
5.3.2.3. Mapping LDAP Group Information to RBAC Roles


Once a connection to the LDAP server has been created and the group search has been configured correctly, a mapping needs to be created between the LDAP groups and the RBAC roles. This mapping can be inclusive or exclusive, and it allows one or more roles to be assigned to a user automatically based on the user's group membership.

Warning

If RBAC is not already configured, pay close attention when doing so, especially when switching to a newly created LDAP-enabled realm. Enabling RBAC without users and roles properly configured can leave administrators unable to log in to the JBoss EAP management interfaces.

Note

The management CLI commands shown assume that you are running a JBoss EAP standalone server. For more details on using the management CLI with a JBoss EAP managed domain, see the JBoss EAP Management CLI Guide.

Ensure RBAC Is Enabled and Configured

Before a mapping between LDAP groups and RBAC roles can be used, RBAC must be enabled and initially configured. Check the current provider:

/core-service=management/access=authorization:read-attribute(name=provider)

It should yield the following result:

{ "outcome" => "success", "result" => "rbac" }

For more information on enabling and configuring RBAC, see Role-Based Access Control in How to Configure Server Security for JBoss EAP.

Verify the List of Existing Roles

Use the read-children-names operation to get a complete list of the configured roles:

/core-service=management/access=authorization:read-children-names(child-type=role-mapping)

This should yield a list of roles:

{
  "outcome" => "success",
  "result" =>
    [ "Administrator", "Deployer", "Maintainer", "Monitor", "Operator", "SuperUser" ]
}

Alternatively, all existing mappings for a role can be inspected:

/core-service=management/access=authorization/role-mapping=Administrator:read-resource(recursive=true)
{
  "outcome" => "success",
  "result" =>
  {
    "include-all" => false,
    "exclude" => undefined,
    "include" => {
      "user-theboss" => {
        "name" => "theboss",
        "realm" => undefined,
        "type" => "USER"
      },
      "user-harold" => {
        "name" => "harold",
        "realm" => undefined,
        "type" => "USER"
      },
      "group-SysOps" => {
        "name" => "SysOps",
        "realm" => undefined,
        "type" => "GROUP"
      }
    }
  }
}

Configure a Role-Mapping Entry

If a role does not already have a role-mapping entry, one needs to be created. For example, reading a role that has no mapping fails:

/core-service=management/access=authorization/role-mapping=Auditor:read-resource()
{
  "outcome" => "failed",
  "failure-description" => "WFLYCTL0216: Management resource '[ (\"core-service\" => \"management\"), (\"access\" => \"authorization\"), (\"role-mapping\" => \"Auditor\") ]' not found"
}

Add the role mapping:

/core-service=management/access=authorization/role-mapping=Auditor:add()
{
  "outcome" => "success"
}

Verify:

/core-service=management/access=authorization/role-mapping=Auditor:read-resource()
{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => undefined,
    "include" => undefined
  }
}

Add Groups to the Role for Inclusion and Exclusion

Groups can be added to a role for inclusion or for exclusion.

Note

Exclusion mappings take precedence over inclusion mappings.

Add a group for inclusion:

/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:add(name=GroupToInclude, type=GROUP)

Add a group for exclusion:

/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:add(name=GroupToExclude, type=GROUP)

Check the results:

/core-service=management/access=authorization/role-mapping=Auditor:read-resource(recursive=true)
{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => {
      "group-GroupToExclude" => {
        "name" => "GroupToExclude",
        "realm" => undefined,
        "type" => "GROUP"
      }
    },
    "include" => {
      "group-GroupToInclude" => {
        "name" => "GroupToInclude",
        "realm" => undefined,
        "type" => "GROUP"
      }
    }
  }
}
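The two read-resource outputs above describe who gets a role, but the rule "exclusion takes precedence over inclusion" is easy to misjudge when a user is in several LDAP groups. The following script is an added example (not part of the Red Hat documentation or of JBoss EAP itself): it converts the CLI's DMR text output into Python data and then computes the roles a user ends up with for a given set of LDAP groups, applying the precedence rule from the note. The two DMR strings are constructed to mirror the Administrator and Auditor outputs shown on this page; the realm attribute is ignored because it is undefined in every entry here, and the converter assumes that "=>" only follows a quoted key, which holds for read-resource output.

```python
import json
import re

# Constructed sample: Administrator role mapping as the management CLI prints it
# (DMR text form with "=>" and "undefined"), mirroring the output shown above.
ADMINISTRATOR_DMR = """{
  "outcome" => "success",
  "result" =>
  {
    "include-all" => false,
    "exclude" => undefined,
    "include" => {
      "user-theboss" => { "name" => "theboss", "realm" => undefined, "type" => "USER" },
      "user-harold" => { "name" => "harold", "realm" => undefined, "type" => "USER" },
      "group-SysOps" => { "name" => "SysOps", "realm" => undefined, "type" => "GROUP" }
    }
  }
}"""

# Constructed sample: Auditor role mapping after the include/exclude commands above.
AUDITOR_DMR = """{
  "outcome" => "success",
  "result" => {
    "include-all" => false,
    "exclude" => {
      "group-GroupToExclude" => { "name" => "GroupToExclude", "realm" => undefined, "type" => "GROUP" }
    },
    "include" => {
      "group-GroupToInclude" => { "name" => "GroupToInclude", "realm" => undefined, "type" => "GROUP" }
    }
  }
}"""


def dmr_to_json(text):
    """Turn DMR text output into a Python object.

    Assumption: every "=>" follows a quoted key and "undefined" never occurs
    inside a string value, which is true for read-resource output.
    """
    text = re.sub(r'"\s*=>\s*', '": ', text)   # "key" => value  ->  "key": value
    text = re.sub(r"\bundefined\b", "null", text)
    return json.loads(text)


def parse_role_mapping(role, dmr_text):
    """Reduce a role-mapping read-resource output to the principals it includes
    and excludes, keyed as (TYPE, name). Realm is ignored (undefined on this page)."""
    out = dmr_to_json(dmr_text)
    if out.get("outcome") != "success":
        raise ValueError("read-resource failed: %r" % out.get("failure-description"))
    result = out["result"]

    def principals(section):
        entries = result.get(section) or {}   # section may be null, i.e. undefined
        return {(e["type"], e["name"]) for e in entries.values()}

    return {
        "role": role,
        "include_all": bool(result.get("include-all")),
        "include": principals("include"),
        "exclude": principals("exclude"),
    }


def effective_roles(mappings, user, groups):
    """Roles a user ends up with, given the LDAP groups returned for them.

    Rule from the note above: an exclusion mapping takes precedence over an
    inclusion mapping, so any exclude hit drops the role even if the user is
    also included directly, via a group, or via include-all.
    """
    keys = {("USER", user)} | {("GROUP", g) for g in groups}
    assigned = set()
    for m in mappings:
        if m["exclude"] & keys:
            continue
        if m["include_all"] or (m["include"] & keys):
            assigned.add(m["role"])
    return assigned


MAPPINGS = [
    parse_role_mapping("Administrator", ADMINISTRATOR_DMR),
    parse_role_mapping("Auditor", AUDITOR_DMR),
]
```

Calling `effective_roles(MAPPINGS, "bob", ["GroupToInclude", "GroupToExclude"])` returns an empty set: the Auditor inclusion via GroupToInclude is cancelled by the exclusion, which is exactly the case to check before switching an LDAP realm into production. Pasting the real output of `read-resource(recursive=true)` for each role into the same functions gives the effective assignment for any user returned by the LDAP group search.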

Remove a Group from Exclusion or Inclusion in an RBAC Role Binding

Remove a group from inclusion:

/core-service=management/access=authorization/role-mapping=Auditor/include=group-GroupToInclude:remove

Remove a group from exclusion:

/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-GroupToExclude:remove
© 2024 Red Hat, Inc.