样书配置

使用 DNS 域名部署 GSLB 配置

Citrix ADM 中的新 RBAC 增强功能仅允许获得授权的应用程序所有者在 Citrix ADM 中创建和管理自己的 DNS 域。现在,您可以授权应用程序所有者使用特定的样书从他们拥有的 DNS 域创建 GSLB 配置。如果所选的 DNS 域名归用户所有,则可以在使用 Citrix ADM 应用程序控制板中的 GSLB 样书创建 GSLB 配置时使用该域名。 Citrix ADM 中有两个用于配置 GSLB 配置的工作流程。

  1. 管理员的工作流程。在 Citrix ADM 中设置 RBAC 环境。也就是说,要创建和导入 GSLB 样书,必须创建用户组、策略和角色,并将用户分配给该组。作为管理员,您必须执行此工作流程。

  2. 应用程序所有者的工作流程。应用程序所有者必须使用他们拥有的域名创建 GSLB 配置。

以下流程图描述了两个工作流程:

GSLB 工作流配置

管理员的工作流

作为管理员,在 Citrix ADM 中创建 RBAC 环境的工作流程包括以下步骤:

首先,创建一本样书以在 Citrix ADC 实例上部署 GSLB 配置。本文档提供了一个 YAML 内容示例,可帮助您创建自己的样书- 生成样书

有关如何创建自定义样书的更多信息,请参阅 创建和使用自定义样书

注意

Citrix ADM 支持样书中一种名为“允许动态值”的新结构。“ 此结构可用于允许用户列出 Citrix ADM 中存在的 DNS 域值并进行选择,以便在 Citrix ADM GUI 的样本中自动填充“域名”参数。

提供了“域名”参数部分示例,供您参考。

此处使用的“域名”参数只是一个示例。该参数在您的自定义样书中可能有所不同。

-
  name: domain-name
   label: DNS Domain Name
   description: GSLB DNS Domain Name
   type: string
   required: true
   allowed-dynamic-values:
      source: local
      resource-type: dns_domain_entry
<!--NeedCopy-->

注意

目前在 Citrix ADM 中,任何默认样书中均未使用“允许的动态值”结构。使用默认 GSLB 样书创建新的自定义 GSLB 样书。将域名参数部分替换为上面提供的示例。您可以使用任何文本编辑器来创建新的样书。

  1. 以管理员身份登录 Citrix ADM。

  2. 导航到 应用程序 > 配置 > 样书

  3. 单击 导入新样本 ,然后将新的 GSLB 样本上传到 Citrix ADM。

    导入样书

    有关如何在 Citrix ADM 中导入样书的更多信息,请参阅 使用自定义样书

  4. 导航到“系统”>“用户”>“策略”,然后单击“添加”为应用程序所有者设置访问策略,如下所示。

    Citrix 建议您创建访问策略,以确保应用程序所有者不会规避您设置的 RBAC 规则。

  5. 键入策略的名称和简短描述。在“权限”部分中,确保强制检查以下查看-编辑权限。

    1. 应用程序 > 控制面板

    2. 应用程序 > 配置

    3. 基础结构 > 实例

    4. 基础结构 > 许可证管理

    5. 设置 > 域名

    您可以提供适用的其他权限,然后单击 创建”。

    为控制面板、配置、实例、许可证管理和 DNS 域名创建访问策略

  6. 导航到 系统 > 用户 > 角色”,然后创建角色并分配在上一步中创建的策略。

  7. 键入角色的名称并提供简短描述。在“策略”部分中,选择 AppOwnerExampleAccessPolicy

    创建应用程序所有者角色

  8. 导航到 系统 > 用户 > ”,然后创建一个组并关联在上一步中创建的角色。

  9. 键入名称和描述,然后在“角色”部分,选择“AppOwnerExampleRole”

    创建系统组

  10. 单击下一步

  11. 授权设置 选项卡中,选择应用程序所有者有权访问的 Citrix ADC 实例和新的 GSLB 样本。

    授权设置

    重复此步骤可根据需要在组织中创建任意数量的用户组。单击创建组

  12. 创建系统用户并将该用户分配到用户组。本文档仅指在本地创建的用户。如果 Citrix ADM 设置为使用外部身份验证(例如 LDAP),则无需在用户组中创建用户。用户到组的映射是从外部身份验证目录中检索的。

    1. 导航到“系统”>“用户”>“用户”

    2. 键入系统用户的用户名和密码,然后将用户分配到该组。

    创建用户

    注意

    步骤 12 是可选的,如果使用外部身份验证(如 LDAP),则不需要步骤 12。

适用于管理员工作流程的 Citrix ADM REST API

用于登录 Citrix ADM 的 REST API

URL: http: //<MAS_IP>/nitro/v2/config/login
HTTPMETHOD: POST

Body Payload:
{
  "login": {
    "username": "<USER_NAME>",
    "password": "<PASSWORD>",
    "session_timeout": 1800
  }
}

The response results in a session cookie header, that can be sent with the rest of the API requests below.

