Configure managed identity support in an existing Service Fabric cluster

To use Managed identities for Azure resources in your Service Fabric applications, first enable the Managed Identity Token Service on the cluster. This service is responsible for authenticating Service Fabric applications using their managed identities and for obtaining access tokens on their behalf. Once the service is enabled, you can see it in Service Fabric Explorer under the System section in the left pane, running under the name fabric:/System/ManagedIdentityTokenService.

Note

Service Fabric runtime version 6.5.658.9590 or higher is required to enable the Managed Identity Token Service.

You can find the Service Fabric version of a cluster from the Azure portal by opening the cluster resource and checking the Service Fabric version property in the Essentials section.

If the cluster is in Manual upgrade mode, you will need to first upgrade it to 6.5.658.9590 or later.

Enable Managed Identity Token Service in an existing cluster

To enable the Managed Identity Token Service in an existing cluster, you will need to initiate a cluster upgrade specifying two changes: (1) enabling the Managed Identity Token Service, and (2) requesting a restart of each node. First, add the following snippet to your cluster Azure Resource Manager template:

"fabricSettings": [
    {
        "name": "ManagedIdentityTokenService",
        "parameters": [
            {
                "name": "IsEnabled",
                "value": "true"
            }
        ]
    }
]

In order for the changes to take effect, you will also need to change the upgrade policy to specify a forceful restart of the Service Fabric runtime on each node as the upgrade progresses through the cluster. This restart ensures that the newly enabled system service is started and running on each node. In the snippet below, forceRestart is the essential setting that enables the restart. For the remaining parameters, use the values shown below or the existing custom values already specified for the cluster resource. Custom settings for the Fabric Upgrade Policy ('upgradeDescription') can be viewed from the Azure portal by selecting the 'Fabric Upgrades' option on the Service Fabric resource, or on resources.azure.com. Default options for the upgrade policy ('upgradeDescription') are not viewable from PowerShell or resources.azure.com. See ClusterUpgradePolicy for additional information.

"upgradeDescription": {
    "forceRestart": true,
    "healthCheckRetryTimeout": "00:45:00",
    "healthCheckStableDuration": "00:05:00",
    "healthCheckWaitDuration": "00:05:00",
    "upgradeDomainTimeout": "02:00:00",
    "upgradeReplicaSetCheckTimeout": "1.00:00:00",
    "upgradeTimeout": "12:00:00"
}

Note

Upon the successful completion of the upgrade, do not forget to roll back the forceRestart setting, to minimize the impact of subsequent upgrades.
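The three steps above (add the fabricSettings section, set forceRestart in the upgrade policy, roll forceRestart back afterwards) are edits to the cluster resource in an ARM template. The following script is an added example, not part of this article or of any Microsoft tooling: it applies those edits to a template loaded as JSON, without duplicating a ManagedIdentityTokenService section that is already present, preserves any custom upgradeDescription values already in the template, and refuses to proceed when a Manual-mode cluster's clusterCodeVersion is below the minimum runtime quoted above. The sample template, its resource name and its clusterCodeVersion are constructed for the example; the property names upgradeMode, clusterCodeVersion, fabricSettings and upgradeDescription are the standard ones on a Microsoft.ServiceFabric/clusters resource.

```python
import json
from copy import deepcopy

# Minimum runtime that accepts the ManagedIdentityTokenService section (from the article).
MIN_RUNTIME_VERSION = "6.5.658.9590"
CLUSTER_RESOURCE_TYPE = "Microsoft.ServiceFabric/clusters"

# Upgrade policy values quoted in the article; forceRestart is applied separately.
UPGRADE_POLICY_DEFAULTS = {
    "healthCheckRetryTimeout": "00:45:00",
    "healthCheckStableDuration": "00:05:00",
    "healthCheckWaitDuration": "00:05:00",
    "upgradeDomainTimeout": "02:00:00",
    "upgradeReplicaSetCheckTimeout": "1.00:00:00",
    "upgradeTimeout": "12:00:00",
}

# Constructed sample: a Manual-mode cluster with one existing fabricSettings section
# and one custom upgrade-policy value that must survive the edit.
SAMPLE_TEMPLATE = {
    "resources": [
        {
            "type": CLUSTER_RESOURCE_TYPE,
            "name": "sfcluster-example",            # constructed name
            "properties": {
                "upgradeMode": "Manual",
                "clusterCodeVersion": "7.0.470.9590",  # constructed version
                "fabricSettings": [
                    {"name": "Security",
                     "parameters": [{"name": "ClusterProtectionLevel", "value": "EncryptAndSign"}]}
                ],
                "upgradeDescription": {"healthCheckWaitDuration": "00:10:00"},
            },
        }
    ]
}


def version_tuple(version):
    """'6.5.658.9590' -> (6, 5, 658, 9590) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def runtime_is_supported(version):
    return version_tuple(version) >= version_tuple(MIN_RUNTIME_VERSION)


def cluster_properties(template):
    """Return the properties dict of the first Service Fabric cluster resource."""
    for resource in template.get("resources", []):
        if resource.get("type") == CLUSTER_RESOURCE_TYPE:
            return resource.setdefault("properties", {})
    raise ValueError("no %s resource in template" % CLUSTER_RESOURCE_TYPE)


def set_fabric_setting(props, section, name, value):
    """Idempotently set one fabricSettings parameter; other sections and parameters are kept."""
    sections = props.setdefault("fabricSettings", [])
    for sec in sections:
        if sec.get("name") == section:
            break
    else:
        sec = {"name": section, "parameters": []}
        sections.append(sec)
    params = sec.setdefault("parameters", [])
    for param in params:
        if param.get("name") == name:
            param["value"] = value
            return
    params.append({"name": name, "value": value})


def token_service_enabled(template):
    for sec in cluster_properties(template).get("fabricSettings", []):
        if sec.get("name") == "ManagedIdentityTokenService":
            return any(p.get("name") == "IsEnabled" and p.get("value") == "true"
                       for p in sec.get("parameters", []))
    return False


def enable_token_service(template):
    """Steps 1 and 2: enable the service and force a runtime restart on every node."""
    props = cluster_properties(template)
    code_version = props.get("clusterCodeVersion")
    if props.get("upgradeMode") == "Manual" and code_version and not runtime_is_supported(code_version):
        raise ValueError("cluster runtime %s is below %s; upgrade the cluster first"
                         % (code_version, MIN_RUNTIME_VERSION))
    set_fabric_setting(props, "ManagedIdentityTokenService", "IsEnabled", "true")
    policy = props.setdefault("upgradeDescription", {})
    for key, value in UPGRADE_POLICY_DEFAULTS.items():
        policy.setdefault(key, value)   # existing custom values win, as the article advises
    policy["forceRestart"] = True
    return template


def roll_back_force_restart(template):
    """Step 3: after the upgrade succeeds, stop forcing restarts on later upgrades."""
    cluster_properties(template).setdefault("upgradeDescription", {})["forceRestart"] = False
    return template


def explain_deployment_error(error):
    """Map the ParameterNotAllowed error from the troubleshooting section to its cause."""
    if error.get("code") == "ParameterNotAllowed" and "ManagedIdentityTokenService" in error.get("message", ""):
        return "cluster runtime is below " + MIN_RUNTIME_VERSION
    return None


if __name__ == "__main__":
    print(json.dumps(enable_token_service(deepcopy(SAMPLE_TEMPLATE)), indent=2))
```

Run the script against a template exported from the portal to produce the upgrade template; after the deployment reports success, run roll_back_force_restart on the same template and redeploy, which is the rollback the note above asks for.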

Errors and troubleshooting

If the deployment fails with the following message, it means the cluster is not running a high enough Service Fabric version:

{
    "code": "ParameterNotAllowed",
    "message": "Section 'ManagedIdentityTokenService' and Parameter 'IsEnabled' is not allowed."
}

Next steps