設定輸出 Proxy 前，請先測試機構限制標頭

本頁說明管理員如何測試機構限制，而不必設定輸出 Proxy。 Trusted Cloud by S3NS

如要建立及測試機構限制標頭，請按照下列步驟操作：

1. 如要取得機構的 Trusted Cloud by S3NS 機構 ID，請使用 gcloud organizations list 指令：

       gcloud organizations list
   

   以下是輸出範例：

       DISPLAY_NAME: Organization A
       ID: 123456789
       DIRECTORY_CUSTOMER_ID: a1b2c3d4
   

2. 取得機構 ID 後，請依下列格式編寫標頭值的 JSON 表示法：

    {
    "resources": ["organizations/123456789"],
     "options": "strict"
    }
   

3. 請按照 RFC 4648 第 5 節的規格，對要求標頭的值進行編碼。

   舉例來說，如果標頭值的 JSON 表示法儲存在 authorized_orgs.json 檔案中，則透過 basenc 編碼如下：

    $ OR_HEADER=`cat authorized_orgs.json | basenc --base64url -w0`
    $ echo $OR_HEADER
   ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiXQogIm9wdGlvbnMiOiAic3RyaWN0Igp9Cgo=
   

4. 如要測試標頭設定是否允許存取授權Trusted Cloud by S3NS 機構內的資源，請對授權Trusted Cloud by S3NS 機構內的資源建立 curl 要求。以下是 curl 要求範例：

   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)
   
   # Make a request that includes the organization restriction header; this call makes a request to the logging API for a project within the same organization listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST -d '{"projectIds":
   ["my-project-123"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
   # A successful request returns log entries in this project
   

5. 如要測試標頭設定是否會拒絕存取授權Trusted Cloud by S3NS 機構以外的資源，請對授權Trusted Cloud by S3NS 機構以外的資源建立 curl 要求。以下是 curl 要求範例：

   # Get auth token
   $ TOKEN=$(gcloud auth print-access-token)
   
   # Make a request that includes the organization restriction header; this call makes a request to the logging API for a project not within the same organization listed in the header
   $ curl -H "X-Goog-Allowed-Resources: ${OR_HEADER}" -X POST -d '{"projectIds": ["other-project-123"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list" 
   {
     "error": {
    "code": 403,
       "message": "Access denied by organization restriction. Contact your administrator for additional information.",
       "status": "PERMISSION_DENIED",
       "details": [
         {
           "@type": "type.googleapis.com/google.rpc.ErrorInfo",
           "reason": "ORG_RESTRICTION_VIOLATION",
           "domain": "googleapis.com",
           "metadata": {
             "service": "logging.googleapis.com",
             "consumer": "other-project-123"
           }
         }
       ]
     }
   }
   
   

   如果收到「存取遭拒」錯誤訊息，表示系統拒絕存取資源的要求。

後續步驟

• 瞭解如何使用機構限制。
• 瞭解機構限制支援的服務。