Publish an Azure managed application definition

This quickstart provides an introduction to working with managed applications. You add a managed application definition to an internal catalog for users in your organization. To simplify the introduction, we have already built the files for your managed application. Those files are available through GitHub. You learn how to build those files in the Create service catalog application tutorial.

When you're finished, you have a resource group named appDefinitionGroup that contains the managed application definition.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to global Azure, run az cloud set -n AzureCloud again.

Create a resource group for the definition

Your managed application definition exists in a resource group. The resource group is a logical collection into which Azure resources are deployed and managed.

To create a resource group, use the following command:

az group create --name appDefinitionGroup --location chinaeast

Create the managed application definition

When defining the managed application, you select a user, group, or application that manages the resources for the consumer. This identity has permissions on the managed resource group according to the role that is assigned. Typically, you create an Azure Active Directory group to manage the resources. However, for this article, use your own identity.

To get the object ID of your identity, provide your user principal name in the following command:

userid=$(az ad user show --id example@contoso.org --query objectId --output tsv)

Next, you need the role definition ID of the RBAC built-in role you want to grant to the user. The following command shows how to get the role definition ID for the Owner role:

roleid=$(az role definition list --name Owner --query [].name --output tsv)

Now, create the managed application definition resource. The managed application contains only a storage account.

az managedapp definition create \
  --name "ManagedStorage" \
  --location "chinaeast" \
  --resource-group appDefinitionGroup \
  --lock-level ReadOnly \
  --display-name "Managed Storage Account" \
  --description "Managed Azure Storage Account" \
  --authorizations "$userid:$roleid" \
  --package-file-uri "https://github.com/Azure/azure-managedapp-samples/raw/master/Managed%20Application%20Sample%20Packages/201-managed-storage-account/managedstorage.zip"

When the command completes, you have a managed application definition in your resource group.

Some of the parameters used in the preceding example are:

  • resource-group: The name of the resource group where the managed application definition is created.
  • lock-level: The type of lock placed on the managed resource group. It prevents the customer from performing undesirable operations on this resource group. Currently, ReadOnly is the only supported lock level. When ReadOnly is specified, the customer can only read the resources present in the managed resource group. The publisher identities that are granted access to the managed resource group are exempt from the lock.
  • authorizations: Describes the principal ID and the role definition ID that are used to grant permission to the managed resource group. It's specified in the format <principalId>:<roleDefinitionId>. If more than one value is needed, specify them in the form <principalId1>:<roleDefinitionId1> <principalId2>:<roleDefinitionId2>. The values are separated by a space.
  • package-file-uri: The location of a .zip package that contains the required files. The package must have the mainTemplate.json and createUiDefinition.json files. mainTemplate.json defines the Azure resources that are created as part of the managed application. The template is no different from a regular Resource Manager template. createUiDefinition.json generates the user interface for users who create the managed application through the portal.
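The two inputs above that are easiest to get wrong are the authorizations string (space-separated principalId:roleDefinitionId pairs, both GUIDs) and the package contents (mainTemplate.json and createUiDefinition.json must both be present). The following POSIX shell helpers, added here as an example and not part of the Azure documentation or the Azure CLI, validate both before you run az managedapp definition create. The function names, the sample GUIDs, and the package directory layout are assumptions made for the example; the role IDs shown are constructed placeholders, not real role definition IDs.

```shell
#!/bin/sh
# Added example: pre-flight checks for the values passed to
# `az managedapp definition create` (not Azure's own code).

# Returns 0 if $1 is formatted like a GUID. Azure AD object IDs and RBAC role
# definition IDs are both GUIDs, so anything else is a copy/paste mistake.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Builds the value for --authorizations from principal/role pairs:
#   build_authorizations <principalId1> <roleId1> [<principalId2> <roleId2> ...]
# Prints "<principalId1>:<roleId1> <principalId2>:<roleId2>" on stdout and
# returns 1 if any pair is incomplete or either half is not a GUID.
build_authorizations() {
  out=""
  while [ $# -gt 0 ]; do
    principal=$1
    role=$2
    [ -n "$role" ] || { echo "missing role definition ID for $principal" >&2; return 1; }
    is_guid "$principal" || { echo "bad principal ID: $principal" >&2; return 1; }
    is_guid "$role" || { echo "bad role definition ID: $role" >&2; return 1; }
    out="${out:+$out }$principal:$role"
    shift 2
  done
  printf '%s\n' "$out"
}

# Checks that the directory you are about to zip into the package contains the
# two files the definition requires, each non-empty. Returns 1 on the first miss.
check_package_dir() {
  dir=$1
  for f in mainTemplate.json createUiDefinition.json; do
    [ -s "$dir/$f" ] || { echo "missing or empty $f in $dir" >&2; return 1; }
  done
  return 0
}

# Usage with constructed placeholder GUIDs (these are not real IDs):
#   userid=11111111-1111-1111-1111-111111111111
#   roleid=22222222-2222-2222-2222-222222222222
#   auths=$(build_authorizations "$userid" "$roleid") || exit 1
#   check_package_dir ./201-managed-storage-account || exit 1
#   az managedapp definition create ... --authorizations "$auths" ...
```

Because build_authorizations takes any role definition ID, the same helper works whether you grant Owner as in the quickstart or a narrower built-in role; the lock-level ReadOnly applies to the consumer, not to the identities listed here, so the role you put in this string is the real scope of the publisher's access to the managed resource group.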

Next steps

You've published the managed application definition. Now, learn how to deploy an instance of that definition.