4.5.2.2. Manually configuring authentication
To configure OAuth manually, or to disable OAuth in the Reporting Operator, you must set spec.tls.enabled: false in the MeteringConfig resource.
This also disables all TLS and authentication between the Reporting Operator, Presto, and Hive. You must configure these resources manually yourself.
Authentication can be enabled by configuring the following options. Enabling authentication configures the Reporting Operator pod to run the OpenShift auth-proxy as a sidecar container in the pod. This adjusts the ports so that the reporting API is not exposed directly but is instead proxied through the auth-proxy sidecar container.
- reporting-operator.spec.authProxy.enabled
- reporting-operator.spec.authProxy.cookie.createSecret
- reporting-operator.spec.authProxy.cookie.seed
You must set reporting-operator.spec.authProxy.enabled and reporting-operator.spec.authProxy.cookie.createSecret to true, and set reporting-operator.spec.authProxy.cookie.seed to a random string of 32 characters.
You can use the following command to generate a random 32-character string:
$ openssl rand -base64 32 | head -c32; echo
4.5.2.2.1. Token authentication
When the following options are set to true, authentication using bearer tokens is enabled for the reporting REST API. The bearer token can be supplied by a service account or by a user.
- reporting-operator.spec.authProxy.subjectAccessReview.enabled
- reporting-operator.spec.authProxy.delegateURLs.enabled
When authentication is enabled, the bearer token used to query the reporting API for a given user or service account must be granted access through one of the following roles:
- report-exporter
- reporting-admin
- reporting-viewer
- metering-admin
- metering-viewer
The Metering Operator can create role bindings for you that grant these permissions, by specifying a list of subjects in the spec.permissions section. For an example, see the following advanced-auth.yaml example configuration.
apiVersion: metering.openshift.io/v1
kind: MeteringConfig
metadata:
  name: "operator-metering"
spec:
  permissions:
    # anyone in the "metering-admins" group can create, update, delete, etc any
    # metering.openshift.io resources in the namespace.
    # This also grants permissions to get query report results from the reporting REST API.
    meteringAdmins:
    - kind: Group
      name: metering-admins
    # Same as above except read only access and for the metering-viewers group.
    meteringViewers:
    - kind: Group
      name: metering-viewers
    # the default serviceaccount in the namespace "my-custom-ns" can:
    # create, update, delete, etc reports.
    # This also gives permissions to query the results from the reporting REST API.
    reportingAdmins:
    - kind: ServiceAccount
      name: default
      namespace: my-custom-ns
    # anyone in the group reporting-readers can get, list, watch reports, and
    # query report results from the reporting REST API.
    reportingViewers:
    - kind: Group
      name: reporting-readers
    # anyone in the group cluster-admins can query report results
    # from the reporting REST API. So can the user bob-from-accounting.
    reportExporters:
    - kind: Group
      name: cluster-admins
    - kind: User
      name: bob-from-accounting
  reporting-operator:
    spec:
      authProxy:
        # htpasswd.data can contain htpasswd file contents for allowing auth
        # using a static list of usernames and their password hashes.
        #
        # username is 'testuser' password is 'password123'
        # generated htpasswdData using: `htpasswd -nb -s testuser password123`
        # htpasswd:
        #   data: |
        #     testuser:{SHA}y/2sYAj5yrQIN4TL0YdPdmGNKpc=
        #
        # change REPLACEME to the output of your htpasswd command
        htpasswd:
          data: |
            REPLACEME
Alternatively, you can use any role that has a rule granting the get permission on reports/export, that is, get access to the export subresource of Report resources in the Reporting Operator namespace. Examples are admin and cluster-admin.
By default, both the Reporting Operator and Metering Operator service accounts have these permissions, and their tokens can be used for authentication.
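As an added pre-flight check, not part of the Red Hat documentation or the metering project, the following Python script validates a MeteringConfig (constructed here as a dict mirroring advanced-auth.yaml) against the settings described above: with spec.tls.enabled false it requires authProxy.enabled, cookie.createSecret, a 32-character cookie.seed, and checks that the permissions subjects are well-formed; it also generates a seed the same way as the openssl command. The rule that at least one authentication method (token auth options or htpasswd data) must be configured, and the subject-shape rules, are this script's own assumptions.

```python
import base64
import secrets

def generate_cookie_seed():
    """32-character seed built like the openssl command: base64 of 32 random bytes, first 32 chars."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")[:32]

def check_auth_config(cfg):
    """Return a list of problems found in a MeteringConfig dict; an empty list means OK."""
    problems = []
    spec = cfg.get("spec", {})
    if spec.get("tls", {}).get("enabled", True):
        return problems  # managed TLS/OAuth: the manual authProxy settings do not apply
    auth = spec.get("reporting-operator", {}).get("spec", {}).get("authProxy", {})
    if auth.get("enabled") is not True:
        return ["tls disabled but authProxy.enabled is not true: reporting API is unauthenticated"]
    cookie = auth.get("cookie", {})
    if cookie.get("createSecret") is not True:
        problems.append("authProxy.cookie.createSecret must be true")
    seed = cookie.get("seed")
    if not isinstance(seed, str) or len(seed) != 32:
        problems.append("authProxy.cookie.seed must be a 32-character string")
    token_auth = (auth.get("subjectAccessReview", {}).get("enabled") is True
                  or auth.get("delegateURLs", {}).get("enabled") is True)
    htpasswd = auth.get("htpasswd", {}).get("data", "").strip()
    if not token_auth and htpasswd in ("", "REPLACEME"):  # assumption: one method is required
        problems.append("no auth method: enable token auth or replace REPLACEME with htpasswd data")
    for key, subjects in spec.get("permissions", {}).items():
        for s in subjects:  # assumption: RBAC subject shape (Group/User/ServiceAccount+namespace)
            if s.get("kind") not in ("Group", "User", "ServiceAccount"):
                problems.append("%s: unsupported subject kind %r" % (key, s.get("kind")))
            elif s.get("kind") == "ServiceAccount" and not s.get("namespace"):
                problems.append("%s: ServiceAccount %r needs a namespace" % (key, s.get("name")))
    return problems

# Constructed MeteringConfig mirroring advanced-auth.yaml, with token authentication enabled.
EXAMPLE_CONFIG = {
    "apiVersion": "metering.openshift.io/v1", "kind": "MeteringConfig",
    "metadata": {"name": "operator-metering"},
    "spec": {
        "tls": {"enabled": False},
        "permissions": {
            "reportingAdmins": [{"kind": "ServiceAccount", "name": "default", "namespace": "my-custom-ns"}],
            "reportExporters": [{"kind": "Group", "name": "cluster-admins"},
                                {"kind": "User", "name": "bob-from-accounting"}]},
        "reporting-operator": {"spec": {"authProxy": {
            "enabled": True,
            "cookie": {"createSecret": True, "seed": generate_cookie_seed()},
            "subjectAccessReview": {"enabled": True}, "delegateURLs": {"enabled": True}}}}}}
```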