主页
产品
Red Hat Data Grid
8.5
Data Grid 服务器指南
6.4. 使用客户端证书配置授权

6.4. 使用客户端证书配置授权

启用客户端证书身份验证意味着您不需要在客户端配置中指定 Data Grid 用户凭证，这意味着您必须将角色与客户端证书中的通用名称(CN)字段关联。

先决条件

为客户端提供包含其公共证书的 Java 密钥存储或证书链的一部分，通常是公共 CA 证书。
配置 Data Grid 服务器，以执行客户端证书身份验证。

流程

打开 Data Grid Server 配置以进行编辑。
在安全授权配置中启用 common-name-role-mapper。
从客户端证书分配具有适当权限的角色的通用名称(CN)。
保存对配置的更改。

注意

Data Grid 通过提取证书主体来创建客户端的身份。当前会忽略证书中存在的任何其他主题备用名称(SAN)。因此，以下 authorization.group-only-mapping 属性必须设置为 false。

客户端证书授权配置

XML

<infinispan>
  <cache-container name="certificate-authentication" statistics="true">
    <security>
      <authorization group-only-mapping="false">
        <!-- Declare a role mapper that associates the common name (CN) field in client certificate trust stores with authorization roles. -->
        <common-name-role-mapper/>
        <!-- In this example, if a client certificate contains `CN=Client1` then clients with matching certificates get ALL permissions. -->
        <role name="Client1" permissions="ALL"/>
      </authorization>
    </security>
  </cache-container>
</infinispan>

<infinispan>
  <cache-container name="certificate-authentication" statistics="true">
    <security>
      <authorization group-only-mapping="false">
        <!-- Declare a role mapper that associates the common name (CN) field in client certificate trust stores with authorization roles. -->
        <common-name-role-mapper/>
        <!-- In this example, if a client certificate contains `CN=Client1` then clients with matching certificates get ALL permissions. -->
        <role name="Client1" permissions="ALL"/>
      </authorization>
    </security>
  </cache-container>
</infinispan>

Copy to Clipboard

Toggle word wrap

JSON

{
  "infinispan": {
    "cache-container": {
      "name": "certificate-authentication",
      "security": {
        "authorization": {
          "group-only-mapping": false,
          "common-name-role-mapper": null,
          "roles": {
            "Client1": {
              "role": {
                "permissions": "ALL"
              }
            }
          }
        }
      }
    }
  }
}

{
  "infinispan": {
    "cache-container": {
      "name": "certificate-authentication",
      "security": {
        "authorization": {
          "group-only-mapping": false,
          "common-name-role-mapper": null,
          "roles": {
            "Client1": {
              "role": {
                "permissions": "ALL"
              }
            }
          }
        }
      }
    }
  }
}

Copy to Clipboard

Toggle word wrap

YAML

infinispan:
  cacheContainer:
    name: "certificate-authentication"
    security:
      authorization:
        groupOnlyMapping: false
        commonNameRoleMapper: ~
        roles:
          Client1:
            role:
              permissions:
                - "ALL"

infinispan:
  cacheContainer:
    name: "certificate-authentication"
    security:
      authorization:
        groupOnlyMapping: false
        commonNameRoleMapper: ~
        roles:
          Client1:
            role:
              permissions:
                - "ALL"

Copy to Clipboard

Toggle word wrap

返回顶部

6.4. 使用客户端证书配置授权

客户端证书授权配置

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links