4.5.2.2. 手动配置身份验证

要手动配置 OAuth,或在 Reporting Operator 中禁用 OAuth,必须在 MeteringConfig 资源中设置 spec.tls.enabled: false

警告

这也禁用 Reporting Operator、Presto 和 Hive 之间的所有 TLS 和身份验证。您需要自行手动配置这些资源。

身份验证可通过配置以下选项来启用。启用身份验证会将 Reporting Operator pod 配置为将 OpenShift auth-proxy 作为 pod 中的 sidecar 容器运行。这会调整端口,以便报告 API 不会被直接公开,而是通过 auth-proxy sidecar 容器进行代理。

  • reporting-operator.spec.authProxy.enabled
  • reporting-operator.spec.authProxy.cookie.createSecret
  • reporting-operator.spec.authProxy.cookie.seed

您需要将 reporting-operator.spec.authProxy.enabledreporting-operator.spec.authProxy.cookie.createSecret 设置为 true,将 reporting-operator.spec.authProxy.cookie.seed 设置为 32 个字符的随机字符串。

您可使用以下命令来生成 32 个字符的随机字符串。 

$ openssl rand -base64 32 | head -c32; echo.
4.5.2.2.1. 令牌身份验证

当以下选项被设置为 true 时,将针对报告 REST API 启用使用 bearer 令牌的身份验证。bearer 令牌可由服务帐户或用户提供。

  • reporting-operator.spec.authProxy.subjectAccessReview.enabled
  • reporting-operator.spec.authProxy.delegateURLs.enabled

启用身份验证后,必须通过以下任一角色向用于查询该用户或服务帐户报告 API 的 bearer 令牌授予访问权限:

  • report-exporter
  • reporting-admin
  • reporting-viewer
  • metering-admin
  • metering-viewer

Metering Operator 能够为您创建角色绑定,通过在 spec.permissions 部分中指定主体列表来授予这些权限。例如,请参阅以下 advanced-auth.yaml 示例配置。 

apiVersion: metering.openshift.io/v1
kind: MeteringConfig
metadata:
  name: "operator-metering"
spec:
  permissions:
    # anyone in the "metering-admins" group can create, update, delete, etc any
    # metering.openshift.io resources in the namespace.
    # This also grants permissions to get query report results from the reporting REST API.
    meteringAdmins:
    - kind: Group
      name: metering-admins
    # Same as above except read only access and for the metering-viewers group.
    meteringViewers:
    - kind: Group
      name: metering-viewers
    # the default serviceaccount in the namespace "my-custom-ns" can:
    # create, update, delete, etc reports.
    # This also gives permissions query the results from the reporting REST API.
    reportingAdmins:
    - kind: ServiceAccount
      name: default
      namespace: my-custom-ns
    # anyone in the group reporting-readers can get, list, watch reports, and
    # query report results from the reporting REST API.
    reportingViewers:
    - kind: Group
      name: reporting-readers
    # anyone in the group cluster-admins can query report results
    # from the reporting REST API. So can the user bob-from-accounting.
    reportExporters:
    - kind: Group
      name: cluster-admins
    - kind: User
      name: bob-from-accounting

  reporting-operator:
    spec:
      authProxy:
        # htpasswd.data can contain htpasswd file contents for allowing auth
        # using a static list of usernames and their password hashes.
        #
        # username is 'testuser' password is 'password123'
        # generated htpasswdData using: `htpasswd -nb -s testuser password123`
        # htpasswd:
        #   data: |
        #     testuser:{SHA}y/2sYAj5yrQIN4TL0YdPdmGNKpc=
        #
        # change REPLACEME to the output of your htpasswd command
        htpasswd:
          data: |
            REPLACEME

另外,您还可使用任何具有授予 reports/export get 权限规则的角色。这代表,get 访问 Reporting Operator 命名空间中的 Report 资源的 export 子资源。例如:admincluster-admin

默认情况下,Reporting Operator 和 Metering Operator 服务帐户均具有这些权限,其令牌可用于身份验证。