使用标记配置对象的步骤如下所示。
配置对象
我们来考虑为池对象 pool-123 配置两个所有者,即工程师和营销人员。此处为 “Key”: [“value1”, “value2”] :: “Owner”: [“eng”, “marketing”]。
[admin:ctrl10]: > configure pool pool-123 [admin:ctrl10]: pool> markers New object being created [admin:ctrl10]: pool:markers> key owner [admin:ctrl10]: pool:markers> values eng [admin:ctrl10]: pool:markers> values marketing [admin:ctrl10]: pool:markers> save [admin:ctrl10]: pool> save
该池配置显示分配了键和相应的值,如下所示。
+---------------------------------------+-------------------------------+ | Field | Value | +---------------------------------------+-------------------------------+ | uuid | pool-0f373267-d62d-47b5-90e6-486abdd5da53 | | name | pool-123 | | default_server_port | 80 | | graceful_disable_timeout | 1 min | | connection_ramp_duration | 10 min | | max_concurrent_connections_per_server | 0 | | lb_algorithm | LB_ALGORITHM_LEAST_CONNECTIONS| | lb_algorithm_hash | LB_ALGORITHM_CONSISTENT_HASH_SOURCE_IP_ADDRESS | | inline_health_monitor | True | | use_service_port | False | | capacity_estimation | False | | capacity_estimation_ttfb_thresh | 0 milliseconds | | vrf_ref | global | | fewest_tasks_feedback_delay | 10 sec | | enabled | True | | request_queue_enabled | False | | request_queue_depth | 128 | | host_check_enabled | False | | sni_enabled | True | | rewrite_host_header_to_sni | False | | rewrite_host_header_to_server_name | False | | lb_algorithm_core_nonaffinity | 2 | | lookup_server_by_name | False | | analytics_profile_ref | System-Analytics-Profile | | markers[1] | | | key | owner | | values[1] | eng | | values[2] | marketing | | tenant_ref | admin | | cloud_ref | Default-Cloud | | server_timeout | 0 milliseconds | | delete_server_on_dns_refresh | True | | enable_http2 | False | | ignore_server_port | False | | routing_pool | False | +---------------------------------------+-------------------------------+
创建角色
创建名为 eng 的角色,并授予其对池对象的写入访问权限。
[admin:ctrl10.79.169.184]: > configure role role-eng [admin:ctrl10.79.169.184]: role> privileges New object being created [admin:ctrl10.79.169.184]: role:privileges> type write_access [admin:ctrl10.79.169.184]: role:privileges> resource permission_pool [admin:ctrl10.79.169.184]: role:privileges> save [admin:ctrl10.79.169.184]: role> filters New object being created [admin:ctrl10.79.169.184]: role:filters> match_operation role_filter_glob_match [admin:ctrl10.79.169.184]: role:filters> match_label [admin:ctrl10.79.169.184]: role:filters:match_label> key owner [admin:ctrl10.79.169.184]: role:filters:match_label> values *eng* [admin:ctrl10.79.169.184]: role:filters:match_label> save [admin:ctrl10.79.169.184]: role:filters> save [admin:ctrl10.79.169.184]: role> no allow_unlabelled_access [admin:ctrl10.79.169.184]: role> save
该角色如下所示。
+-------------------------+-------------------------------------------+ | Field | Value | +-------------------------+-------------------------------------------+ | uuid | role-870880cf-6093-4dbb-83bb-b6e0566dfc83 | | name | role-eng | | privileges[1] | | | type | WRITE_ACCESS | | resource | PERMISSION_POOL | | filters[1] | | | match_operation | ROLE_FILTER_GLOB_MATCH | | match_label | | | key | owner | | values[1] | *eng* | | enabled | True | | allow_unlabelled_access | False | | tenant_ref | admin | +-------------------------+-------------------------------------------+
注:
对于该角色,allow_unlabelled_access 处于禁用状态。这意味着,用户将无法看到未标记的对象。要使未标记的对象可见,必须将此选项设置为 True。
同样,也可以为 marketing 角色配置所需的对象权限。
创建标签组
创建 labelgroup-123,这是包含 [“key1”: [“value1”, “value2’, “value3”, …] 列表的新对象。
[admin:ctrl]: > configure labelgroup labelgroup-123 [admin:ctrl]: labelgroup> labels New object being created [admin:ctrl]: labelgroup:labels> match_operation role_filter_equals [admin:ctrl]: labelgroup:labels> match_label [admin:ctrl]: labelgroup:labels:match_label> key owner [admin:ctrl1]: labelgroup:labels:match_label> values eng [admin:ctrl1]: labelgroup:labels:match_label> values marketing [admin:ctrl1]: labelgroup:labels:match_label> values testing [admin:ctrl1]: labelgroup:labels:match_label> save [admin:ctrl1]: labelgroup:labels> save [admin:ctrl1]: labelgroup> save
该标签组对象如下所示。
+-------------------+-------------------------------------------------+ | Field | Value | +-------------------+-------------------------------------------------+ | uuid | labelgroup-dee35ef6-b3c3-4eae-956a-9b32b6a87d26 | | name | labelgroup-123 | | labels[1] | | | match_operation | ROLE_FILTER_EQUALS | | match_label | | | key | owner | | values[1] | eng | | values[2] | marketing | | values[3] | testing | +-------------------+-------------------------------------------------+
将标签组与租户关联
[admin:ctrl]: > configure tenant t-1 [admin:ctrl]: tenant> enforce_label_group [admin:ctrl]: tenant> label_group_refs labelgroup-123 [admin:ctrl]: tenant> save
配置的租户如下所示。
+--------------------------------+--------------------------------------+ | Field | Value | +--------------------------------+--------------------------------------+ | uuid | tenant-b7a85c33-26c3-40eb-a25c-f86a58d3e5ff | | name | t-1 | | local | True | | config_settings | | | tenant_vrf | False | | se_in_provider_context | True | | tenant_access_to_provider_se | True | | enforce_label_group | True | | label_group_refs[1] | labelgroup-123 | +--------------------------------+--------------------------------------+
使用不符合标签组中分配的键值规则的标记创建对象时,将显示为错误。
例如,如果池对象配置了标记 “Key”: [“sales”],则会显示错误,如下所示:
[admin:ctrl]: > configure pool pool-4
[admin:ctrl]: pool> markers
New object being created
[admin:ctrl]: pool:markers> key owner
[admin:ctrl]: pool:markers> value sales
[admin:ctrl]: pool:markers> save
[admin:ctrl]: pool> save
Error: {"error": "Marker with key 'owner' to value 'sales' does not qualify the labelgroup rules on this tenant."}