Set-Cookie: SESSID=##ED31F7C886E248CCDCA8F0E0AD2AA511ACCC5F46C48D6D2BCAA719A9DE62;path=/;secure;HttpOnly
<!--NeedCopy-->

用于创建访问策略的 REST API

URL: https://<MAS_IP>/nitro/v2/config/rba_policy
HTTP METHOD: POST

{
  "rba_policy": {
    "name": " AppOwnerAccessPolicy",
    "description": " ExampleCompany AppOwner Access Policy",
    "tenant_id": "7c12ec97-1472-4096-97e7-a5acb453cc5c",
    "statement": [
      {
        "access_type": true,
        "resource_type": "application",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server,app_category"
      },
      {
        "access_type": true,
        "resource_type": "application",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,ns_vserver_license,app_category,app_summary,app_health_dashboard_details,haproxy_frontend,haproxy_backend,haproxy_frontend_stats"
      },
      {
        "access_type": true,
        "resource_type": "si_app_unit",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,app_summary,si_app_summary,si_device,security_app_dashboard_details,si_geo_location,si_safety_app_firewall,si_safety_overview,si_safety_security_check,si_safety_system_security,si_safety_signature"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,ns_vserver_license"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "configpacks",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,stylebooks,ns_vserver_license"
      },
      {
        "access_type": true,
        "resource_type": "configpacks",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks_system_settings",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks_system_settings",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_crvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_cache_redirection_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_crvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "haproxy_frontend",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,haproxy_backend,haproxy_server"
      },
      {
        "access_type": true,
        "resource_type": "haproxy_frontend",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_server",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_server,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_server",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_lbvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_lb_vserver_report,ns_emon_poll_policy,poll_activity_status,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_lbvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_service",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_service",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_servicegroup",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_servicegroupmember_binding,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_servicegroup",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_servicegroupmember_binding,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_authenticationvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_authentication_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_authenticationvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "syslog_messages",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_emon_poll_policy",
        "operation_name": "get",
        "dependent_resources": "download,poll_activity_status,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_emon_poll_policy",
        "operation_name": "add",
        "dependent_resources": "download,poll_activity_status,mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_visualizer_gslb_bindings",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,ns_gslbvserver_domain,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_visualizer_gslb_bindings",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,poll_activity_status,ns_emon_poll_policy,ns_gslbvserver_domain,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbservice",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbservice",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_global_server_load_balancing_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
     },
      {
        "access_type": true,
        "resource_type": "ns_vpnvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_vpnvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_ssl_vpn_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_csvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_content_switching_report,ns_emon_poll_policy,poll_activity_status,ns_visualizer_cs_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_csvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_visualizer_cs_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "dns_domain_entry",
        "operation_name": "get",
        "dependent_resources": ""
      },
      {
        "access_type": true,
        "resource_type": "dns_domain_entry",
        "operation_name": "add",
        "dependent_resources": ""
      },
      {
        "access_type": true,
        "resource_type": "devicewise_detail_summary",
        "operation_name": "get",
        "dependent_resources": "download,mps_user_heatmap,ns_event,mps_agent,active_event,smtp_server,mps_datacenter,event_severity_report,event_device_report,ns_conf,device_event_summary"
