Service Fabric cluster security scenarios

An Azure Service Fabric cluster is a resource that you own. It is your responsibility to secure your clusters to help prevent unauthorized users from connecting to them. A secure cluster is especially important when you are running production workloads on the cluster. Although it is possible to create an unsecured cluster, if the cluster exposes management endpoints to the public internet, anonymous users can connect to it. Unsecured clusters are not supported for production workloads.

This article is an overview of the security scenarios for Azure clusters and standalone clusters, and of the technologies you can use to implement them:

  • Node-to-node security
  • Client-to-node security
  • Role-Based Access Control (RBAC)

Node-to-node security

Node-to-node security helps secure communication between the VMs or computers in a cluster. This scenario ensures that only computers that are authorized to join the cluster can participate in hosting applications and services in the cluster.

[Diagram: node-to-node communication]

Clusters running on Azure and standalone clusters running on Windows can both use either certificate security or, for Windows Server computers, Windows security.

Node-to-node certificate security

Service Fabric uses X.509 server certificates that you specify as part of the node-type configuration when you create a cluster. The end of this article gives a brief overview of what these certificates are and how you can acquire or create them.

Set up certificate security when you create the cluster, either in the Azure portal, by using an Azure Resource Manager template, or by using a standalone JSON template. The default behavior of the Service Fabric SDK is to deploy and install the certificate whose expiration date lies furthest in the future. The classic behavior allowed you to define a primary and a secondary certificate so that rollovers could be initiated manually; it is not recommended over the new functionality. The certificate selected this way (the one with the furthest expiration date) should be different from the admin client and read-only client certificates that you set for client-to-node security.

To learn how to set up certificate security in a cluster for Azure, see Set up a cluster by using an Azure Resource Manager template.

To learn how to set up certificate security for a standalone Windows Server cluster, see Secure a standalone cluster on Windows by using X.509 certificates.

Node-to-node Windows security

To learn how to set up Windows security for a standalone Windows Server cluster, see Secure a standalone cluster on Windows by using Windows security.

Client-to-node security

Client-to-node security authenticates clients and helps secure communication between a client and individual nodes in the cluster. This type of security helps ensure that only authorized users can access the cluster and the applications that are deployed on it. Clients are uniquely identified through either their Windows security credentials or their certificate security credentials.

[Diagram: client-to-node communication]

Clusters running on Azure and standalone clusters running on Windows can both use either certificate security or Windows security.

Client-to-node certificate security

Set up client-to-node certificate security when you create the cluster, either in the Azure portal, by using a Resource Manager template, or by using a standalone JSON template. In the configuration, specify an admin client certificate or a user client certificate. As a best practice, the admin client and user client certificates you specify should be different from the primary and secondary certificates you specify for node-to-node security. By default, the cluster certificates used for node-to-node security are added to the list of allowed admin client certificates.

Clients that connect to the cluster by using the admin certificate have full access to management capabilities. Clients that connect by using the read-only user client certificate have only read access to management capabilities. These certificates are used for the RBAC that is described later in this article.

To learn how to set up certificate security in a cluster for Azure, see Set up a cluster by using an Azure Resource Manager template.

To learn how to set up certificate security for a standalone Windows Server cluster, see Secure a standalone cluster on Windows by using X.509 certificates.

Client-to-node Azure Active Directory security on Azure

Azure AD enables organizations (known as tenants) to manage user access to applications. Applications are divided into those with a web-based sign-in UI and those with a native client experience. If you have not already created a tenant, start by reading How to get an Azure Active Directory tenant.

A Service Fabric cluster offers several entry points to its management functionality, including the web-based Service Fabric Explorer and Visual Studio. As a result, you create two Azure AD applications to control access to the cluster: one web application and one native application.

For clusters running on Azure, you can also secure access to management endpoints by using Azure Active Directory (Azure AD). To learn how to create the required Azure AD artifacts and how to populate them when you create the cluster, see Set up Azure AD to authenticate clients.

Security recommendations

For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for client-to-node mutual authentication is:

  • Azure Active Directory for client identity
  • A certificate for server identity and TLS (SSL) encryption of HTTP communication

For Service Fabric clusters deployed in a public network hosted on Azure, the recommendation for node-to-node security is to use a cluster certificate to authenticate nodes.

For standalone Windows Server clusters, if you have Windows Server 2012 R2 and Windows Active Directory, we recommend that you use Windows security with group Managed Service Accounts. Otherwise, use Windows security with Windows accounts.

Role-Based Access Control (RBAC)

You can use access control to limit access to certain cluster operations for different groups of users. This helps make the cluster more secure. Two access control types are supported for clients that connect to a cluster: Administrator role and User role.

Users who are assigned the Administrator role have full access to management capabilities, including read and write capabilities. Users who are assigned the User role have, by default, only read access to management capabilities (for example, query capabilities). They can also resolve applications and services.

Set the Administrator and User client roles when you create the cluster. Assign roles by providing separate identities (for example, by using certificates or Azure AD) for each role type. For more information about default access control settings and how to change them, see Role-Based Access Control for Service Fabric clients.
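The client-certificate and role settings described here and in the client-to-node certificate security section above, shown as an added example that is not part of this article or of the Service Fabric product code. The PowerShell function below builds the security-related properties of a Microsoft.ServiceFabric/clusters Resource Manager resource from three thumbprints and enforces the best practices stated above before emitting JSON: every thumbprint must be a SHA-1 thumbprint, the admin and user client certificates must differ from the cluster certificate and from each other, and the Security/ClientRoleEnabled setting is turned on so that the User role is actually applied. The property names are those of the Resource Manager cluster schema as recalled here, the thumbprints in the usage line are constructed placeholders, and the function name New-SfClusterSecurityProperties is this example's own.

```powershell
# Added example, not part of the Service Fabric documentation or product.
# Builds the security-related properties of a Microsoft.ServiceFabric/clusters
# Resource Manager resource and enforces the best practices this article states.
# Property names follow the Resource Manager cluster schema as recalled here.

function New-SfClusterSecurityProperties {
    param(
        [Parameter(Mandatory)][string]$ClusterCertThumbprint,  # node-to-node and server identity
        [Parameter(Mandatory)][string]$AdminClientThumbprint,  # Administrator role (read/write)
        [string]$UserClientThumbprint                          # User role (read-only), optional
    )

    # Service Fabric identifies certificates by SHA-1 thumbprint: 40 hex characters.
    # A 64-character value is a SHA-256 fingerprint and would never match a certificate.
    $all = @($ClusterCertThumbprint, $AdminClientThumbprint, $UserClientThumbprint) | Where-Object { $_ }
    foreach ($t in $all) {
        if ($t -notmatch '^[0-9A-Fa-f]{40}$') { throw "Not a SHA-1 thumbprint: '$t'" }
    }

    # Best practice from the article: client certificates differ from the cluster
    # certificate, and the admin certificate differs from the read-only user certificate.
    if ($AdminClientThumbprint -ieq $ClusterCertThumbprint) {
        throw 'The admin client certificate must not be the cluster certificate'
    }
    if ($UserClientThumbprint -and $UserClientThumbprint -ieq $AdminClientThumbprint) {
        throw 'The user client certificate must not be the admin client certificate'
    }
    if ($UserClientThumbprint -and $UserClientThumbprint -ieq $ClusterCertThumbprint) {
        throw 'The user client certificate must not be the cluster certificate'
    }

    $clientCerts = @(
        [ordered]@{ certificateThumbprint = $AdminClientThumbprint.ToUpper(); isAdmin = $true }
    )
    if ($UserClientThumbprint) {
        $clientCerts += [ordered]@{ certificateThumbprint = $UserClientThumbprint.ToUpper(); isAdmin = $false }
    }

    return [ordered]@{
        # Node-to-node and server-identity certificate; nodes load it from LocalMachine\My.
        certificate = [ordered]@{
            thumbprint    = $ClusterCertThumbprint.ToUpper()
            x509StoreName = 'My'
        }
        # Client certificates are only listed as allowed here; they are installed on the
        # client machines, not on the cluster (see the client authentication certificates section).
        clientCertificateThumbprints = $clientCerts
        fabricSettings = @(
            [ordered]@{
                name       = 'Security'
                parameters = @(
                    # ClientRoleEnabled defaults to false, in which case Service Fabric does not
                    # assign roles by identity and the "read-only" certificate is not read-only.
                    [ordered]@{ name = 'ClientRoleEnabled'; value = 'true' }
                )
            }
        )
    }
}

# Usage with constructed placeholder thumbprints; emits the JSON fragment for the
# cluster resource's "properties" section.
New-SfClusterSecurityProperties -ClusterCertThumbprint ('AA' * 20) `
    -AdminClientThumbprint ('BB' * 20) -UserClientThumbprint ('CC' * 20) |
    ConvertTo-Json -Depth 6
```

The script only builds the object, so it runs under pwsh on any platform. The same thumbprints are what a client later passes to Connect-ServiceFabricCluster with -X509Credential: the cluster certificate's thumbprint as -ServerCertThumbprint, and the admin or user client certificate's thumbprint as -FindValue with -FindType FindByThumbprint.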

X.509 certificates and Service Fabric

X.509 digital certificates are commonly used to authenticate clients and servers. They are also used to encrypt and digitally sign messages. Service Fabric uses X.509 certificates to secure a cluster and to provide application security features. For more information about X.509 digital certificates, see Working with certificates. You can use Key Vault to manage certificates for Service Fabric clusters in Azure.

Some important things to consider:

  • To create certificates for clusters that run production workloads, use a correctly configured Windows Server certificate service, or obtain one from an approved certificate authority (CA).
  • Never use temporary or test certificates created with tools like MakeCert.exe in a production environment.
  • You can use a self-signed certificate, but only in a test cluster. Do not use a self-signed certificate in production.
  • When generating the certificate thumbprint, be sure to generate a SHA-1 thumbprint. SHA-1 is what is used when configuring the client and cluster certificate thumbprints. The thumbprint is only an identifier, the SHA-1 hash of the certificate's DER encoding; it says nothing about the certificate's own signature algorithm, which should still be SHA-256 or stronger.

Cluster and server certificate (required)

These certificates (one primary and, optionally, a secondary) are required to secure a cluster and prevent unauthorized access to it. They provide cluster authentication and server authentication.

Cluster authentication authenticates node-to-node communication for cluster federation. Only nodes that can prove their identity with this certificate can join the cluster. Server authentication authenticates the cluster management endpoints to a management client, so that the management client knows it is talking to the real cluster and not to a man in the middle. This certificate also provides TLS (SSL) for the HTTPS management API and for Service Fabric Explorer over HTTPS. When a client or node authenticates a node, one of the initial checks is the value of the common name in the Subject field. Either this common name or one of the certificate's Subject Alternative Names (SANs) must be present in the list of allowed common names.

The certificate must meet the following requirements:

  • The certificate must contain a private key. These certificates typically have the extension .pfx or .pem.
  • The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain that you use to access the Service Fabric cluster. This match is required to provide TLS for the cluster's HTTPS management endpoint and Service Fabric Explorer. You cannot obtain a TLS certificate from a certificate authority (CA) for the *.cloudapp.chinacloudapi.cn domain. You must obtain a custom domain name for your cluster. When you request a certificate from a CA, the certificate's subject name must match the custom domain name that you use for your cluster.

Some other things to consider:

  • The Subject field can have multiple values. Each value is prefixed with an abbreviation that indicates the value type. Usually the abbreviation is CN (for common name); for example, CN = www.contoso.com.
  • The Subject field can be blank.
  • If the optional Subject Alternative Name field is populated, it must contain both the common name of the certificate and one entry per SAN. These are entered as DNS Name values. To learn how to generate certificates that have SANs, see How to add a Subject Alternative Name to a secure LDAP certificate.
  • The value of the Intended Purposes (Enhanced Key Usage) field of the certificate should include an appropriate value, such as Server Authentication or Client Authentication.
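A check of an installed certificate against the requirements listed above (private key present, current validity period, a 40-hex-character SHA-1 thumbprint as required in the list under "Some important things to consider", Server Authentication in the Enhanced Key Usage, and a Subject CN or SAN DNS name that matches the cluster's domain), as an added example that is not part of this article or of Service Fabric. It targets Windows PowerShell 5.1 on Windows, because the Cert: drive and the DnsNameList property that PowerShell adds to certificate objects are not available elsewhere. The thumbprint and domain in the usage line are constructed placeholders, and both function names are this example's own. The second function creates a self-signed certificate that satisfies the same requirements, for test clusters only.

```powershell
# Added example, not part of the Service Fabric documentation or product.
# Windows PowerShell 5.1 on Windows: uses the Cert: drive and the DnsNameList
# ETS property that PowerShell adds to X509Certificate2 objects.

function Test-SfClusterCertificate {
    # Returns a list of problems; an empty result means the certificate passes every check.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,       # value you intend to put in the cluster config
        [Parameter(Mandatory)][string]$ClusterDnsName,   # domain used to reach the cluster
        [string]$StorePath = 'Cert:\LocalMachine\My'     # where nodes look for the cluster certificate
    )
    $problems = @()

    # A thumbprint copied from the certificate UI often carries spaces or an invisible
    # left-to-right mark; strip whitespace, then insist on SHA-1 (40 hex characters).
    $Thumbprint = $Thumbprint -replace '\s', ''
    if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        return "'$Thumbprint' is not a SHA-1 thumbprint (64 characters would be SHA-256)"
    }

    # X509Certificate2.Thumbprint is exactly SHA-1 over the DER-encoded certificate.
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -ieq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { return "No certificate with thumbprint $Thumbprint in $StorePath" }

    if (-not $cert.HasPrivateKey) { $problems += 'No private key (import the .pfx, not just the .cer)' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Enhanced Key Usage must allow Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    # A certificate with no EKU extension at all is valid for any purpose and is accepted.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Enhanced Key Usage lacks Server Authentication'
    }

    # Subject CN or one of the SAN DNS names must match the cluster's domain. -like treats
    # a leading '*.' in the certificate name as a wildcard (slightly looser than RFC 6125,
    # which lets it match only a single label).
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not ($names | Where-Object { $ClusterDnsName -ilike $_ })) {
        $problems += "Neither CN nor SAN matches $ClusterDnsName (certificate names: $($names -join ', '))"
    }

    return $problems
}

function New-SfTestClusterCertificate {
    # TEST CLUSTERS ONLY: a self-signed certificate that meets the requirements above.
    # Needs an elevated prompt to write to LocalMachine\My.
    param([Parameter(Mandatory)][string]$ClusterDnsName)
    # -DnsName puts the name in the Subject CN and in the SAN as a DNS Name entry;
    # -KeySpec KeyExchange and -KeyExportPolicy Exportable satisfy the "created for key
    # exchange, exportable to .pfx" requirement; the cmdlet's default EKU is
    # Client Authentication plus Server Authentication.
    New-SelfSignedCertificate -DnsName $ClusterDnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeySpec KeyExchange -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddMonths(3) `
        -FriendlyName "Service Fabric test cluster ($ClusterDnsName)"
}

# Usage with constructed placeholders (no real cluster or certificate behind them).
Test-SfClusterCertificate -Thumbprint ('AB' * 20) -ClusterDnsName 'mycluster.contoso.com'
```

Run the check on every node's LocalMachine\My store before deploying: the thumbprint, private key, and name-match problems it reports are exactly the ones that otherwise surface as nodes failing to join or as browsers rejecting the Service Fabric Explorer endpoint.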

Application certificates (optional)

Any number of additional certificates can be installed on a cluster for application security purposes. Before you create your cluster, consider the application security scenarios that require a certificate to be installed on the nodes, such as:

  • Encryption and decryption of application configuration values.
  • Encryption of data across nodes during replication.

The concept of creating secure clusters is the same for Linux and Windows clusters.

Client authentication certificates (optional)

Any number of additional certificates can be specified for admin or user client operations. The client can use such a certificate when mutual authentication is required. Client certificates are typically not issued by a third-party CA. Instead, the Personal store of the current user location typically contains client certificates placed there by a root authority. The certificate should have an Intended Purposes value of Client Authentication.

By default, the cluster certificate has admin client privileges. These additional client certificates should not be installed into the cluster; instead, they are specified as allowed in the cluster configuration. The client certificates do, however, need to be installed on the client machines that connect to the cluster and perform operations.

Note

All management operations on a Service Fabric cluster require server certificates. Client certificates cannot be used for management.

Next steps