RBAC

28. RBAC

28.1 Kubernetes API 鉴权流程

身份验证

 kubernetes API-Server验证客户端身份是不是合法的service account账户，如果不是则API服务器直接返回错误状态码401并终止请求，此步骤会检查头部报文和客户端证书如：client certificates,password,tokens

鉴权

 如果请求者有效，API服务器继续验证客户端是否有权限执行当前的请求操作，如果请求者未经授权则API服务器返回错误403并终止请求 此步骤会检测Policy与verbs，如get、delete

准入控制

 如果客户端权限验证通过，则API服务器的准入控制器判断请求是否呗允许执行
此步骤由控制器检测权限，如：DenyExecOnPrivileged、LimitRanger等

28.2 RBAC简介

 RBAC API声明了四种Kubernetes对象：Role、ClusterRole、RoleBinding和ClusterRoleBinding
 
Role:定义一组规则，用于访问命名空间中的Kubernetes资源
 
RoleBinding:定义用户和角色（Role）的绑定关系
 
ClusterRole:定义了一组访问集群中Kubernetes资源包括所有命名空间的规则
 
ClusterRoleBinding:定义了用户和集群角色（ClusterRole）的绑定关系

28.3 创建角色生成token授权并登录

 root@k8s-master1:~# kubectl create serviceaccount quyi -n demo
serviceaccount/quyi created
root@k8s-master1:~# kubectl get  sa -n demo
NAME      SECRETS   AGE
default   0         7d3h
quyi      0         8s

创建Role

 root@k8s-master1:~/20220814/RBAC-yaml-case# vim magedu-role.yaml 
 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: demo
  name: quyi-role
rules:
- apiGroups: ["*"]	#api版本
  resources: ["pods/exec"]	#能在容器执行的命令
  #verbs: ["*"]	#执行的动作
  ##RO-Role
  verbs: ["get", "list", "watch", "create"]	#授权信息
 
 
- apiGroups: ["*"]
  resources: ["pods"]
  #verbs: ["*"]
  ##RO-Role
  verbs: ["get", "list", "watch", "delete"]
 
- apiGroups: ["apps/v1"]
  resources: ["deployments"]
  #verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  ##RO-Role
  verbs: ["get", "watch", "list"]
 
#查看
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -n demo
NAME        CREATED AT
quyi-role   2022-12-17T06:27:20Z
 
#查看详细信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -o yaml -n demo

RoleBinding

 kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-quyi
  namespace: demo
subjects:
- kind: ServiceAccount  #服务账号
  name: quyi
  namespace: demo       #把demo名称空间下的quyi账号跟Role类型quyi-role进行绑定
roleRef:
  kind: Role    #类型
  name: quyi-role
  apiGroup: rbac.authorization.k8s.io
 
#查看账号信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get sa -o yaml -n demo
#查看role信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -o yaml -n demo
#查看rolebinding信息
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get rolebindings.rbac.authorization.k8s.io -o yaml -n demo
 
#绑定成功了
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get rolebindings.rbac.authorization.k8s.io role-bind-quyi   -o yaml -n demo
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"role-bind-quyi","namespace":"demo"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"quyi-role"},"subjects":[{"kind":"ServiceAccount","name":"quyi","namespace":"demo"}]}
  creationTimestamp: "2022-12-17T06:33:14Z"
  name: role-bind-quyi
  namespace: demo
  resourceVersion: "279142"
  uid: 6e261f82-1112-4cd9-b8e2-36aaf80e0426
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: quyi-role		#看这个账号
subjects:
- kind: ServiceAccount
  name: quyi			#这个名字
  namespace: demo		#这个名称空间

创建token

 root@k8s-master1:~/20220814/RBAC-yaml-case# cat quyi-tokem.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: quyi-admin-user
  namespace: demo
  annotations:
    kubernetes.io/service-account.name: "quyi"
 
