5.3.2.3. Mapping LDAP Group Information to RBAC Roles
Once a connection to the LDAP server has been created and the group search has been configured correctly, a mapping must be created between the LDAP groups and the RBAC roles. This mapping can be inclusive or exclusive, and allows one or more roles to be assigned to a user automatically based on the user's group membership.
If RBAC is not already configured, pay close attention when doing so, especially when switching to the newly created LDAP realm. Enabling RBAC without correctly configured users and roles can result in administrators being unable to log in to the JBoss EAP management interfaces.
The management CLI commands shown assume that you are running a JBoss EAP standalone server. For more details on using the management CLI with a JBoss EAP managed domain, see the JBoss EAP Management CLI Guide.
Ensure RBAC is enabled and configured
Before the mapping between LDAP groups and RBAC roles can be used, RBAC must be enabled and initially configured. Check the current access-control provider:
/core-service=management/access=authorization:read-attribute(name=provider)
It should produce the following result:
{ "outcome" => "success", "result" => "rbac" }
For more information on enabling and configuring RBAC, see Role-Based Access Control in How to Configure Server Security for JBoss EAP.
Verify the list of existing roles
Use the read-children-names operation to get a complete list of the configured roles:
/core-service=management/access=authorization:read-children-names(child-type=role-mapping)
This should produce a list of roles:
{ "outcome" => "success", "result" => [ "Administrator", "Deployer", "Maintainer", "Monitor", "Operator", "SuperUser" ] }
Additionally, all existing mappings for a role can be checked:
/core-service=management/access=authorization/role-mapping=Administrator:read-resource(recursive=true)
{ "outcome" => "success", "result" => { "include-all" => false, "exclude" => undefined, "include" => { "user-theboss" => { "name" => "theboss", "realm" => undefined, "type" => "USER" }, "user-harold" => { "name" => "harold", "realm" => undefined, "type" => "USER" }, "group-SysOps" => { "name" => "SysOps", "realm" => undefined, "type" => "GROUP" } } } }
Configure a Role-Mapping entry
If the role does not already have a Role-Mapping entry, one needs to be created. For example:
/core-service=management/access=authorization/role-mapping=Auditor:read-resource()
{ "outcome" => "failed", "failure-description" => "WFLYCTL0216: Management resource '[ (\"core-service\" => \"management\"), (\"access\" => \"authorization\"), (\"role-mapping\" => \"Auditor\") ]' not found" }
Add the role mapping:
/core-service=management/access=authorization/role-mapping=Auditor:add()
{ "outcome" => "success" }
Verify:
/core-service=management/access=authorization/role-mapping=Auditor:read-resource()
{ "outcome" => "success", "result" => { "include-all" => false, "exclude" => undefined, "include" => undefined } }
Add groups to a role for inclusion and exclusion
Groups can be added for inclusion in, or exclusion from, a role.
Exclusion mappings take precedence over inclusion mappings.
Add a group for inclusion:
/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:add(name=GroupToInclude, type=GROUP)
Add a group for exclusion:
/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:add(name=GroupToExclude, type=GROUP)
Check the result:
/core-service=management/access=authorization/role-mapping=Auditor:read-resource(recursive=true)
{ "outcome" => "success", "result" => { "include-all" => false, "exclude" => { "group-GroupToExclude" => { "name" => "GroupToExclude", "realm" => undefined, "type" => "GROUP" } }, "include" => { "group-GroupToInclude" => { "name" => "GroupToInclude", "realm" => undefined, "type" => "GROUP" } } } }
Remove a group from inclusion in or exclusion from an RBAC role
Remove a group from inclusion:
/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:remove
Remove a group from exclusion:
/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:remove
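Because the page warns that switching to the LDAP realm with a misconfigured mapping can lock administrators out, it helps to preview which roles a user would receive before making the switch. The following is an added example, not code from the JBoss EAP documentation or the product: it models the role-mapping semantics described above (include and exclude entries of type USER or GROUP, include-all, and exclusion taking precedence) and the sample mappings and user/group data are constructed to mirror the Administrator and Auditor resources shown on this page.

```python
# Added example: model JBoss EAP RBAC role-mapping resolution to preview
# effective roles before switching the management realm to LDAP.
from dataclasses import dataclass, field


@dataclass
class RoleMapping:
    """One role-mapping=<role> resource. Entries are (type, name) pairs,
    where type is "USER" or "GROUP", matching the include/exclude children."""
    include_all: bool = False
    include: set = field(default_factory=set)
    exclude: set = field(default_factory=set)


def effective_roles(user, groups, mappings):
    """Return the set of roles assigned to `user`, whose LDAP group search
    returned `groups`. An exclude entry always wins over include/include-all,
    as the page states that exclusion mappings take precedence."""
    principals = {("USER", user)} | {("GROUP", g) for g in groups}
    roles = set()
    for role, mapping in mappings.items():
        if principals & mapping.exclude:
            continue  # excluded: skip even if also included
        if mapping.include_all or principals & mapping.include:
            roles.add(role)
    return roles


# Constructed sample mirroring the Administrator and Auditor mappings above
# (Monitor with include-all is a hypothetical addition for illustration).
MAPPINGS = {
    "Administrator": RoleMapping(include={("USER", "theboss"),
                                          ("USER", "harold"),
                                          ("GROUP", "SysOps")}),
    "Auditor": RoleMapping(include={("GROUP", "GroupToInclude")},
                           exclude={("GROUP", "GroupToExclude")}),
    "Monitor": RoleMapping(include_all=True),
}


def lockout_check(admins, directory, mappings, required="Administrator"):
    """Return the administrators who would NOT hold `required` after the
    switch. `directory` maps user -> list of LDAP groups (constructed)."""
    return sorted(u for u in admins
                  if required not in effective_roles(u, directory.get(u, []), mappings))


if __name__ == "__main__":
    print(lockout_check(["harold", "bob"], {"bob": ["GroupToExclude"]}, MAPPINGS))
```

Run the check against the real role-mapping output (read-resource(recursive=true)) and the group search results for every administrator account before changing the realm.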