Azure Active Directory (AAD) Authentication

Azure Active Directory (AAD) is Azure's preferred multi-tenant cloud directory service, capable of authenticating security principals directly or federating with other identity providers, such as Microsoft's Active Directory.

AAD allows applications of various kinds (web applications, Windows desktop applications, Universal applications, mobile applications, etc.) to authenticate uniformly and use Kusto services.

AAD supports a number of authentication scenarios. If a user is present during authentication, the user should be authenticated to AAD by AAD user authentication. In some cases, a service needs to use Kusto even when no user is interactively present. In such cases, the application should authenticate through the use of an application secret, as described in AAD Application Authentication.

The following methods of authentication are supported by Kusto in general, including through its .NET libraries:

  • Interactive user authentication - this mode requires interactivity; a logon UI pops up if needed
  • User authentication with an existing AAD token previously issued for Kusto
  • Application authentication with an AppID and a shared secret
  • Application authentication with a locally installed X.509v2 certificate or a certificate provided inline
  • Application authentication with an existing AAD token previously issued for Kusto
  • User or application authentication with an AAD token issued for another resource, provided trust exists between that resource and Kusto

Please see the Kusto connection strings reference for guidance and examples.

User authentication

User authentication happens when the user presents credentials to AAD (or to some identity provider that federates with AAD, such as ADFS) and gets back a security token that can be presented to the Kusto service. The Kusto service doesn't care how the security token was obtained; it cares whether the token is valid and what information AAD (or the federated IdP) put in it.

On the client side, Kusto supports interactive authentication, in which the AAD client library ADAL or similar code asks the user to enter credentials. It also supports token-based authentication, in which the application using Kusto obtains a valid user token and presents it. Last, it supports a scenario in which the application using Kusto obtains a valid user token for some other service (not Kusto), provided there is a trust relationship between that resource and Kusto.

Please see Kusto connection strings for details on how to use the Kusto client libraries and authenticate to Kusto by using AAD.

Application authentication

When requests are not associated with a specific user, or there is no user available to enter credentials, the AAD application authentication flow may be used. In this flow, the application authenticates to AAD (or the federated IdP) by presenting some secret information. The following scenarios are supported by the various Kusto clients:

  • Application authentication using an X.509v2 certificate installed locally.
  • Application authentication using an X.509v2 certificate given to the client library as a byte stream.
  • Application authentication using an AAD application ID and an AAD application key (the equivalent of username/password authentication for applications).
  • Application authentication using a previously obtained valid AAD token (issued to Kusto).
  • Application authentication using a previously obtained valid AAD token issued to some other resource, provided that there is a trust relationship between that resource and Kusto.

AAD Server Application Permissions

In the general case, an AAD server application can define multiple permissions (e.g., a read-only permission and a read-write permission), and the AAD client application decides which permissions it needs when it requests an authorization token. As part of token acquisition, the user is asked to authorize the AAD client application to act on the user's behalf with these permissions. Should the user approve, these permissions are listed in the scope claim of the token that is issued to the AAD client application.

The AAD client application is configured to request the "Access Kusto" permission from the user (which AAD calls "the resource owner").

Kusto Client SDK as an AAD Client Application

When the Kusto client libraries invoke ADAL (the AAD client library) to acquire a token for communicating with Kusto, they provide the following information:

  1. The AAD tenant, as received from the caller
  2. The AAD client application ID
  3. The AAD client resource ID
  4. The AAD ReplyUrl (the URL that the AAD service redirects to after authentication completes successfully; ADAL then captures this redirect and extracts the authorization code from it)
  5. The cluster URI ('https://Cluster-and-region.kusto.chinacloudapi.cn')

The token returned by ADAL to the Kusto client library has the Kusto AAD server application as the audience and the "Access Kusto" permission as the scope.
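As an added illustration (not code from this page or from the Kusto libraries), the following shows the claim checks a service like Kusto applies to a presented token: audience, granted permission, issuing tenant and validity window, including the case of a token issued for another resource that Kusto trusts. The audience is the page's example cluster URI; the permission name, the trusted resource, the tenant ID and the sample tokens are constructed placeholders.

```python
import base64
import json

# Constructed placeholders: the audience is the page's example cluster URI; the
# permission name, trusted resource and tenant ID are assumptions for the demo.
KUSTO_AUDIENCE = "https://Cluster-and-region.kusto.chinacloudapi.cn"
TRUSTED_AUDIENCES = {KUSTO_AUDIENCE, "https://trusted-resource.example"}
REQUIRED_PERMISSION = "user_impersonation"  # assumed claim value for "Access Kusto"
ALLOWED_TENANTS = {"00000000-0000-0000-0000-000000000001"}  # placeholder tenant


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_sample_token(claims: dict) -> str:
    """Build a constructed JWT (fake signature) purely for this demonstration."""
    header = _b64url_encode({"alg": "RS256", "typ": "JWT"})
    return ".".join([header, _b64url_encode(claims), "fake-signature"])


def parse_claims(token: str) -> dict:
    """Return the payload claims. Signature verification against the tenant's
    published signing keys is mandatory in production and is not shown here."""
    header, payload, _sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") == "none":
        raise ValueError("rejecting unsigned token")
    return json.loads(_b64url_decode(payload))


def check_kusto_claims(claims: dict, now: int) -> list:
    """List every failed claim check; an empty list means the token is acceptable."""
    problems = []
    if claims.get("aud") not in TRUSTED_AUDIENCES:
        problems.append("audience is neither Kusto nor a resource Kusto trusts")
    # User tokens carry permissions in 'scp' (space-separated); app-only tokens in 'roles'.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if REQUIRED_PERMISSION not in granted:
        problems.append("token lacks the Access Kusto permission")
    if claims.get("tid") not in ALLOWED_TENANTS:
        problems.append("token issued by a tenant that is not allowed")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid")
    return problems
```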

Authenticating with AAD Programmatically

The following articles explain how to programmatically authenticate to Kusto with AAD: