Automation Suite
2023.4
Enabling SSO for ArgoCD
Automation Suite on Linux Installation Guide
Last updated: April 24, 2024
Enabling SSO authentication requires the uipathctl.sh script. For details about the script and the parameters it takes, see Using uipathctl.sh.
Before enabling SSO for ArgoCD, you must generate the RBAC file and the connector file.
The RBAC file contains the access rules. For details on the built-in role definitions, see the ArgoCD documentation. For details on ArgoCD account types and their permissions, see Managing the cluster in ArgoCD. We recommend using these roles when defining groups, but you can create your own permission sets.
Configuring the RBAC file
Example:
Assuming the LDAP group for ArgoCD administrators is "Administrators" and the LDAP group for ArgoCD read-only users is "Readers", the RBAC file is:
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin
For more advanced use cases, refer to the default RBAC file:
# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>
p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow
p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow
g, role:admin, role:readonly
g, admin, role:admin
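Before handing a policy.csv to uipathctl.sh, it pays to check what each LDAP group actually ends up with once role inheritance (the g rows, including the built-in g, role:admin, role:readonly) and the glob patterns are resolved. The script below is an added example, not part of this page and not ArgoCD's own code: it is a simplified re-implementation of the ArgoCD RBAC semantics (default deny, any matching allow grants, any matching deny overrides, and * in a pattern does not cross a /; regex patterns and project-scoped policies are not modeled). It embeds the RBAC file from this page followed by a trimmed subset of the built-in policy; the subject "Developers", the cluster name in-cluster and the application path default/guestbook used in the checks are constructed inputs.

```python
"""Dry-run an ArgoCD policy.csv before applying it with uipathctl.sh.

Simplified model of the ArgoCD (Casbin) RBAC rules: 'p' rows allow or deny a
(subject, resource, action, object) tuple, 'g' rows map a user or SSO group
to a role transitively, '*' in a glob never matches '/', the default is deny,
any matching 'allow' grants and any matching 'deny' wins.
"""
import csv
import io
import re
from collections import defaultdict

# The RBAC file from this page (site-specific rows first), followed by the
# subset of the ArgoCD built-in policy that those rows depend on.
POLICY_CSV = """\
p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin
# Built-in roles (trimmed to the rows needed for this check)
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, logs, get, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, clusters, create, *, allow
p, role:admin, exec, create, */*, allow
g, role:admin, role:readonly
g, admin, role:admin
"""


def parse_policy(text):
    """Split policy.csv into p rows and a subject -> roles map built from g rows."""
    policies, groupings = [], defaultdict(set)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue                                  # blank line or comment
        kind, *fields = row
        if kind == "p":
            policies.append(tuple(fields))            # sub, res, act, obj, eft
        elif kind == "g":
            groupings[fields[0]].add(fields[1])
    return policies, groupings


def effective_subjects(subject, groupings):
    """The subject itself plus every role reachable through g rows."""
    seen, stack = set(), [subject]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(groupings.get(s, ()))
    return seen


def glob_match(pattern, value):
    """ArgoCD-style glob: '*' matches any run of characters except '/'."""
    regex = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def enforce(policy_text, subject, resource, action, obj):
    """True if subject may perform action on resource/obj under the policy."""
    policies, groupings = parse_policy(policy_text)
    subjects = effective_subjects(subject, groupings)
    allowed = denied = False
    for sub, res, act, pobj, eft in policies:
        if (sub in subjects and glob_match(res, resource)
                and glob_match(act, action) and glob_match(pobj, obj)):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return allowed and not denied


def effective_grants(policy_text, subject):
    """Every (resource, action, object) allow pattern that applies to the
    subject after role inheritance. Deny rows are not subtracted here; this
    is the list to eyeball when reviewing a group before applying the file."""
    policies, groupings = parse_policy(policy_text)
    subjects = effective_subjects(subject, groupings)
    return sorted({(res, act, obj) for sub, res, act, obj, eft in policies
                   if sub in subjects and eft == "allow"})


if __name__ == "__main__":
    for group in ("Readers", "Administrators"):
        print(group)
        for grant in effective_grants(POLICY_CSV, group):
            print("  ", ", ".join(grant))
    # A matching 'deny' row overrides the 'allow' inherited from the role.
    hardened = POLICY_CSV + "p, Readers, applications, sync, */*, deny\n"
    print("Readers may sync:",
          enforce(POLICY_CSV, "Readers", "applications", "sync", "default/guestbook"),
          "-> with deny row:",
          enforce(hardened, "Readers", "applications", "sync", "default/guestbook"))
```

Run it as-is to print the effective grants per group. Two things the output makes visible: subjects are matched as exact, case-sensitive strings, so "Readers" in policy.csv must be spelled exactly as the LDAP connector reports the group (a user whose group arrives as "readers" gets nothing); and role:uipath-sync grants applications/sync as well as get, so members of "Readers" can trigger a deployment, which is more than read-only. If that is not intended, map the group to role:readonly instead, or add an explicit deny row as the script does.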
The LDAP connector file contains the LDAP parameters required to configure SSO for ArgoCD.
To configure SSO via LDAP, follow these steps:
Once the RBAC and connector files are ready, you can enable SSO for ArgoCD.
Enable SSO for ArgoCD by running the following command from the directory where the connector file is stored:
./uipathctl.sh sso-apply-overlays --install-type [online|offline] --accept-license-agreement --sso-connector-file ldap_connector.yaml --sso-rbac-file policy.csv
Note: After running the previous command, you should see an SSO login button on the ArgoCD login page. Sign in with the username and password of your corporate domain account.