Automation Suite
2023.10
true
Linux 版 Automation Suite 安装指南
Last updated 2024年7月24日

为 ArgoCD 启用 SSO

概述

要启用 SSO 身份验证,必须使用 uipathctl 命令行工具。

准备配置文件

在为 ArgoCD 启用 SSO 之前,您必须生成 RBAC 文件和 Dex 配置文件。

RBAC 文件

RBAC 文件包含访问规则。

有关内置角色定义的详细信息,请参阅ArgoCD 文档

有关 ArgoCD 帐户类型及其权限的详细信息,请参阅在 ArgoCD 中管理集群

我们建议在定义组时使用这些角色,但您可以创建自己的权限集。

配置 RBAC 文件

  1. 通过运行以下命令,创建名为 policy.csv 的文件:
    uipathctl config argocd generate-rbacuipathctl config argocd generate-rbac
  2. 将以下内容添加到 policy.csv 文件中并保存:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
  3. 通过将以下行附加到 policy.csv RBAC 文件,将 RBAC 组与内置管理员角色和 UiPath™ argocdro 只读角色相关联:
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
  4. 保存更新的policy.csv RBAC 文件。

示例:

If your LDAP group for ArgoCD administrators is Administrators and the LDAP group for ArgoCD read-only users is Readers, the RBAC file should be similar to the one in the following example:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

For more advanced use cases, the following example shows the default RBAC file:

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

Dex 配置文件

Dex 配置文件包含为 ArgoCD 配置 SSO 所需的参数。

注意:如果您已拥有 LDAP 连接器文件 (ldap_connector.yaml),请跳至“为 ArgoCD 启用 SSO”。

要通过 LDAP 配置 SSO,请执行以下步骤:

  1. 通过运行以下命令生成 LDAP 模板文件。 将在运行命令的目录中生成连接器模板文件。
    uipathctl config argocd generate-dex-config -t ldapuipathctl config argocd generate-dex-config -t ldap
  2. 复制从---开始的输出,并将其另存为ldap_connector.yaml
    ArgoCD 配置文件示例:
    ---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn
    Active Directory LDAP 连接器文件示例:
    ---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admins's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admins's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address
  3. 使用所需信息更新 LDAP 连接器文件并保存。 我们建议使用 LDAPS。

为 ArgoCD 启用 SSO

准备好 RBAC 和 Dex 配置文件后,您可以为 ArgoCD 启用 SSO:

  1. 使用以下参数更新 cluster_config.json 文件:

    1. fabric.argocd_dex_config_file - 输入先前创建的 Dex 配置文件的路径。
    2. fabric.argocd_rbac_config_file - 输入先前创建的 RBAC 文件的路径。
  2. 重新运行结构安装程序:

    ./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement

  • 概述
  • 准备配置文件
  • RBAC 文件
  • Dex 配置文件
  • 为 ArgoCD 启用 SSO

此页面有帮助吗?

获取您需要的帮助
了解 RPA - 自动化课程
UiPath Community 论坛
Uipath Logo White
信任与安全
© 2005-2024 UiPath。保留所有权利。