      },
      {
        "access_type": true,
        "resource_type": "devicewise_detail_summary",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "cbwanopt",
        "operation_name": "get",
        "dependent_resources": "download,device_backup,traceroute,inventory,inventory_status,ping,mps_datacenter,cbwanopt_device_profile,sdwanvw_device_profile,sdwanvw_snmp_config,sdwanvw_appflowconfig,smtp_server,cbwanopt_snmp_config,cbwanopt_appflowconfig,sdwanvw,tag"
      },
      {
        "access_type": true,
        "resource_type": "cbwanopt",
        "operation_name": "add",
        "dependent_resources": "inventory,managed_device,device_backup,upload,cbwanopt_device_profile,mps_datacenter,mail_profile,slack_profile,smtp_server,sdwanvw_device_profile,sdwanvw_snmp_config,sdwanvw_appflowconfig,cbwanopt_snmp_config,cbwanopt_appflowconfig,sdwanvw,tag"
      },
      {
        "access_type": true,
        "resource_type": "device_login",
        "operation_name": "get",
        "dependent_resources": ""
      },
      {
        "access_type": true,
        "resource_type": "ns",
        "operation_name": "get",
        "dependent_resources": "download,ns_config_replicate,ns_conf,ns_ns_runningconfig,ns_ns_savedconfig,active_event,device_backup,traceroute,inventory,inventory_status,ping,ns_device_profile,nssdx_device_profile,sdx_snmp_config,sdx_syslog_config,smtp_server,ns_cluster,ns_snmp_config,ns_syslog_config,ns_l7_latency_config,ica_l7_latency_update,af_vserver_policy,ns_vserver_appflow_config,mps_datacenter,ns_appflow_param_config,ns_ns_license,ns_ns_mode,ns_network_interface,advanced_analytics_config,tag"
      },
      {
        "access_type": true,
        "resource_type": "ns",
        "operation_name": "add",
        "dependent_resources": "inventory,ns_l7_latency_config,ica_l7_latency_update,af_vserver_policy,ns_config_replicate,managed_device,device_backup,upload,ns_device_profile,nssdx_device_profile,mps_datacenter,sdx_snmp_config,sdx_syslog_config,mail_profile,slack_profile,smtp_server,ns_cluster,ns_snmp_config,ns_syslog_config,ns_vserver_appflow_config,ns_appflow_param_config,advanced_analytics_config,tag"
      },
      {
        "access_type": true,
        "resource_type": "haproxyhost",
        "operation_name": "get",
        "dependent_resources": "download,traceroute,inventory,inventory_status,ping,mps_datacenter,smtp_server,haproxy_device_profile,device_backup,tag"
      },
      {
        "access_type": true,
        "resource_type": "haproxyhost",
        "operation_name": "add",
        "dependent_resources": "inventory,managed_device,mail_profile,slack_profile,smtp_server,mps_datacenter,haproxy_device_profile,haproxy,device_backup,tag"
      },
      {
        "access_type": true,
        "resource_type": "docker_host",
        "operation_name": "add",
        "dependent_resources": "inventory,ns_snmp_config,managed_device,ns,upload,mail_profile,slack_profile,smtp_server,mps_datacenter,ns_device_profile,docker_nscpx_image"
      },
      {
        "access_type": true,
        "resource_type": "docker_host",
        "operation_name": "get",
        "dependent_resources": "download,ns_snmp_config,ns_conf,ns_ns_runningconfig,ns_ns_savedconfig,smtp_server,mps_datacenter,ns_device_profile,traceroute,inventory,inventory_status,ping,active_event,ns_ns_license,ns_ns_mode,ns_network_interface"
      },
      {
        "access_type": true,
        "resource_type": "perf_reports",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server,perf_custom_dashboard"
      },
      {
        "access_type": true,
        "resource_type": "perf_reports",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,perf_report_counters,perf_res_util_report,perf_http_req_tcp_conn_report,perf_lb_ssl_traffic_report,perf_ip_bytes_rxtx_report,perf_ip_pkt_rxtx_report,perf_icmp_pkt_rxtx_report,perf_icmp_bytes_rxtx_report,perf_icmpv6_pkt_rxtx_report,perf_icmpv6_bytes_rxtx_report,perf_ipv6_bytes_rxtx_report,perf_ipv6_pkt_rxtx_report,perf_udp_bytes_rxtx_report,perf_udp_packets_rxtx_report,perf_cmp_bytes_rxtx_report,perf_cmp_tcp_bytes_rxtx_report,perf_cmp_tcp_ratiosaving_report,perf_cmp_decmp_bytes_rxtx_report,perf_cmp_decmp_ratiosaving_report,perf_tcp_server_conn_report,perf_tcp_surgelen_spareconn_report,perf_http_bytes_rx_report,perf_http_gets_posts_report,perf_ssl_transactions_hits_report,perf_ssl_client_auth_report,perf_ssl_rsa_dhkey_report,perf_ssl_frontend_ciphers_report,perf_ssl_backend_ciphers_report,perf_wsdevice_cpu_utilization_report,perf_wsdevice_send_compression_ratio_report,perf_wsdevice_connected_plugins_report,perf_wsdevice_data_reduction_report,perf_wsdevice_link_utilization_report,perf_wsserviceclassstatstable_pass_through_connection_report,perf_wsserviceclassstatstable_service_class_report,perf_wsserviceclassstatstable_acceleration_report,perf_wslinkstatstable_throughput_report,perf_wslinkstatstable_packet_loss_report,perf_wsappstatstable_application_report,perf_wsqosstatstable_qos_report,perf_ssl_cpu_keyexchange_report,perf_ssl_be_rsa_dhkey_report,perf_custom_dashboard,perf_ns_throughput_report,perf_network_interface_report"
      },
      {
        "access_type": true,
