Security roles management
Important

Before altering authorization rules on your Kusto cluster(s), read the following: Kusto access control overview and role-based authorization.
This article describes the control commands used to manage security roles.

Security roles define which security principals (users and applications) have permissions to operate on a secured resource such as a database or a table, and what operations are permitted. For example, principals that have the database viewer security role for a specific database can query and view all entities of that database (with the exception of restricted tables).

A security role can be associated with security principals or security groups (which can in turn contain other security principals or security groups). When a security principal attempts an operation on a secured resource, the system checks that the principal is associated with at least one security role that grants permission to perform this operation on the resource. This is called an authorization check. Failing the authorization check aborts the operation.
Syntax

Syntax of security roles management commands:

```kusto
Verb SecurableObjectType SecurableObjectName Role [( ListOfPrincipals ) [ Description ]]
```
Verb indicates the kind of action to perform: .show, .add, .drop, and .set.

Verb | Description
---|---
.show | Returns the current value or values.
.add | Adds one or more principals to the role.
.drop | Removes one or more principals from the role.
.set | Sets the role to the specific list of principals, removing all previous ones (if any).

SecurableObjectType is the kind of object whose role is specified.
SecurableObjectType | Description
---|---
database | The specified database
table | The specified table
materialized-view | The specified materialized view

SecurableObjectName is the name of the object.
Role is the name of the relevant role.

Role | Description
---|---
principals | Can appear only as part of a .show verb; returns the list of principals that can affect the securable object.
admins | Have control over the securable object, including the ability to view it, modify it, and remove the object and all sub-objects.
users | Can view the securable object, and create new objects underneath it.
viewers | Can view the securable object.
unrestrictedviewers | At the database level only, allows viewing of restricted tables (which are not exposed to "normal" viewers and users).
ingestors | At the database level only, allows data ingestion into all tables.
monitors |
ListOfPrincipals is an optional, comma-delimited list of security principal identifiers (values of type string).

Description is an optional value of type string that is stored alongside the association, for future audit purposes.
Example

The following control command lists all security principals which have some access to the table StormEvents in the database:

```kusto
.show table StormEvents principals
```

Here are potential results from this command:

Role | PrincipalType | PrincipalDisplayName | PrincipalObjectId | PrincipalFQN
---|---|---|---|---
Database Apsty Admin | Azure AD User | Mark Smith | cd709aed-a26c-e3953dec735e | aaduser=msmith@fabrikam.com
Managing database security roles

```kusto
.set database DatabaseName Role none [skip-results]

.set database DatabaseName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

.add database DatabaseName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

.drop database DatabaseName Role ( Principal [, Principal...] ) [skip-results] [ Description ]
```
The first command removes all principals from the role. The second removes all principals from the role and sets a new set of principals. The third adds new principals to the role without removing existing principals. The last removes the indicated principals from the role and keeps the others.
Where:

- DatabaseName is the name of the database whose security role is being modified.
- Role is admins, ingestors, monitors, unrestrictedviewers, users, or viewers.
- Principal is one or more principals. See principals and identity providers for how to specify these principals.
- skip-results, if provided, requests that the command not return the updated list of database principals.
- Description, if provided, is text that will be associated with the change and retrieved by the corresponding .show command.
Managing table security roles

```kusto
.set table TableName Role none [skip-results]

.set table TableName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

.add table TableName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

.drop table TableName Role ( Principal [, Principal...] ) [skip-results] [ Description ]
```
The first command removes all principals from the role. The second removes all principals from the role and sets a new set of principals. The third adds new principals to the role without removing existing principals. The last removes the indicated principals from the role and keeps the others.
Where:

- TableName is the name of the table whose security role is being modified.
- Role is admins or ingestors.
- Principal is one or more principals. See principals and identity providers for how to specify these principals.
- skip-results, if provided, requests that the command not return the updated list of table principals.
- Description, if provided, is text that will be associated with the change and retrieved by the corresponding .show command.
Example

```kusto
.add table Test admins ('aaduser=imike@fabrikam.com')
```
Managing materialized view security roles

```kusto
.show materialized-view MaterializedViewName principals

.set materialized-view MaterializedViewName admins ( Principal [, Principal...] )

.add materialized-view MaterializedViewName admins ( Principal [, Principal...] )

.drop materialized-view MaterializedViewName admins ( Principal [, Principal...] )
```
Where:

- MaterializedViewName is the name of the materialized view whose security role is being modified.
- Principal is one or more principals. See principals and identity providers for how to specify these principals.
Managing function security roles

```kusto
.set function FunctionName Role none [skip-results]

.set function FunctionName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

.add function FunctionName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

.drop function FunctionName Role ( Principal [, Principal...] ) [skip-results] [ Description ]
```
The first command removes all principals from the role. The second removes all principals from the role and sets a new set of principals. The third adds new principals to the role without removing existing principals. The last removes the indicated principals from the role and keeps the others.
Where:

- FunctionName is the name of the function whose security role is being modified.
- Role is always admin.
- Principal is one or more principals. See principals and identity providers for how to specify these principals.
- skip-results, if provided, requests that the command not return the updated list of function principals.
- Description, if provided, is text that will be associated with the change and retrieved by the corresponding .show command.
Example

```kusto
.add function MyFunction admins ('aaduser=imike@fabrikam.com') 'This user should have access'
```
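The following Python module is an added example and is not Microsoft's or Kusto's code. It models the command grammar from the Syntax section and the .set / .add / .drop semantics that the database, table, materialized-view and function sections above all share: `build_command` emits command text and rejects role names the page does not define for a given securable object type, `apply_command` reproduces the "replace everything / keep existing / keep the others" behaviour on an in-memory set, and `reconcile` produces the minimal commands that bring a role back to an allow-list, each carrying a Description so the change is later retrievable with .show. The principal-identifier regex, the 'Apsty' scenario in `__main__`, and the use of 'admins' (rather than 'admin') for functions follow the page's own examples and are assumptions, not documented rules.

```python
"""Offline model of the security-role commands described on this page.

Added example, not Microsoft's code. It encodes the verbs, securable object
types and per-type role names from the page's tables, keeps an in-memory copy
of a role's principal set so the .set / .add / .drop semantics can be
exercised without a cluster, and emits the control command text that would
bring a live role back to an allow-listed set of principals.
"""
import re

# Role names the page lists for each securable object type.
# The function section's example uses 'admins', so that spelling is used here.
ROLES_BY_TYPE = {
    "database": {"admins", "ingestors", "monitors", "unrestrictedviewers", "users", "viewers"},
    "table": {"admins", "ingestors"},
    "materialized-view": {"admins"},
    "function": {"admins"},
}

# Assumption: a principal identifier has the shape 'provider=identity', as in
# the page's sample value 'aaduser=msmith@fabrikam.com'. Other providers from
# the "principals and identity providers" page are not validated further here.
PRINCIPAL_RE = re.compile(r"^[a-z]+=\S+$")


def build_command(verb, obj_type, obj_name, role, principals=(),
                  skip_results=False, description=None):
    """Return the text of one .set / .add / .drop role-management command.

    Raises ValueError for an unknown verb or object type, for a role the page
    does not define for that object type, for a malformed principal, and for
    an .add or .drop without any principals (the syntax requires at least one).
    """
    if verb not in (".set", ".add", ".drop"):
        raise ValueError(f"unsupported verb {verb!r}")
    if obj_type not in ROLES_BY_TYPE:
        raise ValueError(f"unsupported securable object type {obj_type!r}")
    if role not in ROLES_BY_TYPE[obj_type]:
        raise ValueError(f"role {role!r} is not defined for {obj_type}")
    bad = [p for p in principals if not PRINCIPAL_RE.match(p)]
    if bad:
        raise ValueError(f"malformed principal identifiers: {bad}")
    if not principals and verb != ".set":
        raise ValueError(f"{verb} needs at least one principal")
    parts = [verb, obj_type, obj_name, role]
    if principals:
        parts.append("(" + ", ".join(f"'{p}'" for p in principals) + ")")
    else:
        parts.append("none")  # '.set ... Role none' clears the role; it takes no Description
    if skip_results:
        parts.append("skip-results")
    if description is not None and principals:
        parts.append(f"'{description}'")
    return " ".join(parts)


def apply_command(state, verb, role, principals):
    """Apply the page's semantics to an in-memory {role: set(principals)} map
    and return the role's resulting principal set."""
    current = state.setdefault(role, set())
    if verb == ".set":
        state[role] = set(principals)   # replaces the whole list; empty == 'none'
    elif verb == ".add":
        current |= set(principals)      # existing principals are kept
    elif verb == ".drop":
        current -= set(principals)      # the other principals are kept
    else:
        raise ValueError(f"unsupported verb {verb!r}")
    return state[role]


def reconcile(obj_type, obj_name, role, current, desired,
              description="role reconciliation"):
    """Commands that move the role's `current` principals to exactly `desired`.

    Emits '.set ... none' when the role should be emptied; otherwise a .drop
    for surplus principals followed by an .add for missing ones, so the
    generated text shows exactly who loses and who gains access before it is
    run. The Description is kept so the change is retrievable via .show later.
    """
    current, desired = set(current), set(desired)
    if not desired:
        return [build_command(".set", obj_type, obj_name, role, skip_results=True)]
    commands = []
    surplus = sorted(current - desired)
    missing = sorted(desired - current)
    if surplus:
        commands.append(build_command(".drop", obj_type, obj_name, role, surplus,
                                      skip_results=True, description=description))
    if missing:
        commands.append(build_command(".add", obj_type, obj_name, role, missing,
                                      skip_results=True, description=description))
    return commands


if __name__ == "__main__":
    # Constructed scenario: the viewers role on the page's 'Apsty' database has
    # drifted to two principals; the allow-list says only Mark Smith belongs.
    state = {}
    apply_command(state, ".set", "viewers", ["aaduser=msmith@fabrikam.com"])
    apply_command(state, ".add", "viewers", ["aaduser=imike@fabrikam.com"])
    allowed = {"aaduser=msmith@fabrikam.com"}
    for cmd in reconcile("database", "Apsty", "viewers", state["viewers"], allowed):
        print(cmd)
```

`reconcile` deliberately prefers a .drop followed by an .add over a single .set with the full desired list: the .set form is shorter, but the generated .drop line is the one a reviewer needs to see, because it names exactly which principals lose access. When the desired set is empty the function falls back to `.set ... none`, which is the page's form for clearing a role.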