Role-based Authorization in Kusto

Authorization is the process of granting or denying a security principal permission to carry out an action. Kusto uses a role-based access control model, under which authenticated principals are mapped to roles and get access according to the roles they're assigned.

The Kusto Engine service has the following roles:

| Role | Permissions |
|------|-------------|
| All Databases admin | Can do anything in the scope of any database. Can show and alter certain cluster-level policies. |
| Database admin | Can do anything in the scope of a particular database. |
| Database user | Can read all data and metadata of the database. Additionally, can create tables and become the table admin for those tables, and create functions in the database. |
| All Databases viewer | Can read all data and metadata of any database. |
| Database viewer | Can read all data and metadata of a particular database. |
| Database ingestor | Can ingest data to all existing tables in the database, but can't query the data. |
| Database unrestrictedviewer | Can query all tables in the database that have the RestrictedViewAccess policy enabled. |
| Database monitor | Can execute .show commands in the context of the database and its child entities. |
| Function admin | Can alter function, delete function, or grant admin permissions to another principal. |
| Table admin | Can do anything in the scope of a particular table. |
| Table ingestor | Can ingest data in the scope of a particular table, but can't query the data. |
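
The role table above maps directly onto least-privilege assignments. The following management commands are an added example, not part of the original page: the database `Telemetry`, the table `Events`, the group address and the `<...>` IDs are placeholders assumed for illustration. Each command is run on its own.

```kusto
// Over-privileged: an ingestion pipeline made Database user can read all
// data and metadata, create tables (becoming their table admin) and
// create functions, none of which ingestion needs.
.add database Telemetry users ('aadapp=<pipeline-app-id>;<tenant-id>') 'Ingestion pipeline'

// Least privilege: Table ingestor can write to one table only and
// cannot query any data.
.add table Events ingestors ('aadapp=<pipeline-app-id>;<tenant-id>') 'Ingestion pipeline'

// If the pipeline must write to every existing table in the database,
// Database ingestor is the widest role that still cannot query.
.add database Telemetry ingestors ('aadapp=<pipeline-app-id>;<tenant-id>') 'Ingestion pipeline'

// Analysts who only read get Database viewer on the one database,
// not All Databases viewer and not Database user.
.add database Telemetry viewers ('aadgroup=analysts@contoso.example') 'Read-only analysts'

// A health-check tool that only runs .show commands gets Database monitor.
.add database Telemetry monitors ('aadapp=<monitor-app-id>;<tenant-id>') 'Health checks'

// Revoke the over-broad assignment once the narrower one is in place.
.drop database Telemetry users ('aadapp=<pipeline-app-id>;<tenant-id>')

// Audit: list every principal and role on the database and on the table.
.show database Telemetry principals

.show table Events principals
```

Reviewing the output of the two `.show ... principals` commands periodically makes it easier to spot principals that hold a database-wide role where a table-scoped one would do.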