#查看
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get secrets -n demo 
NAME              TYPE                                  DATA   AGE
quyi-admin-user   kubernetes.io/service-account-token   3      9s
root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl describe secrets quyi-admin-user  -n demo 
Name:         quyi-admin-user
Namespace:    demo
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: quyi
              kubernetes.io/service-account.uid: 0e05998b-30d7-4749-a1a0-72da075b49d5
 
Type:  kubernetes.io/service-account-token
 
Data
====
ca.crt:     1302 bytes
#这个token就可以使用了
namespace:  4 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Im1TckdJQzhDUVIxM2RqeWxCV211TXQ1b3M1N1hYSlljTEptU2lhanRWT2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InF1eWktYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJxdXlpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGUwNTk5OGItMzBkNy00NzQ5LWExYTAtNzJkYTA3NWI0OWQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86cXV5aSJ9.JKebBWn7NiI3Dyz_etkks_6FMvawFqG2-V1VcH3Vu32xjLUs_9CbqSDBVoV2pF3Olp_KeMcRKypTDj5cPdMrNuvqX17DEfcuhZU11RgInwPtlx6otEf1I9Wsg5qRGByJZ1AKjLzpdsEk_zHBZQaRsr9aMD3Ao3Hir-UYwqrHR2UOGq-wvlmyZ9ODF5z4RRJYYDQxOFmWIXPZ7ch5iEo2cXiIvhdNb5uRdHoY1ucYusbWUQunBkeH5qZG3djAaigK3KE3YBlntK2_1xHvnjLGPqkCYj1RwO2YU17QfRK8gkSS7_yBcpQkEHJD3eV8-ovuq-_jOXbdRdSC5py124mSEw
root@k8s-master1:~/20220814/RBAC-yaml-case#

28.4 生成kubeconfig文件登录

 #找出超级管理员的token
root@k8s-master1:~/dashboard-v2.6.0#  kubectl get secrets -A | grep admin
#例如 复制出来token
root@k8s-master1:~/dashboard-v2.6.0# kubectl describe secrets -n kuboard kuboard-admin-token
#将这个token复制到/root/.kube/config下面 空格4个对齐放入即可强制保存退出

28.5 普通用户实现kubeconfig文件登录

创建csr文件

 root@k8s-master1:~/20220814/RBAC-yaml-case/certs# cat magedu-csr.json 
{
  "CN": "China",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

找到ca-config.json

 root@k8s-deploy-ha:~# cat /etc/kubeasz/clusters/k8s-cluster1/ssl/ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "438000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "438000h"
      }
    },
    "profiles": {
      "kcfg": {
        "usages": [
            "signing",
            "key encipherment",
            "client auth"
        ],
        "expiry": "438000h"
      }
    }
  }
}

执行命令

 #这是同一个k8s集群证书签发的是可被信任的
cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=./ca-config.json -profile=kubernetes ./quyi-csr.json | cfssljson -bare quyi

生成普通用户kubeconfig文件

 #里面的IP其实应该改成VIP
root@k8s-master1:~/20220814/RBAC-yaml-case/certs# vim /root/.kube/config
 
#生成普通用户kubeconfig文件
kubectl config set-cluster cluster1 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=quyi.kubeconfig
 
#设置客户端认证参数:
cp *.pem /etc/kubernetes/ssl/
 
kubectl config set-credentials quyi \
--client-certificate=/etc/kubernetes/ssl/quyi.pem \
--client-key=/etc/kubernetes/ssl/quyi-key.pem \
--embed-certs=true \
--kubeconfig=quyi.kubeconfig
然后这个文件里面就会有一个用户了quyi.kubeconfig
 
#设置上下文参数(多集群使用上下文区分)
https://kubernetes.io/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/
 
kubectl config set-context cluster1 \
--cluster=cluster1 \
--user=quyi \
--namespace=demo \
--kubeconfig=quyi.kubeconfig
然后就有一些集群信息了
contexts:
- context:
    cluster: cluster1
    namespace: demo
    user: quyi
  name: cluster1
 
