automation-suite
2023.4
false
Importante :
A tradução automática foi aplicada parcialmente neste conteúdo.
Guia de instalação do Automation Suite no Linux
Last updated 1 de nov de 2024

Ativando SSO para ArgoCD

Visão geral

O script uipathctl.sh é necessário para habilitar a autenticação SSO. Para obter mais detalhes sobre o script e os parâmetros que você precisa usar, consulte Uso do uipathctl.sh.

Preparing the configuration files

Você deve gerar o arquivo RBAC e o arquivo do conector antes de ativar o SSO para ArgoCD.

The RBAC file

O arquivo RBAC contém regras de acesso.

Para obter detalhes sobre as definições de funções integradas, consulte a documentação do ArgoCD.

Para obter detalhes sobre os tipos de conta do ArgoCD e suas permissões, consulte Gerenciamento do cluster no ArgoCD.

Recomendamos usar essas funções ao definir seus grupos, mas você pode criar seu próprio conjunto de permissões.

Configuring the RBAC file

  1. Crie um arquivo chamado policy.csv, adicione o seguinte conteúdo e salve o arquivo:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
  2. Associe seus grupos de RBAC à função de administrador integrada e à função somente leitura do argocdro da UiPath®, anexando as seguintes linhas ao arquivo RBAC policy.csv:
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
  3. Salve o arquivo RBAC policy.csv atualizado.

Exemplo:

Digamos que seu grupo LDAP para administradores do ArgoCD seja "Administradores" e o grupo LDAP para usuários somente leitura do ArgoCD seja "Leitores", o arquivo RBAC deve ser:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

Para casos de uso mais avançados, consulte o arquivo RBAC padrão.

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

The LDAP connector file

O arquivo do conector LDAP contém os parâmetros LDAP necessários para configurar SSO para ArgoCD.

Observação: se você já tiver um arquivo de conector LDAP (ldap_connector.yaml), pule para Habilitar o SSO para o ArgoCD.

Para configurar o SSO por meio do LDAP, execute as seguintes etapas:

  1. Gere o arquivo de modelo LDAP executando o seguinte comando. O arquivo de modelo do conector é gerado no mesmo diretório em que você executa o comando.
    ./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement
  2. Copie a saída que começa em --- e salve-a como ldap_connector.yaml.
    Exemplo de um arquivo de conector openLDAP:
    ---
    type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn---
    type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn
    Exemplo de um arquivo de conector LDAP do Active Directory:
    ---
    id: ldap
    name: ActiveDirectory
    type: ldap
    config:
      bindDN: cn=admin,cn=Users,dc=example,dc=local
      bindPW: "<admins's password>"
      groupSearch:
        baseDN: dc=example,dc=local
        filter: "(objectClass=group)"
        nameAttr: cn
        userMatchers:
          - userAttr: distinguishedName
            groupAttr: member
      host: "ldaphost:389"
      insecureNoSSL: true
      insecureSkipVerify: true
      startTLS: false
      userSearch:
        baseDN: cn=Users,dc=example,dc=local
        emailAttr: userPrincipalName
        filter: (objectClass=person)
        idAttr: DN
        nameAttr: cn
        username: userPrincipalName
      usernamePrompt: Email Address---
    id: ldap
    name: ActiveDirectory
    type: ldap
    config:
      bindDN: cn=admin,cn=Users,dc=example,dc=local
      bindPW: "<admins's password>"
      groupSearch:
        baseDN: dc=example,dc=local
        filter: "(objectClass=group)"
        nameAttr: cn
        userMatchers:
          - userAttr: distinguishedName
            groupAttr: member
      host: "ldaphost:389"
      insecureNoSSL: true
      insecureSkipVerify: true
      startTLS: false
      userSearch:
        baseDN: cn=Users,dc=example,dc=local
        emailAttr: userPrincipalName
        filter: (objectClass=person)
        idAttr: DN
        nameAttr: cn
        username: userPrincipalName
      usernamePrompt: Email Address
  3. Atualize o arquivo do conector LDAP com as informações necessárias e salve-o. Recomendamos o uso de LDAPS.

Ativando SSO para ArgoCD

Depois de preparar o RBAC e o arquivo do conector, você pode ativar o SSO para ArgoCD.

Usando LDAP

Habilite o SSO para ArgoCD executando o seguinte comando no diretório onde o arquivo do conector está armazenado:

./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv
Observação: depois de executar o comando anterior, você verá um botão de login SSO na página de login do ArgoCD. Forneça o nome de usuário e a senha do domínio da sua empresa.
  • Visão geral
  • Preparing the configuration files
  • The RBAC file
  • The LDAP connector file
  • Ativando SSO para ArgoCD
  • Usando LDAP

Esta página foi útil?

Obtenha a ajuda que você precisa
Aprendendo RPA - Cursos de automação
Fórum da comunidade da Uipath
Uipath Logo White
Confiança e segurança
© 2005-2024 UiPath. Todos os direitos reservados.