        "resource_type": "perf_threshold",
        "operation_name": "get",
        "dependent_resources": "download,perf_reports,perf_report_counters,smtp_server,sms_server,sms_profile"
      },
      {
        "access_type": true,
        "resource_type": "perf_threshold",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server,sms_server,sms_profile"
      },
      {
        "access_type": true,
        "resource_type": "perf_poll_config",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "perf_poll_config",
        "operation_name": "get",
        "dependent_resources": "smtp_server,download"
      },
      {
        "access_type": true,
        "resource_type": "license_server_info",
        "operation_name": "get",
        "dependent_resources": "sms_server,license_proxy_server,jazz_license,download,sms_profile,smtp_server,user_managed_tp_vserver,managed_vserver,user_managed_vserver,haproxy_frontend,haproxy_backend,license_file,device_license_info,license_info,ns_authenticationvserver,ns_gslbvserver,ns_vpnvserver,ns_csvserver,ns_crvserver,ns_lbvserver,autoselection_preference,license_threshold,license_expiry_info"
      },
      {
        "access_type": true,
        "resource_type": "license_server_info",
        "operation_name": "add",
        "dependent_resources": "sms_server,license_proxy_server,jazz_license,sms_profile,mail_profile,slack_profile,smtp_server,user_managed_tp_vserver,managed_vserver,upload,license_file,license_info,license_threshold,mas_license,user_managed_vserver,autoselection_preference,license_expiry_info"
      }
    ],
    "ui": [
      {
        "access_type": true,
        "name": "ApplicationsDashboard",
        "display_name": "Dashboard"
      },
      {
        "access_type": true,
        "name": "SecurityDashboard",
        "display_name": "App Security Dashboard"
      },
      {
        "access_type": true,
        "name": "Stylebooks",
        "display_name": "StyleBooks"
      },
      {
        "access_type": true,
        "name": "Stylebooks",
        "display_name": "Configpacks"
      },
      {
        "access_type": true,
        "name": "StylebooksSettings",
        "display_name": "Settings"
      },
      {
        "access_type": true,
        "name": "CacheRedirection",
        "display_name": "Cache Redirection"
      },
      {
        "access_type": true,
        "name": "HAProxy",
        "display_name": "HAProxy"
      },
      {
        "access_type": true,
        "name": "Servers",
        "display_name": "Servers"
      },
      {
        "access_type": true,
        "name": "VirtualServers",
        "display_name": "Virtual Servers"
      },
      {
        "access_type": true,
        "name": "Services",
        "display_name": "Services"
      },
      {
        "access_type": true,
        "name": "ServiceGroups",
        "display_name": "Service Groups"
      },
      {
        "access_type": true,
       "name": "Authentication",
        "display_name": "Authentication"
      },
      {
        "access_type": true,
        "name": "MonitoringAuditing",
        "display_name": "Auditing"
      },
      {
        "access_type": true,
        "name": "MonitoringSettings",
        "display_name": "Settings"
      },
      {
        "access_type": true,
        "name": "GSLBDomains",
        "display_name": "Domains"
      },
      {
        "access_type": true,
        "name": "GSLBServices",
        "display_name": "Services"
      },
      {
        "access_type": true,
        "name": "GSLBVirtualServer",
        "display_name": "Virtual Server"
      },
      {
        "access_type": true,
        "name": "NetScalerGateway",
        "display_name": "NetScaler Gateway"
      },
      {
        "access_type": true,
        "name": "ContentSwitching",
        "display_name": "Content Switching"
      },
      {
        "access_type": true,
        "name": "DNSDomainNames",
        "display_name": "DNS Domain Names"
      },
      {
        "access_type": true,
        "name": "NetworkDashboard",
        "display_name": "Instances Dashboard"
      },
      {
        "access_type": true,
        "name": "NetScalerSDWANWOInstances",
        "display_name": "NetScaler SD-WAN"
      },
      {
        "access_type": true,
        "name": "InstanceOperations",
        "display_name": "Instance Operations"
      },
      {
        "access_type": true,
        "name": "NetScalerInstances",
        "display_name": "NetScaler ADC"
      },
      {
        "access_type": true,
        "name": "HAProxyInstances",
        "display_name": "HAProxy"
      },
      {
        "access_type": true,
        "name": "NetScalerCPXDockerHost",
        "display_name": "Docker Hosts"
      },
      {
        "access_type": true,
        "name": "Reports",
        "display_name": "Reports"
      },
      {
        "access_type": true,
        "name": "Thresholds",
        "display_name": "Thresholds"
      },
      {
        "access_type": true,
        "name": "ReportingSettings",
        "display_name": "Settings"
      },
      {
        "access_type": true,
        "name": "Licenses",
        "display_name": "License Management"
      }
    ]
  }
}
<!--NeedCopy-->

