UiPath Documentation
automation-suite
2023.10

Automation Suite on Linux Installation Guide

Enabling SSO for ArgoCD

Overview

To enable SSO authentication for ArgoCD, you must use the uipathctl command-line tool.

Preparing the configuration files

Before enabling SSO for ArgoCD, you must generate the RBAC file and the Dex configuration file.

RBAC file

The RBAC file contains the access rules: which LDAP groups map to which ArgoCD roles, and what each role may do.

For details on the built-in role definitions, see the ArgoCD documentation.

For details on ArgoCD account types and their permissions, see Managing clusters in ArgoCD.

We recommend using these roles when defining your groups, but you can also create your own permission sets.

Configuring the RBAC file
  1. Create a file named policy.csv by running the following command:
    uipathctl config argocd generate-rbac
    
  2. Add the following content to the policy.csv file and save it:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
    
  3. Map your LDAP groups to the built-in admin role and to role:uipath-sync (the role granted to the UiPath™ argocdro account, described on this page as read-only) by appending the following lines to the policy.csv RBAC file. Note that role:uipath-sync allows sync as well as get on every application, so members of the "read-only" group can trigger syncs.
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
    
  4. Save the updated policy.csv RBAC file.
Example

If the LDAP group for ArgoCD administrators is Administrators and the LDAP group for ArgoCD read-only users is Readers, the RBAC file should look like the following:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

For more advanced use cases, the following example shows ArgoCD's default (built-in) RBAC policy, which your policy.csv extends:

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin
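Before you hand a policy.csv to the installer, it is worth checking what each LDAP group actually ends up with once role inheritance is resolved. The following Python is an added example, not code from the UiPath page or the ArgoCD project. It evaluates the policy the way ArgoCD's Casbin model does (a request is permitted when some matching line says allow and no matching line says deny; "g" lines are followed transitively), using the policy.csv from this page plus the subset of the built-in policy it needs. Glob matching is approximated with fnmatch, which is sufficient for the `*` and `*/*` patterns used here (an assumption), and the `production/*` deny line is constructed to show that a deny overrides an inherited allow.

```python
"""Evaluate an ArgoCD policy.csv offline: who can do what after role inheritance."""
import fnmatch

# Constructed input: the UiPath policy.csv from this page with the Readers and
# Administrators groups, plus one deny line added to demonstrate deny precedence.
UIPATH_POLICY_CSV = """\
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin
p, Readers, applications, sync, production/*, deny
"""

# Subset of ArgoCD's built-in policy (shown on this page) so that role:admin
# and role:readonly resolve. Only the lines exercised below are included.
BUILTIN_POLICY_CSV = """\
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:admin, applications, create, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, clusters, create, *, allow
g, role:admin, role:readonly
g, admin, role:admin
"""


def parse_policy(text):
    """Return (permissions, grants) from policy.csv text.

    permissions: list of (subject, resource, action, object, effect) tuples
    grants: dict subject -> set of roles it inherits from ("g" lines)
    A malformed line raises instead of being skipped: a silently ignored typo
    leaves you with a policy that does not say what you think it says.
    """
    permissions, grants = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6 and fields[5] in ("allow", "deny"):
            permissions.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            grants.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"line {lineno}: malformed policy line {raw!r}")
    return permissions, grants


def effective_subjects(subject, grants):
    """The subject itself plus every role reachable through "g" lines."""
    seen, stack = set(), [subject]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(grants.get(current, ()))
    return seen


def is_allowed(subject, resource, action, obj, permissions, grants):
    """ArgoCD's policy effect: at least one matching allow and no matching deny."""
    subjects = effective_subjects(subject, grants)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, effect in permissions:
        if p_sub not in subjects:
            continue
        if not (fnmatch.fnmatchcase(resource, p_res)
                and fnmatch.fnmatchcase(action, p_act)
                and fnmatch.fnmatchcase(obj, p_obj)):
            continue
        if effect == "allow":
            allowed = True
        else:
            denied = True
    return allowed and not denied


def load_policies():
    """Built-in policy followed by the UiPath file, as ArgoCD combines them."""
    return parse_policy(BUILTIN_POLICY_CSV + UIPATH_POLICY_CSV)


if __name__ == "__main__":
    perms, grants = load_policies()
    checks = [
        ("Readers", "applications", "get", "default/orchestrator"),
        ("Readers", "applications", "sync", "default/orchestrator"),
        ("Readers", "applications", "sync", "production/orchestrator"),
        ("Readers", "applications", "delete", "default/orchestrator"),
        ("Administrators", "applications", "delete", "default/orchestrator"),
        ("Administrators", "clusters", "get", "in-cluster"),
        ("Contractors", "applications", "get", "default/orchestrator"),
    ]
    for who, res, act, obj in checks:
        verdict = "allow" if is_allowed(who, res, act, obj, perms, grants) else "deny"
        print(f"{who:15} {res:13} {act:7} {obj:26} -> {verdict}")
```

Run it against your real policy.csv by replacing the constructed strings with the file contents; the useful output is the deny rows, in particular any group that can sync or delete where you only intended read access.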

Dex configuration file

The Dex configuration file contains the parameters required to configure SSO for ArgoCD.

Note:

If you already have an LDAP connector file (ldap_connector.yaml), skip to Enabling SSO for ArgoCD.

To configure SSO through LDAP, follow these steps:

  1. Generate the LDAP template file by running the following command. The connector template file is generated in the directory from which you run the command.

    uipathctl config argocd generate-dex-config -t ldap
    
  2. Copy the output starting from --- and save it as ldap_connector.yaml.

    Example ArgoCD Dex configuration file (OpenLDAP):

    ---
    connectors:
    - type: ldap
      # Required field for connector id.
      id: ldap
      # Required field for connector name.
      name: OpenLDAP
      config:
        host: openldap:389
        insecureNoSSL: true
        startTLS: false
        bindDN: cn=admin,dc=example,dc=org
        bindPW: adminpassword
        usernamePrompt: Email Address
        userSearch:
          baseDN: ou=People,dc=example,dc=org
          filter: "(objectClass=person)"
          username: mail
          idAttr: DN
          emailAttr: mail
          nameAttr: cn
        # Group search queries for groups given a user entry.
        groupSearch:
          baseDN: ou=Groups,dc=example,dc=org
          filter: "(objectClass=groupOfNames)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
    

    Example Active Directory LDAP connector file:

    ---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admin's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address
    
  3. Update the LDAP connector file with the required information and save it. We recommend LDAPS. The generated templates use insecureNoSSL: true, which sends the bind password and every user's login credentials to the directory in cleartext; for LDAPS set insecureNoSSL to false, point host at the directory's LDAPS port, leave insecureSkipVerify at false, and add rootCA if the directory's certificate is not issued by a CA in the Dex pod's trust store. The file also holds bindPW in plaintext, so restrict its permissions and keep it out of source control.
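The transport settings above are easy to leave as generated. The following Python is an added example, not code from the UiPath page or the Dex project: it audits one Dex LDAP connector for the settings that matter (insecureNoSSL, insecureSkipVerify, startTLS, rootCA/rootCAData and the bindPW placeholder, all of which are Dex's own connector fields) and produces the hardened LDAPS form next to the template. The Active Directory template from this page is embedded as a dict so the example runs without extra packages; in practice you would load ldap_connector.yaml with yaml.safe_load. The LDAPS port 636 and the CA path /etc/ssl/certs/ldap-ca.pem are assumptions for the illustration.

```python
"""Audit a Dex LDAP connector's transport settings and produce a hardened copy."""
import copy

# Constructed input: the Active Directory template from this page, as a dict.
# In practice: connector = yaml.safe_load(open("ldap_connector.yaml"))["connectors"][0]
AD_TEMPLATE = {
    "id": "ldap",
    "name": "ActiveDirectory",
    "type": "ldap",
    "config": {
        "bindDN": "cn=admin,cn=Users,dc=example,dc=local",
        "bindPW": "<admin's password>",
        "host": "ldaphost:389",
        "insecureNoSSL": True,
        "insecureSkipVerify": True,
        "startTLS": False,
        "userSearch": {"baseDN": "cn=Users,dc=example,dc=local",
                       "filter": "(objectClass=person)",
                       "username": "userPrincipalName", "idAttr": "DN"},
        "groupSearch": {"baseDN": "dc=example,dc=local",
                        "filter": "(objectClass=group)", "nameAttr": "cn"},
    },
}


def host_port(host):
    """Split "name:port" into (name, port); port is None when not given."""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, None


def audit_ldap_connector(connector):
    """Return (severity, message) findings for one Dex LDAP connector.

    Dex semantics: with insecureNoSSL and startTLS both false it dials LDAPS;
    startTLS upgrades a plaintext connection; insecureNoSSL disables TLS entirely.
    """
    cfg = connector.get("config", {})
    no_ssl = bool(cfg.get("insecureNoSSL", False))
    start_tls = bool(cfg.get("startTLS", False))
    skip_verify = bool(cfg.get("insecureSkipVerify", False))
    _, port = host_port(str(cfg.get("host", "")))
    findings = []
    if no_ssl:
        findings.append(("HIGH", "insecureNoSSL: true sends the bind password and every "
                                 "user's login credentials to the directory in cleartext"))
    if skip_verify:
        findings.append(("HIGH", "insecureSkipVerify: true accepts any server certificate, "
                                 "so an on-path attacker can impersonate the directory"))
    if no_ssl and start_tls:
        findings.append(("MEDIUM", "startTLS: true has no effect while insecureNoSSL is true"))
    if not no_ssl and not start_tls and port == 389:
        findings.append(("MEDIUM", "LDAPS is selected (startTLS false) but host uses port 389; "
                                   "LDAPS normally listens on 636 (assumption)"))
    pw = str(cfg.get("bindPW", ""))
    if not pw or pw.startswith("<"):
        findings.append(("HIGH", "bindPW is empty or still the template placeholder"))
    if not no_ssl and not skip_verify and not (cfg.get("rootCA") or cfg.get("rootCAData")):
        findings.append(("INFO", "no rootCA/rootCAData: the server certificate must chain to a "
                                 "CA in the Dex pod's system trust store"))
    return findings


def harden_ldap_connector(connector, root_ca_path="/etc/ssl/certs/ldap-ca.pem"):
    """Copy of the connector switched to LDAPS with certificate verification.

    Assumptions: the directory serves LDAPS on 636 and its CA is at root_ca_path.
    bindPW is left alone; it remains a secret on disk, so restrict the file's
    permissions and keep it out of source control.
    """
    hardened = copy.deepcopy(connector)
    cfg = hardened["config"]
    name, _ = host_port(str(cfg["host"]))
    cfg["host"] = f"{name}:636"
    cfg["insecureNoSSL"] = False
    cfg["insecureSkipVerify"] = False
    cfg["startTLS"] = False
    cfg["rootCA"] = root_ca_path
    return hardened


if __name__ == "__main__":
    for label, conn in (("template", AD_TEMPLATE),
                        ("hardened", harden_ldap_connector(AD_TEMPLATE))):
        print(f"== {label} ==")
        for severity, message in audit_ldap_connector(conn) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

The hardened copy still reports the bindPW placeholder until you fill in the real value; that finding is deliberate, because the installer will otherwise ship a connector that cannot bind. If your directory only offers StartTLS on 389, set startTLS: true instead of changing the port; the audit treats that combination as correct as long as certificate verification stays on.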

Enabling SSO for ArgoCD

Once the RBAC and Dex configuration files are ready, you can enable SSO for ArgoCD:

  1. Update the cluster_config.json file with the following parameters:
    1. fabric.argocd_dex_config_file - enter the path to the Dex configuration file created earlier.
    2. fabric.argocd_rbac_config_file - enter the path to the RBAC file created earlier.
  2. Re-run the fabric installer:
    ./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement
    
    