Security roles management

Important

Before altering authorization rules on your Kusto cluster(s), read the following: Kusto access control overview, role based authorization.

This article describes the control commands used to manage security roles. Security roles define which security principals (users and applications) have permissions to operate on a secured resource such as a database or a table, and what operations are permitted. For example, principals that have the database viewer security role for a specific database can query and view all entities of that database (with the exception of restricted tables).

A security role can be associated with security principals or security groups (which can contain other security principals or other security groups). When a security principal attempts an operation on a secured resource, the system checks that the principal is associated with at least one security role that grants permission to perform this operation on the resource. This is called an authorization check. Failing the authorization check aborts the operation.

Syntax

Syntax of security roles management commands:

Verb SecurableObjectType SecurableObjectName Role [( ListOfPrincipals ) [Description]]

  • Verb indicates the kind of action to perform: .show, .add, .drop, and .set.

    Verb   Description
    .show  Returns the current value or values.
    .add   Adds one or more principals to the role.
    .drop  Removes one or more principals from the role.
    .set   Sets the role to the specific list of principals, removing all previous ones (if any).

  • SecurableObjectType is the kind of object whose role is specified.

    SecurableObjectType  Description
    database             The specified database
    table                The specified table

  • SecurableObjectName is the name of the object.

  • Role is the name of the relevant role.

    Role                 Description
    principals           Can appear only as part of a .show verb; returns the list of principals that can affect the securable object.
    admins               Have control over the securable object, including the ability to view and modify it, and to remove the object and all sub-objects.
    users                Can view the securable object, and create new objects underneath it.
    viewers              Can view the securable object.
    unrestrictedviewers  At the database level only, allows viewing of restricted tables (which are not exposed to "normal" viewers and users).
    ingestors            At the database level only, allows data ingestion into all tables.
    monitors

  • ListOfPrincipals is an optional, comma-delimited list of security principal identifiers (values of type string).

  • Description is an optional value of type string that is stored alongside the association, for future audit purposes.
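The authorization check described above, as an added example that is not part of the original article: a small model in which role grants are taken from the role table (my reading of its descriptions), group membership is expanded transitively, and the two database-only roles are ignored on other object types. The group and principal names are constructed sample values.

```python
# Added example (not from the article): a minimal model of the authorization
# check, using this article's role table. Role grants are my reading of the
# descriptions; "monitors" is left out because the article gives it no description.
ROLE_GRANTS = {
    "admins": {"view", "modify", "remove", "create"},
    "users": {"view", "create"},
    "viewers": {"view"},
    "unrestrictedviewers": {"view_restricted"},  # database level only
    "ingestors": {"ingest"},                      # database level only
}
DATABASE_ONLY_ROLES = {"unrestrictedviewers", "ingestors"}


def expand_identities(principal, groups, seen=None):
    """Principal plus every security group containing it, transitively.

    `groups` maps a group name to its members (principals or other groups)."""
    seen = set() if seen is None else seen
    if principal in seen:        # also guards against membership cycles
        return seen
    seen.add(principal)
    for group, members in groups.items():
        if principal in members:
            expand_identities(group, groups, seen)
    return seen


def is_authorized(principal, operation, obj_kind, role_assignments, groups):
    """The authorization check: True if at least one security role associated
    with the principal (directly or via a group) grants `operation` on the
    securable object. `role_assignments` maps role -> set of principals/groups."""
    identities = expand_identities(principal, groups)
    for role, members in role_assignments.items():
        if role in DATABASE_ONLY_ROLES and obj_kind != "database":
            continue  # these roles exist only at the database level
        if identities & set(members) and operation in ROLE_GRANTS.get(role, set()):
            return True
    return False  # failing the check aborts the operation


# Constructed sample: a database where an AAD group holds the viewers role
# and an application holds the ingestors role.
SAMPLE_GROUPS = {"aadgroup=analysts@fabrikam.com": {"aaduser=msmith@fabrikam.com"}}
SAMPLE_DB_ROLES = {
    "viewers": {"aadgroup=analysts@fabrikam.com"},
    "ingestors": {"aadapp=ingest-pipeline"},
}
```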

Example

The following control command lists all security principals which have some access to the table StormEvents in the database:

.show table StormEvents principals

Here are potential results from this command:

Role                  PrincipalType  PrincipalDisplayName  PrincipalObjectId           PrincipalFQN
Database Apsty Admin  AAD User       Mark Smith            cd709aed-a26c-e3953dec735e  aaduser=msmith@fabrikam.com

Managing database security roles

.set database DatabaseName Role none [skip-results]

.set database DatabaseName Role ( Principal [, Principal...] ) [skip-results][description]

.add database DatabaseName Role ( Principal [, Principal...] ) [skip-results][description]

.drop database DatabaseName Role ( Principal [, Principal...] ) [skip-results][description]

The first command removes all principals from the role. The second removes all principals from the role and sets a new set of principals. The third adds new principals to the role without removing existing principals. The last removes the indicated principals from the role and keeps the others.

Where:

  • DatabaseName is the name of the database whose security role is being modified.

  • Role is: admins, ingestors, monitors, unrestrictedviewers, users, or viewers.

  • Principal is one or more principals. See principals and identity providers for how to specify these principals.

  • skip-results, if provided, requests that the command not return the updated list of database principals.

  • Description, if provided, is text that will be associated with the change and retrieved by the corresponding .show command.

Managing table security roles

.set table TableName Role none [skip-results]

.set table TableName Role ( Principal [, Principal...] ) [skip-results][description]

.add table TableName Role ( Principal [, Principal...] ) [skip-results][description]

.drop table TableName Role ( Principal [, Principal...] ) [skip-results][description]

The first command removes all principals from the role. The second removes all principals from the role and sets a new set of principals. The third adds new principals to the role without removing existing principals. The last removes the indicated principals from the role and keeps the others.

Where:

  • TableName is the name of the table whose security role is being modified.

  • Role is: admins or ingestors.

  • Principal is one or more principals. See principals and identity providers for how to specify these principals.

  • skip-results, if provided, requests that the command not return the updated list of table principals.

  • Description, if provided, is text that will be associated with the change and retrieved by the corresponding .show command.

Example

.add table Test admins ('aaduser=imike@fabrikam.com')

Managing function security roles

.set function FunctionName Role none [skip-results]

.set function FunctionName Role ( Principal [, Principal...] ) [skip-results][description]

.add function FunctionName Role ( Principal [, Principal...] ) [skip-results][description]

.drop function FunctionName Role ( Principal [, Principal...] ) [skip-results][description]

The first command removes all principals from the role. The second removes all principals from the role and sets a new set of principals. The third adds new principals to the role without removing existing principals. The last removes the indicated principals from the role and keeps the others.

Where:

  • FunctionName is the name of the function whose security role is being modified.

  • Role is always admin.

  • Principal is one or more principals. See principals and identity providers for how to specify these principals.

  • skip-results, if provided, requests that the command not return the updated list of function principals.

  • Description, if provided, is text that will be associated with the change and retrieved by the corresponding .show command.
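The verb semantics shared by the database, table and function sections above, as an added example that is not part of the original article: it models what .set none, .set, .add and .drop do to a role's principal set, renders commands in the documented syntax (rejecting roles a given object type does not allow, per the three "Where" lists), and computes the minimal .add/.drop pair that brings a role to a desired state instead of a blanket .set. Single-quoted string literals with backslash escaping are my assumption; the sample principals are constructed.

```python
# Added example (not from the article). Roles per object type follow the
# three "Where" lists; the function list says "admin" but its example uses
# "admins", so that spelling is used here.
ALLOWED_ROLES = {
    "database": {"admins", "ingestors", "monitors", "unrestrictedviewers", "users", "viewers"},
    "table": {"admins", "ingestors"},
    "function": {"admins"},
}


def apply_verb(current, verb, principals):
    """Resulting principal set for .set (empty list = 'none'), .add and .drop."""
    current, principals = set(current), set(principals)
    if verb == "set":
        return principals            # replaces all previous principals
    if verb == "add":
        return current | principals  # keeps existing principals
    if verb == "drop":
        return current - principals  # keeps the others
    raise ValueError(f"unknown verb {verb!r}")


def quote(value):
    """Single-quoted string literal with backslash escaping (assumed)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_command(verb, obj_type, obj_name, role, principals,
                  description=None, skip_results=False):
    """Render one control command; rejects roles the object type does not allow."""
    if role not in ALLOWED_ROLES[obj_type]:
        raise ValueError(f"role {role!r} is not valid for a {obj_type}")
    principals = sorted(set(principals))
    if not principals and verb != "set":
        raise ValueError("only .set accepts 'none'")
    parts = [f".{verb}", obj_type, obj_name, role]
    parts.append("(" + ", ".join(quote(p) for p in principals) + ")" if principals else "none")
    if skip_results:
        parts.append("skip-results")
    if description and principals:   # the 'none' form takes no description
        parts.append(quote(description))
    return " ".join(parts)


def reconcile(obj_type, obj_name, role, current, desired, description):
    """Minimal .add/.drop commands moving `current` to `desired`."""
    to_add, to_drop = set(desired) - set(current), set(current) - set(desired)
    cmds = []
    if to_add:
        cmds.append(build_command("add", obj_type, obj_name, role, to_add, description))
    if to_drop:
        cmds.append(build_command("drop", obj_type, obj_name, role, to_drop, description))
    return cmds
```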

Example

.add function MyFunction admins ('aaduser=imike@fabrikam.com') 'This user should have access'