用于创建访问角色的 REST API

URL: https://<MAS_IP>/nitro/v2/config/rba_role
HTTPMETHOD: POST

Payload:
{
  "rba_role": {
    "name": "AppOwnerRole",
    "description": "ExampleCompany App Owner Role",
    "policies": [
      "AppOwnerAccessPolicy"
    ]
  }
<!--NeedCopy-->

用于上传新 GSLB 样书的 REST API

URL: https://<MAS_IP>/stylebook/nitro/v2/config/stylebooks
HTTPMETHOD: POST

Payload:
{
    "stylebook": {
      "file_name": "my-own-gslb.yaml",
      "source": "bmFtZTogZ3NsYi1kbnMtZG9tYW...aXRvcm5hbWU=",
      "encoding": "base64"
    }
  }
<!--NeedCopy-->

注意

样书的名称可能会在您的系统上发生变化。

用于创建组和分配选定实例和样书的 REST API

URL: https://<MAS_IP>/nitro/v2/config/mpsgroup
HTTPMETHOD: POST

Payload:
{
  "mpsgroup": {
    "id": "",
    "name": "AppOwnerGroup1",
    "description": "ExampleCompany App Owner Group",
    "roles": [
      "AppOwnerRole"
    ],
    "enable_session_timeout": false,
    "assign_all_devices": false,
    "ass ign_all_apps": false,
    "application_names_with_regex": [

    ],
    "standalone_instances_id": [
      "72c178da-47df-4426-9acc-cd6316f92506",
      "c948061e-6240-4062-931c-f6988ef36e3b"
    ],
    "application_list": [

    ],
    "permission": "none",
    "application_names": [

    ],
    "authscope_props": [
      {
        "propname": "configuration_template_id",
        "propvalues": [
          "NONE"
        ]
      },
      {
        "propname": "dns_domain_entry_id",
        "propvalues": [
          "cf6631e5-2f56-4bb1-b0a5-90fabfc0e3e2",
          "b268905c-522d-47e3-a2ca-3f8d8a754373"
        ]
      },
      {
        "propname": "stylebook_id",
        "propvalues": [
          "gslbbb963abe85936913035e1d4dd14b56f7",
          "moni72fad4494466d102b19c18ac329fa9f3"
        ]
      }
    ],
    "tenant_id": "6d024111-6636-4571-a250-d47b31aba7a8"
  }
}
<!--NeedCopy-->

注意

要获取 DNS 域名的 ID 以及上述 API 负载中使用的 GSLB 样书,您可以使用常规 Citrix ADM API 来查询与实体名称对应的 ID。例如,要获取名为“app1.acme.com”的 DNS 域的 ID,可以使用以下 Citrix ADM REST API。

URL: https://<MAS_IP>/nitro/v2/config/dns_domain_entry?filter=name: app1.acme.com
HTTPMETHOD: GET

The ID of this domain can be extracted from the following response.
{
  "errorcode": 0,
  "message": "Done",
  "operation": "get",
  "resourceType": "dns_domain_entry",
  "username": "nsroot",
  "tenant_name": "Owner",
  "tenant_id": "568d8e12-1d88-42b2-8943-cbaa04826fd1",
  "resourceName": "",
  "dns_domain_entry": [
    {
      "tenant_id": "568d8e12-1d88-42b2-8943-cbaa04826fd1",
      "name": "app1.acme.com",
      "id": "3e3d85ea-1c21-49b2-97f4-60fccdbae2e0",
      "description": "app1 domain name"
    }
  ]
}
<!--NeedCopy-->

