Restrict user access to data operations only

In Azure Cosmos DB, there are two ways to authenticate your interactions with the database service:

  • using your Azure Active Directory identity when interacting with the Azure portal,
  • using Azure Cosmos DB keys or resource tokens when issuing calls from APIs and SDKs.

Each authentication method gives access to different sets of operations, with some overlap:

(Figure: operations split by authentication type)

In some scenarios, you may want to restrict some users of your organization to performing data operations only (that is, CRUD requests and queries). This is typically the case for developers who don't need to create or delete resources, or change the provisioned throughput of the containers they are working on.

You can restrict the access by applying the following steps:

  1. Creating a custom Azure Active Directory role for the users whose access you want to restrict. The custom Active Directory role should have a fine-grained access level to operations, using Azure Cosmos DB's granular actions.
  2. Disallowing the execution of non-data operations with keys. You can achieve this by restricting these operations to Azure Resource Manager calls only.

The next sections of this article show how to perform these steps.

Note

In order to execute the commands in the next sections, you need to install Azure PowerShell Module 3.0.0 or later, and you need the Azure Owner role on the subscription that you are trying to modify.

In the PowerShell scripts in the next sections, substitute the following placeholders with values specific to your environment:

  • $MySubscriptionId - The subscription ID that contains the Azure Cosmos account where you want to limit the permissions. For example: e5c8766a-eeb0-40e8-af56-0eb142ebf78e.
  • $MyResourceGroupName - The resource group containing the Azure Cosmos account. For example: myresourcegroup.
  • $MyAzureCosmosDBAccountName - The name of your Azure Cosmos account. For example: mycosmosdbsaccount.
  • $MyUserName - The login (username@domain) of the user whose access you want to limit. For example: cosmosdbuser@contoso.com.

Select your Azure subscription

Azure PowerShell commands require you to log in and select the subscription in which to execute the commands:

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription $MySubscriptionId

Create the custom Azure Active Directory role

The following script creates an Azure Active Directory role assignment with "Key Only" access for Azure Cosmos accounts. The role is based on Azure custom roles and granular actions for Azure Cosmos DB. These roles and actions are part of the Microsoft.DocumentDB Azure Active Directory namespace.

  1. First, create a JSON document named AzureCosmosKeyOnlyAccess.json with the following content:

    {
        "Name": "Azure Cosmos DB Key Only Access Custom Role",
        "Id": "00000000-0000-0000-0000-0000000000",
        "IsCustom": true,
        "Description": "This role restricts the user to read the account keys only.",
        "Actions":
        [
            "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes":
        [
            "/subscriptions/$MySubscriptionId"
        ]
    }
    
  2. Run the following commands to create the role definition and assign it to the user:

    New-AzRoleDefinition -InputFile "AzureCosmosKeyOnlyAccess.json"
    New-AzRoleAssignment -SignInName $MyUserName -RoleDefinitionName "Azure Cosmos DB Key Only Access Custom Role" -ResourceGroupName $MyResourceGroupName -ResourceName $MyAzureCosmosDBAccountName -ResourceType "Microsoft.DocumentDb/databaseAccounts"
    

Disallow the execution of non-data operations

The following commands remove the ability to use keys to:

  • create, modify or delete resources
  • update container settings (including indexing policies, throughput, etc.).

$cdba = Get-AzResource -ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" -ResourceGroupName $MyResourceGroupName -ResourceName $MyAzureCosmosDBAccountName
$cdba.Properties.disableKeyBasedMetadataWriteAccess="True"
$cdba | Set-AzResource -Force
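Once both steps have been applied, the checks below confirm that the restriction is actually in place. This is an added verification script, not part of the original article; it assumes the placeholder variables defined above are set and that you have already logged in and selected the subscription.

```powershell
# Added verification script (not from the original article). Assumes $MySubscriptionId,
# $MyResourceGroupName, $MyAzureCosmosDBAccountName and $MyUserName are set and that
# Connect-AzAccount / Select-AzSubscription have already run.
$roleName = "Azure Cosmos DB Key Only Access Custom Role"
$listKeysAction = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"

# 1. The custom role must exist and grant nothing beyond listKeys at the control plane.
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) { throw "Custom role '$roleName' not found." }
$unexpected = $role.Actions | Where-Object { $_ -ne $listKeysAction }
if ($unexpected) {
    Write-Warning "Role grants more than listKeys: $($unexpected -join ', ')"
}

# 2. The user must hold that role at the Cosmos account scope
#    (Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes).
$scope = "/subscriptions/$MySubscriptionId/resourceGroups/$MyResourceGroupName" +
         "/providers/Microsoft.DocumentDB/databaseAccounts/$MyAzureCosmosDBAccountName"
$assignment = Get-AzRoleAssignment -SignInName $MyUserName -RoleDefinitionName $roleName -Scope $scope
if (-not $assignment) {
    Write-Warning "No '$roleName' assignment found for $MyUserName at $scope"
}

# 3. Key-based metadata writes must be disabled on the account, otherwise anyone holding
#    a key can still create/delete resources and change throughput through the SDKs.
$cdba = Get-AzResource -ResourceType "Microsoft.DocumentDb/databaseAccounts" -ApiVersion "2015-04-08" `
    -ResourceGroupName $MyResourceGroupName -ResourceName $MyAzureCosmosDBAccountName
$flag = $cdba.Properties.disableKeyBasedMetadataWriteAccess
if ("$flag" -ne "True") {
    Write-Warning "disableKeyBasedMetadataWriteAccess is '$flag'; keys can still perform metadata writes."
} else {
    Write-Output "disableKeyBasedMetadataWriteAccess is enabled on $MyAzureCosmosDBAccountName."
}
```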

Next steps