Principals and Identity Providers

The Kusto authorization model supports several identity providers (IdPs) and multiple principal types. This article reviews the supported principal types and demonstrates their use with role assignment commands.

Azure Active Directory

Azure Active Directory (AAD) is Azure's preferred multi-tenant cloud directory service and identity provider, capable of authenticating security principals directly or federating with other identity providers, such as Microsoft's Active Directory.

AAD is the preferred method for authenticating to Kusto. It supports a number of authentication scenarios:

  • User authentication (interactive logon): Used to authenticate human principals.
  • Application authentication (non-interactive logon): Used to authenticate services and applications that have to run and authenticate with no human user present.

Note

Azure Active Directory does not allow authentication of service accounts (which are, by definition, on-premises AD entities). The AAD equivalent of an AD service account is the AAD application.

AAD Group principals

Kusto only supports Security Group principals (not Distribution Group ones). An attempt to set up access for a DG on a Kusto cluster results in an error.

AAD Tenants

If the AAD tenant is not explicitly specified, Kusto attempts to resolve it from the UPN (UniversalPrincipalName, e.g., johndoe@fabrikam.com), if one is provided. If your principal doesn't include tenant information (it is not in UPN form), you must state it explicitly by appending the tenant ID or name to the principal descriptor.

Examples for AAD principals

AAD Tenant      | Type  | Syntax
Implicit (UPN)  | User  | aaduser=UserEmailAddress
Explicit (ID)   | User  | aaduser=UserEmailAddress;TenantId or aaduser=ObjectID;TenantId
Explicit (Name) | User  | aaduser=UserEmailAddress;TenantName or aaduser=ObjectID;TenantName
Implicit (UPN)  | Group | aadgroup=GroupEmailAddress
Explicit (ID)   | Group | aadgroup=GroupObjectId;TenantId or aadgroup=GroupDisplayName;TenantId
Explicit (Name) | Group | aadgroup=GroupObjectId;TenantName or aadgroup=GroupDisplayName;TenantName
Explicit (UPN)  | App   | aadapp=ApplicationDisplayName;TenantId
Explicit (Name) | App   | aadapp=ApplicationId;TenantName

// No need to specify AAD tenant for UPN, as Kusto performs the resolution by itself
.add database Test users ('aaduser=imikeoein@fabrikam.com') 'Test user (AAD)'

// AAD SG on 'fabrikam.com' tenant
.add database Test users ('aadgroup=SGDisplayName;fabrikam.com') 'Test group @fabrikam.com (AAD)'

// AAD App on 'fabrikam.com' tenant - by tenant name
.add database Test users ('aadapp=4c7e82bd-6adb-46c3-b413-fdd44834c69b;fabrikam.com') 'Test app @fabrikam.com (AAD)'

Microsoft Accounts (MSAs)

Microsoft Accounts (MSAs) is the term for all Microsoft-managed non-organizational user accounts, e.g. hotmail.com, live.com, outlook.com. Kusto supports user authentication for MSAs (note that there is no security groups concept), which are identified by their UPN (Universal Principal Name). When an MSA principal is configured on a Kusto resource, Kusto does not attempt to resolve the UPN provided.

Examples for MSA principals

IdP      | Type | Syntax
Live.com | User | msauser=john.doe@live.com

.add database Test users ('msauser=john.doe@live.com') 'Test user (live.com)'
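As an added example (not from the Kusto documentation, the Kusto service or its client libraries), the following Python helper checks a principal descriptor against the AAD and MSA rules described above before building an '.add database ... users' command; the descriptor grammar it enforces and the loose UPN pattern are my own assumptions, not Kusto's implementation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed loose UPN shape: something@domain.tld with no ';' (the tenant separator) or quote inside
UPN_RE = re.compile(r"^[^@;\s']+@[^@;\s']+\.[^@;\s']+$")
KINDS = ("aaduser", "aadgroup", "aadapp", "msauser")

@dataclass
class Principal:
    kind: str                # aaduser, aadgroup, aadapp or msauser
    identifier: str          # UPN, object ID, display name or application ID
    tenant: Optional[str]    # tenant ID or name; None when Kusto resolves it from the UPN

def parse_principal(descriptor: str) -> Principal:
    """Parse '<kind>=<identifier>[;<tenant>]' and enforce the tenant rules from the tables."""
    if "'" in descriptor:
        raise ValueError("quote characters are not allowed in a principal descriptor")
    kind, sep, rest = descriptor.partition("=")
    if not sep or kind not in KINDS:
        raise ValueError(f"unknown principal type in {descriptor!r}")
    identifier, _, tenant = rest.partition(";")
    if not identifier:
        raise ValueError("empty identifier")
    tenant = tenant or None          # a trailing ';' with nothing after it is not a tenant
    is_upn = bool(UPN_RE.match(identifier))
    if kind == "msauser":
        # MSAs: UPN only, no security groups, and no tenant suffix
        if tenant or not is_upn:
            raise ValueError("msauser must be a bare UPN such as user@live.com")
    elif kind == "aadapp":
        # Applications always carry an explicit tenant ID or name
        if not tenant:
            raise ValueError("aadapp requires ';TenantId' or ';TenantName'")
    elif not is_upn and not tenant:
        # Object IDs and display names carry no tenant information, so it must be explicit
        raise ValueError(f"{kind} with a non-UPN identifier requires ';TenantId' or ';TenantName'")
    return Principal(kind, identifier, tenant)

def is_valid(descriptor: str) -> bool:
    try:
        parse_principal(descriptor)
        return True
    except ValueError:
        return False

def add_users_command(database: str, descriptor: str, notes: str) -> str:
    """Build the '.add database <db> users' command only for a descriptor that passed validation."""
    p = parse_principal(descriptor)          # raises before any command text is produced
    tenant_part = f";{p.tenant}" if p.tenant else ""
    return f".add database {database} users ('{p.kind}={p.identifier}{tenant_part}') '{notes}'"
```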