同样,要获取命名空间为 com.citrix.adc.stylebook 的样书的样书 ID,版本:1.0,name: my-own-gslb,可以使用以下 API。

URL: https://<MAS_IP>/stylebook/nitro/v1/config/stylebooks?filter=name:my-own-gslb,namespace:com.citrix.adc.stylebooks,version:1.0
HTTPMETHOD: GET
<!--NeedCopy-->

响应包含样本详细信息,包括其 ID 属性。

{
  "stylebooks": [
    {
      "author": null,
      "builtin": "false",
      "builtins": "{"netscaler.nitro.config": "10.5"}",
      "deprecate": "false",
      "description": " This StyleBook is used to configure one or a number of Citrix ADCs in different sites into a GSLB setup. It is assumed that the SNIP IP on each Citrix ADC to be used by this StyleBook as the Site IP is already configured on the appliance.",
      "display_name": "HTTP/SSL LoadBalancing StyleBook",
      "filename": "my-own-gslb.yaml",
      "hide": null,
      "id": "gslb5a748d8b7684846cf6c409ad7dea8ccf",
      "imported_by": "",
      "imported_datetime": "2018-05-25 17:20:32.848902",
      "name": "my-own-gslb",
      "namespace": "com.citrix.adc.stylebooks",
      "pkg_id": "gslb5a748d8b7684846cf6c409ad7dea8ccf",
      "primary_keys": "["name"]",
      "private": "false",
      "recompile": "false",
      "schema_version": "1.0",
      "source": "LS0tIApuYW1lOiBsYgpuYW1lc…",
      "system": null,
      "tags": "",
      "tenant_id": null,
      "user_sb": "false",
      "version": "1.0"
    },
    {
      
    }
  ]
}
<!--NeedCopy-->

注意

上述 API 返回与过滤器匹配的样书列表。确保从响应中选择正确的样书以检索 ID。

用于创建系统用户的 REST API

注意

此步骤是可选的。

URL: https://<MAS_IP>/nitro/v2/config/mpsuser
HTTPMETHOD: POST

Payload:
{
  "mpsuser": {
    "name": "John",
    "password": "welcome",
    "external_authentication": false,
    "enable_session_timeout": false,
    "groups": [
      "AppOwnerGroup1"
    ]
  }
}
<!--NeedCopy-->

应用程序所有者的工作流程

您的用户必须使用其凭据以应用程序用户身份登录。用户必须完成此任务才能创建自己的 DNS 域名并使用新的 GSLB 样书。

  1. 在 Citrix ADM 中,导航到 设置 > 域名

  2. 单击“添加”以创建新的 DNS 域。在 Citrix ADM 中创建 DNS 域。

    创建 DNS 域名

    注意

    作为管理员,您还可以创建这些域名并将它们分配给用户组。

  3. 导航到 应用程序 > 控制板 ,然后单击 定义自定义应用程序

    定义自定义应用程序

  4. 键入应用程序的名称并选择类别。选择“从样书创建新应用程序”, 然后单击“确定”。选择 我自己的 GSLB 样本 以在所选实例上部署配置。

    定义应用程序

  5. 在样本中键入所有参数所需的值。

    1. 从列表中选择域名。

    2. 根据需要添加应用程序的 GSLB 站点。

    3. 在所有 GSLB 站点中选择目标 Citrix ADC 实例。

    4. 单击 建以创建 GSLB 配置。

      创建 GSLB 配置

    **注

    意**样本参数“DNS 域名”仅显示属于 Citrix ADM 中用户的 DNS 域的列表。

适用于应用程序所有者工作流程的 Citrix ADM REST API

用于登录 Citrix ADM 的 REST API

URL: http: //<MAS_IP>/nitro/v2/config/login
HTTPMETHOD: POST

Payload:
{
  "login": {
    "username": "<USER_NAME>",
    "password": "<PASSWORD>",
    "session_timeout": 1800
  }
}
<!--NeedCopy-->

用于创建 DNS 域名的 REST API

URL: https://<MAS_IP>/nitro/v2/config/dns_domain_entry
HTTP METHOD: POST
PAYLOAD: {"dns_domain_entry":{"name":"app1.acme.com","description":"app1 acme domain"
}
}
<!--NeedCopy-->

