Use the privileged endpoint in Azure Stack Hub

As an Azure Stack Hub operator, you should use the administrator portal, PowerShell, or Azure Resource Manager APIs for most day-to-day management tasks. However, for some less common operations, you need to use the privileged endpoint (PEP). The PEP is a pre-configured remote PowerShell console that provides you with just enough capabilities to help you do a required task. The endpoint uses PowerShell JEA (Just Enough Administration) to expose only a restricted set of cmdlets. To access the PEP and invoke the restricted set of cmdlets, a low-privileged account is used. No admin accounts are required. For additional security, scripting isn't allowed.

You can use the PEP to perform these tasks:

  • Low-level tasks, such as collecting diagnostic logs.
  • Many post-deployment datacenter integration tasks for integrated systems, such as adding Domain Name System (DNS) forwarders after deployment, setting up Microsoft Graph integration, Active Directory Federation Services (AD FS) integration, certificate rotation, and so on.
  • Working with support to obtain temporary, high-level access for in-depth troubleshooting of an integrated system.

The PEP logs every action (and its corresponding output) that you perform in the PowerShell session. This provides full transparency and complete auditing of operations. You can keep these log files for future audits.

Note

In the Azure Stack Development Kit (ASDK), you can run some of the commands available in the PEP directly from a PowerShell session on the development kit host. However, you may want to test some operations using the PEP, such as log collection, because this is the only method available to perform certain operations in an integrated systems environment.

Access the privileged endpoint

You access the PEP through a remote PowerShell session on the virtual machine (VM) that hosts the PEP. In the ASDK, this VM is named AzS-ERCS01. If you're using an integrated system, there are three instances of the PEP, each running inside a VM (Prefix-ERCS01, Prefix-ERCS02, or Prefix-ERCS03) on different hosts for resiliency.

Before you begin this procedure for an integrated system, make sure you can access the PEP either by IP address or through DNS. After the initial deployment of Azure Stack Hub, you can access the PEP only by IP address because DNS integration isn't set up yet. Your OEM hardware vendor will provide you with a JSON file named AzureStackStampDeploymentInfo that contains the PEP IP addresses.

You may also find the IP address in the Azure Stack Hub administrator portal. Open the portal, for example, https://adminportal.local.azurestack.external. Select Region Management > Properties.

You will need to set your current culture setting to en-US when running the privileged endpoint; otherwise, cmdlets such as Test-AzureStack or Get-AzureStackLog will not work as expected.

Note

For security reasons, we require that you connect to the PEP only from a hardened VM running on top of the hardware lifecycle host, or from a dedicated and secure computer, such as a Privileged Access Workstation. The hardware lifecycle host must not be modified from its original configuration (including installing new software) or used to connect to the PEP.

  1. Establish the trust.

    • On an integrated system, run the following command from an elevated Windows PowerShell session to add the PEP as a trusted host on the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value '<IP Address of Privileged Endpoint>' -Concatenate
    
    • If you're running the ASDK, sign in to the development kit host.
  2. On the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation, open a Windows PowerShell session. Run the following commands to establish a remote session on the VM that hosts the PEP:

  • On an integrated system:

    $cred = Get-Credential
    
    $pep = New-PSSession -ComputerName <IP_address_of_ERCS> -ConfigurationName PrivilegedEndpoint -Credential $cred -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
    Enter-PSSession $pep
    

    The ComputerName parameter can be either the IP address or the DNS name of one of the VMs that hosts the PEP.

    Note

    Azure Stack Hub doesn't make a remote call when validating the PEP credential. It relies on a locally stored RSA public key to do that.

  • If you're running the ASDK:

     $cred = Get-Credential
    
     $pep = New-PSSession -ComputerName azs-ercs01 -ConfigurationName PrivilegedEndpoint -Credential $cred -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
     Enter-PSSession $pep
    
  • When prompted, use the following credentials:

    • User name: Specify the CloudAdmin account, in the format <Azure Stack Hub domain>\cloudadmin. (For the ASDK, the user name is azurestack\cloudadmin.)

    • Password: Enter the same password that was provided during installation for the AzureStackAdmin domain administrator account.

    Note

    If you're unable to connect to the ERCS endpoint, retry steps one and two with another ERCS VM IP address.

  3. After you connect, the prompt changes to [IP address or ERCS VM name]: PS> or to [azs-ercs01]: PS>, depending on the environment. From here, run Get-Command to view the list of available cmdlets.

    You can find a reference for the cmdlets in the Azure Stack Hub privileged endpoint reference.

    Many of these cmdlets are intended only for integrated system environments (such as the cmdlets related to datacenter integration). In the ASDK, the following cmdlets have been validated:

    • Clear-Host
    • Close-PrivilegedEndpoint
    • Exit-PSSession
    • Get-AzureStackLog
    • Get-AzureStackStampInformation
    • Get-Command
    • Get-FormatData
    • Get-Help
    • Get-ThirdPartyNotices
    • Measure-Object
    • New-CloudAdminUser
    • Out-Default
    • Remove-CloudAdminUser
    • Select-Object
    • Set-CloudAdminUserPassword
    • Test-AzureStack
    • Stop-AzureStack
    • Get-ClusterLog

How to use the privileged endpoint

As mentioned above, the PEP is a PowerShell JEA endpoint. While providing a strong security layer, a JEA endpoint reduces some of the basic PowerShell capabilities, such as scripting or tab completion. If you try any type of script operation, the operation fails with the error ScriptsNotAllowed. This failure is expected behavior.

For instance, to get the list of parameters for a given cmdlet, run the following command:

    Get-Command <cmdlet_name> -Syntax

Alternatively, you can use the Import-PSSession cmdlet to import all the PEP cmdlets into the current session on your local machine. The cmdlets and functions of the PEP are then available on your local machine, together with tab completion and, more generally, scripting. You can also run Get-Help to review the cmdlet instructions.

To import the PEP session on your local machine, do the following steps:

  1. Establish the trust.

    • On an integrated system, run the following command from an elevated Windows PowerShell session to add the PEP as a trusted host on the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation.
    winrm s winrm/config/client '@{TrustedHosts="<IP Address of Privileged Endpoint>"}'
    
    • If you're running the ASDK, sign in to the development kit host.
  2. On the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation, open a Windows PowerShell session. Run the following commands to establish a remote session on the virtual machine that hosts the PEP:

    • On an integrated system:

        $cred = Get-Credential
      
        $session = New-PSSession -ComputerName <IP_address_of_ERCS> `
          -ConfigurationName PrivilegedEndpoint -Credential $cred
      

      The ComputerName parameter can be either the IP address or the DNS name of one of the VMs that hosts the PEP.

    • If you're running the ASDK:

        $cred = Get-Credential
      
        $session = New-PSSession -ComputerName azs-ercs01 `
           -ConfigurationName PrivilegedEndpoint -Credential $cred
      

    When prompted, use the following credentials:

    • User name: Specify the CloudAdmin account, in the format <Azure Stack Hub domain>\cloudadmin. (For the ASDK, the user name is azurestack\cloudadmin.)
    • Password: Enter the same password that was provided during installation for the AzureStackAdmin domain administrator account.
  3. Import the PEP session into your local machine:

      Import-PSSession $session
    
  4. Now, you can use tab completion and do scripting as usual in your local PowerShell session with all the functions and cmdlets of the PEP, without decreasing the security posture of Azure Stack Hub. Enjoy!

Close the privileged endpoint session

As mentioned earlier, the PEP logs every action (and its corresponding output) that you do in the PowerShell session. You must close the session by using the Close-PrivilegedEndpoint cmdlet. This cmdlet correctly closes the endpoint and transfers the log files to an external file share for retention.

To close the endpoint session:

  1. Create an external file share that's accessible by the PEP. In a development kit environment, you can just create a file share on the development kit host.
  2. Run the following cmdlet:
   Close-PrivilegedEndpoint -TranscriptsPathDestination "\\fileshareIP\SharedFolder" -Credential Get-Credential

The cmdlet uses the parameters in the following table:

Parameter                    Description                                                                Type          Required
TranscriptsPathDestination   Path to the external file share, defined as "fileshareIP\sharefoldername"  String        Yes
Credential                   Credentials to access the file share                                       SecureString  Yes

After the transcript log files are successfully transferred to the file share, they're automatically deleted from the PEP.

Note

If you close the PEP session by using the cmdlets Exit-PSSession or Exit, or you just close the PowerShell console, the transcript logs don't transfer to a file share. They remain in the PEP. The next time you run Close-PrivilegedEndpoint and include a file share, the transcript logs from the previous session(s) will also transfer. Don't use Exit-PSSession or Exit to close the PEP session; use Close-PrivilegedEndpoint instead.
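The following script, added here as an example and not taken from the Azure Stack Hub documentation, ties together the Import-PSSession procedure above and the Close-PrivilegedEndpoint step: it tries each ERCS address in turn (as the note about retrying with another ERCS VM IP suggests), imports the PEP cmdlets into the local session with the en-US culture, and ends the session with Close-PrivilegedEndpoint so the transcripts reach the external share rather than staying on the PEP. The ERCS IP addresses, the share path, and the variable names are placeholders and assumptions, not values from the page.

```powershell
# Added example, not part of the Azure Stack Hub docs. Run from the hardened VM or
# Privileged Access Workstation. All addresses and paths below are placeholders.
$ercsEndpoints   = @('10.0.0.1', '10.0.0.2', '10.0.0.3')   # placeholder ERCS VM IPs
$transcriptShare = '\\fileshareIP\SharedFolder'            # placeholder external share
$pepCred   = Get-Credential -Message 'CloudAdmin account (<domain>\cloudadmin)'
$shareCred = Get-Credential -Message 'Account that can write to the transcript share'

# Step 1: trust every ERCS address for WinRM (elevated session required).
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ','
foreach ($ip in $ercsEndpoints) {
    if ($trusted -notcontains $ip) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ip -Concatenate -Force
    }
}

# Step 2: connect to the first reachable PEP instance, forcing the en-US culture.
$opt = New-PSSessionOption -Culture en-US -UICulture en-US
$session = $null
foreach ($ip in $ercsEndpoints) {
    try {
        $session = New-PSSession -ComputerName $ip -ConfigurationName PrivilegedEndpoint `
            -Credential $pepCred -SessionOption $opt -ErrorAction Stop
        break
    } catch {
        Write-Warning "Could not reach the PEP on ${ip}: $($_.Exception.Message)"
    }
}
if (-not $session) { throw 'No ERCS instance is reachable; check the PEP IP addresses.' }

try {
    # Step 3: proxy the restricted cmdlet set into the local session, where
    # scripting and tab completion are allowed (inside the PEP they are blocked).
    Import-PSSession -Session $session -AllowClobber | Out-Null
    Get-AzureStackStampInformation          # one of the cmdlets validated in the ASDK
} finally {
    # Step 4: close through the PEP cmdlet so transcript logs are shipped to the
    # share; Exit/Remove-PSSession alone would leave them on the ERCS VM.
    Close-PrivilegedEndpoint -TranscriptsPathDestination $transcriptShare -Credential $shareCred
    Remove-PSSession $session -ErrorAction SilentlyContinue
}
```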

Next steps