docker深入2-UI之portainer通过API来更新service的ACL

作者：佚名上传时间：2019-03-21 版权申诉

docker深入2-UI之portainer通过API来更新service的ACL
2018/11/5

准备工作

阅读文档

resource_controls
Manage access control on Docker resources

POST
/resource_controls
Create a new resource control
PUT
/resource_controls/{id}
Update a resource control
DELETE
/resource_controls/{id}
Remove a resource control

本例在 mac 下操作，使用 httpie 来发送请求
brew install httpie
通过 jq 来格式化数据
brew install jq
干活的目录
/tmp/httpie

原因

portainer升级至1.19.2后，有比较特别的变化：

1.19.2

> Breaking changes
>
>
>> This version changes the default ownership for externally created resources from Public to Administrator restricted (#960, #2137). The migration process will automatically migrate any existing resource declared as Public to Administrators only.
>>

尽管之前为 service 设置过 ACL ，但在升级后发现还是全部重置为 Administrators 权限

临时解决办法: 通过API来重置ACL

下面是具体示范：

1. 拿到认证 token

http POST http://your-portainer-addr/api/auth Username="admin" Password="portainer"
{
    "jwt": "xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY"
}

2. 列出teams信息

http GET http://your-portainer-addr/api/teams \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY"

[
    {
        "Id": 1,
        "Name": "dev"
    },
    {
        "Id": 2,
        "Name": "qa"
    },
    {
        "Id": 3,
        "Name": "ops"
    }
]

示例: 从文本中读取json数据来发送POST请求

mkdir /tmp/httpie && cd /tmp/httpie

http POST http://your-portainer-addr/api/resource_controls \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" \
@/tmp/httpie/1.json

示例: 获得通过service前缀过滤后的状态

http GET http://your-portainer-addr/api/endpoints/5/docker/services\?filters\='{"name":["dev-app1"]}' \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" |jq '.[] | {name: .Spec.Name, id: .ID, teams: .Portainer.ResourceControl.TeamAccesses[0].TeamId}'

3. 获得通过service前缀过滤后的ID

http GET http://your-portainer-addr/api/endpoints/5/docker/services\?filters\='{"name":["dev-app1"]}' \
"Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" |jq '.[].ID' > .id

4. 根据上述信息，批量执行API来创建针对team的ACL权限(注意：此处，根据api文档，使用的是 POST 方法)

s1='{"Type": "service", "Public": false, "ResourceID": "'
s2='", "Users": [], "Teams": [2]}'

for ID in `cat .id |sed 's/"//g'`;do
  echo $ID
  echo ${s1}${ID}${s2} >acl-create.json

  http POST http://your-portainer-addr/api/resource_controls \
  "Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" \
  @/tmp/httpie/acl-create.json

  echo '---------'
done

5. 【例如权限设置错误的场景】根据上述信息，批量执行API来更新针对team的ACL权限(注意：此处，根据api文档，使用的是 PUT 方法)

s3='{"Public": false, "Users":[], "Teams":[2]}'

for ID in `cat .id |sed 's/"//g'`;do
  echo ${ID}
  echo ${s3} >acl-update.json

  echo '[+] Portainer.ResourceControl.ID:'
  portainer_svc_rc_id=`http GET "http://your-portainer-addr/api/endpoints/5/docker/services/${ID}" \
  "Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" |jq '.Portainer.ResourceControl.Id'`
  echo ${portainer_svc_rc_id}

  echo '[+] Update:'
  http PUT "http://your-portainer-addr/api/resource_controls/${portainer_svc_rc_id}" \
  "Authorization: Bearer xxJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOjEsImV4cCI6MTUzOTYxNzcwNX0.ifadEaqEo7LNWPuPBl8zQMZqeFvxfVPgAD6asNdMQYY" \
  @/tmp/httpie/acl-update.json

  echo '---------'
done