#设置默认上下文
kubectl config use-context cluster1 --kubeconfig=quyi.kubeconfig
 
#编辑追加token空格4
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im1TckdJQzhDUVIxM2RqeWxCV211TXQ1b3M1N1hYSlljTEptU2lhanRWT2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InF1eWktYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJxdXlpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGUwNTk5OGItMzBkNy00NzQ5LWExYTAtNzJkYTA3NWI0OWQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86cXV5aSJ9.JKebBWn7NiI3Dyz_etkks_6FMvawFqG2-V1VcH3Vu32xjLUs_9CbqSDBVoV2pF3Olp_KeMcRKypTDj5cPdMrNuvqX17DEfcuhZU11RgInwPtlx6otEf1I9Wsg5qRGByJZ1AKjLzpdsEk_zHBZQaRsr9aMD3Ao3Hir-UYwqrHR2UOGq-wvlmyZ9ODF5z4RRJYYDQxOFmWIXPZ7ch5iEo2cXiIvhdNb5uRdHoY1ucYusbWUQunBkeH5qZG3djAaigK3KE3YBlntK2_1xHvnjLGPqkCYj1RwO2YU17QfRK8gkSS7_yBcpQkEHJD3eV8-ovuq-_jOXbdRdSC5py124mSEw

下载下来用文件登录就可以了

posted @ 2023-01-01 22:54 YIDADA-SRE 阅读(94) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· EFK日志收集

· K8S网络通信

· K8S的RBAC实战案例

· Kubernetes(k8s)访问控制：权限管理之RBAC授权/鉴权

· K8s-安全_鉴权与准入控制

阅读排行：
· TypeScript + Deepseek 打造卜卦网站：技术与玄学的结合
· 阿里巴巴 QwQ-32B真的超越了 DeepSeek R-1吗？
· 【译】Visual Studio 中新的强大生产力特性
· 10年+ .NET Coder 心语 ── 封装的思维：从隐藏、稳定开始理解其本质意义
· 【设计模式】告别冗长if-else语句：使用策略模式优化代码结构

阅读目录(Content)

此页目录为空

YIDADA-SRE

念两句诗

RBAC

28. RBAC

28.1 Kubernetes API 鉴权流程

28.2 RBAC简介

28.3 创建角色生成token授权并登录

28.4 生成kubeconfig文件登录

28.5 普通用户实现kubeconfig文件登录

公告

个人信息

日历

搜索

常用链接

随笔分类

随笔档案

相册

阅读排行榜

评论排行榜

最新评论

	如果客户端权限验证通过，则API服务器的准入控制器判断请求是否呗允许执行
	此步骤由控制器检测权限，如：DenyExecOnPrivileged、LimitRanger等

	RBAC API声明了四种Kubernetes对象：Role、ClusterRole、RoleBinding和ClusterRoleBinding

	Role:定义一组规则，用于访问命名空间中的Kubernetes资源

	RoleBinding:定义用户和角色（Role）的绑定关系

	ClusterRole:定义了一组访问集群中Kubernetes资源包括所有命名空间的规则

	ClusterRoleBinding:定义了用户和集群角色（ClusterRole）的绑定关系

	root@k8s-master1:~# kubectl create serviceaccount quyi -n demo
	serviceaccount/quyi created
	root@k8s-master1:~# kubectl get sa -n demo
	NAME SECRETS AGE
	default 0 7d3h
	quyi 0 8s

	root@k8s-master1:~/20220814/RBAC-yaml-case# vim magedu-role.yaml

	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	namespace: demo
	name: quyi-role
	rules:
	- apiGroups: ["*"] #api版本
	resources: ["pods/exec"] #能在容器执行的命令
	#verbs: ["*"] #执行的动作
	##RO-Role
	verbs: ["get", "list", "watch", "create"] #授权信息


	- apiGroups: ["*"]
	resources: ["pods"]
	#verbs: ["*"]
	##RO-Role
	verbs: ["get", "list", "watch", "delete"]

