Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account (Preview)

APPLIES TO: SQL API

Important

Azure Cosmos DB role-based access control is currently in preview. This preview version is provided without a Service Level Agreement and is not recommended for production workloads. For more information, see Supplemental terms of use for Azure previews.

Note

This article is about role-based access control for data plane operations in Azure Cosmos DB. If you are using management plane operations, see the article on role-based access control applied to your management plane operations.

Azure Cosmos DB exposes a built-in role-based access control (RBAC) system that lets you:

  • Authenticate your data requests with an Azure Active Directory (Azure AD) identity.
  • Authorize your data requests with a fine-grained, role-based permission model.

Concepts

The Azure Cosmos DB data plane RBAC is built on concepts that are commonly found in other RBAC systems like Azure RBAC:

  • The permission model is composed of a set of actions; each of these actions maps to one or multiple database operations. Some examples of actions include reading an item, writing an item, or executing a query.

  • Azure Cosmos DB users create role definitions containing a list of allowed actions.

  • Role definitions get assigned to specific Azure AD identities through role assignments. A role assignment also defines the scope that the role definition applies to; currently, three scopes are supported:

    • An Azure Cosmos DB account,
    • An Azure Cosmos DB database,
    • An Azure Cosmos DB container.

    [Figure: RBAC concepts]

Note

The Azure Cosmos DB RBAC does not currently expose any built-in role definitions.

Permission model

Important

This permission model only covers database operations that let you read and write data. It does not cover any kind of management operation, such as creating containers or changing their throughput. This means that you cannot use any Azure Cosmos DB data plane SDK to authenticate management operations with an AAD identity. Instead, you must use Azure RBAC through:

The table below lists all the actions exposed by the permission model.

Name / Corresponding database operation(s)

Microsoft.DocumentDB/databaseAccounts/readMetadata
    Read account metadata. See Metadata requests for details.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create
    Create a new item.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read
    Read an individual item by its ID and partition key (point-read).
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace
    Replace an existing item.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/upsert
    "Upsert" an item, which means create it if it doesn't exist, or replace it if it exists.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete
    Delete an item.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery
    Execute a SQL query.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed
    Read from the container's change feed.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeStoredProcedure
    Execute a stored procedure.
Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/manageConflicts
    Manage conflicts for multi-write region accounts (that is, list and delete items from the conflict feed).

Wildcards are supported at both the containers and the items level:

  • Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*
  • Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*

Metadata requests

When using Azure Cosmos DB SDKs, these SDKs issue read-only metadata requests during initialization and to serve specific data requests. These metadata requests fetch various configuration details such as:

  • The global configuration of your account, which includes the Azure regions the account is available in.
  • The partition key of your containers or their indexing policy.
  • The list of physical partitions that make up a container and their addresses.

They do not fetch any of the data that you've stored in your account.

To ensure the best transparency of our permission model, these metadata requests are explicitly covered by the Microsoft.DocumentDB/databaseAccounts/readMetadata action. This action should be allowed in every situation where your Azure Cosmos DB account is accessed through one of the Azure Cosmos DB SDKs. It can be assigned (through a role assignment) at any level in the Azure Cosmos DB hierarchy (that is, account, database, or container).

The actual metadata requests allowed by the Microsoft.DocumentDB/databaseAccounts/readMetadata action depend on the scope that the action is assigned to:

Scope       Requests allowed by the action
Account     - Listing the databases under the account
            - For each database under the account, the allowed actions at the database scope
Database    - Reading database metadata
            - Listing the containers under the database
            - For each container under the database, the allowed actions at the container scope
Container   - Reading container metadata
            - Listing physical partitions under the container
            - Resolving the address of each physical partition

Create role definitions

When creating a role definition, you need to provide:

  • The name of your Azure Cosmos DB account.
  • The resource group containing your account.
  • The type of the role definition; only CustomRole is currently supported.
  • The name of the role definition.
  • A list of actions that you want the role to allow.
  • One or multiple scope(s) that the role definition can be assigned at; supported scopes are:
    • / (account-level),
    • /dbs/<database-name> (database-level),
    • /dbs/<database-name>/colls/<container-name> (container-level).

Note

The operations described below are currently available in:

Using Azure PowerShell

Create a role named MyReadOnlyRole that only contains read actions:

$resourceGroupName = "<myResourceGroup>"
$accountName = "<myCosmosAccount>"
New-AzCosmosDBSqlRoleDefinition -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -Type CustomRole -RoleName MyReadOnlyRole `
    -DataAction @( `
        'Microsoft.DocumentDB/databaseAccounts/readMetadata',
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read', `
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery', `
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed') `
    -AssignableScope "/"

Create a role named MyReadWriteRole that contains all actions:

New-AzCosmosDBSqlRoleDefinition -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -Type CustomRole -RoleName MyReadWriteRole `
    -DataAction @( `
        'Microsoft.DocumentDB/databaseAccounts/readMetadata',
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*', `
        'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*') `
    -AssignableScope "/"

List the role definitions you've created to fetch their IDs:

Get-AzCosmosDBSqlRoleDefinition -AccountName $accountName `
    -ResourceGroupName $resourceGroupName
RoleName         : MyReadWriteRole
Id               : /subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAcc
                   ounts/<myCosmosAccount>/sqlRoleDefinitions/<roleDefinitionId>
Type             : CustomRole
Permissions      : {Microsoft.Azure.Management.CosmosDB.Models.Permission}
AssignableScopes : {/subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAc
                   counts/<myCosmosAccount>}

RoleName         : MyReadOnlyRole
Id               : /subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAcc
                   ounts/<myCosmosAccount>/sqlRoleDefinitions/<roleDefinitionId>
Type             : CustomRole
Permissions      : {Microsoft.Azure.Management.CosmosDB.Models.Permission}
AssignableScopes : {/subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAc
                   counts/<myCosmosAccount>}

Using the Azure CLI

Create a role named MyReadOnlyRole that only contains read actions:

// role-definition-ro.json
{
    "RoleName": "MyReadOnlyRole",
    "Type": "CustomRole",
    "AssignableScopes": ["/"],
    "Permissions": [{
        "DataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
        ]
    }]
}
resourceGroupName='<myResourceGroup>'
accountName='<myCosmosAccount>'
az cosmosdb sql role definition create --account-name $accountName --resource-group $resourceGroupName --body @role-definition-ro.json

Create a role named MyReadWriteRole that contains all actions:

// role-definition-rw.json
{
    "RoleName": "MyReadWriteRole",
    "Type": "CustomRole",
    "AssignableScopes": ["/"],
    "Permissions": [{
        "DataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
        ]
    }]
}
az cosmosdb sql role definition create --account-name $accountName --resource-group $resourceGroupName --body @role-definition-rw.json

List the role definitions you've created to fetch their IDs:

az cosmosdb sql role definition list --account-name $accountName --resource-group $resourceGroupName
[
  {
    "assignableScopes": [
      "/subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAccounts/<myCosmosAccount>"
    ],
    "id": "/subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAccounts/<myCosmosAccount>/sqlRoleDefinitions/<roleDefinitionId>",
    "name": "<roleDefinitionId>",
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/readMetadata",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
        ],
        "notDataActions": []
      }
    ],
    "resourceGroup": "<myResourceGroup>",
    "roleName": "MyReadWriteRole",
    "sqlRoleDefinitionGetResultsType": "CustomRole",
    "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions"
  },
  {
    "assignableScopes": [
      "/subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAccounts/<myCosmosAccount>"
    ],
    "id": "/subscriptions/<mySubscriptionId>/resourceGroups/<myResourceGroup>/providers/Microsoft.DocumentDB/databaseAccounts/<myCosmosAccount>/sqlRoleDefinitions/<roleDefinitionId>",
    "name": "<roleDefinitionId>",
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/readMetadata",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed"
        ],
        "notDataActions": []
      }
    ],
    "resourceGroup": "<myResourceGroup>",
    "roleName": "MyReadOnlyRole",
    "sqlRoleDefinitionGetResultsType": "CustomRole",
    "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions"
  }
]

Create role assignments

Once you've created your role definitions, you can associate them with your AAD identities. When creating a role assignment, you need to provide:

  • The name of your Azure Cosmos DB account.

  • The resource group containing your account.

  • The ID of the role definition to assign.

  • The principal ID of the identity that the role definition should be assigned to.

  • The scope of the role assignment; supported scopes are:

    • / (account-level)
    • /dbs/<database-name> (database-level)
    • /dbs/<database-name>/colls/<container-name> (container-level)

    The scope must match or be a sub-scope of one of the role definition's assignable scopes.

Note

If you want to create a role assignment for a service principal, make sure to use its Object ID as found in the Enterprise applications section of the Azure Active Directory portal blade (not the Application ID of the app registration).

Note

The operations described below are currently available in:

Using Azure PowerShell

Assign a role to an identity:

$resourceGroupName = "<myResourceGroup>"
$accountName = "<myCosmosAccount>"
$readOnlyRoleDefinitionId = "<roleDefinitionId>" # as fetched above
$principalId = "<aadPrincipalId>"
# Scope "/" is the whole account; use "/dbs/<database-name>" or
# "/dbs/<database-name>/colls/<container-name>" to narrow the assignment.
New-AzCosmosDBSqlRoleAssignment -AccountName $accountName `
    -ResourceGroupName $resourceGroupName `
    -RoleDefinitionId $readOnlyRoleDefinitionId `
    -Scope "/" `
    -PrincipalId $principalId

Using the Azure CLI

Assign a role to an identity:

resourceGroupName='<myResourceGroup>'
accountName='<myCosmosAccount>'
readOnlyRoleDefinitionId='<roleDefinitionId>' # as fetched above
principalId='<aadPrincipalId>'
# --scope "/" covers the whole account; narrow it to "/dbs/<database-name>" or
# "/dbs/<database-name>/colls/<container-name>" where the identity needs less.
az cosmosdb sql role assignment create --account-name $accountName --resource-group $resourceGroupName --scope "/" --principal-id $principalId --role-definition-id $readOnlyRoleDefinitionId
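The permission model and the assignment rules above (action names, the two wildcard forms, the three scope levels, and the requirement that an assignment scope be one of the role's assignable scopes or a sub-scope of it) are easy to get subtly wrong when writing role definitions. The following is an added example, not the Cosmos DB authorization engine or any Azure SDK code: an offline model of those rules that you can use to check a planned set of roles and assignments before creating them. MyReadOnlyRole and MyReadWriteRole mirror the roles created above; the OrdersWriter role, the principal IDs, the database shop and its containers are made up for the example, and treating containers/* and items/* as disjoint grants is this model's assumption (the article lists both wildcards separately).

```python
"""Offline model of the Cosmos DB data-plane RBAC rules described in this article.
Added illustration, not Azure's authorization engine; names below are constructed."""
from dataclasses import dataclass

READ_METADATA = "Microsoft.DocumentDB/databaseAccounts/readMetadata"
CONTAINERS = "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/"
ITEMS = CONTAINERS + "items/"


@dataclass
class RoleDefinition:
    role_id: str
    role_name: str
    data_actions: list
    assignable_scopes: list  # "/", "/dbs/<db>" or "/dbs/<db>/colls/<container>"


@dataclass
class RoleAssignment:
    assignment_id: str
    role_id: str
    principal_id: str  # AAD object ID of the user, group or service principal
    scope: str


def scope_contains(outer: str, inner: str) -> bool:
    """True if `inner` is `outer` itself or nested under it ("/" covers the account).
    The trailing slash keeps "/dbs/shop" from matching "/dbs/shopping"."""
    return outer == "/" or inner == outer or inner.startswith(outer.rstrip("/") + "/")


def action_matches(granted: str, requested: str) -> bool:
    """Exact match, or one of the two wildcards the article lists. The article grants
    containers/* and items/* separately, so this model treats them as disjoint (assumption)."""
    if granted == requested:
        return True
    if granted == ITEMS + "*":
        return requested.startswith(ITEMS)
    if granted == CONTAINERS + "*":
        return requested.startswith(CONTAINERS) and not requested.startswith(ITEMS)
    return False


def validate_assignment(assignment: RoleAssignment, definitions: dict) -> None:
    """Reject an assignment whose scope lies outside every assignable scope of its role."""
    role = definitions[assignment.role_id]
    if not any(scope_contains(s, assignment.scope) for s in role.assignable_scopes):
        raise ValueError(f"{assignment.assignment_id}: scope {assignment.scope} is not within "
                         f"assignable scopes {role.assignable_scopes} of {role.role_name}")


def authorize(principal_id: str, action: str, resource: str,
              definitions: dict, assignments: list):
    """Return the ID of the first assignment that lets `principal_id` perform `action`
    on `resource` (a scope string), or None when the request must be denied."""
    for a in assignments:
        if a.principal_id != principal_id or not scope_contains(a.scope, resource):
            continue
        if any(action_matches(g, action) for g in definitions[a.role_id].data_actions):
            return a.assignment_id
    return None


def lint_role(role: RoleDefinition) -> list:
    """Review findings worth raising before running `az cosmosdb sql role definition create`."""
    findings = []
    if READ_METADATA not in role.data_actions:
        findings.append("no readMetadata: SDK clients cannot initialize with this role alone")
    if CONTAINERS + "*" in role.data_actions:
        findings.append("containers/* also grants executeStoredProcedure and manageConflicts")
    if ITEMS + "*" in role.data_actions:
        findings.append("items/* grants delete; prefer listing create/read/replace/upsert explicitly")
    return findings


# Constructed inventory: the two roles from the article plus a database-scoped one.
DEFINITIONS = {
    "ro": RoleDefinition("ro", "MyReadOnlyRole",
                         [READ_METADATA, ITEMS + "read", CONTAINERS + "executeQuery",
                          CONTAINERS + "readChangeFeed"], ["/"]),
    "rw": RoleDefinition("rw", "MyReadWriteRole",
                         [READ_METADATA, ITEMS + "*", CONTAINERS + "*"], ["/"]),
    "orders-writer": RoleDefinition("orders-writer", "OrdersWriter",
                                    [ITEMS + "upsert"], ["/dbs/shop"]),
}
ASSIGNMENTS = [
    RoleAssignment("asg-reporting", "ro", "11111111-1111-1111-1111-111111111111", "/"),
    RoleAssignment("asg-orders-api", "rw", "22222222-2222-2222-2222-222222222222",
                   "/dbs/shop/colls/orders"),
]
for _a in ASSIGNMENTS:
    validate_assignment(_a, DEFINITIONS)


def decide(principal_id: str, action: str, resource: str):
    """Convenience wrapper over the constructed inventory."""
    return authorize(principal_id, action, resource, DEFINITIONS, ASSIGNMENTS)
```

Run `decide(...)` with the principal, action and scope of a request you expect to succeed or fail, and `lint_role(...)` on each role before creating it; a role without readMetadata will pass `authorize` for its data actions yet still break every SDK client, which is the mistake the lint is there to catch.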

Initialize the SDK with Azure AD

To use the Azure Cosmos DB RBAC in your application, you have to update the way you initialize the Azure Cosmos DB SDK. Instead of passing your account's primary key, you have to pass an instance of a TokenCredential class. This instance provides the Azure Cosmos DB SDK with the context required to fetch an AAD token on behalf of the identity you wish to use.

The way you create a TokenCredential instance is beyond the scope of this article. There are many ways to create such an instance depending on the type of AAD identity you want to use (user principal, service principal, group, etc.). Most importantly, your TokenCredential instance must resolve to the identity (principal ID) that you've assigned your roles to. You can find examples of creating a TokenCredential class:

The examples below use a service principal with a ClientSecretCredential instance.

In .NET

The Azure Cosmos DB RBAC is currently supported in the preview version of the .NET SDK V3.

using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Cosmos;

// The credential, not the account key, is what the SDK uses to obtain AAD tokens.
TokenCredential servicePrincipal = new ClientSecretCredential(
    "<azure-ad-tenant-id>",
    "<client-application-id>",
    "<client-application-secret>");
CosmosClient client = new CosmosClient("<account-endpoint>", servicePrincipal);

In Java

The Azure Cosmos DB RBAC is currently supported in the Java SDK V4.

import com.azure.core.credential.TokenCredential;
import com.azure.cosmos.CosmosAsyncClient;
import com.azure.cosmos.CosmosClientBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;

TokenCredential servicePrincipal = new ClientSecretCredentialBuilder()
    .authorityHost("https://login.chinacloudapi.cn") // AAD authority for Azure China, as in this article
    .tenantId("<azure-ad-tenant-id>")
    .clientId("<client-application-id>")
    .clientSecret("<client-application-secret>")
    .build();
CosmosAsyncClient client = new CosmosClientBuilder()
    .endpoint("<account-endpoint>")
    .credential(servicePrincipal)
    .build();

In JavaScript

The Azure Cosmos DB RBAC is currently supported in the JavaScript SDK V3.

const { ClientSecretCredential } = require("@azure/identity");
const { CosmosClient } = require("@azure/cosmos");

const servicePrincipal = new ClientSecretCredential(
    "<azure-ad-tenant-id>",
    "<client-application-id>",
    "<client-application-secret>");
// Pass the credential as aadCredentials instead of a key.
const client = new CosmosClient({
    endpoint: "<account-endpoint>",
    aadCredentials: servicePrincipal
});

In REST API

The Azure Cosmos DB RBAC is currently supported with the 2021-03-15 version of the REST API. When constructing the authorization header, set the type parameter to aad and the hash signature (sig) to the OAuth token, as shown in the following example:

type=aad&ver=1.0&sig=<token-from-oauth>
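Two checks a REST caller (or anyone debugging a 403 from an SDK) wants at this point: that the token actually belongs to the principal the role assignment was created for, and that the Authorization header value is built in the form shown above. The following is an added example, not code from this article or from any Azure SDK. The principal ID is the `oid` claim of an AAD access token; the decode here does not verify the signature (the service does that), so it is only a sanity check on your own client's token. The header value is URL-encoded the way the Cosmos DB REST API requires for its authorization strings. The sample JWT is constructed and unsigned; a real one comes from your TokenCredential.

```python
"""Client-side checks on an AAD token used with the Cosmos DB REST API.
Added example; the sample token is constructed, not a real AAD token."""
import base64
import json
from urllib.parse import quote


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. The signature is NOT verified here:
    this is a sanity check on the client's own token; the service verifies it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_principal(token: str, principal_id: str) -> bool:
    """True if the token's `oid` (AAD object ID) equals the principal ID in the role assignment.
    For a service principal this is the Enterprise application's Object ID, not the app ID."""
    return jwt_claims(token).get("oid") == principal_id


def token_is_live(token: str, now: int) -> bool:
    """False once `exp` (seconds since the epoch) has passed. The SDKs refresh tokens
    for you; a REST caller has to do it itself."""
    exp = jwt_claims(token).get("exp")
    return exp is not None and now < exp


def aad_authorization_header(token: str) -> str:
    """Authorization header value in the form type=aad&ver=1.0&sig=<token>, URL-encoded
    as the REST API requires for its authorization strings ('=' -> %3D, '&' -> %26)."""
    return quote(f"type=aad&ver=1.0&sig={token}", safe="")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for this example only (alg=none, empty signature).
    Never accept such a token on a server."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."
```

If `token_matches_principal` returns False for the ID you used in the role assignment, the credential is resolving to a different identity (a common case is using the app registration's Application ID instead of the service principal's Object ID), and every data request will be denied regardless of the roles you created.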

Auditing data requests

When using the Azure Cosmos DB RBAC, diagnostic logs get augmented with identity and authorization information for each data operation. This lets you perform detailed auditing and retrieve the AAD identity used for every data request sent to your Azure Cosmos DB account.

This additional information flows in the DataPlaneRequests log category and consists of two extra columns:

  • aadPrincipalId_g shows the principal ID of the AAD identity that was used to authenticate the request.
  • aadAppliedRoleAssignmentId_g shows the role assignment that was honored when authorizing the request.
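The two columns above are what you query when reviewing who touched the data and under which assignment. The following is an added example, not part of this article or of any Azure tooling: detection logic over a handful of constructed DataPlaneRequests records (as you might export them as JSON lines from a Log Analytics query). Only aadPrincipalId_g and aadAppliedRoleAssignmentId_g come from the article; TimeGenerated, operationType_s and statusCode_s are column names assumed for the sample, and the readings that a request without an AAD principal was made with the account key, and that an AAD request with no honored assignment was denied, are this example's assumptions.

```python
"""Review DataPlaneRequests records for AAD identity and assignment information.
Added example; the log records below are constructed, not real exports."""
import json
from collections import defaultdict

# Constructed sample. Column names other than aadPrincipalId_g and
# aadAppliedRoleAssignmentId_g are assumed for the example.
SAMPLE_LOG = """\
{"TimeGenerated":"2021-04-01T10:00:01Z","operationType_s":"Read","statusCode_s":"200","aadPrincipalId_g":"aaaaaaaa-0000-0000-0000-000000000001","aadAppliedRoleAssignmentId_g":"asg-readonly"}
{"TimeGenerated":"2021-04-01T10:00:02Z","operationType_s":"Query","statusCode_s":"200","aadPrincipalId_g":"aaaaaaaa-0000-0000-0000-000000000001","aadAppliedRoleAssignmentId_g":"asg-readonly"}
{"TimeGenerated":"2021-04-01T10:00:03Z","operationType_s":"Create","statusCode_s":"201","aadPrincipalId_g":"bbbbbbbb-0000-0000-0000-000000000002","aadAppliedRoleAssignmentId_g":"asg-readwrite"}
{"TimeGenerated":"2021-04-01T10:00:04Z","operationType_s":"Create","statusCode_s":"403","aadPrincipalId_g":"aaaaaaaa-0000-0000-0000-000000000001","aadAppliedRoleAssignmentId_g":""}
{"TimeGenerated":"2021-04-01T10:00:05Z","operationType_s":"Delete","statusCode_s":"204","aadPrincipalId_g":"","aadAppliedRoleAssignmentId_g":""}
{"TimeGenerated":"2021-04-01T10:00:06Z","operationType_s":"Upsert","statusCode_s":"200","aadPrincipalId_g":"cccccccc-0000-0000-0000-000000000003","aadAppliedRoleAssignmentId_g":"asg-old"}
"""


def parse_records(text: str) -> list:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def requests_per_principal(records: list) -> dict:
    """Per AAD principal: request count, assignments honored, operation types seen."""
    summary = defaultdict(lambda: {"count": 0, "assignments": set(), "operations": set()})
    for r in records:
        pid = r.get("aadPrincipalId_g") or ""
        if not pid:
            continue
        entry = summary[pid]
        entry["count"] += 1
        if r.get("aadAppliedRoleAssignmentId_g"):
            entry["assignments"].add(r["aadAppliedRoleAssignmentId_g"])
        entry["operations"].add(r.get("operationType_s", ""))
    return dict(summary)


def non_aad_requests(records: list) -> list:
    """Requests with no AAD principal: not authorized through RBAC. Since the primary
    key cannot be disabled, this is the traffic to track down (assumption: key-based)."""
    return [r for r in records if not r.get("aadPrincipalId_g")]


def denied_aad_requests(records: list) -> list:
    """AAD-authenticated requests that no role assignment was honored for (assumption:
    these are the requests the service rejected)."""
    return [r for r in records
            if r.get("aadPrincipalId_g") and not r.get("aadAppliedRoleAssignmentId_g")]


def unexpected_principals(records: list, allowed_principals: set) -> list:
    """AAD principals seen in the logs that are not on your expected list."""
    return sorted({r["aadPrincipalId_g"] for r in records
                   if r.get("aadPrincipalId_g") and r["aadPrincipalId_g"] not in allowed_principals})


def stale_assignments(records: list, managed_assignment_ids: set) -> list:
    """Assignment IDs that were honored but are not in the inventory you manage
    (an assignment created ad hoc, or one you believed was removed)."""
    return sorted({r["aadAppliedRoleAssignmentId_g"] for r in records
                   if r.get("aadAppliedRoleAssignmentId_g")
                   and r["aadAppliedRoleAssignmentId_g"] not in managed_assignment_ids})
```

Feed `stale_assignments` the IDs returned by `az cosmosdb sql role assignment list` and `unexpected_principals` the Object IDs you assigned roles to; anything either function returns is worth an investigation before you rely on the audit trail.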

Limits

  • You can create up to 100 role definitions and 2,000 role assignments per Azure Cosmos DB account.

  • You can only assign role definitions to Azure AD identities belonging to the same Azure AD tenant as your Azure Cosmos DB account.

  • Azure AD group resolution is not currently supported for identities that belong to more than 200 groups.

  • The Azure AD token is currently passed as a header with each individual request sent to the Azure Cosmos DB service, increasing the overall payload size.

Frequently asked questions

Which Azure Cosmos DB APIs are supported by RBAC?

Only the SQL API is currently supported.

Is it possible to manage role definitions and role assignments from the Azure portal?

Azure portal support for role management is not available yet.

Which SDKs in Azure Cosmos DB SQL API support RBAC?

The .NET V3 (preview), Java V4 and JavaScript V3 SDKs are currently supported, as shown in Initialize the SDK with Azure AD above.

Is the Azure AD token automatically refreshed by the Azure Cosmos DB SDKs when it expires?

Yes.

Is it possible to disable the usage of the account primary key when using RBAC?

Disabling the account primary key is not currently possible, so requests signed with the key continue to be accepted alongside AAD-authenticated ones.

Next steps