在数据科学虚拟机上设置通用标识Set up a common identity on a Data Science Virtual Machine

在 Microsoft Azure 虚拟机 (VM)(包括数据科学虚拟机 (DSVM))上,可以在预配 VM 时创建本地用户帐户。On a Microsoft Azure virtual machine (VM), including a Data Science Virtual Machine (DSVM), you create local user accounts while provisioning the VM. 然后,用户使用这些凭据对 VM 进行身份验证。Users then authenticate to the VM by using these credentials. 如果用户需要访问多个 VM,凭据管理可能会非常麻烦。If you have multiple VMs that your users need to access, managing credentials can get very cumbersome. 一个很好的解决方案是通过基于标准的标识提供者来部署常见用户帐户和管理措施。An excellent solution is to deploy common user accounts and management through a standards-based identity provider. 通过此方法,只需使用一组凭据就能访问 Azure 上的多个资源,包括多个 DSVM。Through this approach, you can use a single set of credentials to access multiple resources on Azure, including multiple DSVMs.

Active Directory 是常用的标识提供者,可以在 Azure 上同时充当云服务和本地目录。Active Directory is a popular identity provider and is supported on Azure both as a cloud service and as an on-premises directory. 你可以使用 Azure Active Directory (Azure AD) 或本地 Active Directory 对 Azure 虚拟机规模集中的独立 DSVM 或 DSVM 群集上的用户进行身份验证。You can use Azure Active Directory (Azure AD) or on-premises Active Directory to authenticate users on a standalone DSVM or a cluster of DSVMs in an Azure virtual machine scale set. 你可以通过将 DSVM 实例加入 Active Directory 域来完成此操作。You do this by joining the DSVM instances to an Active Directory domain.

如果已有 Active Directory,可以将它用作通用标识提供者。If you already have Active Directory, you can use it as your common identity provider. 如果没有 Active Directory,则可以通过 Azure Active Directory 域服务 (Azure AD DS) 在 Azure 上运行托管的 Active Directory 实例。If you don't have Active Directory, you can run a managed Active Directory instance on Azure through Azure Active Directory Domain Services (Azure AD DS).

Azure AD 的文档提供了详细的托管说明,包括如何将 Azure AD 连接到本地目录的相关指南(如果有)。The documentation for Azure AD provides detailed management instructions, including guidance about connecting Azure AD to your on-premises directory if you have one.

本文介绍如何使用 Azure AD DS 在 Azure 上设置完全托管的 Active Directory 域服务。This article describes how to set up a fully managed Active Directory domain service on Azure by using Azure AD DS. 然后可以将 DSVM 加入托管的 Active Directory 域。You can then join your DSVMs to the managed Active Directory domain. 此方法使用户能够通过通用用户帐户和凭据访问 DSVM 池(和其他 Azure 资源)。This approach enables users to access a pool of DSVMs (and other Azure resources) through a common user account and credentials.

在 Azure 上设置完全托管的 Active Directory 域Set up a fully managed Active Directory domain on Azure

Azure AD DS 在 Azure 上提供完全托管的服务,简化了标识管理。Azure AD DS makes it simple to manage your identities by providing a fully managed service on Azure. 在此 Active Directory 域上,可以管理用户和组。On this Active Directory domain, you manage users and groups. 若要在目录中设置 Azure 托管的 Active Directory 域和用户帐户,请执行以下步骤:To set up an Azure-hosted Active Directory domain and user accounts in your directory, follow these steps:

  1. 在 Azure 门户中,将用户添加到 Active Directory:In the Azure portal, add the user to Active Directory:

    1. 使用属于目录全局管理员的帐户登录到 Azure Active Directory 管理中心Sign in to the Azure Active Directory admin center by using an account that's a global admin for the directory.

    2. 选择“Azure Active Directory”,然后选择“用户和组”。 Select Azure Active Directory and then Users and groups.

    3. 在“用户和组”中,选择“所有用户”,然后选择“新建用户” 。In Users and groups, select All users, and then select New user.

       The **User** pane opens:


    4. 输入用户的详细信息,如名称用户名Enter details for the user, such as Name and User name. 用户名的域名部分必须是初始默认域名“[domain name].onmicrosoft.com”,或已验证的非联合自定义域名(例如“contoso.com”)。The domain name portion of the user name must be either the initial default domain name "[domain name].onmicrosoft.com" or a verified, non-federated custom domain name such as "contoso.com."

    5. 复制或以其他方式记下生成的用户密码,以便在此过程完成后可以提供给用户。Copy or otherwise note the generated user password so that you can provide it to the user after this process is complete.

