Centralized Authentication with Keycloak and Ambassador Edge Stack
Keycloak is a widely adopted Identity and Access Management (IAM for short) open-source solution. 2014 was a big year for groundbreaking technologies as both the Keycloak and Kubernetes projects were initially released a few weeks apart. Unsurprisingly, many Kubernetes end-users are turning to Keycloak as the preferred way to manage access to the secure APIs and services of their platform.
Simply running Keycloak in Kubernetes will not, however, make your platform secure. A lot of concerns are left to the user to configure and implement: from exposing the Keycloak API endpoints using TLS and an ingress controller, to enforcing security policies on specific business endpoints. When solving these problems, we have a bias towards using an API Gateway solution to handle encrypted connections and centralize API management policies, instead of re-implementing authentication strategies in every language and application of your microservice architecture.
Our goal today will be to install Keycloak as our IAM solution and secure it behind the Ambassador Edge Stack, our API Gateway acting as a Kubernetes ingress controller. As a final step, we will deploy a sample application and demonstrate how to use Keycloak as an Identity provider (IdP for short) to restrict access to this application with OAuth2 using request Filters.
Getting Started
In this tutorial, we will use a non-production-ready Keycloak installation. To simplify our dependency graph, we’ll use the in-memory datastore, which is totally suitable for a demo but wouldn’t guarantee high-availability in a production environment. If you are looking for production-grade persistence, Keycloak offers a variety of storage solutions.
The ingress controller is the missing building block in most Kubernetes offerings. Although Kubernetes defines an Ingress resource, it is not actually backed by any implementation that will turn the resource into a public service! The choice and installation of an ingress solution are left to the operator. Here, we will use the community version of the Ambassador Edge Stack, because of its direct integration with Keycloak for authentication, to expose and secure public traffic coming in from internet requests to downstream private services running in our Kubernetes cluster.
At the end of the tutorial, we’ll be up and running with the Ambassador Edge Stack doing TLS termination at the edge of the Kubernetes network, exposing our Keycloak installation under /auth/ and securing our Quote application under /backend/.
Scaffolding with the K8s Initializer
Kubernetes is often made fun of because of the copious amounts of YAML required. Instead of going into a scavenger hunt for YAML samples and assembling all puzzle pieces together from stale sources, we’ll be using the K8s Initializer to generate all of the Kubernetes resources for us. The K8s Initializer is a project generator tool similar to what exists for application developers: think Spring Initializr or Yeoman.
The wizard-like interface of the K8s Initializer will guide us through a few questions to understand and configure specific settings that vary from one cloud provider to the other. These implementation details are often where promises are broken and portability falls short, making it hard to configure ingress controllers and expose services to public traffic. Hopefully, we can do away with the little gotchas by using a comprehensive tool like the K8s Initializer, which will provide us with an optimal configuration.
Specifically for this tutorial, we picked our target Kubernetes cluster: “Google Kubernetes Engine” with a “Google External Load Balancer (L4)” load balancer. We also chose a public Hostname for our installation. Using a public hostname will require an extra step to configure a DNS entry to point to our installation, but given we want to demonstrate how to build a public secure application stack, it’s worth the extra effort. As for the K8s Initializer’s Auth configuration, we undoubtedly selected Keycloak, with a temporary password.
Once satisfied with our K8s Initializer options, we hit the “download” button. We’ll be given a set of ready-to-go YAML files and instructions.
Give it a try! https://app.getambassador.io/
Installing the Ambassador Edge Stack
We’ll start by installing the Ambassador Edge Stack, simply because it contains a number of Kubernetes Custom Resource Definition (CRD) dependencies. Given you have access to your desired Kubernetes cluster, the installation will be as simple as running kubectl apply commands and configuring a DNS entry to point to the external IP of the provisioned service.
Installing Keycloak
Installing Keycloak from the generated YAML is again straightforward: a single kubectl apply command. If you are a curious cat, peek at the Keycloak YAML file; don’t worry, it won’t kill you! You’ll actually be able to appreciate how the Ambassador Mapping resource instructs traffic hitting the public /auth/ prefix endpoint to be forwarded to our private Keycloak pod running in our Kubernetes cluster.
After giving Keycloak a few minutes to start, we’ll be able to access its UI at https://domain-name/auth/. Since we chose to let “Ambassador terminate TLS using a Let’s Encrypt certificate” in the K8s Initializer options, we can appreciate how automatic TLS termination is happening with a valid certificate for our Keycloak installation.
We can then log in to Keycloak’s Administration Console UI using the default admin username and the temporary password we’ve selected previously to configure Keycloak to our needs… and change the password!
Securing your APIs with Keycloak
Configuring a Keycloak Realm, Client and User
To secure our APIs, we will be using our shiny new Keycloak installation as our IdP. We first need to create a client to handle authentication requests from Ambassador Edge Stack. All of these configuration steps can be achieved using the Keycloak UI.
We first start by creating a new “Realm”. Hovering on top of the “Master” label in the right-hand navigation, we can click on “Add realm”. We picked ambassador as the “Name” of our new realm. This will be needed later on to configure the authorizationURL field in the auth Filter.
We’ll create a new client by navigating to “Clients” and clicking “Create”. We chose the following settings:
- Client ID: ambassador. This value will be used in the clientID field of the auth Filter.
- Client Protocol: openid-connect
- Root URL: None, left blank
On the following screen, we configured the Client with:
- Access Type: confidential
- Valid Redirect URIs: *
Navigating to the “Mappers” tab in our Client, we clicked “Create” and used the following settings:
- Protocol: openid-connect
- Name: Ambassador Mapper
- Mapper Type: Audience
- Included Client Audience: Select the name of the Client from the dropdown. Remember, we named our Client ambassador.
Going back to our ambassador Client, we navigated to the “Client Scopes” section and configured our Client for offline_access.
Back again to our ambassador Client, we then navigated to the “Credentials” section. We took note of the “Secret” value as it will be used later when configuring our auth Filter.
Along with our Client configuration, let’s configure a Keycloak “User”:
Navigating to the “Users” section of the Keycloak Administration Console, we will click on “Add user”. We gave our user a simple username: my-keycloak-user, then clicked “Save”.
Now that we have a user we can authenticate as, let’s deploy an application.
Deploying a Quote service
Deploying custom applications on Kubernetes is achieved by creating some Kubernetes resources defined as… you guessed it, more YAML! This time, since we are deploying a sample backend application, the definitions are fairly lightweight. You can save the following definitions to a “quote-service.yaml” file and deploy them using kubectl apply -f quote-service.yaml.
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: quote
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: quote
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quote
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quote
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: quote
    spec:
      containers:
      - name: backend
        image: docker.io/datawire/quote:0.4.1
        ports:
        - name: http
          containerPort: 8080
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: quote-backend
  namespace: default
spec:
  prefix: /backend/
  service: quote
```
This will create a Kubernetes Deployment, Service, and Mapping to publicly expose our running Quote application under the /backend/ path. Give it a try, it’s currently unprotected: https://domain-name/backend/.
Securing access
Building on the configuration we applied to our Keycloak installation in the “Configuring a Keycloak Realm, Client and User” section earlier, we’ll create OAuth2 Filter and FilterPolicy resources in Kubernetes. Don’t forget to replace the placeholders in this YAML sample with the values from your installation! Once again, save the following definitions to a “keycloak-filter.yaml” file and deploy them using kubectl apply -f keycloak-filter.yaml.
```yaml
---
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: keycloak-filter
  namespace: ambassador
spec:
  OAuth2:
    authorizationURL: https://{domain-name}/auth/realms/ambassador
    audience: ambassador
    clientID: ambassador
    secret: {client_secret}
    protectedOrigins:
    - origin: https://{domain-name}
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: quote-policy
  namespace: default
spec:
  rules:
  - host: "*"
    path: /backend/
    filters:
    - name: keycloak-filter
      namespace: ambassador
      arguments:
        scopes:
        - "offline_access"
```
Since the FilterPolicy is acting on the /backend/ path, when navigating to our Quote service under https://domain-name/backend/ we are now prompted for authentication by Keycloak! Try logging in with the my-keycloak-user username we created earlier!
We are just one step away from extending this FilterPolicy configuration to protect multiple paths, endpoints and services using the same authentication strategy. Talk about an efficient way to roll out single sign-on and centralize your authentication mechanism! Now, just follow the Ambassador documentation to configure fine-grained settings of Filter and FilterPolicy resources with Keycloak.
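To make the link between the Keycloak configuration and the Filter explicit, here is an added example (not code from the original post or from the Ambassador project) that performs, on an access token, the checks the Filter fields above correspond to: the authorizationURL is the expected issuer, the audience must be present in the token (which is exactly what the Audience mapper adds), and the offline_access scope requested by the FilterPolicy must have been granted. The sample tokens are constructed and unsigned; real Keycloak tokens are RS256-signed, and signature verification against the realm's JWKS is deliberately left out of this snippet.

```python
import base64
import json

# Values from the Filter resource above; {domain-name} is the page's own placeholder.
AUTHORIZATION_URL = "https://{domain-name}/auth/realms/ambassador"  # expected "iss"
AUDIENCE = "ambassador"            # must appear in "aud": this is what the Audience mapper adds
REQUIRED_SCOPE = "offline_access"  # the scope the FilterPolicy asks for

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_demo_token(claims):
    # Constructed, UNSIGNED demo token (empty signature segment). Real Keycloak
    # tokens are RS256-signed; an unsigned token must never be accepted.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def decode_claims(token):
    # Return the payload claims of a compact JWS. The signature is NOT verified
    # here; in production that is done against the realm's JWKS.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_claims(claims, now):
    """Return the list of problems found; an empty list means the token would pass."""
    problems = []
    if claims.get("iss") != AUTHORIZATION_URL:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)   # "aud" may be a string or a list
    if AUDIENCE not in aud:
        problems.append(f"audience {AUDIENCE!r} missing (aud={aud!r})")
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        problems.append(f"scope {REQUIRED_SCOPE!r} not granted")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

# Constructed sample tokens: one as issued with the Audience mapper, one without it.
BASE_CLAIMS = {"iss": AUTHORIZATION_URL, "preferred_username": "my-keycloak-user",
               "scope": "openid offline_access", "exp": 1_600_000_300}
GOOD_TOKEN = make_demo_token({**BASE_CLAIMS, "aud": ["ambassador"]})
NO_AUDIENCE_TOKEN = make_demo_token(BASE_CLAIMS)
```

Running check_claims on NO_AUDIENCE_TOKEN reports the missing audience, which is the failure you get at the gateway if the Audience mapper step is skipped.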
Learn More
In this tutorial, we’ve shown how to centralize your authentication in Kubernetes by deploying Keycloak as your IdP and the Ambassador Edge Stack as your Kubernetes-native API Gateway. With the help of the K8s Initializer, you are able to get these tools up and running in just a few clicks.
To learn more about these tools and centralized authentication strategies, check out the following resources:
Keycloak
Ambassador Edge Stack
K8s Initializer
Join our Slack
Translated from: https://blog.getambassador.io/centralized-authentication-with-keycloak-and-ambassador-edge-stack-d509ffbc7b6f