Update nexus: fix conflicts and sync local changes

This commit is contained in:
Shen Wei
2026-04-26 12:06:50 +08:00
parent 191797c01b
commit f09834b5a5
2443 changed files with 254323 additions and 255154 deletions


@@ -1,61 +1,61 @@
---
title: "CTP Topic 11 AD Integration, and Login using AD accounts"
type: cloud-learning
source-type: video
category: "DevOps & SRE/02_IAM"
tags:
- AWS
- AD
- IAM
- SSO
- CTP
date-added: 2026-04-14
video-source: "nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 11_ AD Integration, and Login using AD accounts.mp4"
audio-source: ""
status: summarized (Gemini 摘要)
---
# CTP Topic 11 AD Integration, and Login using AD accounts
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 11_ AD Integration, and Login using AD accounts.mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** ✅ 已完成Gemini 摘要)
---
## 摘要
> 本次 DevOps Cloud Learning Session 由 Niranjan 主讲,核心内容围绕 Jenkins 的身份认证优化以及 Terraform 代码的自动化质量检查展开。视频首先介绍了 Jenkins 与 SW Infra Active Directory (AD) 的集成。通过这一集成,团队告别了过去手动创建本地用户的繁琐流程,实现了基于 AD 账号的自动登录。这不仅简化了用户入职与离职的账号管理还为未来实施基于角色的访问控制RBAC奠定了基础。目前系统已实现认证集成下一步将通过 AD 组策略实现精细化的权限管理(如只读、读写、流水线创建权限)。
>
> 视频的第二部分重点展示了如何利用 `pre-commit` 框架在 CI/CD 流水线中嵌入自动化检查以防止“坏代码”或安全漏洞进入生产环境。Niranjan 详细演示了三个核心工具的应用:`terraform fmt` 用于统一代码格式,`TFLint` 用于验证配置逻辑与参数完整性,而 `Checkov` 则负责静态安全分析(例如检测未挂载到实例的安全组)。
>
> 在工作流设计上演讲者强调了“左移”思想在功能分支的每次提交Commit时仅触发自动化检查在拉取请求PR阶段触发检查与 `terraform plan`;只有在代码合并至 Master 分支并经过人工审核后,才会执行最终的 `terraform apply`。这种分层治理的模式极大地提升了基础设施即代码IaC的安全性和稳定性。
---
## 关键概念
- **Active Directory (AD) Integration**: 将 Jenkins 的安全域Security Realm与企业活动目录关联实现用户身份的统一认证与自动化管理。
- **RBAC (Role-Based Access Control)**: 基于角色的访问控制,通过 AD 组策略决定用户在 Jenkins 中拥有的具体操作权限。
- **Pre-commit Framework**: 一个用于管理和维护多语言预提交钩子的框架,旨在代码提交至仓库前识别简单问题。
- **terraform fmt**: Terraform 内置的格式化工具,用于将配置文件重写为符合官方规范的标准格式。
- **TFLint**: 一种针对 Terraform 的静态分析工具,用于检查代码中的人为错误、过时语法及缺失的参数。
- **Checkov**: 一种静态代码分析工具,专门用于扫描基础设施即代码 (IaC) 中的安全性与合规性配置错误。
- **Static Analysis**: 在不实际运行代码的情况下,通过检查源代码来发现程序中潜在错误或安全漏洞的过程。
---
## 相关视频
> [!info]+ 交叉引用
> [[GitHub and Jenkins Integration]] — 本视频提到的前置基础,介绍了 GitHub 仓库与 Jenkins 流水线的触发与反馈机制。
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
---
title: "CTP Topic 11 AD Integration, and Login using AD accounts"
type: cloud-learning
source-type: video
category: "DevOps & SRE/02_IAM"
tags:
- AWS
- AD
- IAM
- SSO
- CTP
date-added: 2026-04-14
video-source: "nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 11_ AD Integration, and Login using AD accounts.mp4"
audio-source: ""
status: summarized (Gemini 摘要)
---
# CTP Topic 11 AD Integration, and Login using AD accounts
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 11_ AD Integration, and Login using AD accounts.mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** ✅ 已完成Gemini 摘要)
---
## 摘要
> 本次 DevOps Cloud Learning Session 由 Niranjan 主讲,核心内容围绕 Jenkins 的身份认证优化以及 Terraform 代码的自动化质量检查展开。视频首先介绍了 Jenkins 与 SW Infra Active Directory (AD) 的集成。通过这一集成,团队告别了过去手动创建本地用户的繁琐流程,实现了基于 AD 账号的自动登录。这不仅简化了用户入职与离职的账号管理还为未来实施基于角色的访问控制RBAC奠定了基础。目前系统已实现认证集成下一步将通过 AD 组策略实现精细化的权限管理(如只读、读写、流水线创建权限)。
>
> 视频的第二部分重点展示了如何利用 `pre-commit` 框架在 CI/CD 流水线中嵌入自动化检查以防止“坏代码”或安全漏洞进入生产环境。Niranjan 详细演示了三个核心工具的应用:`terraform fmt` 用于统一代码格式,`TFLint` 用于验证配置逻辑与参数完整性,而 `Checkov` 则负责静态安全分析(例如检测未挂载到实例的安全组)。
>
> 在工作流设计上演讲者强调了“左移”思想在功能分支的每次提交Commit时仅触发自动化检查在拉取请求PR阶段触发检查与 `terraform plan`;只有在代码合并至 Master 分支并经过人工审核后,才会执行最终的 `terraform apply`。这种分层治理的模式极大地提升了基础设施即代码IaC的安全性和稳定性。
---
## 关键概念
- **Active Directory (AD) Integration**: 将 Jenkins 的安全域Security Realm与企业活动目录关联实现用户身份的统一认证与自动化管理。
- **RBAC (Role-Based Access Control)**: 基于角色的访问控制,通过 AD 组策略决定用户在 Jenkins 中拥有的具体操作权限。
- **Pre-commit Framework**: 一个用于管理和维护多语言预提交钩子的框架,旨在代码提交至仓库前识别简单问题。
- **terraform fmt**: Terraform 内置的格式化工具,用于将配置文件重写为符合官方规范的标准格式。
- **TFLint**: 一种针对 Terraform 的静态分析工具,用于检查代码中的人为错误、过时语法及缺失的参数。
- **Checkov**: 一种静态代码分析工具,专门用于扫描基础设施即代码 (IaC) 中的安全性与合规性配置错误。
- **Static Analysis**: 在不实际运行代码的情况下,通过检查源代码来发现程序中潜在错误或安全漏洞的过程。
---
## 相关视频
> [!info]+ 交叉引用
> [[GitHub and Jenkins Integration]] — 本视频提到的前置基础,介绍了 GitHub 仓库与 Jenkins 流水线的触发与反馈机制。
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
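Review bot: every one of the 61 lines in this hunk is replaced by a line that reads identically (the `@@ -1,61 +1,61 @@` header with old and new content matching line for line), which points to a line-ending or trailing-whitespace rewrite rather than a content change; repeated across the 2443 files in this commit, that hides any real edits from review and from `git blame`, so either confirm it is intentional normalization and add a `.gitattributes` rule such as `* text=auto` so it does not recur, or split it from the content sync. Separately, the note carries the `## 相关视频` heading twice, once with the `[[GitHub and Jenkins Integration]]` cross-reference and once with the `配对视频笔记链接(生成后填入)` placeholder; merge them into one section so the placeholder does not survive beside the filled-in link.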


@@ -1,79 +1,79 @@
---
title: CTP Topic 5 - AWS Identity and Access Management (IAM)
type: cloud-learning
source-type: video
category: DevOps & SRE/02_IAM
tags:
- AWS
- IAM
- Security
- CTP
date-added: 2026-04-14
video-source: nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4
audio-source: ""
status: summarized (Gemini 摘要)
---
# CTP Topic 5 - AWS Identity and Access Management (IAM)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## 摘要
> ## AWS Identity and Access Management (IAM) Explained
This session covers AWS Identity and Access Management (IAM), focusing on users, groups, roles, and policies, and how they relate to accessing AWS via the CLI and federation. The discussion emphasizes accessing landing zone accounts and determining the appropriate method.
Key points include:
* IAM dashboard resources: users, groups, customer managed policies, roles, and identity providers.
* Federated access: Users gain access to accounts via Active Directory (AD) groups, which grant specific roles.
* `accounts.json`: This file, located in the root of every landing zone, contains a list of account numbers.
* IAM users are primarily for service accounts; federation is the preferred method for user management.
* User groups are less relevant due to the focus on federated user management.
* Roles are used by services or users and tie together permissions.
* Policies define permissions, specifying what actions are allowed or denied on resources.
* *Roles don't enable actions; they tie together who can do something and what they can do.*
* Policies can be AWS-managed or customer-managed.
Federated users log in via their organization's AD, which maps to an IAM role. Command-line access via federation requires a tool called PFSSO. *We only want to allow the access that is strictly required.* Least privilege model: Granting only the necessary permissions is crucial.
Configuring permissions typically involves a service accessing AWS resources, requiring a role and policy. Terraform modules can define IAM roles, including an assumed role policy and inline policy blocks. Policies should be fine-grained, limiting access to only the required resources. Inline policies are tied to a specific role, while managed policies can be reused across multiple roles.
Key takeaways:
* Federation is the primary method for user access.
* Roles and policies are central to managing permissions.
* Least privilege is a guiding principle when defining policies.
* Consider using inline policies for role-specific permissions and managed policies for reusable permissions.
* When defining pterogrant modules, ensure policies are not too wide open.
* VSM requests are required to gain account access through Federation.
* User attributes beyond usernames are supported, including additional STS values and tags.
* Cross-account role assumption is possible, where principles in specified accounts can assume a role.
---
## 关键概念
-
---
## 行动项
-
---
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
---
title: CTP Topic 5 - AWS Identity and Access Management (IAM)
type: cloud-learning
source-type: video
category: DevOps & SRE/02_IAM
tags:
- AWS
- IAM
- Security
- CTP
date-added: 2026-04-14
video-source: nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4
audio-source: ""
status: summarized (Gemini 摘要)
---
# CTP Topic 5 - AWS Identity and Access Management (IAM)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## 摘要
> ## AWS Identity and Access Management (IAM) Explained
This session covers AWS Identity and Access Management (IAM), focusing on users, groups, roles, and policies, and how they relate to accessing AWS via the CLI and federation. The discussion emphasizes accessing landing zone accounts and determining the appropriate method.
Key points include:
* IAM dashboard resources: users, groups, customer managed policies, roles, and identity providers.
* Federated access: Users gain access to accounts via Active Directory (AD) groups, which grant specific roles.
* `accounts.json`: This file, located in the root of every landing zone, contains a list of account numbers.
* IAM users are primarily for service accounts; federation is the preferred method for user management.
* User groups are less relevant due to the focus on federated user management.
* Roles are used by services or users and tie together permissions.
* Policies define permissions, specifying what actions are allowed or denied on resources.
* *Roles don't enable actions; they tie together who can do something and what they can do.*
* Policies can be AWS-managed or customer-managed.
Federated users log in via their organization's AD, which maps to an IAM role. Command-line access via federation requires a tool called PFSSO. *We only want to allow the access that is strictly required.* Least privilege model: Granting only the necessary permissions is crucial.
Configuring permissions typically involves a service accessing AWS resources, requiring a role and policy. Terraform modules can define IAM roles, including an assumed role policy and inline policy blocks. Policies should be fine-grained, limiting access to only the required resources. Inline policies are tied to a specific role, while managed policies can be reused across multiple roles.
Key takeaways:
* Federation is the primary method for user access.
* Roles and policies are central to managing permissions.
* Least privilege is a guiding principle when defining policies.
* Consider using inline policies for role-specific permissions and managed policies for reusable permissions.
* When defining pterogrant modules, ensure policies are not too wide open.
* VSM requests are required to gain account access through Federation.
* User attributes beyond usernames are supported, including additional STS values and tags.
* Cross-account role assumption is possible, where principles in specified accounts can assume a role.
---
## 关键概念
-
---
## 行动项
-
---
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
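Review bot: the front matter `status: summarized (Gemini 摘要)` contradicts the body line `**Status:** 🟡 Awaiting Whisper transcription → Summary`; since the summary text is present, the body status should be updated the way the Topic 11 note does with `✅ 已完成`. Two terms in the summary look like transcription errors and should be checked against the recording: `pterogrant modules` (the surrounding sentences discuss Terraform modules that define IAM roles) and `principles in specified accounts can assume a role`, where the IAM term is `principals`. `PFSSO` and `VSM` are left unexpanded, and VSM is described as a DXC tool elsewhere in this commit, so a one-line expansion would help readers. Also the `> ## AWS Identity ...` line opens a blockquote that the following paragraphs do not continue, so only the sub-heading renders quoted under `## 摘要`; either prefix every summary line with `> ` or drop the quote marker. As in the other files here, old and new content are identical line for line, so this hunk is a whitespace or line-ending rewrite.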


@@ -1,51 +1,51 @@
---
title: CTP Topic 5 - AWS Identity and Access Management (IAM)
type: cloud-learning
source-type: video
category: DevOps & SRE/02_IAM
tags:
- AWS
- IAM
- Security
- CTP
date-added: 2026-04-14
video-source: nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4
audio-source: ""
status: raw
---
# CTP Topic 5 - AWS Identity and Access Management (IAM)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## 摘要
> 待转录后由 LLM 生成
---
## 关键概念
-
---
## 行动项
-
---
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
---
title: CTP Topic 5 - AWS Identity and Access Management (IAM)
type: cloud-learning
source-type: video
category: DevOps & SRE/02_IAM
tags:
- AWS
- IAM
- Security
- CTP
date-added: 2026-04-14
video-source: nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4
audio-source: ""
status: raw
---
# CTP Topic 5 - AWS Identity and Access Management (IAM)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/CTP _ Topic 5 - AWS Identity and Access Management (IAM).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## 摘要
> 待转录后由 LLM 生成
---
## 关键概念
-
---
## 行动项
-
---
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
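Review bot: this file shares its `title` and `video-source` with the Topic 5 note that already carries a summary elsewhere in this commit, but stays at `status: raw` with the placeholder `待转录后由 LLM 生成`; keeping both means the raw template will be picked up again by whatever fills in summaries, so either delete this copy or mark it as superseded. The hunk itself rewrites all 51 lines with identical content, consistent with a line-ending normalization rather than a content change.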


@@ -1,32 +1,32 @@
---
title: "Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)"
type: cloud-learning
source-type: video
category: "DevOps & SRE/02_IAM"
tags:
- Identity-Governance
- VSM
- CTP
date-added: 2026-04-14
video-source: "nas:///volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4"
audio-source: ""
status: summarized (Gemini 摘要)
---
# Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## Identity Governance and VSM Replacement
The learning session covers identity governance, focusing on the replacement of Virtual SM (VSM), a DXC tool, with identity governance (IG). The objective is to understand identity governance, its necessity, micro-focused IG, its utilization with control tower and counter-automation, the plan to replace VSM with IG, and how to use the IGA portal.
Identity governance is a framework for managing digital identities efficiently, minimizing risk, and maintaining compliance. Key questions addressed by identity governance include: *who currently has access to our systems, who should have access, and how is the access being done?* It comprises identity management, access management, and identity auditing. Microfocus's IGA governs access through resources, providing workflows for approving and revoking access, as well as monitoring and auditing access. IG is used to provide access to both internal and external users, including contractors, with time-limited access.
IG integrates with AWS Identity Center to provide access to resources via IAM. Groups in Active Directory represent roles, and IG governs access to these groups. A bridge is established using Azure AD domain services for authentication. IG controls Active Directory groups and workflows, while IAM connects to Azure to Cobdom domain. The plan is to replace VSM with IG for all accounts, using the same architecture as VSM, but with IG connected to Coptum domain. Changes include adding owner information to Active Directory groups and automating the account owner as the first-level approver. A POC is underway to validate the architecture and process. Gaining access involves searching for the resource in the IG portal, requesting access, and filling out a form. The request goes through an approval flow, and upon approval, access is granted automatically.
---
title: "Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)"
type: cloud-learning
source-type: video
category: "DevOps & SRE/02_IAM"
tags:
- Identity-Governance
- VSM
- CTP
date-added: 2026-04-14
video-source: "nas:///volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4"
audio-source: ""
status: summarized (Gemini 摘要)
---
# Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## Identity Governance and VSM Replacement
The learning session covers identity governance, focusing on the replacement of Virtual SM (VSM), a DXC tool, with identity governance (IG). The objective is to understand identity governance, its necessity, micro-focused IG, its utilization with control tower and counter-automation, the plan to replace VSM with IG, and how to use the IGA portal.
Identity governance is a framework for managing digital identities efficiently, minimizing risk, and maintaining compliance. Key questions addressed by identity governance include: *who currently has access to our systems, who should have access, and how is the access being done?* It comprises identity management, access management, and identity auditing. Microfocus's IGA governs access through resources, providing workflows for approving and revoking access, as well as monitoring and auditing access. IG is used to provide access to both internal and external users, including contractors, with time-limited access.
IG integrates with AWS Identity Center to provide access to resources via IAM. Groups in Active Directory represent roles, and IG governs access to these groups. A bridge is established using Azure AD domain services for authentication. IG controls Active Directory groups and workflows, while IAM connects to Azure to Cobdom domain. The plan is to replace VSM with IG for all accounts, using the same architecture as VSM, but with IG connected to Coptum domain. Changes include adding owner information to Active Directory groups and automating the account owner as the first-level approver. A POC is underway to validate the architecture and process. Gaining access involves searching for the resource in the IG portal, requesting access, and filling out a form. The request goes through an approval flow, and upon approval, access is granted automatically.


@@ -1,50 +1,50 @@
---
title: "Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)"
type: cloud-learning
source-type: video
category: "DevOps & SRE/02_IAM"
tags:
- Identity-Governance
- VSM
- CTP
date-added: 2026-04-14
video-source: "nas:///volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4"
audio-source: ""
status: raw
---
# Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## 摘要
> 待转录后由 LLM 生成
---
## 关键概念
-
---
## 行动项
-
---
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
---
title: "Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)"
type: cloud-learning
source-type: video
category: "DevOps & SRE/02_IAM"
tags:
- Identity-Governance
- VSM
- CTP
date-added: 2026-04-14
video-source: "nas:///volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4"
audio-source: ""
status: raw
---
# Learning Sessions Identity Governance VSM replacement -20231128 160326-Meeting Recording (1)
**Source:** NAS `/volume2/work/Public Cloud Learning Sessions/Learning Sessions _ Identity Governance VSM replacement -20231128_160326-Meeting Recording (1).mp4`
**Type:** VIDEO | **Category:** 02_IAM
**Status:** 🟡 Awaiting Whisper transcription → Summary
---
## 摘要
> 待转录后由 LLM 生成
---
## 关键概念
-
---
## 行动项
-
---
## 相关视频
> 配对视频笔记链接(生成后填入)
---
*最后更新: 2026-04-14*
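Review bot: as with the Topic 5 raw file, this is a `status: raw` template for the same `video-source` as the summarized Identity Governance note in this commit, so the two should be consolidated before the sync lands; the hunk is otherwise a whole-file rewrite of 50 identical lines, which again suggests line-ending normalization that would be better isolated in its own commit (or prevented with a `.gitattributes` rule) rather than mixed into a sync of 2443 files.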