Kusto.Ingest - Ingestion permissions

This article explains what permissions to set up on your service for Native ingestion to work.

Prerequisites

  • To view and modify authorization settings on Kusto services and databases, see Kusto control commands.

  • Azure Active Directory (Azure AD) applications used as sample principals in the following examples:

    • Test Azure AD App (2a904276-1234-5678-9012-66fc53add60b; microsoft.com)
    • Kusto Internal Ingestion Azure AD App (76263cdb-1234-5678-9012-545644e9c404; microsoft.com)

Ingestion permission mode for queued ingestion

Ingestion permission mode is defined in IKustoQueuedIngestClient. This mode limits the client code's dependency on the Azure Data Explorer service. Ingestion is done by posting a Kusto ingestion message to an Azure queue; the queue, also known as the Ingestion service, is obtained from the Azure Data Explorer service. Intermediate storage artifacts are created by the ingest client using the resources allocated by the Azure Data Explorer service.

The following diagram outlines the queued ingestion client's interaction with Kusto.

(Diagram: queued ingestion)

Permissions on the Engine Service

To qualify for data ingestion into table T1 on database DB1, the principal performing the ingest operation must be authorized. The minimal required permission levels are Database Ingestor and Table Ingestor, which allow ingesting data into all existing tables in a database or into one specific existing table, respectively. If table creation is required, the Database User role or a higher access role must also be assigned.

Role               PrincipalType         PrincipalDisplayName
Database Ingestor  Azure AD Application  Test App (app id: 2a904276-1234-5678-9012-66fc53add60b)
Table Ingestor     Azure AD Application  Test App (app id: 2a904276-1234-5678-9012-66fc53add60b)

The Kusto Internal Ingestion Azure AD App (76263cdb-1234-5678-9012-545644e9c404) principal, Kusto's internal ingestion app, is immutably mapped to the Cluster Admin role. It is thus authorized to ingest data into any table. This is what happens on the Kusto-managed ingestion pipelines.

Granting the required permissions on database DB1 or table T1 to the Azure AD app Test App (2a904276-1234-5678-9012-66fc53add60b in Azure AD tenant microsoft.com) would look like this:

.add database DB1 ingestors ('aadapp=2a904276-1234-5678-9012-66fc53add60b;microsoft.com') 'Test Azure AD App'
.add table T1 ingestors ('aadapp=2a904276-1234-5678-9012-66fc53add60b;microsoft.com') 'Test Azure AD App'
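As an added example (not code from the original article or from the Kusto SDK documentation), the following C# program uses the Kusto.Data and Kusto.Ingest .NET packages to grant the Test App the least-privilege Table Ingestor role on T1 as a database admin, verify the assignment with `.show table T1 principals`, and then ingest as that same app principal through IKustoQueuedIngestClient. The cluster URIs, app secret and source blob URI are placeholders, and the SDK calls are used as the editor knows them rather than as documented on this page.

```csharp
using System;
using System.Threading.Tasks;
using Kusto.Data;
using Kusto.Data.Net.Client;
using Kusto.Ingest;

class IngestionPermissionsExample
{
    // Placeholders: replace with your cluster, tenant and secret source.
    const string EngineUri  = "https://<cluster>.<region>.kusto.windows.net";
    const string IngestUri  = "https://ingest-<cluster>.<region>.kusto.windows.net";
    const string Tenant     = "microsoft.com";
    const string TestAppId  = "2a904276-1234-5678-9012-66fc53add60b"; // sample principal from the article
    const string TestAppKey = "<app-secret-from-key-vault>";           // never hard-code a real secret

    static async Task Main()
    {
        // 1. As a database admin (interactive sign-in), grant the narrowest role that works:
        //    Table Ingestor on T1 only, not Database Ingestor on all of DB1.
        var adminKcsb = new KustoConnectionStringBuilder(EngineUri).WithAadUserPromptAuthentication(Tenant);
        using (var admin = KustoClientFactory.CreateCslAdminProvider(adminKcsb))
        {
            admin.ExecuteControlCommand("DB1",
                $".add table T1 ingestors ('aadapp={TestAppId};{Tenant}') 'Test Azure AD App'");

            // Verify the assignment before the pipeline is handed the app credentials.
            using (var reader = admin.ExecuteControlCommand("DB1", ".show table T1 principals"))
            {
                while (reader.Read())
                    Console.WriteLine($"{reader["Role"]}  {reader["PrincipalType"]}  {reader["PrincipalDisplayName"]}");
            }
        }

        // 2. As the Test App itself, ingest through the queued client. The principal used here
        //    must be the same app that was granted Table Ingestor above, or the ingest is rejected.
        var appKcsb = new KustoConnectionStringBuilder(IngestUri)
            .WithAadApplicationKeyAuthentication(TestAppId, TestAppKey, Tenant);
        using (var ingest = KustoIngestFactory.CreateQueuedIngestClient(appKcsb))
        {
            var props = new KustoIngestionProperties("DB1", "T1");
            // The source blob must be readable by the service (for example via a SAS token); placeholder URI.
            await ingest.IngestFromStorageAsync(
                "https://<account>.blob.core.windows.net/<container>/data.csv?<sas>", props);
        }
    }
}
```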