为 ArgoCD 启用 SSO

概述

启用 SSO 身份验证需要 uipathctl.sh 脚本。有关脚本和需要使用的参数的更多详细信息，请参阅使用 uipathctl.sh。

准备配置文件

在为 ArgoCD 启用 SSO 之前，您必须生成 RBAC 文件和连接器文件。

RBAC 文件

RBAC 文件包含访问规则。有关内置角色定义的详细信息，请参阅 ArgoCD 文档。有关 ArgoCD 帐户类型及其权限的详细信息，请参阅在 ArgoCD 中管理集群。我们建议在定义组时使用这些角色，但您可以创建自己的权限集。

配置 RBAC 文件

创建一个名为policy.csv的文件，添加以下内容，然后保存文件：
```
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
```

Associate your RBAC groups with the built-in admin role and the UiPath® argocdro read-only role, by appending the following lines to the policy.csv RBAC file:

g, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:admin

保存更新的policy.csv RBAC 文件。

示例：

假设 ArgoCD 管理员的 LDAP 组为“Administrators”，ArgoCD 只读用户的 LDAP 组为“Readers”，则 RBAC 文件应为：

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

有关更高级的用例，请参阅默认的 RBAC 文件。

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

LDAP 连接器文件

LDAP 连接器文件包含为 ArgoCD 配置 SSO 所需的 LDAP 参数。

注意：如果您已拥有 LDAP 连接器文件 (ldap_connector.yaml)，请跳至“为 ArgoCD 启用 SSO”。

要通过 LDAP 配置 SSO，请执行以下步骤：

通过运行以下命令生成 LDAP 模板文件。将在运行命令的目录中生成连接器模板文件。

./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement./uipathctl.sh sso-generate-connector --sso-connector-type ldap --install-type [online|offline] --accept-license-agreement

复制从---开始的输出，并将其另存为ldap_connector.yaml 。

OpenLDAP 连接器文件示例：

---
type: ldap
# Required field for connector id.
id: ldap
# Required field for connector name.
name: OpenLDAP
config:
  host: openldap:389
  insecureNoSSL: true
  startTLS: false
  bindDN: cn=admin,dc=example,dc=org
  bindPW: adminpassword
  usernamePrompt: Email Address
  userSearch:
    baseDN: ou=People,dc=example,dc=org
    filter: "(objectClass=person)"
    username: mail
    idAttr: DN
    emailAttr: mail
    nameAttr: cn
  # Group search queries for groups given a user entry.
  groupSearch:
    baseDN: ou=Groups,dc=example,dc=org
    filter: "(objectClass=groupOfNames)"
    userMatchers:
      - userAttr: DN
        groupAttr: member
    nameAttr: cn---
type: ldap
# Required field for connector id.
id: ldap
# Required field for connector name.
name: OpenLDAP
config:
  host: openldap:389
  insecureNoSSL: true
  startTLS: false
  bindDN: cn=admin,dc=example,dc=org
  bindPW: adminpassword
  usernamePrompt: Email Address
  userSearch:
    baseDN: ou=People,dc=example,dc=org
    filter: "(objectClass=person)"
    username: mail
    idAttr: DN
    emailAttr: mail
    nameAttr: cn
  # Group search queries for groups given a user entry.
  groupSearch:
    baseDN: ou=Groups,dc=example,dc=org
    filter: "(objectClass=groupOfNames)"
    userMatchers:
      - userAttr: DN
        groupAttr: member
    nameAttr: cn

Active Directory LDAP 连接器文件示例：

---
id: ldap
name: ActiveDirectory
type: ldap
config:
  bindDN: cn=admin,cn=Users,dc=example,dc=local
  bindPW: "<admins's password>"
  groupSearch:
    baseDN: dc=example,dc=local
    filter: "(objectClass=group)"
    nameAttr: cn
    userMatchers:
      - userAttr: distinguishedName
        groupAttr: member
  host: "ldaphost:389"
  insecureNoSSL: true
  insecureSkipVerify: true
  startTLS: false
  userSearch:
    baseDN: cn=Users,dc=example,dc=local
    emailAttr: userPrincipalName
    filter: (objectClass=person)
    idAttr: DN
    nameAttr: cn
    username: userPrincipalName
  usernamePrompt: Email Address---
id: ldap
name: ActiveDirectory
type: ldap
config:
  bindDN: cn=admin,cn=Users,dc=example,dc=local
  bindPW: "<admins's password>"
  groupSearch:
    baseDN: dc=example,dc=local
    filter: "(objectClass=group)"
    nameAttr: cn
    userMatchers:
      - userAttr: distinguishedName
        groupAttr: member
  host: "ldaphost:389"
  insecureNoSSL: true
  insecureSkipVerify: true
  startTLS: false
  userSearch:
    baseDN: cn=Users,dc=example,dc=local
    emailAttr: userPrincipalName
    filter: (objectClass=person)
    idAttr: DN
    nameAttr: cn
    username: userPrincipalName
  usernamePrompt: Email Address

使用所需信息更新 LDAP 连接器文件并保存。我们建议使用 LDAPS。

为 ArgoCD 启用 SSO

准备 RBAC 和连接器文件后，您可以为 ArgoCD 启用 SSO。

使用 LDAP

通过在存储连接器文件的目录中运行以下命令，为 ArgoCD 启用 SSO：

./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv