The steps for configuring objects with markers are shown below.

Configuring the Object

Consider configuring two owners, engineering and marketing, for the pool object pool-123. In the generic form "Key": ["value1", "value2"], this is "Owner": ["eng", "marketing"].

[admin:ctrl10]: > configure pool pool-123
[admin:ctrl10]: pool> markers
New object being created
[admin:ctrl10]: pool:markers> key owner
[admin:ctrl10]: pool:markers> values eng
[admin:ctrl10]: pool:markers> values marketing
[admin:ctrl10]: pool:markers> save
[admin:ctrl10]: pool> save

The pool configuration shows the key and its corresponding values assigned, as shown below.

+---------------------------------------+------------------------------------------------+
| Field                                 | Value                                          |
+---------------------------------------+------------------------------------------------+
| uuid                                  | pool-0f373267-d62d-47b5-90e6-486abdd5da53      |
| name                                  | pool-123                                       |
| default_server_port                   | 80                                             |
| graceful_disable_timeout              | 1 min                                          |
| connection_ramp_duration              | 10 min                                         |
| max_concurrent_connections_per_server | 0                                              |
| lb_algorithm                          | LB_ALGORITHM_LEAST_CONNECTIONS                 |
| lb_algorithm_hash                     | LB_ALGORITHM_CONSISTENT_HASH_SOURCE_IP_ADDRESS |
| inline_health_monitor                 | True                                           |
| use_service_port                      | False                                          |
| capacity_estimation                   | False                                          |
| capacity_estimation_ttfb_thresh       | 0 milliseconds                                 |
| vrf_ref                               | global                                         |
| fewest_tasks_feedback_delay           | 10 sec                                         |
| enabled                               | True                                           |
| request_queue_enabled                 | False                                          |
| request_queue_depth                   | 128                                            |
| host_check_enabled                    | False                                          |
| sni_enabled                           | True                                           |
| rewrite_host_header_to_sni            | False                                          |
| rewrite_host_header_to_server_name    | False                                          |
| lb_algorithm_core_nonaffinity         | 2                                              |
| lookup_server_by_name                 | False                                          |
| analytics_profile_ref                 | System-Analytics-Profile                       |
| markers[1]                            |                                                |
|   key                                 | owner                                          |
|   values[1]                           | eng                                            |
|   values[2]                           | marketing                                      |
| tenant_ref                            | admin                                          |
| cloud_ref                             | Default-Cloud                                  |
| server_timeout                        | 0 milliseconds                                 |
| delete_server_on_dns_refresh          | True                                           |
| enable_http2                          | False                                          |
| ignore_server_port                    | False                                          |
| routing_pool                          | False                                          |
+---------------------------------------+------------------------------------------------+

Creating the Role

Create a role for eng and grant it write access to the pool object.

[admin:ctrl10.79.169.184]: > configure role role-eng
[admin:ctrl10.79.169.184]: role> privileges
New object being created
[admin:ctrl10.79.169.184]: role:privileges> type write_access
[admin:ctrl10.79.169.184]: role:privileges> resource permission_pool
[admin:ctrl10.79.169.184]: role:privileges> save
[admin:ctrl10.79.169.184]: role> filters
New object being created
[admin:ctrl10.79.169.184]: role:filters> match_operation role_filter_glob_match
[admin:ctrl10.79.169.184]: role:filters> match_label
[admin:ctrl10.79.169.184]: role:filters:match_label> key owner
[admin:ctrl10.79.169.184]: role:filters:match_label> values *eng*
[admin:ctrl10.79.169.184]: role:filters:match_label> save
[admin:ctrl10.79.169.184]: role:filters> save
[admin:ctrl10.79.169.184]: role> no allow_unlabelled_access
[admin:ctrl10.79.169.184]: role> save

The role is shown below.

+-------------------------+-------------------------------------------+
| Field                   | Value                                     |
+-------------------------+-------------------------------------------+
| uuid                    | role-870880cf-6093-4dbb-83bb-b6e0566dfc83 |
| name                    | role-eng                                  |
| privileges[1]           |                                           |
|   type                  | WRITE_ACCESS                              |
|   resource              | PERMISSION_POOL                           |
| filters[1]              |                                           |
|   match_operation       | ROLE_FILTER_GLOB_MATCH                    |
|   match_label           |                                           |
|     key                 | owner                                     |
|     values[1]           | *eng*                                     |
|   enabled               | True                                      |
| allow_unlabelled_access | False                                     |
| tenant_ref              | admin                                     |
+-------------------------+-------------------------------------------+
Note:

For this role, allow_unlabelled_access is disabled. This means that users will not be able to see unlabelled objects. To make unlabelled objects visible, this option must be set to True.

Similarly, the required object permissions can be configured for the marketing role.

Creating the Label Group

Create labelgroup-123, a new object that contains a list of the form ["key1": ["value1", "value2", "value3", ...]].

[admin:ctrl]: > configure labelgroup labelgroup-123
[admin:ctrl]: labelgroup> labels
New object being created
[admin:ctrl]: labelgroup:labels> match_operation role_filter_equals
[admin:ctrl]: labelgroup:labels> match_label
[admin:ctrl]: labelgroup:labels:match_label> key owner
[admin:ctrl1]: labelgroup:labels:match_label> values eng
[admin:ctrl1]: labelgroup:labels:match_label> values marketing
[admin:ctrl1]: labelgroup:labels:match_label> values testing
[admin:ctrl1]: labelgroup:labels:match_label> save
[admin:ctrl1]: labelgroup:labels> save
[admin:ctrl1]: labelgroup> save

The label group object is shown below.

+-------------------+-------------------------------------------------+
| Field             | Value                                           |
+-------------------+-------------------------------------------------+
| uuid              | labelgroup-dee35ef6-b3c3-4eae-956a-9b32b6a87d26 |
| name              | labelgroup-123                                  |
| labels[1]         |                                                 |
|   match_operation | ROLE_FILTER_EQUALS                              |
|   match_label     |                                                 |
|     key           | owner                                           |
|     values[1]     | eng                                             |
|     values[2]     | marketing                                       |
|     values[3]     | testing                                         |
+-------------------+-------------------------------------------------+

Associating the Label Group with the Tenant

[admin:ctrl]: > configure tenant t-1
[admin:ctrl]: tenant> enforce_label_group
[admin:ctrl]: tenant> label_group_refs labelgroup-123
[admin:ctrl]: tenant> save

The configured tenant is shown below.

+--------------------------------+---------------------------------------------+
| Field                          | Value                                       |
+--------------------------------+---------------------------------------------+
| uuid                           | tenant-b7a85c33-26c3-40eb-a25c-f86a58d3e5ff |
| name                           | t-1                                         |
| local                          | True                                        |
| config_settings                |                                             |
|   tenant_vrf                   | False                                       |
|   se_in_provider_context       | True                                        |
|   tenant_access_to_provider_se | True                                        |
| enforce_label_group            | True                                        |
| label_group_refs[1]            | labelgroup-123                              |
+--------------------------------+---------------------------------------------+

Creating an object whose markers do not conform to the key-value rules assigned in the label group results in an error.

For example, if a pool object is configured with the marker "Key": ["sales"], an error is displayed as shown below:

[admin:ctrl]: > configure pool pool-4
[admin:ctrl]: pool> markers
New object being created
[admin:ctrl]: pool:markers> key owner
[admin:ctrl]: pool:markers> value sales
[admin:ctrl]: pool:markers> save
[admin:ctrl]: pool> save
Error: {"error": "Marker with key 'owner' to value 'sales' does not qualify the labelgroup rules on this tenant."}
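As an added example, not the product's own code, the following Python re-implements the two decisions this page walks through: the role filter on role-eng with allow_unlabelled_access disabled (the note above), and the label-group enforcement on tenant t-1 that rejects pool-4 with the error just shown. Object and rule names mirror the CLI session. The matching semantics are assumptions inferred from the page's examples rather than documented product behaviour: ROLE_FILTER_EQUALS as set membership, ROLE_FILTER_GLOB_MATCH as shell-style globbing, any matching marker value is enough for a role filter (pool-123 is owned by both eng and marketing and role-eng is expected to reach it), every marker value must qualify under label-group enforcement, keys with no rule are left alone, and write_access includes read_access.

```python
import fnmatch
from dataclasses import dataclass

# Illustrative re-implementation of the marker / role-filter / label-group logic
# described on this page. Not the product's code; semantics are assumptions.


@dataclass
class Marker:
    """A marker on an object, e.g. key owner -> values [eng, marketing]."""
    key: str
    values: list


@dataclass
class LabelRule:
    """One label-group label or one role filter."""
    match_operation: str  # "ROLE_FILTER_EQUALS" or "ROLE_FILTER_GLOB_MATCH"
    key: str
    values: list


@dataclass
class Role:
    privileges: dict          # resource -> access type, e.g. {"permission_pool": "write_access"}
    filters: list             # list of LabelRule
    allow_unlabelled_access: bool = False


def value_qualifies(rule, value):
    """Does one marker value satisfy the rule under its match_operation?"""
    if rule.match_operation == "ROLE_FILTER_EQUALS":
        return value in rule.values
    if rule.match_operation == "ROLE_FILTER_GLOB_MATCH":
        # shell-style globbing: "*eng*" matches "eng" and "engineering", not "marketing"
        return any(fnmatch.fnmatchcase(value, pattern) for pattern in rule.values)
    raise ValueError(f"unknown match_operation {rule.match_operation!r}")


def validate_markers(markers, label_rules):
    """Label-group enforcement (enforce_label_group = True on the tenant).

    Returns the (key, value) pairs that do not qualify; an empty list means the
    object can be saved. Assumption: keys with no governing rule are not checked.
    """
    rejected = []
    for marker in markers:
        rules = [r for r in label_rules if r.key == marker.key]
        if not rules:
            continue
        for value in marker.values:
            if not any(value_qualifies(r, value) for r in rules):
                rejected.append((marker.key, value))
    return rejected


def format_marker_error(rejected):
    """Render the page's error text for the first rejected marker value."""
    key, value = rejected[0]
    return (f"Marker with key '{key}' to value '{value}' does not qualify "
            f"the labelgroup rules on this tenant.")


def role_can_access(role, resource, access, markers):
    """Granular RBAC decision: a privilege on the resource plus a matching filter.

    Unlabelled objects are visible only with allow_unlabelled_access = True.
    A labelled object is reachable when any filter matches any value of a marker
    carrying the filter's key. Assumption: write_access includes read_access.
    """
    granted = role.privileges.get(resource)
    if granted is None:
        return False
    if access == "write_access" and granted != "write_access":
        return False
    if not markers:
        return role.allow_unlabelled_access
    if not role.filters:
        return True  # assumption: a role without filters is not label-restricted
    return any(
        value_qualifies(f, value)
        for f in role.filters
        for m in markers if m.key == f.key
        for value in m.values
    )


# Constructed objects mirroring the CLI session on this page.
POOL_123 = [Marker("owner", ["eng", "marketing"])]
POOL_4 = [Marker("owner", ["sales"])]
LABELGROUP_123 = [LabelRule("ROLE_FILTER_EQUALS", "owner", ["eng", "marketing", "testing"])]
ROLE_ENG = Role(
    privileges={"permission_pool": "write_access"},
    filters=[LabelRule("ROLE_FILTER_GLOB_MATCH", "owner", ["*eng*"])],
    allow_unlabelled_access=False,
)

if __name__ == "__main__":
    print("pool-123 rejected values:", validate_markers(POOL_123, LABELGROUP_123))
    print("pool-4 error:", format_marker_error(validate_markers(POOL_4, LABELGROUP_123)))
    print("role-eng can write pool-123:",
          role_can_access(ROLE_ENG, "permission_pool", "write_access", POOL_123))
    print("role-eng can see an unlabelled pool:",
          role_can_access(ROLE_ENG, "permission_pool", "read_access", []))
```

Running the block reproduces the page's outcomes: pool-123 saves cleanly, pool-4 produces the same error string, role-eng can write pool-123 through the *eng* glob, and an unlabelled pool stays hidden until allow_unlabelled_access is set to True.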