5.3.2.3. 将 LDAP 组信息映射到 RBAC 角色

创建与 LDAP 服务器的连接并正确配置了组搜索后，需要在 LDAP 组和 RBAC 角色之间创建映射。此映射可以是包含的，也可以是独占性的，并且能够根据用户的组成员资格自动分配给用户一个或多个角色。

警告

如果尚未配置 RBAC，请在这样做时密切关注，特别是切换到新创建的 LDAP 域时。在没有正确配置用户和角色的情况下启用 RBAC 可能会导致管理员无法登录 JBoss EAP 管理界面。

注意

显示的管理 CLI 命令假定您在运行 JBoss EAP 单机服务器。有关将管理 CLI 用于 JBoss EAP 受管域的更多详细信息，请参见 JBoss EAP管理 CLI 指南。

确保已启用并配置 RBAC

在可以使用 LDAP 和 RBAC 角色之间的映射前，RBAC 必须启用并初始配置。

/core-service=management/access=authorization:read-attribute(name=provider)

/core-service=management/access=authorization:read-attribute(name=provider)

Copy to Clipboard

Toggle word wrap

它应产生以下结果：

{ "outcome" => "success", "result" => "rbac" }

{ "outcome" => "success", "result" => "rbac" }

Copy to Clipboard

Toggle word wrap

有关启用和配置 RBAC 的更多信息，请参阅如何为 JBoss EAP 配置服务器安全性中的基于角色的访问控制。

验证现有角色列表

使用 read-children-names 操作获取配置的角色的完整列表：

/core-service=management/access=authorization:read-children-names(child-type=role-mapping)

/core-service=management/access=authorization:read-children-names(child-type=role-mapping)

Copy to Clipboard

Toggle word wrap

这应该会产生一个角色列表：

{
  "outcome" => "success",
  "result" =>
    [ "Administrator", "Deployer", "Maintainer", "Monitor", "Operator", "SuperUser" ]
}

{
  "outcome" => "success",
  "result" =>
    [ "Administrator", "Deployer", "Maintainer", "Monitor", "Operator", "SuperUser" ]
}

Copy to Clipboard

Toggle word wrap

另外，可以检查角色的所有现有映射：

/core-service=management/access=authorization/role-mapping=Administrator:read-resource(recursive=true)

/core-service=management/access=authorization/role-mapping=Administrator:read-resource(recursive=true)

Copy to Clipboard

Toggle word wrap

{
  "outcome" => "success",
  "result" =>
  {
    "include-all" => false,
    "exclude" => undefined,
    "include" => {
      "user-theboss" => {
        "name" => "theboss",
        "realm" => undefined,
        "type" => "USER"
      },
      "user-harold" => {
        "name" => "harold",
        "realm" => undefined,
        "type" => "USER"
      },
      "group-SysOps" => {
        "name" => "SysOps",
        "realm" => undefined,
        "type" => "GROUP"
      }
    }
  }
}

{
  "outcome" => "success",
  "result" =>
  {
    "include-all" => false,
    "exclude" => undefined,
    "include" => {
      "user-theboss" => {
        "name" => "theboss",
        "realm" => undefined,
        "type" => "USER"
      },
      "user-harold" => {
        "name" => "harold",
        "realm" => undefined,
        "type" => "USER"
      },
      "group-SysOps" => {
        "name" => "SysOps",
        "realm" => undefined,
        "type" => "GROUP"
      }
    }
  }
}

Copy to Clipboard

Toggle word wrap

配置 Role-Mapping 条目

如果角色还没有 Role-Mapping 条目，则需要创建一个。例如：

/core-service=management/access=authorization/role-mapping=Auditor:read-resource()

/core-service=management/access=authorization/role-mapping=Auditor:read-resource()

Copy to Clipboard

Toggle word wrap

{
  "outcome" => "failed",
  "failure-description" => "WFLYCTL0216: Management resource '[ (\"core-service\" => \"management\"), (\"access\" => \"authorization\"), (\"role-mapping\" => \"Auditor\") ]' not found"
}

{
  "outcome" => "failed",
  "failure-description" => "WFLYCTL0216: Management resource '[ (\"core-service\" => \"management\"), (\"access\" => \"authorization\"), (\"role-mapping\" => \"Auditor\") ]' not found"
}

Copy to Clipboard

Toggle word wrap

添加角色映射：

/core-service=management/access=authorization/role-mapping=Auditor:add()

/core-service=management/access=authorization/role-mapping=Auditor:add()

Copy to Clipboard

Toggle word wrap

{
  "outcome" => "success"
}

{
  "outcome" => "success"
}

Copy to Clipboard

Toggle word wrap

验证：

/core-service=management/access=authorization/role-mapping=Auditor:read-resource()

/core-service=management/access=authorization/role-mapping=Auditor:read-resource()

Copy to Clipboard

Toggle word wrap

{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => undefined,
    "include" => undefined
  }
}

{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => undefined,
    "include" => undefined
  }
}

Copy to Clipboard

Toggle word wrap

将组添加到 Role for Inclusion 和 Exclusion

可以添加组以包含或从角色中排除。

注意

排除映射具有优先权或包含映射。

为包含添加组：

/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:add(name=GroupToInclude, type=GROUP)

/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:add(name=GroupToInclude, type=GROUP)

Copy to Clipboard

Toggle word wrap

为排除添加组：

/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:add(name=GroupToExclude, type=GROUP)

/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:add(name=GroupToExclude, type=GROUP)

Copy to Clipboard

Toggle word wrap

检查结果：

/core-service=management/access=authorization/role-mapping=Auditor:read-resource(recursive=true)

/core-service=management/access=authorization/role-mapping=Auditor:read-resource(recursive=true)

Copy to Clipboard

Toggle word wrap

{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => {
      "group-GroupToExclude" => {
        "name" => "GroupToExclude",
        "realm" => undefined,
        "type" => "GROUP"
      }
    },
    "include" => {
      "group-GroupToInclude" => {
        "name" => "GroupToInclude",
        "realm" => undefined,
        "type" => "GROUP"
      }
    }
  }
}

{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => {
      "group-GroupToExclude" => {
        "name" => "GroupToExclude",
        "realm" => undefined,
        "type" => "GROUP"
      }
    },
    "include" => {
      "group-GroupToInclude" => {
        "name" => "GroupToInclude",
        "realm" => undefined,
        "type" => "GROUP"
      }
    }
  }
}

Copy to Clipboard

Toggle word wrap

删除组，使其无法排除或包含在 RBAC 角色绑定中

从包含中删除组：

/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:remove

/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:remove

Copy to Clipboard

Toggle word wrap

要删除组，请排除：

/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:remove

/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:remove

Copy to Clipboard

Toggle word wrap

5.3.2.3. 将 LDAP 组信息映射到 RBAC 角色

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links