上一篇文章介绍了Azure基于ARM的RBAC,给不同的用户分配不同的权限。
但目前在国内使用的大部分用户还是以ASM的资源为主。比如:VM、Storage、Network、WebAPP、SQL Azure等等。
如果客户希望对这些资源给不同用户授予不同的权限,基于ARM的RBAC是否可以实现呢?
基于ARM的RBAC是可以对ASM的资源进行授权管理的。
本文将以VM为例子,介绍如何针对ASM中的资源进行授权的配置和管理。
1 建ASM的虚拟机
通过老portal管理界面:http://manage.windowsazure.cn
创建两台虚拟机,如下图:
2 创建用户和Role
根据前一篇文章介绍的方法,新建一个vmops@xxxx.partner.onmschina.cn的账户,同时新建一个Virtual Machine Operator的Role。
具体方法请参考前面一篇文章:
http://www.cnblogs.com/hengwei/p/5874776.html
Virtual Machine Operator拥有的权限如下,查询命令采用的是Azure CLI:
azure role show "Virtual Machine Operator" --json [ { "Name": "Virtual Machine Operator", "Actions": [ "Microsoft.Authorization/*/read", "Microsoft.ClassicCompute/*/read", "Microsoft.ClassicCompute/virtualMachines/attachDisk/action", "Microsoft.ClassicCompute/virtualMachines/detachDisk/action", "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action", "Microsoft.ClassicCompute/virtualMachines/restart/action", "Microsoft.ClassicCompute/virtualMachines/shutdown/action", "Microsoft.ClassicCompute/virtualMachines/start/action", "Microsoft.ClassicCompute/virtualMachines/stop/action", "Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/deallocate/action", "Microsoft.Compute/virtualMachines/powerOff/action", "Microsoft.Compute/virtualMachines/restart/action", "Microsoft.Compute/virtualMachines/start/action", "Microsoft.Insights/alertRules/*", "Microsoft.Network/*/read", "Microsoft.Network/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Storage/*/read", "Microsoft.Storage/*/read" ], "NotActions": [], "Id": "xxxx", "AssignableScopes": [ "/subscriptions/xxxx", "/subscriptions/xxxx" ], "Description": "Can monitor and start stop or restart virtual machines.", "IsCustom": "true" } ]
其中Microsoft.ClassicCompute指的就是基于ASM的VM资源。通过Powershell命令或CLI命令可以看到相关信息:
azure provider list info: Executing command provider list + Getting ARM registered providers data: Namespace Registered data: -------------------------------------- ------------- data: Microsoft.ApiManagement Registered data: Microsoft.Batch Registered data: Microsoft.Cache Registered data: Microsoft.ClassicCompute Registered data: Microsoft.ClassicNetwork Registered data: Microsoft.ClassicStorage Registered data: Microsoft.Compute Registered data: Microsoft.Devices Registered data: Microsoft.DocumentDB Registered data: Microsoft.EventHub Registered data: Microsoft.HDInsight Registering data: Microsoft.insights Registered data: Microsoft.MySql Registered data: Microsoft.Network Registering data: Microsoft.SiteRecovery Registered data: Microsoft.Sql Registered data: Microsoft.Storage Registered data: Microsoft.StreamAnalytics Registered data: Microsoft.Web Registered data: Microsoft.Authorization Registered data: Microsoft.ClassicInfrastructureMigrate NotRegistered data: Microsoft.CognitiveServices NotRegistered data: Microsoft.Features Registered data: Microsoft.KeyVault NotRegistered data: Microsoft.Media NotRegistered data: Microsoft.Portal NotRegistered data: Microsoft.Resources Registered data: Microsoft.Scheduler Registered data: Microsoft.ServiceBus NotRegistered data: Microsoft.ServiceFabric NotRegistered info: provider list command OK
或:
Get-AzureRmResourceProvider | ft ProviderNamespace ProviderNamespace ----------------- Microsoft.ApiManagement Microsoft.Batch Microsoft.Cache Microsoft.ClassicCompute Microsoft.ClassicNetwork Microsoft.ClassicStorage Microsoft.Compute Microsoft.Devices Microsoft.DocumentDB Microsoft.EventHub microsoft.insights Microsoft.MySql Microsoft.SiteRecovery Microsoft.Sql Microsoft.Storage Microsoft.StreamAnalytics Microsoft.Web Microsoft.Authorization Microsoft.Features Microsoft.Resources Microsoft.Scheduler
3 把用户和Role关联
在新Portal上:http://portal.azure.cn
使用Admin登陆后,对两台虚拟机进行权限分配:
将vmops用户对这台虚拟机的管理角色分配为Virtual Machine Operator。
4 测试
使用vmops登陆后,对这两台虚拟机进行操作:
发现只有前面对ClassComputer拥有的Start、Stop、restart、connect权限。
而admin拥有的权限有:Start、Stop、restart、connect、Caputre、Reset Remote Access、Delete。如下图:
总结:
通过对ClassComputer的资源进行操作的授权,可以控制用户对ASM VM的操作权限。