使用样书创建应用程序的 REST API

URL: https://<MAS_IP>/nitro/v2/config/application
HTTPMETHOD: POST

Payload:
{
  "params": {
    "action": "app_discovery"
  },
  "application": {
    "id": "",
    "name": "app1",
    "app_c ategory": "ITOps",
    "stylebook_params": "{"name":"my-own-gslb","namespace":"com.citrix.adc.stylebooks","version":"1.0","configpack_payload":{"parameters":{"name":"app1","domain-name":"app1.acme.com",]"ttl":"30","algorithm":"ROUNDROBIN","protocol":"HTTP","sites":[{"name":"site1","ipaddress":"6.5.6.77","virtual-ip":"88.6.5.44","virtual-port":"80"}]},"targets":[ {"id":"72c178da-47df-4426-9acc-cd6316f92506"}, {"id":"0e4d0789-bffe-4266-ba1c-09adfc61db4e"}, {"id":"b5af4455-3f06-4f56-b0cb-3d9f868c1f94"}]}}"
  }
}
<!--NeedCopy-->

在上面的有效载荷中:

  • “stylebook_params”包含要使用的样书的名称、命名空间和版本。

  • “configpack_payload”包含样书的填充参数,如上面等效的 GUI 表单所示。Citrix ADM 确保只有用户有权访问的 DNS 域名可用作参数“域名”的值。

  • “目标”包含将在其上部署 GSLB 配置的 NetScaler ID 列表(GSLB 站点上的 ADC 实例)。

要获取给定 NetScaler 管理 IP 地址的 NetScaler ID,可以使用以下 Citrix ADM API:

URL: https://<MAS_IP>/nitro/v2/config/ns?filter=ip_address: 192.168.153.162
HTTPMETHOD: GET
<!--NeedCopy-->

响应负载包含有关此 NetScaler 的信息,包括其 ID:

{
  "errorcode": 0,
  "message": "Done",
  ….."tenant_id": "ec0eb868-0d6b-4729-bfbd-3005dd2694c1",
  "resourceName": "",
  "ns": [
    {
      "manufacturedate": "9/30/2009",
      "is_grace": "false",
      "hostname": "youcef-ns",
      "std_bw_config": "0",
      "gateway_deployment": "false",
      "gateway_ipv6": "",
      "ha_master_state": "Primary",
      "instance_available": "0",
      "device_finger_print": "",
      "instance_state": "Down",
      "reason": "Device not reachable",
      "name": "",
      "ent_bw_available": "0",
      "description": "",
      "id": "da9ffff2-c100-45f1-a913-c542718338b2",
      "mgmt_ip_address": "192.168.153.162",
      ….
    }
  ]
}
<!--NeedCopy-->

构建您的样本

文件“我的 own-gslb.yaml”样本的完整内容如下所示: 您可以按照现在的方式使用此自定义样本或根据需要自定义它来生成所需的 GSLB 配置。此样书中名为“域名”的重要参数必须存在于任何样书中才能使用 DNS 名称功能。

name: my-own-gslb
namespace: com.citrix.adc.stylebooks
version: "1.0"
display-name: My own GSLB StyleBook
description: This StyleBook is used to configure one or a number of NetScalers in different sites into a GSLB setup. It is assumed that the SNIP IP on each NetScaler to be used by this StyleBook as the Site IP is already configured on the appliance.
schema-version: "1.0"
import-stylebooks:
  -
    namespace: netscaler.nitro.config
    version: "10.5"
    prefix: ns
  -
    namespace: com.citrix.adc.commontypes
    version: "1.0"
    prefix: cmtypes
parameters:
  -
    name: name
    label: Application Name
    type: string
    required: true
    key: true
  
  -
    name: domain-name
    label: DNS Domain Name
    description: GSLB DNS Domain Name
    type: string
    required: true
    allowed-dynamic-values:
      source: local
      resource-type: dns_domain_entry

  -
    name: ttl
    label: TTL for the Domain
    description: Time-To-Live value (number of seconds) for the Domain
    type: number
    default: 30

  -
    name: algorithm
    label: LB Algorithm
    description: Global Load Balancing Algorithm
    type: string
    default: ROUNDROBIN
    allowed-values:
      - ROUNDROBIN
      - STATICPROXIMITY
      - SOURCEIPHASH

