Docker in Depth 2 - UI: Updating Service ACLs in Portainer via the API

2018/11/5

Preparation

  1. Read the documentation

    resource_controls
    Manage access control on Docker resources
    
    POST
    /resource_controls
    Create a new resource control
    PUT
    /resource_controls/{id}
    Update a resource control
    DELETE
    /resource_controls/{id}
    Remove a resource control
  2. This example runs on macOS and uses httpie to send requests
    brew install httpie

  3. Use jq to format the data
    brew install jq

  4. Working directory
    /tmp/httpie

Background

After upgrading Portainer to 1.19.2, there is one notable change:

1.19.2

Breaking changes

This version changes the default ownership for externally created resources from Public to Administrator restricted (#960, #2137). The migration process will automatically migrate any existing resource declared as Public to Administrators only.

Although ACLs had been set on the services before, after the upgrade they turned out to have all been reset to Administrators permissions anyway.

Temporary workaround: reset the ACLs through the API

A concrete walkthrough follows:

1. Obtain an authentication token
http POST http://your-portainer-addr/api/auth Username="admin" Password="portainer"
{
    "jwt": "xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY"
}
2. List the teams
http GET http://your-portainer-addr/api/teams \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY"

[
    {
        "Id": 1,
        "Name": "dev"
    },
    {
        "Id": 2,
        "Name": "qa"
    },
    {
        "Id": 3,
        "Name": "ops"
    }
]
Example: read JSON data from a file and send it in a POST request
mkdir -p /tmp/httpie && cd /tmp/httpie
http POST http://your-portainer-addr/api/resource_controls \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" \
@/tmp/httpie/1.json
Example: get the status of the services matched by a service name prefix filter
http GET http://your-portainer-addr/api/endpoints/5/docker/services\?filters\='{"name":["dev-app1"]}' \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" |jq '.[] | {name: .Spec.Name, id: .ID, teams: .Portainer.ResourceControl.TeamAccesses[0].TeamId}'
3. Get the IDs of the services matched by a service name prefix filter
http GET http://your-portainer-addr/api/endpoints/5/docker/services\?filters\='{"name":["dev-app1"]}' \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" |jq '.[].ID' > .id
4. Using the information above, call the API in bulk to create the team ACLs (note: per the API docs, this uses the POST method)
s1='{"Type": "service", "Public": false, "ResourceID": "'
s2='", "Users": [], "Teams": [2]}'

for ID in `cat .id |sed 's/"//g'`;do
  echo $ID
  echo ${s1}${ID}${s2} >acl-create.json

  http POST http://your-portainer-addr/api/resource_controls \
  "Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" \
  @/tmp/httpie/acl-create.json

  echo '---------'
done
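5. [For example, when the permissions were set incorrectly] Using the information above, call the API in bulk to update the team ACLs (note: per the API docs, this uses the PUT method)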
s3='{"Public": false, "Users":[], "Teams":[2]}'

for ID in `cat .id |sed 's/"//g'`;do
  echo ${ID}
  echo ${s3} >acl-update.json

  echo '[+] Portainer.ResourceControl.ID:'
  portainer_svc_rc_id=`http GET "http://your-portainer-addr/api/endpoints/5/docker/services/${ID}" \
  "Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" |jq '.Portainer.ResourceControl.Id'`
  echo ${portainer_svc_rc_id}

  echo '[+] Update:'
  http PUT "http://your-portainer-addr/api/resource_controls/${portainer_svc_rc_id}" \
  "Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" \
  @/tmp/httpie/acl-update.json

  echo '---------'
done
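
Steps 3 to 5 as a single dry-run planner, added here as an example and not part of the original post: it reads a services listing and decides per service whether the step 4 POST or the step 5 PUT is needed, leaving already-correct ACLs alone. The sample services and their IDs are constructed, and treating a missing ResourceControl object as "no ACL yet" is an assumption.

```python
import json

# Constructed sample shaped like the GET /api/endpoints/5/docker/services
# fields that the jq filters above read; IDs and names are made up.
SAMPLE_SERVICES = json.loads("""
[
  {"ID": "svc-aaa", "Spec": {"Name": "dev-app1-web"}, "Portainer": {}},
  {"ID": "svc-bbb", "Spec": {"Name": "dev-app1-api"},
   "Portainer": {"ResourceControl": {"Id": 7, "TeamAccesses": [{"TeamId": 1}]}}},
  {"ID": "svc-ccc", "Spec": {"Name": "dev-app1-db"},
   "Portainer": {"ResourceControl": {"Id": 8, "TeamAccesses": [{"TeamId": 2}]}}}
]
""")


def plan_acl_requests(services, team_ids):
    """Return (method, path, body) for each service whose team ACL differs."""
    wanted = sorted(set(team_ids))
    plan = []
    for svc in services:
        rc = (svc.get("Portainer") or {}).get("ResourceControl")
        if not rc:
            # Assumption: no ResourceControl object means no ACL exists yet,
            # so it is created with POST as in step 4.
            body = {"Type": "service", "Public": False, "ResourceID": svc["ID"],
                    "Users": [], "Teams": wanted}
            plan.append(("POST", "/api/resource_controls", body))
            continue
        current = sorted(a["TeamId"] for a in rc.get("TeamAccesses") or [])
        if current != wanted:
            # Existing ACL with the wrong teams: update with PUT as in step 5.
            body = {"Public": False, "Users": [], "Teams": wanted}
            plan.append(("PUT", f"/api/resource_controls/{rc['Id']}", body))
    return plan


if __name__ == "__main__":
    # Dry run: print the requests instead of sending them.
    for method, path, body in plan_acl_requests(SAMPLE_SERVICES, [2]):
        print(method, path, json.dumps(body))
```

Reviewing the printed plan before sending anything shows exactly which services would gain or change team access.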

ZYXW. References

1. Portainer-API-docs
https://app.swaggerhub.com/apis-docs/deviantony/Portainer/1.19.2#/
2. issuecomment
https://github.com/portainer/portainer/pull/2137#issuecomment-426421950
3. releases-tag-1.19.2
https://github.com/portainer/portainer/releases/tag/1.19.2
