The previous article introduced ARM-based RBAC in Azure, which lets you grant different users different permissions.
Most users in China, however, still work mainly with ASM (classic) resources: VMs, Storage, Network, Web Apps, SQL Azure and so on.
If a customer wants to grant different users different permissions on those resources, can ARM-based RBAC do it?
Yes: ARM-based RBAC can manage authorization on ASM resources, because classic resources are surfaced to Resource Manager through the Microsoft.Classic* resource providers.
This article uses a VM as the example and shows how to configure and manage authorization for resources that live in ASM.
1 Create the ASM virtual machines
Use the old (classic) portal: http://manage.windowsazure.cn
Create two virtual machines, as shown in the figure below:
2 Create the user and the role
Following the method from the previous article, create an account vmops@xxxx.partner.onmschina.cn and a custom role named Virtual Machine Operator.
See the previous article for the exact steps:
http://www.cnblogs.com/hengwei/p/5874776.html
The permissions held by Virtual Machine Operator are listed below; the query uses the Azure CLI:
azure role show "Virtual Machine Operator" --json
[
  {
    "Name": "Virtual Machine Operator",
    "Actions": [
      "Microsoft.Authorization/*/read",
      "Microsoft.ClassicCompute/*/read",
      "Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
      "Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
      "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
      "Microsoft.ClassicCompute/virtualMachines/restart/action",
      "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
      "Microsoft.ClassicCompute/virtualMachines/start/action",
      "Microsoft.ClassicCompute/virtualMachines/stop/action",
      "Microsoft.Compute/*/read",
      "Microsoft.Compute/virtualMachines/deallocate/action",
      "Microsoft.Compute/virtualMachines/powerOff/action",
      "Microsoft.Compute/virtualMachines/restart/action",
      "Microsoft.Compute/virtualMachines/start/action",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Network/*/read",
      "Microsoft.Network/*/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Storage/*/read",
      "Microsoft.Storage/*/read"
    ],
    "NotActions": [],
    "Id": "xxxx",
    "AssignableScopes": [
      "/subscriptions/xxxx",
      "/subscriptions/xxxx"
    ],
    "Description": "Can monitor and start stop or restart virtual machines.",
    "IsCustom": "true"
  }
]
Here Microsoft.ClassicCompute is the resource provider for ASM-based VMs (Microsoft.ClassicNetwork and Microsoft.ClassicStorage play the same role for classic networks and storage accounts). Note that the role has no NotActions and grants only read plus a handful of power and disk actions; it contains no write or delete action on Microsoft.ClassicCompute/virtualMachines. The output also lists Microsoft.Network/*/read and Microsoft.Storage/*/read twice; duplicate entries are harmless but show the role definition was assembled by copy and paste. The registered providers can be listed with the CLI or with PowerShell:
azure provider list
info:    Executing command provider list
+ Getting ARM registered providers
data:    Namespace                               Registered
data:    --------------------------------------  -------------
data:    Microsoft.ApiManagement                 Registered
data:    Microsoft.Batch                         Registered
data:    Microsoft.Cache                         Registered
data:    Microsoft.ClassicCompute                Registered
data:    Microsoft.ClassicNetwork                Registered
data:    Microsoft.ClassicStorage                Registered
data:    Microsoft.Compute                       Registered
data:    Microsoft.Devices                       Registered
data:    Microsoft.DocumentDB                    Registered
data:    Microsoft.EventHub                      Registered
data:    Microsoft.HDInsight                     Registering
data:    Microsoft.insights                      Registered
data:    Microsoft.MySql                         Registered
data:    Microsoft.Network                       Registering
data:    Microsoft.SiteRecovery                  Registered
data:    Microsoft.Sql                           Registered
data:    Microsoft.Storage                       Registered
data:    Microsoft.StreamAnalytics               Registered
data:    Microsoft.Web                           Registered
data:    Microsoft.Authorization                 Registered
data:    Microsoft.ClassicInfrastructureMigrate  NotRegistered
data:    Microsoft.CognitiveServices             NotRegistered
data:    Microsoft.Features                      Registered
data:    Microsoft.KeyVault                      NotRegistered
data:    Microsoft.Media                         NotRegistered
data:    Microsoft.Portal                        NotRegistered
data:    Microsoft.Resources                     Registered
data:    Microsoft.Scheduler                     Registered
data:    Microsoft.ServiceBus                    NotRegistered
data:    Microsoft.ServiceFabric                 NotRegistered
info:    provider list command OK
or:
Get-AzureRmResourceProvider | ft ProviderNamespace

ProviderNamespace
-----------------
Microsoft.ApiManagement
Microsoft.Batch
Microsoft.Cache
Microsoft.ClassicCompute
Microsoft.ClassicNetwork
Microsoft.ClassicStorage
Microsoft.Compute
Microsoft.Devices
Microsoft.DocumentDB
Microsoft.EventHub
microsoft.insights
Microsoft.MySql
Microsoft.SiteRecovery
Microsoft.Sql
Microsoft.Storage
Microsoft.StreamAnalytics
Microsoft.Web
Microsoft.Authorization
Microsoft.Features
Microsoft.Resources
Microsoft.Scheduler
3 Associate the user with the role
In the new portal: http://portal.azure.cn
Log in as the admin and assign permissions on the two virtual machines:
On each VM, assign the vmops user the Virtual Machine Operator role. The assignment is made at the scope of the individual VM, not at the subscription or resource-group level, so vmops gets nothing beyond those two machines.
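The same two steps (create the custom role, then assign it to vmops on each classic VM) done from PowerShell instead of the portal, as an added example that is not part of the original post. It uses the AzureRm cmdlets the post's own Get-AzureRmResourceProvider command belongs to; the subscription ID, the VM names vm01 and vm02 and the temporary file path are placeholders, and the Actions list is the one printed by the post's azure role show output (with the duplicated read entries collapsed).

```powershell
# Added example, not code from the original post.
# Placeholders: subscription id, VM names, temp file path.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$userUpn        = "vmops@xxxx.partner.onmschina.cn"
$roleName       = "Virtual Machine Operator"
$vmNames        = @("vm01", "vm02")   # the two ASM VMs created in step 1 (assumed names)

# Azure China endpoints, matching manage.windowsazure.cn / portal.azure.cn in the post.
Login-AzureRmAccount -EnvironmentName AzureChinaCloud
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# 1. Custom role: read plus power/disk actions only; no write, no delete, no NotActions.
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Can monitor and start stop or restart virtual machines.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.ClassicCompute/*/read",
    "Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
    "Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
    "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
    "Microsoft.ClassicCompute/virtualMachines/restart/action",
    "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
    "Microsoft.ClassicCompute/virtualMachines/start/action",
    "Microsoft.ClassicCompute/virtualMachines/stop/action",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$rolePath = Join-Path $env:TEMP "vm-operator-role.json"
Set-Content -Path $rolePath -Value $roleJson -Encoding UTF8

# Create the role only once; Get-AzureRmRoleDefinition returns nothing if it does not exist.
if (-not (Get-AzureRmRoleDefinition -Name $roleName)) {
    New-AzureRmRoleDefinition -InputFile $rolePath | Out-Null
}

# 2. Resolve the classic VMs through their ARM view. Classic VMs appear as
#    Microsoft.ClassicCompute/virtualMachines resources; the resource group carries
#    the cloud service name, so look the ResourceId up rather than hand-building it.
$classicVms = Get-AzureRmResource -ResourceType "Microsoft.ClassicCompute/virtualMachines" |
    Where-Object { $vmNames -contains $_.Name }

# 3. Assign at VM scope (least privilege). Get-AzureRmRoleAssignment -Scope also returns
#    assignments inherited from parent scopes, so match on the exact Scope string.
foreach ($vm in $classicVms) {
    $existing = Get-AzureRmRoleAssignment -SignInName $userUpn -Scope $vm.ResourceId |
        Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -eq $vm.ResourceId }
    if (-not $existing) {
        New-AzureRmRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $vm.ResourceId
    }
}

# 4. Verify: vmops should hold exactly one assignment per VM and nothing at a broader scope.
Get-AzureRmRoleAssignment -SignInName $userUpn |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final listing is the check worth keeping in a runbook: any assignment whose Scope is the subscription or a resource group, rather than a single VM, means the operator account has more than the post intends. With the newer Az module the same cmdlets exist with the AzureRm prefix replaced by Az (New-AzRoleDefinition, New-AzRoleAssignment, Get-AzRoleAssignment, Connect-AzAccount -Environment AzureChinaCloud).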
4 Test
Log in as vmops and operate on the two virtual machines:
vmops only has the Start, Stop, Restart and Connect operations that the role grants on Microsoft.ClassicCompute (Connect corresponds to the downloadRemoteDesktopConnectionFile action; nothing else in the blade is enabled because the role contains no other write, delete or action entries for virtualMachines).
The admin, by contrast, has Start, Stop, Restart, Connect, Capture, Reset Remote Access and Delete, as shown in the figure below:
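Why the portal enables exactly those four buttons follows from how RBAC evaluates a role: an operation is permitted when it matches some entry in Actions and no entry in NotActions, with * as a wildcard that also spans path segments. The offline evaluator below, an added example that is not from the original post, reproduces that rule with PowerShell's -like operator against the post's Actions list and also flags the duplicated entries in that list. The start/stop/restart/connect operation names are taken from the role itself; the delete, write and capture operation strings are assumed names used only to illustrate what a denied check looks like.

```powershell
# Added example, not code from the original post.
# Actions exactly as printed by the post's "azure role show" output, duplicates included.
$roleActions = @(
    "Microsoft.Authorization/*/read",
    "Microsoft.ClassicCompute/*/read",
    "Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
    "Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
    "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
    "Microsoft.ClassicCompute/virtualMachines/restart/action",
    "Microsoft.ClassicCompute/virtualMachines/shutdown/action",
    "Microsoft.ClassicCompute/virtualMachines/start/action",
    "Microsoft.ClassicCompute/virtualMachines/stop/action",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/*/read"
)
$roleNotActions = @()

function Test-RbacOperation {
    # Allowed = matches at least one Actions pattern and no NotActions pattern.
    # -like treats '*' as "any characters", including '/', which is how Azure
    # expands "Microsoft.ClassicCompute/*/read" to every read under that provider.
    param(
        [Parameter(Mandatory)][string]$Operation,
        [string[]]$Actions = @(),
        [string[]]$NotActions = @()
    )
    $allow = @($Actions    | Where-Object { $Operation -like $_ })
    $deny  = @($NotActions | Where-Object { $Operation -like $_ })
    [pscustomobject]@{
        Operation = $Operation
        Allowed   = ($allow.Count -gt 0) -and ($deny.Count -eq 0)
        MatchedBy = ($allow -join ", ")
        DeniedBy  = ($deny  -join ", ")
    }
}

function Find-DuplicateActions {
    # Duplicates do not change the effective permission but signal a hand-edited definition.
    param([string[]]$Actions)
    $Actions | Group-Object | Where-Object { $_.Count -gt 1 } | Select-Object Name, Count
}

# Operations behind the VM blade buttons. The first four come from the role itself;
# the last three are assumed operation strings used to show a denied result.
$operations = @(
    "Microsoft.ClassicCompute/virtualMachines/start/action",                               # Start
    "Microsoft.ClassicCompute/virtualMachines/stop/action",                                # Stop
    "Microsoft.ClassicCompute/virtualMachines/restart/action",                             # Restart
    "Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action", # Connect
    "Microsoft.ClassicCompute/virtualMachines/read",                                       # view the blade
    "Microsoft.ClassicCompute/virtualMachines/delete",                                     # assumed: Delete
    "Microsoft.ClassicCompute/virtualMachines/write",                                      # assumed: change config
    "Microsoft.ClassicCompute/virtualMachines/capture/action"                              # assumed: Capture
)

$operations |
    ForEach-Object { Test-RbacOperation -Operation $_ -Actions $roleActions -NotActions $roleNotActions } |
    Format-Table -AutoSize

"Duplicated entries in the role definition:"
Find-DuplicateActions -Actions $roleActions | Format-Table -AutoSize
```

Run against the post's role, the first five operations come back Allowed (start, stop, restart and connect through their explicit entries, read through the Microsoft.ClassicCompute/*/read wildcard) and the delete, write and capture rows come back denied, which is the pattern the vmops screenshot shows. The duplicate report lists Microsoft.Network/*/read and Microsoft.Storage/*/read with a count of 2. The same function is handy before adding a wildcard to a custom role: test the operations you do not want to grant against the new pattern first, since a pattern like Microsoft.ClassicCompute/* would silently match delete as well.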
Summary:
By granting actions on Microsoft.ClassicCompute resources, you can control which operations a user may perform on ASM VMs, and the assignment can be scoped down to a single VM. Two caveats apply in practice: these role assignments are enforced only by Azure Resource Manager, that is, in the new portal and through ARM-based tools, while the classic portal and ASM API do not evaluate them; and a user who is a classic Co-Administrator of the subscription keeps full access to every classic resource regardless of RBAC. An operator account like vmops therefore must not be a Co-Administrator, and it should work only through portal.azure.cn or ARM tooling.