Azure RBAC for managing ASM resources


The previous article introduced ARM-based Azure RBAC, which assigns different permissions to different users.

However, most users in China still work mainly with ASM resources, such as VMs, Storage, Network, Web App, SQL Azure and so on.

If a customer wants to grant different users different permissions on these resources, can ARM-based RBAC do that?

Yes: ARM-based RBAC can manage authorization on ASM resources.

This article uses VMs as the example to show how to configure and manage authorization for resources in ASM.

1 Create ASM virtual machines

Through the old portal management interface: http://manage.windowsazure.cn

Create two virtual machines, as shown in the figure below:

2 Create the user and the Role

Following the method from the previous article, create an account vmops@xxxx.partner.onmschina.cn and a new Role named Virtual Machine Operator.

For the detailed steps, see the previous article:

http://www.cnblogs.com/hengwei/p/5874776.html

The permissions held by Virtual Machine Operator are listed below; the query uses the Azure CLI:

    azure role show "Virtual Machine Operator" --json
    [
    {
    "Name": "Virtual Machine Operator",
    "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.ClassicCompute/*/read",
    "Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
    "Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
    "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
    "Microsoft.ClassicCompute/virtualMachines/restart/action",
    "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
    "Microsoft.ClassicCompute/virtualMachines/start/action",
    "Microsoft.ClassicCompute/virtualMachines/stop/action",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/*/read"
    ],
    "NotActions": [],
    "Id": "xxxx",
    "AssignableScopes": [
    "/subscriptions/xxxx",
    "/subscriptions/xxxx"
    ],
    "Description": "Can monitor and start stop or restart virtual machines.",
    "IsCustom": "true"
    }
    ]

Here Microsoft.ClassicCompute is the resource provider for ASM-based VM resources. The registered providers can be listed with either the CLI or PowerShell:

    azure provider list
    
    info: Executing command provider list
    + Getting ARM registered providers
    data: Namespace Registered
    data: -------------------------------------- -------------
    data: Microsoft.ApiManagement Registered
    data: Microsoft.Batch Registered
    data: Microsoft.Cache Registered
    data: Microsoft.ClassicCompute Registered
    data: Microsoft.ClassicNetwork Registered
    data: Microsoft.ClassicStorage Registered
    data: Microsoft.Compute Registered
    data: Microsoft.Devices Registered
    data: Microsoft.DocumentDB Registered
    data: Microsoft.EventHub Registered
    data: Microsoft.HDInsight Registering
    data: Microsoft.insights Registered
    data: Microsoft.MySql Registered
    data: Microsoft.Network Registering
    data: Microsoft.SiteRecovery Registered
    data: Microsoft.Sql Registered
    data: Microsoft.Storage Registered
    data: Microsoft.StreamAnalytics Registered
    data: Microsoft.Web Registered
    data: Microsoft.Authorization Registered
    data: Microsoft.ClassicInfrastructureMigrate NotRegistered
    data: Microsoft.CognitiveServices NotRegistered
    data: Microsoft.Features Registered
    data: Microsoft.KeyVault NotRegistered
    data: Microsoft.Media NotRegistered
    data: Microsoft.Portal NotRegistered
    data: Microsoft.Resources Registered
    data: Microsoft.Scheduler Registered
    data: Microsoft.ServiceBus NotRegistered
    data: Microsoft.ServiceFabric NotRegistered
    info: provider list command OK

or:

    Get-AzureRmResourceProvider | ft ProviderNamespace
    
    ProviderNamespace
    -----------------
    Microsoft.ApiManagement
    Microsoft.Batch
    Microsoft.Cache
    Microsoft.ClassicCompute
    Microsoft.ClassicNetwork
    Microsoft.ClassicStorage
    Microsoft.Compute
    Microsoft.Devices
    Microsoft.DocumentDB
    Microsoft.EventHub
    microsoft.insights
    Microsoft.MySql
    Microsoft.SiteRecovery
    Microsoft.Sql
    Microsoft.Storage
    Microsoft.StreamAnalytics
    Microsoft.Web
    Microsoft.Authorization
    Microsoft.Features
    Microsoft.Resources
    Microsoft.Scheduler

3 Associate the user with the Role

On the new Portal: http://portal.azure.cn

After signing in as Admin, assign permissions on the two virtual machines:

Assign the vmops user the Virtual Machine Operator role on this virtual machine.

4 Test

After signing in as vmops, operate on the two virtual machines:

vmops only has the Start, Stop, Restart and Connect permissions granted earlier on ClassicCompute.

Admin, by contrast, has Start, Stop, Restart, Connect, Capture, Reset Remote Access and Delete, as shown in the figure below:
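Why vmops sees exactly those four buttons follows from how RBAC evaluates a role definition: an operation is granted when it matches an entry in Actions (case-insensitive, `*` spanning any number of path segments) and no entry in NotActions. The following is an added example, not code from the original post; it evaluates the Virtual Machine Operator role shown above against the portal operations from the test step. The mapping of portal buttons to operation names, in particular the capture and delete entries, is an assumption for illustration.

```python
import re

# ClassicCompute entries of the "Virtual Machine Operator" role printed above.
ROLE = {
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
        "Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
        "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
        "Microsoft.ClassicCompute/virtualMachines/restart/action",
        "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
        "Microsoft.ClassicCompute/virtualMachines/start/action",
        "Microsoft.ClassicCompute/virtualMachines/stop/action",
    ],
    "NotActions": [],
}

def _matches(pattern: str, operation: str) -> bool:
    """RBAC action strings compare case-insensitively; '*' matches any run of
    characters, including '/' separators (so 'X/*/read' covers nested paths)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_allowed(role: dict, operation: str) -> bool:
    """Granted if some Actions entry matches and no NotActions entry does.
    NotActions only subtracts from this role; it is not a deny rule."""
    if any(_matches(p, operation) for p in role.get("NotActions", [])):
        return False
    return any(_matches(p, operation) for p in role.get("Actions", []))

# Portal buttons from the test step mapped to operation names. The first four
# appear in the role JSON above; "Capture" and "Delete" are assumed names
# (constructed for this example) for the two admin-only buttons.
PORTAL_OPERATIONS = {
    "Start": "Microsoft.ClassicCompute/virtualMachines/start/action",
    "Stop": "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
    "Restart": "Microsoft.ClassicCompute/virtualMachines/restart/action",
    "Connect": "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
    "Capture": "Microsoft.ClassicCompute/virtualMachines/capture/action",
    "Delete": "Microsoft.ClassicCompute/virtualMachines/delete",
}

def visible_buttons(role: dict) -> list:
    """Buttons the portal would enable for a principal holding only this role."""
    return [name for name, op in PORTAL_OPERATIONS.items() if is_allowed(role, op)]

if __name__ == "__main__":
    print(visible_buttons(ROLE))  # ['Start', 'Stop', 'Restart', 'Connect']
```

Adding an entry to NotActions (for example the restart action) removes that button for the same Actions list, which is the quickest way to derive a narrower operator role from this one.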

Summary:

By authorizing operations on ClassicCompute resources, you can control which operations a user may perform on ASM VMs.

Original article: https://www.cnblogs.com/hengwei/p/5897479.html