	- apiGroups: ["apps/v1"]
	resources: ["deployments"]
	#verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
	##RO-Role
	verbs: ["get", "watch", "list"]

	#查看
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -n demo
	NAME CREATED AT
	quyi-role 2022-12-17T06:27:20Z

	#查看详细信息
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -o yaml -n demo

	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: role-bind-quyi
	namespace: demo
	subjects:
	- kind: ServiceAccount #服务账号
	name: quyi
	namespace: demo #把demo名称空间下的quyi账号跟Role类型quyi-role进行绑定
	roleRef:
	kind: Role #类型
	name: quyi-role
	apiGroup: rbac.authorization.k8s.io

	#查看账号信息
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get sa -o yaml -n demo
	#查看role信息
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get role -o yaml -n demo
	#查看rolebinding信息
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get rolebindings.rbac.authorization.k8s.io -o yaml -n demo

	#绑定成功了
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get rolebindings.rbac.authorization.k8s.io role-bind-quyi -o yaml -n demo
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	annotations:
	kubectl.kubernetes.io/last-applied-configuration: \|
	{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"role-bind-quyi","namespace":"demo"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"quyi-role"},"subjects":[{"kind":"ServiceAccount","name":"quyi","namespace":"demo"}]}
	creationTimestamp: "2022-12-17T06:33:14Z"
	name: role-bind-quyi
	namespace: demo
	resourceVersion: "279142"
	uid: 6e261f82-1112-4cd9-b8e2-36aaf80e0426
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: quyi-role #看这个账号
	subjects:
	- kind: ServiceAccount
	name: quyi #这个名字
	namespace: demo #这个名称空间

	root@k8s-master1:~/20220814/RBAC-yaml-case# cat quyi-tokem.yaml
	apiVersion: v1
	kind: Secret
	type: kubernetes.io/service-account-token
	metadata:
	name: quyi-admin-user
	namespace: demo
	annotations:
	kubernetes.io/service-account.name: "quyi"

	#查看
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl get secrets -n demo
	NAME TYPE DATA AGE
	quyi-admin-user kubernetes.io/service-account-token 3 9s
	root@k8s-master1:~/20220814/RBAC-yaml-case# kubectl describe secrets quyi-admin-user -n demo
	Name: quyi-admin-user
	Namespace: demo
	Labels: <none>
	Annotations: kubernetes.io/service-account.name: quyi
	kubernetes.io/service-account.uid: 0e05998b-30d7-4749-a1a0-72da075b49d5

	Type: kubernetes.io/service-account-token

	Data
	====
	ca.crt: 1302 bytes
	#这个token就可以使用了
	namespace: 4 bytes
	token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im1TckdJQzhDUVIxM2RqeWxCV211TXQ1b3M1N1hYSlljTEptU2lhanRWT2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InF1eWktYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJxdXlpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGUwNTk5OGItMzBkNy00NzQ5LWExYTAtNzJkYTA3NWI0OWQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86cXV5aSJ9.JKebBWn7NiI3Dyz_etkks_6FMvawFqG2-V1VcH3Vu32xjLUs_9CbqSDBVoV2pF3Olp_KeMcRKypTDj5cPdMrNuvqX17DEfcuhZU11RgInwPtlx6otEf1I9Wsg5qRGByJZ1AKjLzpdsEk_zHBZQaRsr9aMD3Ao3Hir-UYwqrHR2UOGq-wvlmyZ9ODF5z4RRJYYDQxOFmWIXPZ7ch5iEo2cXiIvhdNb5uRdHoY1ucYusbWUQunBkeH5qZG3djAaigK3KE3YBlntK2_1xHvnjLGPqkCYj1RwO2YU17QfRK8gkSS7_yBcpQkEHJD3eV8-ovuq-_jOXbdRdSC5py124mSEw
	root@k8s-master1:~/20220814/RBAC-yaml-case#