  -
    name: protocol
    label: Protocol
    description: The protocol of the GSLB VIP
    type: string
    default: HTTP
    allowed-values:
      - HTTP
      - FTP
      - TCP
      - UDP
      - SSL
      - SSL_BRIDGE
      - SSL_TCP
      - NNTP
      - ANY
      - SIP_UDP
      - SIP_TCP
      - SIP_SSL
      - RADIUS
      - RDP
      - RTSP
      - MYSQL
      - MSSQL
      - ORACLE

  -
    name: monitor
    label: LB Monitor
    description: Monitor to be bound to the GSLB service
    type: cmtypes::monitor

  -
    name: sites
    label: GSLB Sites
    description: Provide information about the GSLB Sites
    type: object[]
    required: true
    parameters:
      -
        name: name
        label: Site Name
        type: string
        required: true
      -
        name: ipaddress
        label: Site IP Address
        description: The IP Address of this Site. Use a SNIP IP address on the site's appliance.
        type: ipaddress
        required: true
      -
        name: public-ipaddress
        label: Site Public IP Address
        description: The Public IP Address of this Site. It NATs to the Site's IP address
        type: ipaddress
      -
        name: virtual-ip
        label: Site VIP IP
        description: The IP Address for the GSLB Service on this site (The VIP on this Site)
        type: ipaddress
        required: true
      -
        name: virtual-port
        label: Site VIP Port
        description: The port number for the GSLB Service (VIP) on this site
        type: tcp-port
        default: 80

components:
  -
    name: enable-gslb-comp
    type: ns::nsfeature
    description: Enables the GSLB feature
    meta-properties:
      action: enable
    properties:
      feature: ["GSLB", "LB"]
  -
    name: gslb-monitor-comp
    type: cmtypes::monitor
    condition: $parameters.monitor
    properties:
      monitorname: $parameters.name + "-" + $parameters.monitor.monitorname + "-gslbmon"
      type: $parameters.monitor.type
      destip?: $parameters.monitor.destip
      destport?: $parameters.monitor.destport
      httprequest?: $parameters.monitor.httprequest
      send?: $parameters.monitor.send
      customheaders?: $parameters.monitor.customheaders
      respcodes?: $parameters.monitor.respcodes
      recv?: $parameters.monitor.recv
      lrtm?: $parameters.monitor.lrtm
      secure?: $parameters.monitor.secure
      interval?: $parameters.monitor.interval
      interval_units?: $parameters.monitor.interval_units
      resptimeout?: $parameters.monitor.resptimeout
      retries?: $parameters.monitor.retries
      downtime?: $parameters.monitor.downtime
  -
    name: gslb-vserver-comp
    type: ns::gslbvserver
    description: Creates a GSLB VServer config object
    properties:
      name: $parameters.name + "-gslbvserver"
      servicetype: $parameters.protocol
      lbmethod: $parameters.algorithm
    components:
      -
        name: gslb-domain-comp
        type: ns::gslbvserver_domain_binding
        properties:
          name: $parent.properties.name
          domainname: $parameters.domain-name
          ttl: $parameters.ttl
  -
    name: gslb-site-comp
    type: ns::gslbsite
    description: Creates a GSLB Site config object
    repeat: $parameters.sites
    repeat-item: site
    properties:
      sitename: $parameters.name + "-" + $site.name + "-gslbsite"
      siteipaddress: $site.ipaddress
      publicip?: $site.public-ipaddress
    components:
      -
        name: gslb-service-comp
        type: ns::gslbservice
        description: Creates a GSLB Service
        properties:
          servicename: $parameters.name + "-" + $site.name + "-gslbservice"
          ip: $site.virtual-ip
          servicetype: $parameters.protocol
          port: $site.virtual-port
          sitename: $parent.properties.sitename
        components:
          -
            name: gslb-vserver-service-binding-comp
            type: ns::gslbvserver_gslbservice_binding
            description: Creates a Binding between the GSLB vserver and the GSLB Service
            properties:
              name: $components.gslb-vserver-comp.properties.name
              servicename: $parent.properties.servicename
          -
            name: gslb-service-monitor-binding-comp
            type: ns::gslbservice_lbmonitor_binding
            description: Creates a Binding between the GSLB service and the GSLB monitor
            condition: $parameters.monitor
            properties:
              servicename: $parent.properties.servicename
              monitor_name: $components.gslb-monitor-comp.properties.monitorname
<!--NeedCopy-->
使用 DNS 域名部署 GSLB 配置