Kusto 访问控制概述Kusto Access Control Overview

Azure 数据资源管理器中的访问控制基于两个关键因素。Access Control in Azure Data Explorer is based on two key factors.

  • 身份验证:验证进行请求的安全主体的标识Authentication: Validates the identity of the security principal making a request
  • 授权:验证进行请求的安全主体是否获允在目标资源上进行该请求Authorization: Validates that the security principal making a request is permitted to make that request on the target resource

Azure 数据资源管理器群集、数据库或表上的查询或控制命令必须同时通过身份验证和授权检查。A query or a control command on an Azure Data Explorer cluster, database, or table, must pass both authentication and authorization checks.


Azure Active Directory (Azure AD) 是 Azure 的首选多租户云目录服务。Azure Active Directory (Azure AD) is Azure's preferred multi-tenant cloud directory service. 它可对安全主体进行身份验证或与其他标识提供者联合。It can authenticate security principals or federate with other identity providers.

Azure AD 是在 Microsoft 中向 Azure 数据资源管理器进行身份验证的首选方法。Azure AD is the preferred method for authenticating to Azure Data Explorer in Microsoft. 它支持多种身份验证方案。It supports a number of authentication scenarios.

  • 用户身份验证(交互式登录):用于对人类主体进行身份验证。User authentication (interactive sign-in): Used to authenticate human principals.
  • 应用程序身份验证(非交互式登录):用于对必须在没有人类用户参与的情况下运行或进行身份验证的服务和应用程序进行身份验证。Application authentication (non-interactive sign-in): Used to authenticate services and applications that have to run and authenticate with no human user present.

用户身份验证User authentication

用户身份验证是在用户向以下应用提供凭据时完成的:User authentication is done when the user presents credentials to:

  • Azure ADAzure AD
  • 与 Azure AD 一起使用的标识提供者an identity provider that works with Azure AD

如果成功,用户将收到一个安全令牌,它可提供给 Azure 数据资源管理器服务。If successful, the user receives a security token that can be presented to the Azure Data Explorer service. Azure 数据资源管理器服务并不关心安全令牌是如何获取的。The Azure Data Explorer service doesn't care how the security token was obtained. 它关心的是令牌是否有效,以及 Azure AD(或进行联合身份验证的 IdP)在令牌中放入了哪些信息。It cares about whether the token is valid and what information is put there by Azure AD (or the federated IdP).

在客户端,Azure 数据资源管理器支持交互式身份验证,而 Microsoft 身份验证库或类似的代码会要求用户输入凭据。On the client side, Azure Data Explorer supports interactive authentication, where the Microsoft Authentication Library or similar code, requests the user to enter credentials. 它还支持基于令牌的身份验证,其中使用 Azure 数据资源管理器的应用程序会获取有效的用户令牌。It also supports token-based authentication, where the application using Azure Data Explorer obtains a valid user token. 使用 Azure 数据资源管理器的应用程序也可为其他服务获取有效的用户令牌。The application that uses Azure Data Explorer can also obtain a valid user token for another service. 只有当该资源与 Azure 数据资源管理器之间存在信任关系时,才可获取用户令牌。The user token is obtainable only if a trust relationship between that resource and Azure Data Explorer exists.

有关详细信息,请参阅 Kusto 连接字符串,详细了解如何使用 Kusto 客户端库并使用 Azure AD 向 Azure 数据资源管理器进行身份验证。For more information, see Kusto connection strings for details on how to use the Kusto client libraries and authenticate by using Azure AD to Azure Data Explorer.

应用程序身份验证Application authentication

如果请求与特定用户不相关,或者没有用户来输入凭据,则请使用 Azure AD 应用程序身份验证流。Use the Azure AD application authentication flow when requests aren't associated with a specific user or there's no user available to enter credentials. 在该流中,应用程序通过提供某种机密信息向 Azure AD(或进行联合身份验证的 IdP)进行身份验证。In the flow, the application authenticates to Azure AD (or the federated IdP) by presenting some secret information. 可使用各种 Azure 数据资源管理器客户端实现以下方案。The following scenarios are supported by the various Azure Data Explorer clients.

  • 使用安装在本地的 X.509v2 证书进行的应用程序身份验证Application authentication using an X.509v2 certificate installed locally

  • 使用作为字节流提供给客户端库的 X.509v2 证书进行的应用程序身份验证Application authentication using an X.509v2 certificate given to the client library as a byte stream

  • 使用 Azure AD 身份验证 ID 和 Azure AD 身份验证密钥进行的应用程序身份验证。Application authentication using an Azure AD application ID and an Azure AD application key.


    这里的 ID 和密钥等效于用户名和密码The ID and key are the equivalent of a username and password

  • 使用之前获得的有效的 Azure AD 令牌(颁发给 Azure 数据资源管理器)进行的应用程序身份验证。Application authentication using a previously obtained valid Azure AD token, issued to Azure Data Explorer.

  • 使用之前获得的有效的 Azure AD 令牌(颁发给其他某项资源)进行的应用程序身份验证。Application authentication using a previously obtained valid Azure AD token, issued to some other resource. 如果该资源与 Azure 数据资源管理器之间存在信任关系,则可使用此方法。This method will work if there's a trust relationship between that resource and Azure Data Explorer.

