Kusto 中基于角色的授权Role-based Authorization in Kusto
授权是允许或禁止执行操作所需的安全主体权限的过程。Authorization is the process of allowing or disallowing a security principal permission to carry out an action. Kusto 使用“基于角色的访问控制”模型。在该模型中,经过身份验证的主体会被映射到角色,并根据分配的角色获得访问权限。Kusto uses a role-based access control model, under which authenticated principals are mapped to roles, and get access according to the roles they're assigned.
Kusto 引擎服务具有以下角色:The Kusto Engine service has the following roles:
| 角色Role | 权限Permissions |
|---|---|
| 所有数据库管理员All Databases admin | 可以在任何数据库的范围内执行任何操作。Can do anything in the scope of any database. 可以显示和更改某些群集级别策略Can show and alter certain cluster-level policies |
| 数据库管理员Database admin | 可以在特定数据库的范围内执行任何操作Can do anything in the scope of a particular database |
| 数据库用户Database user | 可以读取数据库的所有数据和元数据。Can read all data and metadata of the database. 此外,可以创建表并成为这些表的表管理员,并在数据库中创建函数。Additionally, can create tables and become the table admin for those tables, and create functions in the database. |
| 所有数据库查看者All Databases viewer | 可以读取任何数据库的所有数据和元数据Can read all data and metadata of any database |
| 数据库查看器Database viewer | 可以读取特定数据库的所有数据和元数据Can read all data and metadata of a particular database |
| 数据库引入器Database ingestor | 可以将数据引入到数据库中的所有现有表,但不能查询数据Can ingest data to all existing tables in the database, but can't query the data |
| 数据库无限制查看器Database unrestrictedviewer | 可以查询数据库中已启用 RestrictedViewAccess 策略的所有表Can query all tables in the database that have the RestrictedViewAccess policy enabled |
| 数据库监视器Database monitor | 可以在数据库及其子实体的上下文中执行 .show 命令Can execute .show commands in the context of the database and its child entities |
| 函数管理员Function admin | 可以更改函数、删除函数或向其他主体授予管理员权限Can alter function, delete function, or grant admin permissions to another principal |
| 表管理员Table admin | 可以在特定表的范围内执行任何操作Can do anything in the scope of a particular table |
| 表引入器Table ingestor | 可以在特定表的范围内引入数据,但不能查询数据Can ingest data in the scope of a particular table, but can't query the data |
备注
若要授予来自其他租户的主体对群集的访问权限,请参阅允许跨租户查询和命令。To grant a principal from a different tenant access to your cluster, see Allow cross-tenant queries and commands.