Get an Azure Active Directory token using a service principal

This article describes how a service principal defined in Azure Active Directory (Azure AD) can also act as a principal on which authentication and authorization policies can be enforced in Azure Databricks. Service principals in an Azure Databricks workspace can have different fine-grained access control than regular users (user principals).

A service principal acts in the client role and uses the OAuth 2.0 code grant flow to authorize to Azure Databricks resources.

You can manage service principals using the Databricks SCIM API (ServicePrincipals), or by following the procedure below in the Azure portal.

You can also use the Azure Active Directory Authentication Library (ADAL) to programmatically get an Azure AD access token for a user. See Get an Azure Active Directory token using Azure Active Directory Authentication Library.

Provision a service principal in Azure portal

  1. Log in to Azure portal.

  2. Navigate to Azure Active Directory > App Registrations > New Registrations. You should see a screen similar to this:

    [Screenshot: Register app]

  3. Click Certificates & secrets and generate a new client secret.

    [Screenshot: Register app]

  4. Copy and store that secret in a secure place, as this secret is the password for your application.

  5. Click Overview to look at details like Application (client) ID and Directory (tenant) ID.

Use an app identity to access resources covers how to provision an application (service principal) in Azure AD.

Get an Azure Active Directory access token

To access the Databricks REST API with the service principal, you get an Azure AD access token for the service principal. You can use the client credentials flow to get an access token, with the AzureDatabricks login application as the resource.

Replace the following parameters in the curl request:

  • Tenant ID: Tenant ID in Azure AD. Go to Azure Active Directory > Properties > Directory ID.
  • Client ID: The application (service principal) ID of the application you registered in Provision a service principal in Azure portal.
  • Azure Databricks resource ID: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d
  • Application secret: The secret generated for the application.

The token endpoint expects a POST with a form-encoded body:

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<client-id>&resource=<azure_databricks_resource_id>&client_secret=<application-secret>' \
https://login.microsoftonline.com/<tenant-id>/oauth2/token

The response should look like:

{
  "token_type": "Bearer",
  "expires_in": "599",
  "ext_expires_in": "599",
  "expires_on": "1575500666",
  "not_before": "1575499766",
  "resource": "2ff8...f879c1d",
  "access_token": "ABC0eXAiOiJKV1Q......un_f1mSgCHlA"
}

The access_token in the response is the Azure AD access token.

Use an Azure AD access token to access the Databricks REST API

In the following examples, replace <databricks-instance> with the per-workspace URL of your Azure Databricks deployment.

Admin user login

If any of the following are true, you must be in a Contributor or Owner role on the workspace resource in Azure to log in using the service principal access token:

  • The service principal does not belong to the workspace.
  • The service principal belongs to the workspace, but you want to add it automatically as an admin user.
  • You do not know the org ID of your workspace but you know the workspace resource ID in Azure.

You must provide:

  • The X-Databricks-Azure-Workspace-Resource-Id header, which contains the ID of the workspace resource in Azure. You construct the ID from the Azure subscription ID, resource group name, and workspace resource name.
  • A management access token for the Azure Resource Management endpoint.

Get the Azure Management Resource endpoint token

Replace the following parameters in the curl request:

  • Tenant ID: Tenant ID in Azure AD. Go to Azure Active Directory > Properties > Directory ID.
  • Client ID: The application (service principal) ID of the application you registered in Provision a service principal in Azure portal.
  • Management Resource endpoint: https://management.core.chinacloudapi.cn/
  • Application secret: The secret generated for the application.

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=<client-id>&resource=<management-resource-endpoint>&client_secret=<application-secret>' \
https://login.microsoftonline.com/<tenant-id>/oauth2/token

The response should look like:

{
  "token_type": "Bearer",
  "expires_in": "599",
  "ext_expires_in": "599",
  "expires_on": "1575500666",
  "not_before": "1575499766",
  "resource": "https://management.core.chinacloudapi.cn/",
  "access_token": "LMN0eXAiOiJKV1Q......un_f1mSgCHlA"
}

The access_token in the response is the management endpoint access token.
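Both token requests above (for the AzureDatabricks login application and for the management endpoint) are the same client credentials exchange with a different resource value. The following Python example is added here and is not part of the original article; the function names and environment variable names are this example's own, and the constants come from the article.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Resource values from the article: the AzureDatabricks login application
# and the Azure (China) management endpoint.
AZURE_DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
MANAGEMENT_RESOURCE_ENDPOINT = "https://management.core.chinacloudapi.cn/"

def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form_body) for the v1 token endpoint. The endpoint takes
    a POST with a form-encoded body, so the secret never appears in a URL."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "resource": resource,
        "client_secret": client_secret,
    })
    return url, body

def check_token_response(resp, expected_resource, now=None):
    """Return the access token from a token-endpoint JSON response, or raise
    ValueError if it is not a Bearer token for the requested resource or is
    outside the not_before/expires_on window (epoch seconds, as strings)."""
    now = int(time.time()) if now is None else now
    if resp.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if resp.get("resource") != expected_resource:
        raise ValueError("token issued for a different resource")
    if not int(resp["not_before"]) <= now < int(resp["expires_on"]):
        raise ValueError("token outside its validity window")
    return resp["access_token"]

def get_access_token(tenant_id, client_id, client_secret, resource):
    """Perform the request; only this function touches the network."""
    url, body = build_token_request(tenant_id, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return check_token_response(json.load(r), resource)

if __name__ == "__main__":
    # Credentials from the environment (names are this example's own), so
    # the secret stays out of shell history and `ps` output.
    e = os.environ
    print(get_access_token(e["AZURE_TENANT_ID"], e["AZURE_CLIENT_ID"],
                           e["AZURE_CLIENT_SECRET"], AZURE_DATABRICKS_RESOURCE_ID))
```

Pass MANAGEMENT_RESOURCE_ENDPOINT as the resource to obtain the management token instead.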

Use the management endpoint access token to access the Databricks REST API

  • Access token: Access token obtained in Get an Azure Active Directory access token.
  • Management access token: Management endpoint access token obtained in Get the Azure Management Resource endpoint token.
  • Subscription ID: Subscription ID of the Azure Databricks resource.
  • Resource group name: Name of the Azure Databricks resource group.
  • Workspace name: Name of the Azure Databricks workspace.

curl -X GET \
-H 'Authorization: Bearer <access-token>' \
-H 'X-Databricks-Azure-SP-Management-Token: <management-access-token>' \
-H 'X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Databricks/workspaces/<workspace-name>' \
https://<databricks-instance>/api/2.0/clusters/list

A sample request looks like:

curl -X GET \
-H 'Authorization: Bearer ABC0eXAiOiJKV1Q......un_f1mSgCHlA' \
-H 'X-Databricks-Azure-SP-Management-Token: LMN0eXAiOiJKV1Q......un_f1mSgCHlA' \
-H 'X-Databricks-Azure-Workspace-Resource-Id: /subscriptions/3f2e4d...2328b/resourceGroups/Ene...RG/providers/Microsoft.Databricks/workspaces/demo-databricks' \
https://<databricks-instance>/api/2.0/clusters/list

Non-admin user login

Note

Prior to this login, the service principal must be added to the workspace, either as part of the admin user login or using the Add service principal endpoint.

Use the access token as the Bearer token.

  • Access token: Token returned from the request in Get an Azure Active Directory access token.

Use an access token to access the Databricks REST API

curl -X GET \
-H 'Authorization: Bearer <access-token>' \
https://<databricks-instance>/api/2.0/clusters/list
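The admin login (three headers) and the non-admin login (Bearer token only) from the two sections above, as an added Python example that is not part of the original article; the helper names and environment variable names are this example's own, and the header names and resource ID layout come from the article.

```python
import json
import urllib.request

def workspace_resource_id(subscription_id, resource_group, workspace_name):
    """ARM resource ID of the workspace, as sent in the
    X-Databricks-Azure-Workspace-Resource-Id header."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Databricks/workspaces/{workspace_name}")

def databricks_headers(access_token, management_token=None, resource_id=None):
    """Admin login needs all three values; non-admin login needs only the
    access token. Supplying just one of the two extra values is a mistake,
    so refuse it instead of sending a half-formed request."""
    if (management_token is None) != (resource_id is None):
        raise ValueError("management token and workspace resource ID go together")
    headers = {"Authorization": f"Bearer {access_token}"}
    if management_token is not None:
        headers["X-Databricks-Azure-SP-Management-Token"] = management_token
        headers["X-Databricks-Azure-Workspace-Resource-Id"] = resource_id
    return headers

def list_clusters(databricks_instance, headers):
    """GET /api/2.0/clusters/list; only this function touches the network."""
    req = urllib.request.Request(
        f"https://{databricks_instance}/api/2.0/clusters/list", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)

if __name__ == "__main__":
    import os
    # Admin login: both tokens come from the two token requests shown earlier
    # and are read from the environment (variable names are this example's
    # own). For the non-admin login, call databricks_headers(token) alone.
    e = os.environ
    rid = workspace_resource_id(e["AZURE_SUBSCRIPTION_ID"],
                                e["AZURE_RESOURCE_GROUP"], e["DATABRICKS_WORKSPACE"])
    hdrs = databricks_headers(e["DATABRICKS_AAD_TOKEN"], e["AZURE_MGMT_TOKEN"], rid)
    print(json.dumps(list_clusters(e["DATABRICKS_INSTANCE"], hdrs), indent=2))
```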