    6. (可选)可以打开“个人资料”、“组”或“目录角色”并在其中填写用户信息 。Optionally, you can open and fill out the information in Profile, Groups, or Directory role for the user.

    7. 在“用户”下,选择“创建” 。Under User, select Create.

    8. 以安全方式将生成的密码分发给新用户,以便用户可以登录。Securely distribute the generated password to the new user so that they can sign in.

  2. 创建 Azure AD DS 实例。Create an Azure AD DS instance. 按照使用 Azure 门户启用 Azure Active Directory 域服务中的说明(“创建实例并配置基本设置 ”一节)操作。Follow the instructions in Enable Azure Active Directory Domain Services using the Azure portal (the "Create an instance and configure basic settings" section). 必须更新 Active Directory 中的现有用户密码,以便同步 Azure AD DS 中的密码。It's important to update the existing user passwords in Active Directory so that the password in Azure AD DS is synced. 还应按该节中的“完成 Azure 门户‘基本信息’窗口中的字段以创建 Azure AD DS 实例”这部分内容所述,将 DNS 添加到 Azure AD DS,这也很重要。It's also important to add DNS to Azure AD DS, as described under "Complete the fields in the Basics window of the Azure portal to create an Azure AD DS instance" in that section.

  3. 在上一步骤“创建和配置虚拟网络”部分中所创建的虚拟网络中创建单独的 DSVM 子网。Create a separate DSVM subnet in the virtual network created in the "Create and configure the virtual network" section of the preceding step.

  4. 在 DSVM 子网中创建一个或多个 DSVM 实例。Create one or more DSVM instances in the DSVM subnet.

  5. 请按照说明将 DSVM 添加到 Active Directory。Follow the instructions to add the DSVM to Active Directory.

  6. 装载用于托管主目录或笔记本目录的 Azure 文件共享,以便可以在任何计算机上装载工作区。Mount an Azure Files share to host your home or notebook directory so that your workspace can be mounted on any machine. (如果需要严格的文件级别权限,则需在一个或多个 VM 上运行网络文件系统 [NFS]。)(If you need tight file-level permissions, you'll need Network File System [NFS] running on one or more VMs.)

    1. 创建 Azure 文件共享Create an Azure Files share.

    2. 在 Linux DSVM 上装载此共享。Mount this share on the Linux DSVM. 在 Azure 门户的存储帐户中选择 Azure 文件共享所对应的“连接” 时,将会显示可以在 Linux DSVM 的 Bash Shell 中运行的命令。When you select Connect for the Azure Files share in your storage account in the Azure portal, the command to run in the bash shell on the Linux DSVM appears. 命令如下所示:The command looks like this:

    sudo mount -t cifs //[STORAGEACCT].file.core.chinacloudapi.cn/workspace [Your mount point] -o vers=3.0,username=[STORAGEACCT],password=[Access Key or SAS],dir_mode=0777,file_mode=0777,sec=ntlmssp
  7. 例如,假设已将共享 Azure 文件装载在 /data/workspace 中。For example, assume that you mounted your Azure Files share in /data/workspace. 现在,为共享中的每个用户创建目录:/data/workspace/user1、/data/workspace/user2,依次类推。Now, create directories for each of your users in the share: /data/workspace/user1, /data/workspace/user2, and so on. 在每个用户的工作区中创建 notebooks 目录。Create a notebooks directory in each user's workspace.

  8. notebooks 中为 $HOME/userx/notebooks/remote 创建符号链接。Create symbolic links for notebooks in $HOME/userx/notebooks/remote.

现在,这些用户已在 Azure 中托管的 Active Directory 实例中。You now have the users in your Active Directory instance hosted in Azure. 通过使用 Active Directory 凭据,用户可以登录到已加入 Azure AD DS 的任何 DSVM(SSH 或 JupyterHub)。By using Active Directory credentials, users can sign in to any DSVM (SSH or JupyterHub) that's joined to Azure AD DS. 由于用户工作区位于共享 Azure 文件上,因此用户在使用 JupyterHub 时,可以访问其笔记本以及 DSVM 中的任何其他工作。Because the user workspace is on an Azure Files share, users have access to their notebooks and other work from any DSVM when they're using JupyterHub.

若要进行自动缩放,可以使用虚拟机规模集创建 VM 池。这些 VM 全都以这种方式加入域,并且已装载了共享磁盘。For autoscaling, you can use a virtual machine scale set to create a pool of VMs that are all joined to the domain in this fashion and with the shared disk mounted. 用户可以登录到虚拟机规模集中的任何可用计算机,然后访问在其中保存了笔记本的共享磁盘。Users can sign in to any available machine in the virtual machine scale set and have access to the shared disk where their notebooks are saved.

后续步骤Next steps