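How do you add authentication to jobserver? This post gives some ways of finding the answer.
The official documentation and examples are generally enough to solve it.
First, enable Shiro authentication
In your conf configuration file, add: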
    shiro {
      authentication = on
      # an absolute path is recommended
      config.path = "shiro.ini"
    }
Then add a shiro.ini file in the same directory as the configuration.
Look at the official template examples:
Basic
    # =============================================================================
    # Use this template for basic username / password authentication
    # =============================================================================
    # -----------------------------------------------------------------------------
    # Format: Users and their passwords
    # username = password
    # -----------------------------------------------------------------------------
    [users]
    user1 = password1
    user2 = password2
    user3 = password3
This is the Shiro authentication format; the full form is: user = password, role1,role2
LDAP authentication
This one is more complex and adds user groups: https://github.com/spark-jobserver/spark-jobserver/blob/master/job-server/config/shiro.ini.ldap.template
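A small audit of the [users] section in the "user = password, role1,role2" format described above; this is an added example, not code from the original post or from the spark-jobserver project. The sample file and its hash value are constructed, and treating a value that starts with `$shiro1$` (Shiro's hashed-password format) as hashed and everything else as plaintext is an assumption of this sketch, as is the 12-character minimum.

```python
import re

# Entries from the official basic template shown above; shipping them unchanged is a finding.
TEMPLATE_DEFAULTS = {("user1", "password1"), ("user2", "password2"), ("user3", "password3")}

SAMPLE = """\
# constructed sample for this example, not a real deployment
[users]
user1 = password1
alice = $shiro1$SHA-256$500000$c2FsdA==$aGFzaA==, admin,dev
bob = correct-horse-battery, dev
"""

def parse_users(ini_text):
    """Return {username: (password, [roles])} from the [users] section."""
    users, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "users" or "=" not in line:
            continue
        # Split on the first "=" only: hashed values may contain "=" padding.
        name, value = (part.strip() for part in line.split("=", 1))
        password, *roles = (field.strip() for field in value.split(","))
        users[name] = (password, [r for r in roles if r])
    return users

def audit(ini_text, min_len=12):
    """Return a sorted list of (username, finding) pairs."""
    findings = []
    for name, (password, _roles) in parse_users(ini_text).items():
        if (name, password) in TEMPLATE_DEFAULTS:
            findings.append((name, "template default credential"))
        # Assumption: "$shiro1$..." marks a hashed entry, anything else is plaintext.
        if not password.startswith("$shiro1$"):
            findings.append((name, "plaintext password in file"))
            if len(password) < min_len:
                findings.append((name, "password shorter than %d chars" % min_len))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user, "-", finding)
```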
    # Template for LDAP authorization
    # To get detailed LDAP messages change log4j.rootLogger level to DEBUG in the log4j-server.properties file
    #------------------#
    # General Settings #
    #------------------#
    activeDirectoryRealm.contextFactory.url = ldap://localhost:389
    activeDirectoryRealm.userDnTemplate = cn={0},ou=people,dc=xyz,dc=com
    cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
    securityManager.cacheManager = $cacheManager
    #-------------------------------------------#
    # LDAP authorization without group checking #
    #-------------------------------------------#
    # activate this for basic ldap authorization, without group checking
    activeDirectoryRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
    #---------------------------------------------------#
    # LDAP authorization with group membership checking #
    #---------------------------------------------------#
    # activate this for checking group membership of users based on the specified userSearchFilter and groupSearchFilter variable
    # activeDirectoryRealm = spark.jobserver.auth.LdapGroupRealm
    # search base for ldap groups (only relevant for LdapGroupRealm):
    #activeDirectoryRealm.contextFactory.environment[ldap.searchBase] = dc=xyz,dc=com
    # filter to authenticate users ({0} is replaced by the user name)
    # activeDirectoryRealm.userSearchFilter=(&(objectClass=person)(CN={0}))
    # filter to validate group membership ({0} is replaced by a group from the allowedGroups variable,
    # {1} by the user name and {2} by the full user path in ldap)
    # activeDirectoryRealm.groupSearchFilter=(&(member={2})(objectClass=posixGroup)(CN={0}))
    # allowed groups as comma separated list
    #activeDirectoryRealm.contextFactory.environment[ldap.allowedGroups] = group1,group2
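Finally, access it
The browser automatically pops up an authentication dialog. Google Chrome may have problems; no problems were found with Firefox.
Access via curl: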
    curl -k --basic --user 'user:pw' https://localhost:8090/contexts
    # or use a header
    curl -H "Authorization:Basic xxx==" url
The same works from code:
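    import java.nio.charset.StandardCharsets;
    // Apache Commons Codec (assumed from the encodeBase64 call)
    import org.apache.commons.codec.binary.Base64;

    /**
     * Build the Basic Auth header value.
     */
    private static String getHeader() {
        String auth = "username:password";
        // Base64 is an encoding, not encryption: send this header over HTTPS only
        byte[] encodedAuth = Base64.encodeBase64(auth.getBytes(StandardCharsets.US_ASCII));
        // Decode with an explicit charset instead of the platform default
        return "Basic " + new String(encodedAuth, StandardCharsets.US_ASCII);
    }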