Storage connection strings

A few Kusto commands instruct Kusto to interact with external storage services. For example, Kusto can be told to export data to an Azure Storage Blob, in which case the specific parameters (such as storage account name or blob container) need to be provided.

Kusto supports the following storage providers:

  • Azure Storage Blob storage provider
  • Azure Data Lake Storage storage provider

Each kind of storage provider defines a connection string format used to describe the storage resources and how to access them. Kusto uses a URI format to describe these storage resources and the properties necessary to access them (such as security credentials).

Provider                     Scheme    URI template
Azure Storage Blob           https://  https://Account.blob.core.chinacloudapi.cn/Container[/BlobName][?SasKey | ;AccountKey]
Azure Data Lake Store Gen 2  abfss://  abfss://Filesystem@Account.dfs.core.chinacloudapi.cn/PathToDirectoryOrFile[;CallerCredentials]
Azure Data Lake Store Gen 1  adl://    adl://Account.azuredatalakestore.net/PathToDirectoryOrFile[;CallerCredentials]

Azure Storage Blob

This provider is the most commonly used and is supported in all scenarios. The provider must be given credentials when accessing the resource. There are two supported mechanisms for providing credentials:

  • Provide a Shared Access Signature (SAS) key, using the Azure Storage Blob's standard query (?sig=...). Use this method when Kusto needs to access the resource for a limited time.
  • Provide the storage account key (;ljkAkl...==). Use this method when Kusto needs to access the resource on an ongoing basis.

Examples (note that this is showing obfuscated string literals, so as not to expose the account key or SAS):

h"https://fabrikam.blob.core.chinacloudapi.cn/container/path/to/file.csv;<storage_account_key_text, ends with '=='>"
h"https://fabrikam.blob.core.chinacloudapi.cn/container/path/to/file.csv?sv=...&sp=rwd"

Azure Data Lake Store

Azure Data Lake Store Gen 2

This provider supports accessing data in Azure Data Lake Store Gen 2.

The format of the URI is:

abfss://Filesystem@StorageAccountName.dfs.core.chinacloudapi.cn/Path;CallerCredentials

Where:

  • Filesystem is the name of the ADLS filesystem object (roughly equivalent to Blob Container).
  • StorageAccountName is the name of the storage account.
  • Path is the path to the directory or file being accessed. The slash (/) character is used as a delimiter.
  • CallerCredentials indicates the credentials used to access the service, as described below.

When accessing Azure Data Lake Store Gen 2, the caller must provide valid credentials for accessing the service. The following methods of providing credentials are supported:

  • Append ;sharedkey=AccountKey to the URI, with AccountKey being the storage account key.
  • Append ;impersonate to the URI. Kusto will use the requestor's principal identity and impersonate it to access the resource. The principal needs to have the appropriate RBAC role assignments to be able to perform the read/write operations, as documented here. (For example, the minimal role for read operations is the Storage Blob Data Reader role.)
  • Append ;token=AadToken to the URI, with AadToken being a base-64 encoded AAD access token (make sure the token is for the resource https://storage.azure.com/).
  • Append ;prompt to the URI. Kusto requests user credentials when it needs to access the resource. (Prompting the user is disabled for cloud deployments and is only enabled in test environments.)
  • Provide a Shared Access Signature (SAS) key, using the Azure Data Lake Storage Gen 2's standard query (?sig=...). Use this method when Kusto needs to access the resource for a limited time.
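
An added example, not part of the original page and not Kusto's own code: a Python helper that classifies the Azure Storage Blob and Azure Data Lake Store Gen 2 connection strings described above by credential type and returns a copy that is safe to write to logs. The function name, the returned field names, and the sample strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDACTED = "<redacted>"

def classify(conn):
    """Classify a Kusto storage connection string and return a log-safe copy."""
    uri, _, suffix = conn.partition(";")      # credentials follow the first ';'
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("https", "abfss"):
        raise ValueError("scheme not covered by this example: %r" % scheme)
    # SAS: the signature is carried in the standard ?sig=... query parameter.
    has_sas = re.search(r"(?:^|&)sig=", urlsplit(uri).query, re.I) is not None
    safe_uri = re.sub(r"((?:^|[?&])sig=)[^&]*", r"\1" + REDACTED, uri, flags=re.I)
    name, eq, _ = suffix.partition("=")
    key = name.strip().lower()
    if not suffix:
        kind, safe = ("sas" if has_sas else "none"), safe_uri
    elif scheme == "abfss" and key in ("impersonate", "prompt") and not eq:
        kind, safe = key, f"{safe_uri};{key}"          # no secret in the string
    elif scheme == "abfss" and key in ("sharedkey", "token") and eq:
        kind, safe = key, f"{safe_uri};{key}={REDACTED}"
    elif scheme == "https":
        kind, safe = "account_key", f"{safe_uri};{REDACTED}"  # bare ;AccountKey
    else:
        raise ValueError("unrecognised credential suffix")
    return {
        "scheme": scheme,
        "kind": kind,
        "has_secret": kind in ("sas", "account_key", "sharedkey", "token"),
        # The page describes account keys as the choice for ongoing access.
        "ongoing_access": kind in ("account_key", "sharedkey"),
        "safe": safe,
    }

# Constructed sample strings; the keys and signatures are placeholders.
SAMPLES = [
    "https://fabrikam.blob.core.chinacloudapi.cn/container/path/to/file.csv;PLACEHOLDERKEY==",
    "https://fabrikam.blob.core.chinacloudapi.cn/container/path/to/file.csv?sv=x&sp=rwd&sig=PLACEHOLDER",
    "abfss://fs@fabrikam.dfs.core.chinacloudapi.cn/dir/file.csv;impersonate",
    "abfss://fs@fabrikam.dfs.core.chinacloudapi.cn/dir/file.csv;sharedkey=PLACEHOLDERKEY==",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print(r["kind"], r["ongoing_access"], r["safe"])
```

Running the helper over command text before it reaches logs or tickets keeps account keys, tokens and SAS signatures out of those stores, and the ongoing_access flag marks the strings that carry a storage account key rather than a time-limited SAS.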