Configure managed identities for your Azure Data Explorer cluster

A managed identity from Azure Active Directory allows your cluster to access other AAD-protected resources, such as Azure Key Vault, without handling credentials itself. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. This article shows you how to create a managed identity for an Azure Data Explorer cluster. Managed identity configuration is currently supported only to enable customer-managed keys for your cluster.

Note

Managed identities for Azure Data Explorer won't behave as expected if your Azure Data Explorer cluster is migrated across subscriptions or tenants. The cluster will need to obtain a new identity, which can be done by disabling and re-enabling the feature. Access policies of downstream resources will also need to be updated to use the new identity.

Add a system-assigned identity

Assign a system-assigned identity that is tied to your cluster and is deleted if your cluster is deleted. A cluster can have only one system-assigned identity. Creating a cluster with a system-assigned identity requires an additional property to be set on the cluster. The system-assigned identity is added using C#, ARM templates, or the Azure portal, as detailed below.

Add a system-assigned identity using the Azure portal

  1. Sign in to the Azure portal.

New Azure Data Explorer cluster

  1. Create an Azure Data Explorer cluster.

  2. In the Security tab > System assigned identity, select On. To remove the system-assigned identity, select Off.

  3. Select Next: Tags> or Review + create to create the cluster.

    Screenshot: Add a system-assigned identity to a new cluster

Existing Azure Data Explorer cluster

  1. Open an existing Azure Data Explorer cluster.

  2. Select Settings > Identity in the left pane of the portal.

  3. In the Identity pane > System assigned tab:

    1. Move the Status slider to On.
    2. Select Save.
    3. In the pop-up window, select Yes.

    Screenshot: Add a system-assigned identity

  4. After a few minutes, the screen shows:

  • Object ID - used for customer-managed keys

  • Role assignments - click the link to assign the relevant roles

    Screenshot: System-assigned identity is on

Disable a system-assigned identity

Removing a system-assigned identity also deletes it from AAD. System-assigned identities are also automatically removed from AAD when the cluster resource is deleted. A system-assigned identity can be removed by disabling the feature. The system-assigned identity is removed using C#, ARM templates, or the Azure portal, as detailed below.

Disable a system-assigned identity using the Azure portal

  1. Sign in to the Azure portal.

  2. Select Settings > Identity in the left pane of the portal.

  3. In the Identity pane > System assigned tab:

    1. Move the Status slider to Off.
    2. Select Save.
    3. In the pop-up window, select Yes to disable the system-assigned identity. The Identity pane reverts to the same state as before the system-assigned identity was added.

    Screenshot: System-assigned identity is off
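The article notes that the same add and disable operations can be done with an ARM template instead of the portal. The template below is an added example, not from the original article or the Azure documentation: it deploys the cluster with the identity property set to SystemAssigned and exposes the resulting principal ID (the Object ID the portal shows), which is the value you authorize in Key Vault for customer-managed keys. Redeploying with identityType set to None disables the identity, the same effect as the Off slider above. The cluster name, SKU, and API version are assumptions; check the current Microsoft.Kusto schema for your environment.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "clusterName": {
      "type": "string",
      "metadata": { "description": "Azure Data Explorer cluster name (placeholder, supply your own)." }
    },
    "identityType": {
      "type": "string",
      "defaultValue": "SystemAssigned",
      "allowedValues": [ "SystemAssigned", "None" ],
      "metadata": { "description": "SystemAssigned enables the identity; None disables it and removes it from AAD." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Kusto/clusters",
      "apiVersion": "2019-09-07",
      "name": "[parameters('clusterName')]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_D13_v2",
        "tier": "Standard",
        "capacity": 2
      },
      "identity": {
        "type": "[parameters('identityType')]"
      }
    }
  ],
  "outputs": {
    "principalId": {
      "type": "string",
      "value": "[if(equals(parameters('identityType'), 'SystemAssigned'), reference(resourceId('Microsoft.Kusto/clusters', parameters('clusterName')), '2019-09-07', 'Full').identity.principalId, '')]"
    }
  }
}
```

Keep the sku block identical to the cluster's current SKU when you redeploy only to change the identity, since an incremental deployment of this resource type applies every property in the template. After a migration across subscriptions or tenants, redeploy once with None and once with SystemAssigned, then grant the new principalId in the downstream resources' access policies, as the note at the top of the article requires.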

Next steps