Client Certificate Authentication Example

This section describes how to configure `client certificate <https://en.wikipedia.org/wiki/Client_certificate>`__ authentication in Driverless AI.

Client Certificate and SSL Configuration Options

The following options can be specified when configuring client certificate authentication.

SSL Configuration Options

Mutual TLS authentication (mTLS) must be enabled before client certificate authentication can be used. Use the following configuration options to configure mTLS. Refer to the `mTLS Authentication topic <authentication-mtls.html>`__ for more information on how to enable mTLS.

  • ssl_client_verify_mode: Sets the client verification mode. Choose from the following verification modes:

    • CERT_NONE: The client does not need to provide a certificate. If it does, any verification errors are ignored.

    • CERT_OPTIONAL: The client does not need to provide a certificate. If it does, the certificate is verified against the configured CA certificate chain.

    • CERT_REQUIRED: The client must provide a certificate, and the certificate is verified. Note that when this mode is selected, the ssl_client_key_file and ssl_client_crt_file options must also be configured so that Driverless AI can verify its own callback requests.

  • ssl_ca_file: Specifies the path to the `Certificate Authority (CA) <https://en.wikipedia.org/wiki/Certificate_authority>`__ certificate file. When client authentication is turned on, this certificate is used to verify client certificates. If no path is specified, clients are verified using the system default certificates.

  • ssl_client_key_file: Required if ssl_client_verify_mode = "CERT_REQUIRED". Specifies the HTTPS settings path to the private key that Driverless AI uses to authenticate itself.

  • ssl_client_crt_file: Required if ssl_client_verify_mode = "CERT_REQUIRED". Specifies the HTTPS settings path to the client certificate that Driverless AI uses to authenticate itself.

Client Certificate Options

  • auth_tls_crl_file: The path to the Certificate Revocation List (CRL) file that is used to verify client certificates.

  • auth_tls_user_lookup: Specifies how the user identity is obtained. Choose from the following:

    • REGEXP_ONLY: Uses auth_tls_subject_field and auth_tls_field_parse_regexp to extract the username from the client certificate.

    • LDAP_LOOKUP: Uses an LDAP server to look up the username. (Refer to the LDAP Authentication Example section for information about the other LDAP authentication configuration options.)

When using LDAP_LOOKUP:

  • auth_tls_ldap_server: Specifies the LDAP server hostname or IP address.

  • auth_tls_ldap_port: Specifies the LDAP server port number. The default is 389.

  • auth_tls_ldap_use_ssl: Specifies whether SSL is enabled (True) or disabled (False) when connecting to the LDAP server.

  • auth_tls_ldap_tls_file: Specifies the path to the SSL certificate.

  • auth_tls_ldap_bind_dn: Specifies the complete distinguished name (DN) of the LDAP bind user.

  • auth_tls_ldap_bind_password: Specifies the LDAP bind password.

  • auth_tls_subject_field: The subject field that is used as the source for the username or for other values that provide further validation.

  • auth_tls_field_parse_regexp: The regular expression used to parse the subject field in order to obtain the username or other values that provide further validation.

  • auth_tls_ldap_search_base: Specifies the location in the Directory Information Tree (DIT) where the search starts.

  • auth_tls_ldap_search_filter: Specifies the LDAP search filter used to find a specific user through LDAP_LOOKUP when the tls_certificate authentication method is used. The filter can be built dynamically by substituting the named capturing groups of auth_tls_field_parse_regexp (the regular expression is written as a single-quoted TOML literal string so that its backslashes are kept as they are):

    auth_tls_field_parse_regexp = '\w+ (?P<id>\d+)'
    auth_tls_ldap_search_filter = "(&(objectClass=person)(id={{id}}))"

  • auth_tls_ldap_username_attribute: Specifies the LDAP record attribute that is used as the username.

  • auth_tls_ldap_authorization_lookup_filter: (Optional) Specifies an additional search filter that is performed after the user has been found. This is useful for checking whether the user is a member of a particular group in an LDAP schema where group membership is defined in the group entry rather than in the individual user entries. (Refer to the Lookup Filter Example section that follows for an example of how to use this option.)

  • auth_tls_ldap_authorization_search_base: Specifies the base distinguished name (DN) from which the authorization lookup starts. Required when auth_tls_ldap_authorization_lookup_filter is specified.

Lookup Filter Example

The following example uses the auth_tls_ldap_authorization_lookup_filter option to determine whether each user is a member of the chemists group, in an LDAP schema where group (organizational unit) membership is defined in the group entry.

# Specify to use email as username
auth_tls_ldap_username_attribute = "mail"
# Specify search string
auth_tls_ldap_search_filter = "(&(objectClass=inetOrgPerson)(uid={{username}}))"
# Specify the base DN to start the search from
auth_tls_ldap_authorization_search_base="dc=example,dc=com"
# Filter the results of the search to determine which users are members of a specific group
auth_tls_ldap_authorization_lookup_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid={{uid}},dc=example,dc=com)(ou=chemists))"
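As an added illustration (not Driverless AI's own code) of the two lookup steps described above: the search filter rendered from the named groups of auth_tls_field_parse_regexp, and the authorization filter rendered from the attributes of the entry that was found. The `search` callable, the whole-field regexp match and the RFC 4515 escaping of substituted values are assumptions of this example, not documented Driverless AI behaviour.

```python
import re

# {{name}} placeholders as used in the filter templates on this page.
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def unresolved_placeholders(parse_regexp, filter_template):
    """Placeholders in the filter template that no named group of the regexp
    provides. A non-empty result means the lookup can never match (for
    example a group named 'di' paired with a {{id}} placeholder)."""
    groups = set(re.compile(parse_regexp).groupindex)
    return set(PLACEHOLDER.findall(filter_template)) - groups


def escape_filter_value(value):
    """RFC 4515 escaping (this example's own hardening): a value taken from a
    certificate subject is matched literally, never read as filter syntax."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def render_filter(template, values):
    """Replace every {{name}} with the escaped value of that name."""
    return PLACEHOLDER.sub(lambda m: escape_filter_value(values[m.group(1)]),
                           template)


def build_search_filter(subject_value, parse_regexp, search_filter):
    """Step 1: parse the configured subject field with auth_tls_field_parse_regexp
    (assumed here to have to match the whole field) and render
    auth_tls_ldap_search_filter from its named groups; None if no match."""
    match = re.fullmatch(parse_regexp, subject_value)
    if match is None:
        return None
    return render_filter(search_filter, match.groupdict())


def authorize(user_entry, username_attribute, authorization_filter, search):
    """Step 2: render the optional authorization filter from the attributes of
    the entry found in step 1 and run it through `search` (a callable that
    returns the matching entries; a stand-in for the LDAP query). Returns the
    username, or None when the authorization search returns no entry."""
    if authorization_filter:
        if not search(render_filter(authorization_filter, user_entry)):
            return None
    return user_entry.get(username_attribute)
```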

Enabling Client Certificate Authentication

To enable client certificate authentication in the Docker image, specify the authentication environment variables that you want to use. Each variable must be prefixed with DRIVERLESS_AI_. The following example enables client certificate authentication and uses LDAP_LOOKUP as the TLS user lookup method.

nvidia-docker run \
  --pid=host \
  --init \
  --rm \
  --shm-size=256m \
  -p 12345:12345 \
  -u `id -u`:`id -g` \
  -e DRIVERLESS_AI_ENABLED_FILE_SYSTEMS="file,s3,hdfs" \
  -e DRIVERLESS_AI_ENABLE_HTTPS="true" \
  -e DRIVERLESS_AI_SSL_KEY_FILE="/etc/pki/dai-server.key" \
  -e DRIVERLESS_AI_SSL_CRT_FILE="/etc/pki/dai-server.crt" \
  -e DRIVERLESS_AI_SSL_CA_FILE="/etc/pki/ca.crt" \
  -e DRIVERLESS_AI_SSL_CLIENT_VERIFY_MODE="CERT_REQUIRED" \
  -e DRIVERLESS_AI_SSL_CLIENT_KEY_FILE="/etc/pki/dai-self.key" \
  -e DRIVERLESS_AI_SSL_CLIENT_CRT_FILE="/etc/pki/dai-self.cert" \
  -e DRIVERLESS_AI_AUTHENTICATION_METHOD="tls_certificate" \
  -e DRIVERLESS_AI_AUTH_TLS_SUBJECT_FIELD="CN" \
  -e DRIVERLESS_AI_AUTH_TLS_CRL_FILE="/etc/pki/crl.pem" \
  -e DRIVERLESS_AI_AUTH_TLS_FIELD_PARSE_REGEXP="(?P<id>.*)" \
  -e DRIVERLESS_AI_AUTH_TLS_USER_LOOKUP="LDAP_LOOKUP" \
  -e DRIVERLESS_AI_LDAP_SERVER="ldap.forumsys.com" \
  -e DRIVERLESS_AI_LDAP_BIND_DN="cn=read-only-admin,dc=example,dc=com" \
  -e DRIVERLESS_AI_LDAP_BIND_PASSWORD="password" \
  -e DRIVERLESS_AI_LDAP_SEARCH_BASE="dc=example,dc=com" \
  -e DRIVERLESS_AI_LDAP_USER_NAME_ATTRIBUTE="uid" \
  -e DRIVERLESS_AI_LDAP_SEARCH_FILTER="(&(objectClass=inetOrgPerson)(uid={{id}}))" \
  -e DRIVERLESS_AI_AUTH_TLS_LDAP_AUTHORIZATION_SEARCH_BASE="dc=example,dc=com" \
  -e DRIVERLESS_AI_AUTH_TLS_LDAP_AUTHORIZATION_LOOKUP_FILTER="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid={{uid}},dc=example,dc=com)(ou=chemists))" \
  -v `pwd`/data:/data \
  -v `pwd`/log:/log \
  -v `pwd`/license:/license \
  -v `pwd`/tmp:/tmp \
  h2oai/dai-centos7-x86_64:1.9.2.1-cuda10.0.xx

Native installs include DEB, RPM, and TAR SH installs. The following example shows how to edit the config.toml file to enable client certificate authentication and use LDAP_LOOKUP as the TLS user lookup method.

  1. Export the Driverless AI config.toml file or add it to ~/.bashrc. For example:

# DEB and RPM
export DRIVERLESS_AI_CONFIG_FILE="/etc/dai/config.toml"

# TAR SH
export DRIVERLESS_AI_CONFIG_FILE="/path/to/your/unpacked/dai/directory/config.toml"
  2. Open the config.toml file and edit the following authentication variables. After Driverless AI is installed, the config.toml file can be found in the etc/dai folder.

# https settings
enable_https = true

# https settings
# Path to the SSL key file
#
ssl_key_file = "/etc/pki/dai-server.key"

# https settings
# Path to the SSL certificate file
#
ssl_crt_file = "/etc/pki/dai-server.crt"

# https settings
# Path to the Certification Authority certificate file. This certificate will be
# used to verify the client certificate when client authentication is turned on.
# If this is not set, clients are verified using default system certificates.
#
ssl_ca_file = "/etc/pki/ca.crt"

# https settings
# Sets the client verification mode.
# CERT_NONE: Client does not need to provide the certificate and if it does any
# verification errors are ignored.
# CERT_OPTIONAL: Client does not need to provide the certificate and if it does
# the certificate is verified against the set up CA chains.
# CERT_REQUIRED: Client needs to provide a certificate and the certificate is
# verified.
# You'll need to set 'ssl_client_key_file' and 'ssl_client_crt_file'
# when this mode is selected for Driverless to be able to verify
# its own callback requests.
#
ssl_client_verify_mode = "CERT_REQUIRED"

# https settings
# Path to the private key that Driverless will use to authenticate itself when
# CERT_REQUIRED mode is set.
#
ssl_client_key_file = "/etc/pki/dai-self.key"

# https settings
# Path to the client certificate that Driverless will use to authenticate itself
# when CERT_REQUIRED mode is set.
#
ssl_client_crt_file = "/etc/pki/dai-self.crt"

# Enable client certificate authentication
authentication_method = "tls_certificate"

# Subject field that is used as a source for a username or other values that provide further validation
auth_tls_subject_field = "CN"

# Path to the CRL file that will be used to verify client certificate.
auth_tls_crl_file = "/etc/pki/crl.pem"

# Sets up the way how user identity would be obtained
# REGEXP_ONLY: Will use 'auth_tls_subject_field' and 'auth_tls_field_parse_regexp'
# to extract the username from the client certificate.
# LDAP_LOOKUP: Will use LDAP server to lookup for the username.
# 'ldap_server', 'ldap_use_ssl', 'ldap_tls_file', 'ldap_bind_dn',
# 'ldap_bind_password' options are used to establish
# the connection with the LDAP server.
# 'auth_tls_subject_field' and 'auth_tls_field_parse_regexp'
# options are used to parse the certificate.
# 'ldap_search_base', 'ldap_search_filter', and
# 'ldap_username_attribute' options are used to do the lookup.
# 'ldap_search_filter' can be built dynamically using the named
# capturing groups from the 'auth_tls_field_parse_regexp' for
# substitution.
# Example:
# auth_tls_field_parse_regexp = '\w+ (?P<id>\d+)'
# ldap_search_filter = "(&(objectClass=person)(id={{id}}))"
auth_tls_user_lookup = "LDAP_LOOKUP"

# Regular expression that is used to parse the subject field in order to
# obtain the username or other values that provide further validation.
# Written as a single-quoted TOML literal string: in a double-quoted string
# the backslashes of \w and \d would be read as (invalid) escape sequences.
auth_tls_field_parse_regexp = '\w+ (?P<id>\d+)'

# ldap server domain or ip
ldap_server = "ldap.forumsys.com"

# Complete DN of the LDAP bind user
ldap_bind_dn = "cn=read-only-admin,dc=example,dc=com"

# Password for the LDAP bind
ldap_bind_password = "password"

# the location in the DIT where the search will start
ldap_search_base = "dc=example,dc=com"

# specify key to find user name
ldap_user_name_attribute = "uid"

# A string that describes what you are searching for. You can use Python
# substitution to have this constructed dynamically.
# (only {{DAI_USERNAME}} is supported)
ldap_search_filter = "(&(objectClass=inetOrgPerson)(uid={{id}}))"

# Base DN where to start the Authorization lookup. Used when
# 'auth_tls_ldap_authorization_lookup_filter' is set.
auth_tls_ldap_authorization_search_base="dc=example,dc=com"

# Sets optional additional lookup filter that is performed after the
# user is found. This can be used for example to check whether the user is a
# member of a particular group.
# Filter can be built dynamically from the attributes returned by the lookup.
# Authorization fails when the search does not return any entry. If one or more
# entries are returned authorization succeeds.
# Example:
# auth_tls_field_parse_regexp = '\w+ (?P<id>\d+)'
# ldap_search_filter = "(&(objectClass=person)(id={{id}}))"
# auth_tls_ldap_authorization_lookup_filter = "(&(objectClass=group)(member=uid={{uid}},dc=example,dc=com))"
# If this option is empty no additional lookup is done and a successful user
# lookup alone is enough to authorize the user.
#
auth_tls_ldap_authorization_lookup_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid={{uid}},dc=example,dc=com)(ou=chemists))"
  3. Start (or restart) Driverless AI.
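An added consistency check (not part of Driverless AI) that encodes the option dependencies stated on this page, using the key names as they appear in the config.toml example above (ldap_use_ssl as named in its comments); the check_client_cert_config function, its required-option lists and its messages are this example's own.

```python
# Dependencies between the tls_certificate options as stated on this page.
REQUIRED_WITH_CERT_REQUIRED = ("ssl_client_key_file", "ssl_client_crt_file")
REQUIRED_FOR_LDAP_LOOKUP = ("ldap_server", "ldap_search_base",
                            "ldap_search_filter", "ldap_user_name_attribute")


def check_client_cert_config(cfg):
    """Return the problems found in a config.toml-style mapping (key -> value).
    An empty list means the option dependencies are satisfied and no
    weak setting was found."""
    problems = []
    if cfg.get("authentication_method") != "tls_certificate":
        return ["authentication_method is not 'tls_certificate'"]
    if not cfg.get("enable_https"):
        problems.append("enable_https is not true: client certificates are "
                        "presented in the TLS handshake, so HTTPS is required")
    mode = cfg.get("ssl_client_verify_mode", "CERT_NONE")
    if mode == "CERT_NONE":
        # Verification errors are ignored in this mode, so a subject taken
        # from such a certificate has not been checked against the CA.
        problems.append("ssl_client_verify_mode is CERT_NONE: certificate "
                        "verification errors are ignored, so the subject "
                        "cannot serve as a verified identity")
    elif mode == "CERT_REQUIRED":
        for opt in REQUIRED_WITH_CERT_REQUIRED:
            if not cfg.get(opt):
                problems.append(f"{opt} is required with CERT_REQUIRED so that "
                                "Driverless AI can verify its own callbacks")
    elif mode != "CERT_OPTIONAL":
        problems.append(f"unknown ssl_client_verify_mode {mode!r}")
    if not cfg.get("ssl_ca_file"):
        problems.append("ssl_ca_file is not set: clients are verified against "
                        "the system default certificates, not your own CA")
    if cfg.get("auth_tls_user_lookup") == "LDAP_LOOKUP":
        for opt in REQUIRED_FOR_LDAP_LOOKUP:
            if not cfg.get(opt):
                problems.append(f"{opt} is required for LDAP_LOOKUP")
        if not cfg.get("ldap_use_ssl"):
            problems.append("ldap_use_ssl is not true: the bind password and "
                            "lookups are sent to the LDAP server unencrypted")
    if (cfg.get("auth_tls_ldap_authorization_lookup_filter")
            and not cfg.get("auth_tls_ldap_authorization_search_base")):
        problems.append("auth_tls_ldap_authorization_search_base is required "
                        "when auth_tls_ldap_authorization_lookup_filter is set")
    return problems
```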