Set up authentication for Azure Machine Learning resources and workflows

APPLIES TO: Basic edition, Enterprise edition

In this article, you learn how to set up and configure authentication for various resources and workflows in Azure Machine Learning. There are multiple ways to authenticate to the service, ranging from simple UI-based auth for development or testing purposes to full Azure Active Directory service principal authentication. This article also explains how web-service authentication differs from the other flows, and how to authenticate to the Azure Machine Learning REST API.

This how-to shows you how to do the following tasks:

  • Use interactive UI authentication for testing/development
  • Set up service principal authentication
  • Authenticate to your workspace
  • Get OAuth 2.0 bearer tokens for the Azure Machine Learning REST API
  • Understand web-service authentication

See the concept article for a general overview of security and authentication within Azure Machine Learning.

Prerequisites

Interactive authentication

Most examples in the documentation for this service use interactive authentication in Jupyter notebooks as a simple method for testing and demonstration. It is a lightweight way to test what you're building. Two function calls automatically prompt you with a UI-based authentication flow.

Calling the from_config() function issues the prompt.

from azureml.core import Workspace
ws = Workspace.from_config()

The from_config() function looks for a JSON file containing your workspace connection information. You can also specify the connection details explicitly by using the Workspace constructor, which also prompts for interactive authentication. The two calls are equivalent.

ws = Workspace(subscription_id="your-sub-id",
               resource_group="your-resource-group-id",
               workspace_name="your-workspace-name"
              )

If you have access to multiple tenants, you may need to import the InteractiveLoginAuthentication class and explicitly define which tenant you are targeting. Calling its constructor also prompts you to log in, as the calls above do; pass the resulting object to the workspace call so the SDK authenticates against that tenant rather than the default one.

from azureml.core import Workspace
from azureml.core.authentication import InteractiveLoginAuthentication
interactive_auth = InteractiveLoginAuthentication(tenant_id="your-tenant-id")
# Hand the auth object to the workspace call so it is used instead of the default prompt
ws = Workspace.from_config(auth=interactive_auth)

While useful for testing and learning, interactive authentication does not help you build automated or headless workflows. Setting up service principal authentication is the best approach for automated processes that use the SDK.

Set up service principal authentication

This process is necessary for enabling authentication that is decoupled from a specific user login, which lets you authenticate to the Azure Machine Learning Python SDK in automated workflows. Service principal authentication also lets you authenticate to the REST API.

To set up service principal authentication, you first create an app registration in Azure Active Directory, and then grant your app role-based access to your ML workspace.

You need a storage account resource for storing any files that are written. In general this storage account incurs a negligible monthly cost. Additionally, if you haven't used the machine learning CLI extension before, install it with the following command.

az extension add -n azure-cli-ml

Note

You must be an admin on the subscription to perform the following steps.

Next, run the following command to create the service principal. Give it a name, in this case ml-auth.

az ad sp create-for-rbac --sdk-auth --name ml-auth

The output is JSON similar to the following. Take note of the clientId, clientSecret, and tenantId fields, as you will need them for other steps in this article. The clientSecret is a long-lived credential for the service principal: keep it in a secret store or an environment variable, never in source control, notebooks, or logs, and treat this whole JSON output as sensitive.

{
    "clientId": "your-client-id",
    "clientSecret": "your-client-secret",
    "subscriptionId": "your-sub-id",
    "tenantId": "your-tenant-id",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com",
    "activeDirectoryGraphResourceId": "https://graph.chinacloudapi.cn",
    "sqlManagementEndpointUrl": "https://management.core.chinacloudapi.cn:5555",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.chinacloudapi.cn"
}

Next, run the following command to get the details on the service principal you just created, using the clientId value from above as the input to the --id parameter.

az ad sp show --id your-client-id

The following is a simplified example of the JSON output from the command. Take note of the objectId field, as you will need its value for the next step.

{
    "accountEnabled": "True",
    "addIns": [],
    "appDisplayName": "ml-auth",
    ...
    ...
    ...
    "objectId": "your-sp-object-id",
    "objectType": "ServicePrincipal"
}

Next, use the following command to assign your service principal access to your machine learning workspace. You need your workspace name and its resource group name for the -w and -g parameters, respectively. For the --user parameter, use the objectId value from the previous step. The --role parameter sets the access role for the service principal; in general you will use either owner or contributor. Both have write access to existing resources such as compute clusters and datastores, but only owner can provision these resources. Follow least privilege: grant contributor unless the automation genuinely has to provision new resources. This command scopes the assignment to the single workspace, which is narrower than a subscription-level role and is what an automation identity should get.

az ml workspace share -w your-workspace-name -g your-resource-group-name --user your-sp-object-id --role owner

This call does not produce any output, but service principal authentication is now set up for your workspace.

Authenticate to your workspace

Now that you have service principal auth enabled, you can authenticate to your workspace in the SDK without physically logging in as a user. Use the ServicePrincipalAuthentication class constructor, with the values you got from the previous steps as the parameters. The tenant_id parameter maps to tenantId from above, service_principal_id maps to clientId, and service_principal_password maps to clientSecret.

from azureml.core.authentication import ServicePrincipalAuthentication

sp = ServicePrincipalAuthentication(tenant_id="your-tenant-id", # tenantID
                                    service_principal_id="your-client-id", # clientId
                                    service_principal_password="your-client-secret") # clientSecret

The sp variable now holds an authentication object that you use directly in the SDK. In general, it is a good idea to keep the IDs and secret used above out of the code, for example in environment variables as shown in the following code.

import os 

sp = ServicePrincipalAuthentication(tenant_id=os.environ['AML_TENANT_ID'],
                                    service_principal_id=os.environ['AML_PRINCIPAL_ID'],
                                    service_principal_password=os.environ['AML_PRINCIPAL_PASS'])

For automated workflows that run in Python and use the SDK primarily, you can use this object as-is in most cases for your authentication. The following code authenticates to your workspace using the auth object you just created.

from azureml.core import Workspace

ws = Workspace.get(name="ml-example", 
                   auth=sp,
                   subscription_id="your-sub-id")
ws.get_details()

Azure Machine Learning REST API auth

The service principal created in the steps above can also be used to authenticate to the Azure Machine Learning REST API. You use the Azure Active Directory client credentials grant flow, which allows service-to-service calls for headless authentication in automated workflows. The examples are implemented with the ADAL library in both Python and Node.js, but you can use any library that implements the OAuth 2.0 client credentials grant.

Note

MSAL.js is a newer library than ADAL, but you cannot do service-to-service authentication using client credentials with MSAL.js, since it is primarily a browser-side library intended for interactive/UI authentication tied to a specific user. The examples below use ADAL. Be aware that Microsoft has since deprecated ADAL; the confidential-client MSAL libraries (msal for Python and @azure/msal-node for Node.js) support the same client credentials flow and are the replacement for new code.

Node.js

Use the following steps to generate an auth token using Node.js. In your environment, run npm install adal-node. Then, use the tenantId, clientId, and clientSecret from the service principal you created in the steps above as the values of the matching variables in the following script.

const adal = require('adal-node').AuthenticationContext;

const authorityHostUrl = 'https://login.microsoftonline.com/';
const tenantId = 'your-tenant-id';
const authorityUrl = authorityHostUrl + tenantId;
const clientId = 'your-client-id';
const clientSecret = 'your-client-secret';
const resource = 'https://management.azure.com/';

const context = new adal(authorityUrl);

context.acquireTokenWithClientCredentials(
  resource,
  clientId,
  clientSecret,
  (err, tokenResponse) => {
    if (err) {
      console.log(`Token generation failed due to ${err}`);
    } else {
      console.dir(tokenResponse, { depth: null, colors: true });
    }
  }
);

The variable tokenResponse is an object that includes the token and associated metadata such as expiration time. Tokens are valid for 1 hour and are refreshed by running the same call again to retrieve a new token; the client credentials grant issues no refresh token. The following is a sample response.

{ 
    tokenType: 'Bearer',
    expiresIn: 3599,
    expiresOn: 2019-12-17T19:15:56.326Z,
    resource: 'https://management.azure.com/',
    accessToken: "random-oauth-token",
    isMRRT: true,
    _clientId: 'your-client-id',
    _authority: 'https://login.microsoftonline.com/your-tenant-id' 
}

Use the accessToken property to fetch the auth token, and send it on each call as an Authorization: Bearer header. See the REST API documentation for examples on how to use the token to make API calls.

Python

Use the following steps to generate an auth token using Python. In your environment, run pip install adal. Then, use the tenantId, clientId, and clientSecret from the service principal you created in the steps above as the values of the matching variables in the following script.

from adal import AuthenticationContext

client_id = "your-client-id"
client_secret = "your-client-secret"
authority_host = "https://login.microsoftonline.com"
tenant_id = "your-tenant-id"
authority = "{}/{}".format(authority_host, tenant_id)

auth_context = AuthenticationContext(authority)
# The first argument is the resource (token audience): the Azure Resource Manager endpoint
token_response = auth_context.acquire_token_with_client_credentials("https://management.azure.com/", client_id, client_secret)
# The response contains the bearer token itself; print it only in a throwaway test
print(token_response)

The variable token_response is a dictionary that includes the token and associated metadata such as expiration time. Tokens are valid for 1 hour and are refreshed by running the same call again to retrieve a new token; the client credentials grant issues no refresh token. The following is a sample response.

{
    'tokenType': 'Bearer', 
    'expiresIn': 3599, 
    'expiresOn': '2019-12-17 19:47:15.150205', 
    'resource': 'https://management.azure.com/', 
    'accessToken': 'random-oauth-token', 
    'isMRRT': True, 
    '_clientId': 'your-client-id', 
    '_authority': 'https://login.microsoftonline.com/your-tenant-id'
}

Use token_response["accessToken"] to fetch the auth token. See the REST API documentation for examples on how to use the token to make API calls.
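The exchange that ADAL performs in both scripts above, as an added example that is not part of the original page or of the ADAL library: it builds the raw OAuth 2.0 client credentials POST to the Azure AD v1 token endpoint, and then decodes the issued JWT (without verifying the signature, which is the resource server's job) to confirm that its aud, tid and appid claims match the resource, tenant and clientId you intended before the token is sent anywhere. The make_unsigned_test_jwt helper constructs an alg=none token for offline use only; the tenant and client values used in the test are placeholders.

```python
"""Added example: the client-credentials exchange behind ADAL, plus a claim
check on the token you get back. Not part of the original page or of ADAL.
No network call is made unless you invoke fetch_token() yourself."""
import base64
import json
import time
import urllib.parse
import urllib.request

AUTHORITY_HOST = "https://login.microsoftonline.com"
ARM_RESOURCE = "https://management.azure.com/"   # audience the AML REST API expects


def build_client_credentials_request(tenant_id, client_id, client_secret,
                                     resource=ARM_RESOURCE):
    """Return a urllib Request for the Azure AD v1 token endpoint: the POST that
    acquire_token_with_client_credentials sends under the hood."""
    url = f"{AUTHORITY_HOST}/{tenant_id}/oauth2/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def fetch_token(request, opener=urllib.request.urlopen):
    """Send the request; the JSON body carries access_token and expires_in."""
    with opener(request) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Use it to inspect what you were issued; the resource server verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(claims, tenant_id, client_id, resource=ARM_RESOURCE,
                       now=None):
    """Return a list of problems; empty means the token is the one you meant
    to get: right audience, right tenant, issued to your app, not expired."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != resource:
        problems.append(f"aud is {claims.get('aud')!r}, expected {resource!r}")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the tenant you authenticated against")
    if claims.get("appid") != client_id:
        problems.append("appid does not match the service principal's clientId")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; request a new one")
    return problems


def make_unsigned_test_jwt(claims):
    """Constructed, unsigned token for offline demos and tests only. Real
    tokens from Azure AD are RS256-signed; never accept alg=none in production."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Placeholder identifiers; a real run would use your tenantId/clientId/clientSecret
    req = build_client_credentials_request("your-tenant-id", "your-client-id", "your-client-secret")
    print(req.full_url, req.get_method())
    sample = make_unsigned_test_jwt({"aud": ARM_RESOURCE, "tid": "your-tenant-id",
                                     "appid": "your-client-id", "exp": int(time.time()) + 3599})
    print(check_token_claims(decode_jwt_claims(sample), "your-tenant-id", "your-client-id"))
```

The claim check catches the usual client-side mistakes before a request fails with 401: a token requested for a different resource (wrong aud), against the wrong tenant, or with another app registration. It is not a substitute for signature verification, which only the resource server needs to do.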

Web-service authentication

Web services in Azure Machine Learning use a different authentication pattern from what is described above. The easiest way to authenticate to deployed web services is key-based authentication, which generates static bearer-type authentication keys that do not need to be refreshed. If you only need to authenticate to a deployed web service, you do not need to set up service principal authentication as shown above. Because the keys are static, anyone holding a key can call the endpoint for as long as that key is valid; keep them in a secret store and regenerate them if they are exposed.

Web services deployed on Azure Kubernetes Service have key-based auth enabled by default. Azure Container Instances deployed services have key-based auth disabled by default, but you can enable it by setting auth_enabled=True when creating the ACI web service. The following is an example of creating an ACI deployment configuration with key-based auth enabled.

from azureml.core.webservice import AciWebservice

aci_config = AciWebservice.deploy_configuration(cpu_cores = 1,
                                                memory_gb = 1,
                                                auth_enabled=True)

Then you can use the custom ACI configuration in deployment using the Model class.

from azureml.core.model import Model, InferenceConfig

# myenv (an azureml Environment) and model (a registered Model) are assumed to be defined earlier
inference_config = InferenceConfig(entry_script="score.py",
                                   environment=myenv)
aci_service = Model.deploy(workspace=ws,
                           name="aci_service_sample",
                           models=[model],
                           inference_config=inference_config,
                           deployment_config=aci_config)
aci_service.wait_for_deployment(show_output=True)

To fetch the auth keys, use aci_service.get_keys(), which returns the primary and secondary keys. To regenerate a key, use the regen_key() function and pass either Primary or Secondary. Having two keys is what lets you rotate without downtime: move callers to one key, regenerate the other, then swap back.

aci_service.regen_key("Primary")
# or
aci_service.regen_key("Secondary")

Web services also support token-based authentication, but only for Azure Kubernetes Service deployments. See the how-to on consuming web services for additional information on authenticating.
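A client for a key-authenticated endpoint and a zero-downtime key rotation, as an added example that is not part of the original page or of the azureml SDK. scoring_request builds the request an AML web service expects (JSON body, key sent as Authorization: Bearer). FakeKeyAuthService is a constructed stand-in that mimics only the get_keys() and regen_key() methods used on this page, so the rotation can run offline; with a real AciWebservice or AksWebservice object rotate_keys works the same way, because it calls nothing but those two methods.

```python
"""Added example: call a key-authenticated AML web service and rotate its keys
without downtime. Not part of the original page or the azureml SDK."""
import json
import secrets
import urllib.request


def scoring_request(scoring_uri, key, payload):
    """Build the POST an AML web service expects: a JSON body and the static
    key presented as a bearer credential in the Authorization header."""
    return urllib.request.Request(
        scoring_uri, method="POST",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + key})


class FakeKeyAuthService:
    """Constructed stand-in for an AciWebservice/AksWebservice with key auth
    enabled: it exposes only the get_keys() and regen_key() methods used on
    this page, plus accepts() to play the role of the endpoint itself."""

    def __init__(self):
        self._keys = {"Primary": secrets.token_hex(16),
                      "Secondary": secrets.token_hex(16)}

    def get_keys(self):
        return self._keys["Primary"], self._keys["Secondary"]

    def regen_key(self, key):
        if key not in self._keys:
            raise ValueError("key must be 'Primary' or 'Secondary'")
        self._keys[key] = secrets.token_hex(16)

    def accepts(self, request):
        """Either current key is valid; a regenerated key is rejected at once."""
        auth = request.get_header("Authorization", "")
        return auth.startswith("Bearer ") and auth[len("Bearer "):] in self._keys.values()


def rotate_keys(service, client_config):
    """Rotate both keys with no window in which callers hold a dead key.
    client_config is whatever holds the key your callers send (a dict here);
    service needs only get_keys() and regen_key(), as the SDK objects have."""
    _, secondary = service.get_keys()
    client_config["key"] = secondary      # 1. callers switch to the secondary
    service.regen_key("Primary")          # 2. old primary retired; nobody uses it
    primary, _ = service.get_keys()
    client_config["key"] = primary        # 3. callers switch to the new primary
    service.regen_key("Secondary")        # 4. old secondary retired
    return client_config["key"]


if __name__ == "__main__":
    svc = FakeKeyAuthService()
    config = {"key": svc.get_keys()[0]}
    leaked = config["key"]
    rotate_keys(svc, config)
    probe = scoring_request("https://example.invalid/score", leaked, {"data": [[1, 2, 3]]})
    print("leaked key still accepted:", svc.accepts(probe))   # False
```

In a real deployment, step 1 and step 3 mean pushing the new key to every caller and waiting for them to pick it up before the next regen_key call; regenerate a key only once nothing is still presenting it.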

Token-based web-service authentication

When you enable token authentication for a web service, users must present an Azure Machine Learning JSON Web Token to the web service to access it. The token expires after a specified time frame and needs to be refreshed to continue making calls.

  • Token authentication is disabled by default when you deploy to Azure Kubernetes Service.
  • Token authentication isn't supported when you deploy to Azure Container Instances.

To control token authentication, use the token_auth_enabled parameter when you create or update a deployment.

If token authentication is enabled, you can use the get_token method to retrieve a JSON Web Token (JWT) and the time by which that token must be refreshed:

token, refresh_by = service.get_token()
print(token)

Important

You'll need to request a new token after the token's refresh_by time. If you need to refresh tokens outside of the Python SDK, one option is to use the REST API with service-principal authentication to periodically make the equivalent of the service.get_token() call, as discussed previously.
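An added example (not part of the original page or of the azureml SDK) of honouring refresh_by: RefreshingToken wraps any callable that returns (token, refresh_by), renews the token a safety margin before that time, and is the shape to wrap service.get_token in. It assumes refresh_by is a datetime, as the SDK documents it, and treats a naive value as UTC. FakeTokenIssuer and ManualClock are constructed stand-ins so the example runs offline; the same wrapper also fits the 1-hour Azure AD tokens from the REST API section if you turn their expiresOn value into a datetime.

```python
"""Added example: re-request a web-service JWT before its refresh_by time.
Not part of the original page or the azureml SDK."""
from datetime import datetime, timedelta, timezone


def _as_utc(dt):
    """refresh_by is assumed to be a datetime; a naive one is taken as UTC."""
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


class RefreshingToken:
    """Wraps a callable returning (token, refresh_by), e.g. service.get_token,
    and renews the token `margin` before refresh_by so no call goes out with
    a token that is about to expire."""

    def __init__(self, get_token, margin=timedelta(seconds=60), clock=None):
        self._get_token = get_token
        self._margin = margin
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._token = None
        self._refresh_by = None
        self.renewals = 0

    def current(self):
        """Return a token good for at least `margin` more, renewing if needed."""
        now = _as_utc(self._clock())
        if self._token is None or now >= self._refresh_by - self._margin:
            token, refresh_by = self._get_token()
            self._token, self._refresh_by = token, _as_utc(refresh_by)
            self.renewals += 1
        return self._token

    def auth_header(self):
        """Header to attach to the scoring request."""
        return {"Authorization": "Bearer " + self.current()}


class ManualClock:
    """Constructed clock for offline demos and tests; advance() moves time on."""

    def __init__(self, start=None):
        self.now = start or datetime(2020, 1, 1, tzinfo=timezone.utc)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)


class FakeTokenIssuer:
    """Constructed stand-in for service.get_token(): each call issues a fresh
    opaque token and the time by which it must be refreshed."""

    def __init__(self, clock, lifetime=timedelta(hours=1)):
        self._clock, self._lifetime, self.issued = clock, lifetime, 0

    def get_token(self):
        self.issued += 1
        return f"token-{self.issued}", self._clock() + self._lifetime


if __name__ == "__main__":
    clock = ManualClock()
    issuer = FakeTokenIssuer(clock)
    token = RefreshingToken(issuer.get_token, clock=clock)
    token.current()                 # first call fetches token-1
    clock.advance(59 * 60 + 30)     # 30 s short of refresh_by: inside the 60 s margin
    print(token.auth_header())      # carries token-2
```

Keep one RefreshingToken per process and call current() on every request rather than caching the string yourself; the margin is the one knob to tune, and it should cover the round trip to the workspace region discussed below.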

We strongly recommend that you create your Azure Machine Learning workspace in the same region as your Azure Kubernetes Service cluster.

To authenticate with a token, the web service makes a call to the region in which your Azure Machine Learning workspace is created. If your workspace's region is unavailable, you won't be able to fetch a token for your web service, even if your cluster is in a different region from your workspace. The result is that Azure AD authentication is unavailable until your workspace's region is available again.

Also, the greater the distance between your cluster's region and your workspace's region, the longer it takes to fetch a token.

Next steps