Microsoft 帐户 (MSA)Microsoft Accounts (MSAs)

Microsoft 帐户 (MSA) 这个术语是指所有由 Microsoft 托管的非组织用户帐户,例如 hotmail.comlive.comoutlook.comMicrosoft Account (MSA) is the term used for all the Microsoft-managed non-organizational user accounts, such as hotmail.com, live.com, outlook.com. Kusto 支持对 MSA 进行用户身份验证(这里没有“安全组”这一概念),其中 MSA 按通用主体名称 (UPN) 进行标识。Kusto supports user authentication for MSAs (there's no security groups concept) that are identified by their Universal Principal Name (UPN).

在 Azure 数据资源管理器资源上配置 MSA 主体时,该资源管理器不会尝试解析所提供的 UPN。When an MSA principal is configured on an Azure Data Explorer resource, Azure Data Explorer won't attempt to resolve the UPN provided.

经过身份验证的 SDK 或 REST 调用Authenticated SDK or REST calls

  • 使用 REST API 时,身份验证是通过标准 HTTP Authorization 标头进行的When using the REST API, authentication is done with the standard HTTP Authorization header
  • 使用任何 Azure 数据资源管理器 .NET 库时,可通过在连接字符串中指定身份验证方法和参数来控制身份验证。When using any of the Azure Data Explorer .NET libraries, authentication is controlled by specifying the authentication method and parameters in the connection string. 另一种方法是在客户端请求属性对象上设置属性。Another method is to set the properties on the client request properties object.

Azure 数据资源管理器客户端 SDK 用作 Azure AD 客户端应用程序Azure Data Explorer client SDK as an Azure AD client application

Kusto 客户端库在调用 Microsoft 身份验证库来获取与 Kusto 通信所需的令牌时,会提供以下信息:When the Kusto client libraries invoke the Microsoft Authentication Library to acquire a token for communicating with Kusto, it provides the following information:

  • 资源(群集 URI,例如 https://Cluster-and-region.kusto.chinacloudapi.cnThe Resource (Cluster URI, such as, https://Cluster-and-region.kusto.chinacloudapi.cn)
  • Azure AD 客户端应用程序 IDThe Azure AD Client Application ID
  • Azure AD 客户端应用程序重定向 URIThe Azure AD Client Application Redirect URI
  • Azure AD 租户,它会影响用于身份验证的 Azure AD 终结点。The Azure AD Tenant, that affects the Azure AD endpoint used for authentication. 例如,对于 Azure AD 租户 microsoft.com,Azure AD 终结点为 https://login.partner.microsoftonline.cn/microsoft.comFor example, for Azure AD tenant microsoft.com, the Azure AD endpoint is https://login.partner.microsoftonline.cn/microsoft.com)

Microsoft 身份验证库向 Azure 数据资源管理器客户端库返回的令牌具有适当的 Azure 数据资源管理器群集 URL 作为受众,且具有“访问 Azure 数据资源管理器”权限作为范围。The token returned by the Microsoft Authentication Library to the Azure Data Explorer Client Library has the appropriate Azure Data Explorer cluster URL as the audience, and the "Access Azure Data Explorer" permission as the scope.

示例:为 Azure 数据资源管理器群集获取 Azure AD 用户令牌Example: Obtain an Azure AD User token for an Azure Data Explorer cluster

// Create Auth Context for Azure AD (common or tenant-specific endpoint):
AuthenticationContext authContext = new AuthenticationContext("https://login.partner.microsoftonline.cn/{Azure AD TenantID or name}");

// Provide your Application ID and redirect URI
var clientAppID = "{your client app id}";
var redirectUri = new Uri("{your client app redirect uri}");

// acquireTokenTask will receive the bearer token for the authenticated user
var acquireTokenTask = authContext.AcquireTokenAsync(
    new PlatformParameters(PromptBehavior.Auto, null)).GetAwaiter().GetResult();


所有经过身份验证的主体都要先接受授权检查,然后才能对 Azure 数据资源管理器资源执行操作。All authenticated principals undergo an authorization check before they may carry out an action on an Azure Data Explorer resource. Azure 数据资源管理器使用一种基于角色的授权模型,其中主体归属一个或多个安全角色。Azure Data Explorer uses a role-based authorization model, where principals are ascribed to one or more security roles. 只要主体的一个角色获得授权,授权就会成功。Authorization succeeds as long as one of the principal's roles is authorized.

例如,数据库用户角色会向安全主体、用户或服务授予以下权限:For example, the database user role grants security principals, users, or services, the right to:

  • 读取特定数据库的数据read the data of a particular database
  • 在数据库中创建表create tables in the database
  • 在数据库中创建函数create functions in the database

将安全主体关联到安全角色时,可单独进行定义,也可使用安全组进行定义(在 Azure AD 中定义)。The association of security principals to security roles can be defined individually, or by using security groups that are defined in Azure AD. 这些命令是在设置基于角色的授权规则中定义的。The commands are defined in Setting role based authorization rules.