Run a service as a local user account or local system account

By using Azure Service Fabric, you can secure applications that are running in the cluster under different user accounts. By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Service Fabric also provides the capability to run applications under a local user or system account. Supported local system account types are LocalUser, NetworkService, LocalService, and LocalSystem. If you're running Service Fabric on a Windows standalone cluster, you can run a service under Active Directory domain accounts or group managed service accounts.

In the application manifest, you define the user accounts required to run services or secure resources in the Principals section. You can also define and create user groups so that one or more users can be managed together. This is useful when there are multiple users for different service entry points and they need common privileges that are available at the group level. The users are then referenced in a RunAs policy, which is applied to a specific service or all the services in the application.

By default, the RunAs policy is applied to the main entry point. You can also apply a RunAs policy to the setup entry point, if you need to run certain high-privilege setup operations under a system account, or to both the main and setup entry points.

Note

If you apply a RunAs policy to a service and the service manifest declares endpoint resources with the HTTP protocol, you must specify a SecurityAccessPolicy. For more information, see Assign a security access policy for HTTP and HTTPS endpoints.

Run a service as a local user

You can create a local user that can be used to help secure a service within the application. When a LocalUser account type is specified in the Principals section of the application manifest, Service Fabric creates local user accounts on the machines where the application is deployed. By default, these accounts do not have the same names as those specified in the application manifest (for example, Customer3 in the following application manifest example). Instead, their names are dynamically generated and they have random passwords.

In the RunAsPolicy section for a ServiceManifestImport, specify the user account from the Principals section to run the service code package. The following example shows how to create a local user and apply a RunAs policy to the main entry point:

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="Application7Type" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="Web1_InstanceCount" DefaultValue="-1" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="Web1Pkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="Customer3" EntryPointType="Main" />
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>
    <Service Name="Web1" ServicePackageActivationMode="ExclusiveProcess">
      <StatelessService ServiceTypeName="Web1Type" InstanceCount="[Web1_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
  <Principals>
    <Users>
      <User Name="Customer3" />
    </Users>
  </Principals>
</ApplicationManifest>

Create a local user group

You can create user groups and add one or more users to the group. This is useful if there are multiple users for different service entry points and they need certain common privileges that are available at the group level. The following application manifest example shows a local group named LocalAdminGroup that has administrator privileges. Two users, Customer1 and Customer2, are made members of this local group. In the ServiceManifestImport section, a RunAs policy is applied to run the Stateful1Pkg code package as Customer2. Another RunAs policy is applied to run the Web1Pkg code package as Customer1.

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="Application7Type" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="Stateful1_MinReplicaSetSize" DefaultValue="3" />
    <Parameter Name="Stateful1_PartitionCount" DefaultValue="1" />
    <Parameter Name="Stateful1_TargetReplicaSetSize" DefaultValue="3" />
    <Parameter Name="Web1_InstanceCount" DefaultValue="-1" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="Stateful1Pkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="Customer2" EntryPointType="Main"/>
    </Policies>
  </ServiceManifestImport>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="Web1Pkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="Customer1" EntryPointType="Main"/>
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>
    <Service Name="Stateful1" ServicePackageActivationMode="ExclusiveProcess">
      <StatefulService ServiceTypeName="Stateful1Type" TargetReplicaSetSize="[Stateful1_TargetReplicaSetSize]" MinReplicaSetSize="[Stateful1_MinReplicaSetSize]">
        <UniformInt64Partition PartitionCount="[Stateful1_PartitionCount]" LowKey="-9223372036854775808" HighKey="9223372036854775807" />
      </StatefulService>
    </Service>
    <Service Name="Web1" ServicePackageActivationMode="ExclusiveProcess">
      <StatelessService ServiceTypeName="Web1Type" InstanceCount="[Web1_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
  <Principals>
    <Groups>
      <Group Name="LocalAdminGroup">
        <Membership>
          <SystemGroup Name="Administrators" />
        </Membership>
      </Group>
    </Groups>
    <Users>
      <User Name="Customer1">
        <MemberOf>
          <Group NameRef="LocalAdminGroup" />
        </MemberOf>
      </User>
      <User Name="Customer2">
        <MemberOf>
          <Group NameRef="LocalAdminGroup" />
        </MemberOf>
      </User>
    </Users>
  </Principals>
</ApplicationManifest>

Apply a default policy to all service code packages

You use the DefaultRunAsPolicy section to specify a default user account for all code packages that don't have a specific RunAsPolicy defined. If most of the code packages specified in the service manifests used by an application need to run under the same user, the application can just define a default RunAs policy with that user account. The following example specifies that if a code package does not have a RunAsPolicy specified, the code package should run under the MyDefaultAccount user specified in the Principals section. Supported account types are LocalUser, NetworkService, LocalSystem, and LocalService. If using a local user or service, also specify the account name and password.

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="Application7Type" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="Web1_InstanceCount" DefaultValue="-1" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="Web1Pkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides />
  </ServiceManifestImport>
  <DefaultServices>
    <Service Name="Web1" ServicePackageActivationMode="ExclusiveProcess">
      <StatelessService ServiceTypeName="Web1Type" InstanceCount="[Web1_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
  </DefaultServices>
  <Principals>
    <Users>
      <User Name="MyDefaultAccount" AccountType="NetworkService" />
    </Users>
  </Principals>
  <Policies>
    <DefaultRunAsPolicy UserRef="MyDefaultAccount" />
  </Policies>
</ApplicationManifest>

Debug a code package locally using console redirection

Occasionally, it's useful for debugging purposes to see the console output from a running service. You can set a console redirection policy on the entry point in the service manifest, which writes the output to a file. The file output is written to the application folder called log on the cluster node where the application is deployed and run.

Warning

Never use the console redirection policy in an application that is deployed in production, because this can affect application failover. Only use it for local development and debugging purposes.

The following service manifest example shows how to enable console redirection with a FileRetentionCount value:

<CodePackage Name="Code" Version="1.0.0">
    <EntryPoint>
      <ExeHost>
        <Program>VotingWeb.exe</Program>
        <WorkingFolder>CodePackage</WorkingFolder>
        <ConsoleRedirection FileRetentionCount="10"/>
      </ExeHost>
    </EntryPoint>
</CodePackage>
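As an added example that is not part of the original documentation, the following Python script lints the RunAs wiring of an application manifest (every UserRef and NameRef resolves to a declared principal, and users that inherit Administrators rights through a group are flagged) and reports ConsoleRedirection in a service manifest, covering both the RunAs sections above and the console-redirection warning. The sample manifests, and the account and group names in them, are constructed for this example.

```python
import xml.etree.ElementTree as ET
SF = "http://schemas.microsoft.com/2011/01/fabric"
NS = {"sf": SF}
# Constructed sample manifests (not from the page): one UserRef that resolves to
# nothing, one user placed in the built-in Administrators group, redirection on.
APP_MANIFEST = f"""<ApplicationManifest xmlns="{SF}" ApplicationTypeName="T" ApplicationTypeVersion="1.0.0">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="Web1Pkg" ServiceManifestVersion="1.0.0" />
    <Policies><RunAsPolicy CodePackageRef="Code" UserRef="Customer1" EntryPointType="Main" /></Policies>
  </ServiceManifestImport>
  <Principals>
    <Groups><Group Name="LocalAdminGroup"><Membership><SystemGroup Name="Administrators" /></Membership></Group></Groups>
    <Users><User Name="Customer1"><MemberOf><Group NameRef="LocalAdminGroup" /></MemberOf></User></Users>
  </Principals>
  <Policies><DefaultRunAsPolicy UserRef="MyDefaultAccount" /></Policies>
</ApplicationManifest>"""
SVC_MANIFEST = f"""<ServiceManifest xmlns="{SF}" Name="Web1Pkg" Version="1.0.0">
  <CodePackage Name="Code" Version="1.0.0"><EntryPoint><ExeHost>
    <Program>VotingWeb.exe</Program><ConsoleRedirection FileRetentionCount="10"/>
  </ExeHost></EntryPoint></CodePackage>
</ServiceManifest>"""

def lint_application_manifest(xml_text):
    """Findings: unresolved UserRef/NameRef values, and users that gain Administrators rights."""
    root = ET.fromstring(xml_text)
    users = root.findall(".//sf:Principals/sf:Users/sf:User", NS)
    groups = root.findall(".//sf:Principals/sf:Groups/sf:Group", NS)
    names, gnames = {u.get("Name") for u in users}, {g.get("Name") for g in groups}
    admin = {g.get("Name") for g in groups                      # groups mapped onto Administrators
             if g.find("sf:Membership/sf:SystemGroup[@Name='Administrators']", NS) is not None}
    findings = []
    for tag in ("RunAsPolicy", "DefaultRunAsPolicy"):           # both policy kinds carry UserRef
        for pol in root.iter(f"{{{SF}}}{tag}"):
            if pol.get("UserRef") not in names:
                findings.append(f"{tag} references undeclared user '{pol.get('UserRef')}'")
    for u in users:
        for ref in (m.get("NameRef") for m in u.findall("sf:MemberOf/sf:Group", NS)):
            if ref not in gnames:
                findings.append(f"user '{u.get('Name')}' references undeclared group '{ref}'")
            elif ref in admin:                                  # least-privilege check
                findings.append(f"user '{u.get('Name')}' is a local Administrator via '{ref}'")
    return findings

def lint_service_manifest(xml_text):
    """Flag CodePackages with ConsoleRedirection, which must not ship to production."""
    root = ET.fromstring(xml_text)
    return [f"CodePackage '{cp.get('Name')}' has ConsoleRedirection enabled"
            for cp in root.iter(f"{{{SF}}}CodePackage")
            if cp.find(".//sf:ConsoleRedirection", NS) is not None]
```

To check real packages, pass the contents of ApplicationManifest.xml and each ServiceManifest.xml to the two functions.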

Next steps