	#找出超级管理员的token
	root@k8s-master1:~/dashboard-v2.6.0# kubectl get secrets -A \| grep admin
	#例如复制出来token
	root@k8s-master1:~/dashboard-v2.6.0# kubectl describe secrets -n kuboard kuboard-admin-token
	#将这个token复制到/root/.kube/config下面空格4个对齐放入即可强制保存退出

	root@k8s-master1:~/20220814/RBAC-yaml-case/certs# cat magedu-csr.json
	{
	"CN": "China",
	"hosts": [],
	"key": {
	"algo": "rsa",
	"size": 2048
	},
	"names": [
	{
	"C": "CN",
	"ST": "BeiJing",
	"L": "BeiJing",
	"O": "k8s",
	"OU": "System"
	}
	]
	}

	root@k8s-deploy-ha:~# cat /etc/kubeasz/clusters/k8s-cluster1/ssl/ca-config.json
	{
	"signing": {
	"default": {
	"expiry": "438000h"
	},
	"profiles": {
	"kubernetes": {
	"usages": [
	"signing",
	"key encipherment",
	"server auth",
	"client auth"
	],
	"expiry": "438000h"
	}
	},
	"profiles": {
	"kcfg": {
	"usages": [
	"signing",
	"key encipherment",
	"client auth"
	],
	"expiry": "438000h"
	}
	}
	}
	}

	#这是同一个k8s集群证书签发的是可被信任的
	cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=./ca-config.json -profile=kubernetes ./quyi-csr.json \| cfssljson -bare quyi

	#里面的IP其实应该改成VIP
	root@k8s-master1:~/20220814/RBAC-yaml-case/certs# vim /root/.kube/config

	#生成普通用户kubeconfig文件
	kubectl config set-cluster cluster1 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=quyi.kubeconfig

	#设置客户端认证参数:
	cp *.pem /etc/kubernetes/ssl/

	kubectl config set-credentials quyi \
	--client-certificate=/etc/kubernetes/ssl/quyi.pem \
	--client-key=/etc/kubernetes/ssl/quyi-key.pem \
	--embed-certs=true \
	--kubeconfig=quyi.kubeconfig
	然后这个文件里面就会有一个用户了quyi.kubeconfig

	#设置上下文参数(多集群使用上下文区分)
	https://kubernetes.io/zh/docs/concepts/configuration/organize-cluster-access-kubeconfig/

	kubectl config set-context cluster1 \
	--cluster=cluster1 \
	--user=quyi \
	--namespace=demo \
	--kubeconfig=quyi.kubeconfig
	然后就有一些集群信息了
	contexts:
	- context:
	cluster: cluster1
	namespace: demo
	user: quyi
	name: cluster1

	#设置默认上下文
	kubectl config use-context cluster1 --kubeconfig=quyi.kubeconfig

	#编辑追加token空格4
	token: eyJhbGciOiJSUzI1NiIsImtpZCI6Im1TckdJQzhDUVIxM2RqeWxCV211TXQ1b3M1N1hYSlljTEptU2lhanRWT2cifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZW1vIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InF1eWktYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJxdXlpIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGUwNTk5OGItMzBkNy00NzQ5LWExYTAtNzJkYTA3NWI0OWQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlbW86cXV5aSJ9.JKebBWn7NiI3Dyz_etkks_6FMvawFqG2-V1VcH3Vu32xjLUs_9CbqSDBVoV2pF3Olp_KeMcRKypTDj5cPdMrNuvqX17DEfcuhZU11RgInwPtlx6otEf1I9Wsg5qRGByJZ1AKjLzpdsEk_zHBZQaRsr9aMD3Ao3Hir-UYwqrHR2UOGq-wvlmyZ9ODF5z4RRJYYDQxOFmWIXPZ7ch5iEo2cXiIvhdNb5uRdHoY1ucYusbWUQunBkeH5qZG3djAaigK3KE3YBlntK2_1xHvnjLGPqkCYj1RwO2YU17QfRK8gkSS7_yBcpQkEHJD3eV8-ovuq-_jOXbdRdSC5py124mSEw