Prevent Azure Cosmos DB resources from being deleted or changed

APPLIES TO: SQL API

As an administrator, you may need to lock an Azure Cosmos account, database or container to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

How locks are applied

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Unlike Azure role-based access control, management locks apply a restriction across all users and roles. To learn about Azure RBAC for Azure Cosmos DB, see Azure role-based access control in Azure Cosmos DB.

Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.chinacloudapi.cn. The locks don't restrict how resources perform their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on an Azure Cosmos container prevents you from deleting or modifying the container. It doesn't prevent you from creating, updating, or deleting data in the container. Data transactions are permitted because those operations aren't sent to https://management.chinacloudapi.cn.

Manage locks

Warning

Resource locks do not work for changes made by users accessing Azure Cosmos DB using account keys unless the Azure Cosmos account is first locked by enabling the disableKeyBasedMetadataWriteAccess property. Care should be taken before enabling this property to ensure it does not break existing applications that make changes to resources using any SDK, the Azure portal or third-party tools that connect via account keys and modify resources (for example, changing throughput or updating index policies). To learn more and to go through a checklist to ensure your applications continue to function, see Preventing changes from the Azure Cosmos DB SDKs.

PowerShell

$resourceGroupName = "myResourceGroup"
$accountName = "my-cosmos-account"
$lockName = "$accountName-Lock"

# First, update the account to prevent changes by anything that connects via account keys
Update-AzCosmosDBAccount -ResourceGroupName $resourceGroupName -Name $accountName -DisableKeyBasedMetadataWriteAccess true

# Create a Delete Lock on an Azure Cosmos account resource and all child resources
New-AzResourceLock `
    -ApiVersion "2020-04-01" `
    -ResourceType "Microsoft.DocumentDB/databaseAccounts" `
    -ResourceGroupName $resourceGroupName `
    -ResourceName $accountName `
    -LockName $lockName `
    -LockLevel "CanNotDelete" # CanNotDelete or ReadOnly

Azure CLI

resourceGroupName='myResourceGroup'
accountName='my-cosmos-account'
lockName="$accountName-Lock"

# First, update the account to prevent changes by anything that connects via account keys
az cosmosdb update --name $accountName --resource-group $resourceGroupName --disable-key-based-metadata-write-access true

# Create a Delete Lock on an Azure Cosmos account resource (use --lock-type ReadOnly for a read-only lock)
az lock create --name $lockName \
    --resource-group $resourceGroupName \
    --resource-type Microsoft.DocumentDB/databaseAccounts \
    --lock-type CanNotDelete \
    --resource $accountName

Template

When applying a lock to an Azure Cosmos DB resource, use the following formats:

  • name - {resourceName}/Microsoft.Authorization/{lockName}
  • type - {resourceProviderNamespace}/{resourceType}/providers/locks

Important

When modifying an existing Azure Cosmos account, make sure to include the other properties for your account and child resources when redeploying with this property. Do not deploy this template as is or it will reset all of your account properties.

"resources": [
    {
        "type": "Microsoft.DocumentDB/databaseAccounts",
        "name": "[variables('accountName')]",
        "apiVersion": "2020-04-01",
        "kind": "GlobalDocumentDB",
        "location": "[parameters('location')]",
        "properties": {
            "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
            "locations": "[variables('locations')]",
            "databaseAccountOfferType": "Standard",
            "enableAutomaticFailover": "[parameters('automaticFailover')]",
            "disableKeyBasedMetadataWriteAccess": true
        }
    },
    {
        "type": "Microsoft.DocumentDB/databaseAccounts/providers/locks",
        "apiVersion": "2020-04-01",
        "name": "[concat(variables('accountName'), '/Microsoft.Authorization/siteLock')]",
        "dependsOn": [
            "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('accountName'))]"
        ],
        "properties": {
            "level": "CanNotDelete",
            "notes": "Cosmos account should not be deleted."
        }
    }
]
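The inheritance rule described under "How locks are applied" (child scopes inherit parent locks, the most restrictive lock wins) and the warning under "Manage locks" (a lock on an account that still allows key-based metadata writes is bypassable by anyone holding the account key) can both be checked against a template before it is deployed. The following Python script is an added example, not part of the original article or of any Azure tooling; the resource list, account names and the sqlDatabases lock scope are constructed sample data in the shape of the template above.

```python
import json

# Constructed ARM resource list in the shape of the page's template (sample data, not the page's own).
TEMPLATE = json.loads("""{"resources": [
  {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-a",
   "properties": {"disableKeyBasedMetadataWriteAccess": true}},
  {"type": "Microsoft.DocumentDB/databaseAccounts/providers/locks",
   "name": "cosmos-a/Microsoft.Authorization/siteLock", "properties": {"level": "CanNotDelete"}},
  {"type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/providers/locks",
   "name": "cosmos-a/db1/Microsoft.Authorization/dbLock", "properties": {"level": "ReadOnly"}},
  {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "cosmos-b", "properties": {}},
  {"type": "Microsoft.DocumentDB/databaseAccounts/providers/locks",
   "name": "cosmos-b/Microsoft.Authorization/siteLock", "properties": {"level": "ReadOnly"}}
]}""")

# ReadOnly restricts more than CanNotDelete; None means no lock at all.
RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}

def lock_scopes(template):
    """Map each locked scope ('cosmos-a', 'cosmos-a/db1', ...) to its declared lock level."""
    scopes = {}
    for res in template["resources"]:
        if res["type"].endswith("/providers/locks"):
            # Lock names follow {resourceName}/Microsoft.Authorization/{lockName}
            scope = res["name"].split("/Microsoft.Authorization/")[0]
            scopes[scope] = res["properties"]["level"]
    return scopes

def effective_lock(scopes, scope):
    """Walk from the account down to `scope`: child scopes inherit parent locks,
    and the most restrictive lock along the path wins."""
    parts = scope.split("/")
    best = None
    for depth in range(1, len(parts) + 1):
        level = scopes.get("/".join(parts[:depth]))
        if RANK[level] > RANK[best]:
            best = level
    return best

def unprotected_accounts(template):
    """Accounts that carry a lock but still allow key-based metadata writes:
    the lock does nothing against callers that connect with the account key."""
    scopes = lock_scopes(template)
    flagged = []
    for res in template["resources"]:
        if res["type"] == "Microsoft.DocumentDB/databaseAccounts":
            locked = effective_lock(scopes, res["name"]) is not None
            if locked and not res["properties"].get("disableKeyBasedMetadataWriteAccess"):
                flagged.append(res["name"])
    return flagged
```

Running `unprotected_accounts(TEMPLATE)` on the sample returns `['cosmos-b']`, the account whose lock can still be bypassed via account keys.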

Next steps