Secure a standalone cluster on Windows by using Windows security

To prevent unauthorized access to a Service Fabric cluster, you must secure the cluster. Security is especially important when the cluster runs production workloads. This article describes how to configure node-to-node and client-to-node security by using Windows security in the ClusterConfig.JSON file. The process corresponds to the configure security step of Create a standalone cluster running on Windows. For more information about how Service Fabric uses Windows security, see Cluster security scenarios.

Note

Choose the node-to-node security option carefully: there is no cluster upgrade from one security choice to another. To change the security selection, you have to rebuild the full cluster.

Configure Windows security using gMSA

The sample ClusterConfig.gMSA.Windows.MultiMachine.JSON configuration file downloaded with the Microsoft.Azure.ServiceFabric.WindowsServer.<version>.zip standalone cluster package contains a template for configuring Windows security using a Group Managed Service Account (gMSA):

"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {  
        "ClustergMSAIdentity": "[gMSA Identity]",
        "ClusterSPN": "[Registered SPN for the gMSA account]",
        "ClientIdentities": [
            {
                "Identity": "domain\\username",
                "IsAdmin": true
            }
        ]
    }
}

| Configuration setting | Description |
|---|---|
| ClusterCredentialType | Set to Windows to enable Windows security for node-to-node communication. |
| ServerCredentialType | Set to Windows to enable Windows security for client-to-node communication. |
| WindowsIdentities | Contains the cluster and client identities. |
| ClustergMSAIdentity | Configures node-to-node security. A group managed service account. |
| ClusterSPN | Registered SPN for the gMSA account. |
| ClientIdentities | Configures client-to-node security. An array of client user accounts. |
| Identity | Add the domain user, domain\username, for the client identity. |
| IsAdmin | Set to true to specify that the domain user has administrator client access, or false for user client access. |

Note

The ClustergMSAIdentity value must be in the format "mysfgmsa@mydomain".

Node-to-node security is configured by setting ClustergMSAIdentity when Service Fabric needs to run under a gMSA. To build trust relationships between nodes, they must be made aware of each other. This can be accomplished in two different ways: specify the Group Managed Service Account that includes all nodes in the cluster, or specify the domain machine group that includes all nodes in the cluster. We strongly recommend the Group Managed Service Account (gMSA) approach, particularly for larger clusters (more than 10 nodes) or for clusters that are likely to grow or shrink. This approach does not require the creation of a domain group for which cluster administrators have been granted access rights to add and remove members. These accounts are also useful for automatic password management. For more information, see Getting Started with Group Managed Service Accounts.

Client-to-node security is configured using ClientIdentities. To establish trust between a client and the cluster, you must configure the cluster to know which client identities it can trust. This can be done in two different ways: specify the domain group users that can connect, or specify the domain node users that can connect. Service Fabric supports two different access control types for clients that are connected to a Service Fabric cluster: administrator and user. Access control lets the cluster administrator limit access to certain types of cluster operations for different groups of users, making the cluster more secure. Administrators have full access to management capabilities (including read/write capabilities). Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services. For more information on access controls, see Role-based access control for Service Fabric clients.

The following example security section configures Windows security using gMSA, specifies that the machines in the ServiceFabric.clusterA.contoso.com gMSA are part of the cluster, and specifies that CONTOSO\usera has admin client access:

"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {
        "ClustergMSAIdentity" : "ServiceFabric.clusterA.contoso.com",
        "ClusterSPN" : "http/servicefabric/clusterA.contoso.com",
        "ClientIdentities": [{
            "Identity": "CONTOSO\\usera",
            "IsAdmin": true
        }]
    }
}

Configure Windows security using a machine group

This model is being deprecated. The recommendation is to use gMSA as detailed above. The sample ClusterConfig.Windows.MultiMachine.JSON configuration file downloaded with the Microsoft.Azure.ServiceFabric.WindowsServer.<version>.zip standalone cluster package contains a template for configuring Windows security. Windows security is configured in the Properties section:

"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {
        "ClusterIdentity" : "[domain\\machinegroup]",
        "ClientIdentities": [{
            "Identity": "[domain\\username]",
            "IsAdmin": true
        }]
    }
}

| Configuration setting | Description |
|---|---|
| ClusterCredentialType | Set to Windows to enable Windows security for node-to-node communication. |
| ServerCredentialType | Set to Windows to enable Windows security for client-to-node communication. |
| WindowsIdentities | Contains the cluster and client identities. |
| ClusterIdentity | Use a machine group name, domain\machinegroup, to configure node-to-node security. |
| ClientIdentities | Configures client-to-node security. An array of client user accounts. |
| Identity | Add the domain user, domain\username, for the client identity. |
| IsAdmin | Set to true to specify that the domain user has administrator client access, or false for user client access. |

Node-to-node security is configured by setting ClusterIdentity if you want to use a machine group within an Active Directory domain. For more information, see Create a Machine Group in Active Directory.

Client-to-node security is configured by using ClientIdentities. To establish trust between a client and the cluster, you must configure the cluster to know the client identities that the cluster can trust. You can establish trust in two different ways:

  • Specify the domain group users that can connect.
  • Specify the domain node users that can connect.

Service Fabric supports two different access control types for clients that are connected to a Service Fabric cluster: administrator and user. Access control enables the cluster administrator to limit access to certain types of cluster operations for different groups of users, which makes the cluster more secure. Administrators have full access to management capabilities (including read/write capabilities). Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services.

The following example security section configures Windows security, specifies that the machines in ServiceFabric/clusterA.contoso.com are part of the cluster, and specifies that CONTOSO\usera has admin client access:

"security": {
    "ClusterCredentialType": "Windows",
    "ServerCredentialType": "Windows",
    "WindowsIdentities": {
        "ClusterIdentity" : "ServiceFabric/clusterA.contoso.com",
        "ClientIdentities": [{
            "Identity": "CONTOSO\\usera",
            "IsAdmin": true
        }]
    }
},

Note

Service Fabric should not be deployed on a domain controller. Make sure that ClusterConfig.json does not include the IP address of the domain controller when using a machine group or a group Managed Service Account (gMSA).
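As an added example (not part of this article or of the Service Fabric package), the following Python pre-flight check validates a ClusterConfig.json security section against the rules in both the gMSA and the machine-group sections above: Windows credential types, exactly one cluster identity, the mysfgmsa@mydomain format with a ClusterSPN, domain\username client identities with at least one admin, and no node carrying a domain controller address. It assumes node entries use the iPAddress key and that the caller supplies the domain controller addresses; the sample configuration is constructed.

```python
import ipaddress
import re
# Constructed ClusterConfig.json fragment (not from the article): a gMSA-secured three-node
# cluster. Real files carry many more properties than this checker inspects.
SAMPLE_CONFIG = {
    "nodes": [{"nodeName": f"vm{i}", "iPAddress": f"10.0.0.{4 + i}"} for i in range(3)],
    "properties": {"security": {
        "ClusterCredentialType": "Windows",
        "ServerCredentialType": "Windows",
        "WindowsIdentities": {
            "ClustergMSAIdentity": "sfclusterA@contoso.com",  # mysfgmsa@mydomain form
            "ClusterSPN": "http/servicefabric/clusterA.contoso.com",
            "ClientIdentities": [{"Identity": "CONTOSO\\usera", "IsAdmin": True},
                                 {"Identity": "CONTOSO\\reader", "IsAdmin": False}],
        },
    }},
}
GMSA_FORMAT = re.compile(r"^[^@\\/\s]+@[^@\s]+$")  # mysfgmsa@mydomain
USER_FORMAT = re.compile(r"^[^\\\s]+\\[^\\\s]+$")   # domain\username

def check_security(config, domain_controller_ips=()):
    """Return a list of findings for the security section; an empty list means it passes."""
    findings = []
    sec = config.get("properties", {}).get("security", {})
    for key in ("ClusterCredentialType", "ServerCredentialType"):
        if sec.get(key) != "Windows":
            findings.append(f"{key} must be 'Windows' to enable Windows security")
    ids = sec.get("WindowsIdentities", {})
    gmsa, group = ids.get("ClustergMSAIdentity"), ids.get("ClusterIdentity")
    if bool(gmsa) == bool(group):
        findings.append("set exactly one of ClustergMSAIdentity or ClusterIdentity")
    if gmsa and not GMSA_FORMAT.match(gmsa):
        findings.append("ClustergMSAIdentity must be in the form mysfgmsa@mydomain")
    if gmsa and not ids.get("ClusterSPN"):
        findings.append("ClusterSPN (registered SPN for the gMSA) is missing")
    if group:
        findings.append("ClusterIdentity (machine group) is deprecated; prefer gMSA")
    clients = ids.get("ClientIdentities", [])
    for c in clients:
        if not USER_FORMAT.match(c.get("Identity", "")):
            findings.append(f"client identity {c.get('Identity')!r} is not domain\\username")
        if not isinstance(c.get("IsAdmin"), bool):
            findings.append(f"IsAdmin for {c.get('Identity')!r} must be true or false")
    if not any(c.get("IsAdmin") is True for c in clients):
        findings.append("no client identity has IsAdmin: true; nobody can administer the cluster")
    dcs = {ipaddress.ip_address(ip) for ip in domain_controller_ips}  # DC addresses to reject
    for node in config.get("nodes", []):
        if ipaddress.ip_address(node["iPAddress"]) in dcs:
            findings.append(f"node {node['nodeName']} is a domain controller; remove it")
    return findings
```

Run it before TestConfiguration.ps1 so a misconfigured security section is caught without touching the target machines.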

Next steps

After configuring Windows security in the ClusterConfig.JSON file, resume the cluster creation process in Create a standalone cluster running on Windows.

For more information about node-to-node security, client-to-node security, and role-based access control, see Cluster security scenarios.

See Connect to a secure cluster for examples of connecting by using PowerShell or FabricClient.