration values.
For more info on kerberos auth, <link>

 

Adding system administrators


One system administrator is created in Automation Suite by default with the username admin on the host organization. See Managing system administrator for more details.

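If access to the host organization is lost - for example, if the system administrator's password is lost, or the only user with a system administrator account leaves the company - you can use the tool to add or restore a system administrator.

This script does not work if the SQL connection string parameter "Integrated Security=true" exists for platform services.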

./configureUiPathAS.sh identity add-host-admin --username [new-admin-username] --email [new-admin-email] --password [new-admin-password]
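  • --username is a required field.
  • --password is required only if the new admin uses basic authentication to log in.
  • --email is optional unless your external identity provider requires it (for example, Google matches by email, not username).

There are a few important notes about how the admin is created or restored:

  • New admins cannot have the same username or email address as an existing admin. If you use the same username or email as an existing admin, the existing admin is updated. This is useful if you want to change the password.
  • If an admin was deleted and you use the same username or email for a new user, the deleted admin is restored instead of a new one being created. The password field is not overwritten in this case. An exception is when multiple admins were deleted with the same username or email address, which results in a new admin being created.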
  • If any of the external identity providers configured on the host are forced, that imposes restrictions on the parameters. For instance, if Windows AD is forced, the username must be in the form [email protected]. If Google is forced, then email is required.
  • You must change the password the first time you log in to the new admin account.

 

Re-enabling basic authentication


Organization and system administrators may be unable to log in due to an issue with their configured Azure Active Directory or other external identity provider. Organization administrators may be locked out because the Disable basic authentication flag is checked in the Authentication Settings. Organization and system administrators may be locked out because an external identity provider was configured as force/exclusive. This tool will try to re-enable basic authentication for an organization.

This script does not work if the SQL connection string parameter Integrated Security=true exists for platform services.

./configureUiPathAS.sh identity enable-basic-auth --orgname [org-name]

📘

Note:

--orgname is a required field. If basic authentication is restricted at the host level, set the orgname to host.

 

Updating the TLS protocol


The Istio ingress gateway configured in Automation Suite for routing, communicating between the services, and more uses TLS to secure the exchanges. To prevent any security threats, deprecated TLS protocol versions are disabled by default.

Only TLS version 1.2 and above are currently supported, and if you use a previous version, it is recommended that you upgrade. However, it is still possible to connect using a previous TLS version, but you must first enable it on the Automation Suite server.

🚧

Important

TLS 1.0 and 1.1 are deprecated, and enabling these versions can pose a security risk. You are strongly recommended to upgrade to TLS 1.2 or above instead of enabling lower versions on the server.

To enable an unsupported TLS version, take one of the following steps:

  • To enable support for TLS 1.0 and above, run the following command:
kubectl -n istio-system patch gateway main-gateway --type=json \
    -p='[{ "op": "replace", "path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_0"}]'
  • To enable support for TLS 1.1 and above, run the following command:
kubectl -n istio-system patch gateway main-gateway --type=json \
    -p='[{ "op": "replace", "path": "/spec/servers/0/tls/minProtocolVersion", "value": "TLSV1_1"}]'
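
The check below is an added example, not part of the UiPath documentation or tooling: it audits the minProtocolVersion floor on the gateway that the commands above patch, so a legacy setting left enabled is noticed. The function names and the sample lines are assumptions constructed for illustration; the gateway name and namespace are the ones used on this page.

```shell
#!/bin/sh
# Added example (not UiPath code): audit the TLS floor on the Istio gateway.
# Input: one line per server, "<port name>|<tls.mode>|<tls.minProtocolVersion>".
# On a live cluster, produce it with:
#   kubectl -n istio-system get gateway main-gateway -o jsonpath='{range .spec.servers[*]}{.port.name}{"|"}{.tls.mode}{"|"}{.tls.minProtocolVersion}{"\n"}{end}'

# Print a verdict for one server; return 1 when the floor is below TLS 1.2.
classify_server() {
    name=$1 mode=$2 min=$3
    if [ -z "$mode" ]; then
        echo "$name: no TLS mode set (plaintext or redirect-only listener)"
        return 0
    fi
    case "$min" in
        TLSV1_0|TLSV1_1) echo "$name: LEGACY floor $min"; return 1 ;;
        TLSV1_2|TLSV1_3) echo "$name: ok ($min)"; return 0 ;;
        ""|TLS_AUTO)     echo "$name: ok (unset, gateway default)"; return 0 ;;
        *)               echo "$name: UNKNOWN value '$min'"; return 1 ;;
    esac
}

# Read server lines from stdin; return 1 if any server fails the check.
audit_gateway() {
    rc=0
    while IFS='|' read -r name mode min; do
        [ -n "$name$mode$min" ] || continue   # skip blank lines
        classify_server "$name" "$mode" "$min" || rc=1
    done
    return "$rc"
}

# Constructed sample data (not captured from a real cluster).
SAMPLE_DEFAULT='http||
https|SIMPLE|'
SAMPLE_LEGACY='http||
https|SIMPLE|TLSV1_0'

printf '%s\n' "$SAMPLE_DEFAULT" | audit_gateway || echo "=> default sample failed"
printf '%s\n' "$SAMPLE_LEGACY" | audit_gateway || echo "=> legacy TLS is enabled"
```

To return to the supported floor once legacy clients have been upgraded, rerun the patch command above with the value TLSV1_2.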
