automation-suite
2023.10
true
Guia de instalação do Automation Suite no Linux
Last updated 4 de out de 2024

Ativando SSO para ArgoCD

Visão geral

Para habilitar a autenticação SSO, você deve usar a ferramenta de linha de comando uipathctl.

Preparing the configuration files

Você deve gerar o arquivo do RBAC e o arquivo de configuração do Dex antes de habilitar o SSO para o ArgoCD.

The RBAC file

O arquivo RBAC contém regras de acesso.

Para obter detalhes sobre as definições de funções integradas, consulte a documentação do ArgoCD.

Para obter detalhes sobre os tipos de conta do ArgoCD e suas permissões, consulte Gerenciamento do cluster no ArgoCD.

Recomendamos usar essas funções ao definir seus grupos, mas você pode criar seu próprio conjunto de permissões.

Configuring the RBAC file

  1. Crie um arquivo chamado policy.csv executando o seguinte comando:
    uipathctl config argocd generate-rbacuipathctl config argocd generate-rbac
  2. Adicione o seguinte conteúdo ao arquivo policy.csv e salve-o:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
  3. Associe seus grupos de RBAC à função de administrador integrada e à função somente leitura do argocdro da UiPath®, anexando as seguintes linhas ao arquivo RBAC policy.csv:
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
  4. Salve o arquivo RBAC policy.csv atualizado.

Exemplo:

Se seu grupo LDAP para administradores do ArgoCD for Administradores e o grupo LDAP para usuários somente leitura do ArgoCD for Leitores, o arquivo RBAC deve ser semelhante ao do exemplo a seguir:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

Para casos de uso mais avançados, o exemplo a seguir mostra o arquivo RBAC padrão:

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

O arquivo de configuração do Dex

O arquivo de configuração do Dex contém os parâmetros necessários para configurar o SSO para o ArgoCD.

Observação: se você já tiver um arquivo de conector LDAP (ldap_connector.yaml), pule para Habilitar o SSO para o ArgoCD.

Para configurar o SSO por meio do LDAP, execute as seguintes etapas:

  1. Gere o arquivo de modelo LDAP executando o seguinte comando. O arquivo de modelo do conector é gerado no mesmo diretório em que você executa o comando.
    uipathctl config argocd generate-dex-config -t ldapuipathctl config argocd generate-dex-config -t ldap
  2. Copie a saída que começa em --- e salve-a como ldap_connector.yaml.
    Exemplo de um arquivo de configuração do ArgoCD:
    ---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn
    Exemplo de um arquivo de conector LDAP do Active Directory:
    ---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admins's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admins's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address
  3. Atualize o arquivo do conector LDAP com as informações necessárias e salve-o. Recomendamos o uso de LDAPS.

Ativando SSO para ArgoCD

Depois de preparar o RBAC e o arquivo de configuração do Dex, você pode habilitar o SSO para o ArgoCD:

  1. Atualize o arquivo cluster_config.json com os seguintes parâmetros:

    1. fabric.argocd_dex_config_file - digite o caminho para o arquivo de configuração do Dex criado anteriormente.
    2. fabric.argocd_rbac_config_file - digite o caminho para o arquivo do RBAC criado anteriormente.
  2. Execute novamente o instalador de malha:

    ./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement

  • Visão geral
  • Preparing the configuration files
  • The RBAC file
  • O arquivo de configuração do Dex
  • Ativando SSO para ArgoCD

Esta página foi útil?

Obtenha a ajuda que você precisa
Aprendendo RPA - Cursos de automação
Fórum da comunidade da Uipath
Uipath Logo White
Confiança e segurança
© 2005-2024 UiPath. Todos os direitos reservados.