  • [Azure] Managing resources with RBAC

    The diagram below shows the architecture of Azure role-based access control. It makes clear that access is controlled through three elements:

    1. Security principal: an object that represents a user, group or service principal requesting access to an Azure resource.
    2. Role definition: a collection of permissions, often just called a "role". It lists the operations that can be performed, such as read, write and delete. Azure ships with several built-in roles; if they do not meet the enterprise's needs, custom roles can be created.
    3. Scope: the boundary within which the access applies. When assigning a role, the scope further limits where the permitted operations may be performed (management group, subscription, resource group or a single resource).

    A role assignment binds exactly these three things together: who (principal), what (role definition) and where (scope). Creating one therefore follows the same three steps.

    clip_image001

    For Azure's built-in role definitions, and the differences between them, see https://docs.azure.cn/zh-cn/role-based-access-control/built-in-roles.

    clip_image002

    With the RBAC model understood, let's test it against typical enterprise requirements.

    1. An outsourced project company may operate only on the resources in one specific resource group; every other resource group must be invisible to it.
    • The steps for creating the user in AAD are omitted here.
    • Add the created user under the resource group's IAM (Access control) blade and assign it a role there. Because the scope is the resource group, the user can operate only on that resource group.

    clip_image003

    • Log in as that account to verify: an attempt to create a new resource group in the subscription fails with a permission error, because the assignment does not cover the subscription scope.

    clip_image004
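    The same scenario-1 assignment done with the AzureRm module instead of the portal, followed by a check that the outsourcer's account holds no assignment outside the resource group. This is an added example and not code from the original post; it assumes an active `Login-AzureRmAccount` session, that the user already exists in AAD, the names `rbacgroup` and `rbacuser@xxxxxx.partner.onmschina.cn` from the post, and "Contributor" as the role granted (the post does not say which role it picked in the portal).

```powershell
# Added example (not from the original post). Assumes the AzureRm module and
# an active session. "Contributor" is an assumption; rbacgroup and the sign-in
# name are the values used in the post.
$SignInName    = "rbacuser@xxxxxx.partner.onmschina.cn"
$ResourceGroup = "rbacgroup"
$RoleName      = "Contributor"

$sub   = Get-AzureRmContext | Select-Object -ExpandProperty Subscription
$scope = "/subscriptions/$($sub.Id)/resourceGroups/$ResourceGroup"

# Scope is what fences the outsourcer in: the same role assigned at
# "/subscriptions/<id>" would expose every resource group in the subscription.
# Get-AzureRmRoleAssignment -Scope also returns assignments inherited from
# parent scopes, so filter on the exact scope before deciding to create one.
$existing = Get-AzureRmRoleAssignment -SignInName $SignInName -Scope $scope -RoleDefinitionName $RoleName |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzureRmRoleAssignment -SignInName $SignInName -Scope $scope -RoleDefinitionName $RoleName | Out-Null
    Write-Output "Assigned $RoleName to $SignInName at $scope"
}

# Verify: every assignment this principal holds, directly or through group
# membership, must sit at or below the resource-group scope.
$stray = Get-AzureRmRoleAssignment -SignInName $SignInName -ExpandPrincipalGroups |
    Where-Object { $_.Scope -notlike "$scope*" }
if ($stray) {
    Write-Warning "$SignInName has assignments outside ${ResourceGroup}:"
    $stray | Format-Table RoleDefinitionName, Scope, ObjectType -AutoSize
} else {
    Write-Output "OK: $SignInName is confined to $scope"
}
```

    The `-ExpandPrincipalGroups` check matters because a user who is also a member of a group assigned at subscription level would still see and touch every resource group, regardless of what was configured on the resource group's IAM blade. With the newer Az module the cmdlets are the same with the `AzureRm` prefix replaced by `Az` (`Get-AzRoleAssignment`, `New-AzRoleAssignment`).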

    2. Create a custom role so that user rbacuser can start, power off and restart the virtual machines in resource group rbacgroup, and nothing more.
    • First, list the operations the Microsoft.Compute resource provider exposes for virtual machines, so the role can name them explicitly.

    Get-AzureRMProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

    OperationName                                  Operation                                                      Description
    -------------                                  ---------                                                      -----------
    Get Virtual Machine                            Microsoft.Compute/virtualMachines/read                         Get the properties of a virtual machine
    Create or Update Virtual Machine               Microsoft.Compute/virtualMachines/write                        Creates a new virtual machine or updates ...
    Delete Virtual Machine                         Microsoft.Compute/virtualMachines/delete                       Deletes the virtual machine
    Start Virtual Machine                          Microsoft.Compute/virtualMachines/start/action                 Starts the virtual machine
    Power Off Virtual Machine                      Microsoft.Compute/virtualMachines/powerOff/action              Powers off the virtual machine. Note that...
    Redeploy Virtual Machine                       Microsoft.Compute/virtualMachines/redeploy/action              Redeploys virtual machine
    Restart Virtual Machine                        Microsoft.Compute/virtualMachines/restart/action               Restarts the virtual machine
    Deallocate Virtual Machine                     Microsoft.Compute/virtualMachines/deallocate/action            Powers off the virtual machine and releas...
    Generalize Virtual Machine                     Microsoft.Compute/virtualMachines/generalize/action            Sets the virtual machine state to General...
    Capture Virtual Machine                        Microsoft.Compute/virtualMachines/capture/action               Captures the virtual machine by copying v...
    Run Command on Virtual Machine                 Microsoft.Compute/virtualMachines/runCommand/action            Executes a predefined script on the virtu...
    Convert Virtual Machine disks to Managed Disks Microsoft.Compute/virtualMachines/convertToManagedDisks/action Converts the blob based disks of the virt...
    Perform Maintenance Redeploy                   Microsoft.Compute/virtualMachines/performMaintenance/action    Performs Maintenance Operation on the VM.
    Reimage Virtual Machine                        Microsoft.Compute/virtualMachines/reimage/action               Reimages virtual machine which is using d...
    Log in to Virtual Machine                      Microsoft.Compute/virtualMachines/login/action                 Log in to a virtual machine as a regular ...
    Log in to Virtual Machine as administrator     Microsoft.Compute/virtualMachines/loginAsAdmin/action          Log in to a virtual machine with Windows ...
    Get Virtual Machine Instance View              Microsoft.Compute/virtualMachines/instanceView/read            Gets the detailed runtime status of the v...
    Lists Available Virtual Machine Sizes          Microsoft.Compute/virtualMachines/vmSizes/read                 Lists available sizes the virtual machine...
    Get Virtual Machine Extension                  Microsoft.Compute/virtualMachines/extensions/read              Get the properties of a virtual machine e...
    Create or Update Virtual Machine Extension     Microsoft.Compute/virtualMachines/extensions/write             Creates a new virtual machine extension o...
    Delete Virtual Machine Extension               Microsoft.Compute/virtualMachines/extensions/delete            Deletes the virtual machine extension

    Note that this list contains operations that amount to code execution or interactive logon on the guest OS: runCommand/action runs a script inside the VM, extensions/write installs an extension that runs as SYSTEM/root, and login/action and loginAsAdmin/action grant logon. A role intended only for power operations must not include any of them. That is why the custom role below enumerates start, restart, powerOff and deallocate explicitly instead of keeping the template's Microsoft.Compute/virtualMachines/* wildcard.

    • Collect the subscription ID and the resource group's resource ID; both are needed for the assignable scope and the assignment scope.

    Get-AzureRmSubscription | ft SubscriptionID

    SubscriptionId
    --------------
    Xxxxxx

    Get-AzureRmResourceGroup | ft ResourceId

    clip_image005

    • This solution starts from the built-in Virtual Machine Contributor role as a template and trims it down.
      • View Virtual Machine Contributor

    Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"

    Name             : Virtual Machine Contributor
    Id               : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
    IsCustom         : False
    Description      : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
    Actions          : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
    NotActions       : {}
    DataActions      : {}
    NotDataActions   : {}
    AssignableScopes : {/}

    The Microsoft.Compute/virtualMachines/* wildcard in its Actions covers every operation in the list above, including write, delete, runCommand/action and extensions/write, so the template grants far more than start/stop/restart.

    • Modify Virtual Machine Contributor into the custom role

    # Load the "Virtual Machine Contributor" definition as a starting point
    $role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
    # Clearing the Id makes New-AzureRmRoleDefinition create a new role instead of colliding with the built-in one
    $role.Id = $null
    $role.Name = "Virtual Machine Operator"
    $role.Description = "Can monitor and start stop or restart virtual machines."
    # Drop every inherited action, in particular the Microsoft.Compute/virtualMachines/* wildcard
    $role.Actions.Clear()
    # Read-only access to the surrounding resources so the VM blade renders (network, disks, storage)
    $role.Actions.Add("Microsoft.Storage/*/read")
    $role.Actions.Add("Microsoft.Network/*/read")
    $role.Actions.Add("Microsoft.Compute/*/read")
    $role.Actions.Add("Microsoft.Authorization/*/read")
    $role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
    # The only VM control-plane operations the operator may perform
    $role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
    $role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
    $role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
    $role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
    $role.Actions.Add("Microsoft.Insights/alertRules/*")
    # Restrict where this role may be assigned: the template allows "/" (every subscription); limit it to this subscription
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/xxxxx")
    # Create the role
    New-AzureRmRoleDefinition -Role $role

    Name             : Virtual Machine Operator
    Id               : 55aca895-61dc-4162-b7a6-fbab532d14a2
    IsCustom         : True
    Description      : Can monitor and start stop or restart virtual machines.
    Actions          : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action...}
    NotActions       : {}
    AssignableScopes : {/subscriptions/xxxxx}

    • Assign the role to rbacuser at the scope of resource group rbacgroup.

    New-AzureRmRoleAssignment -SignInName rbacuser@xxxx.partner.onmschina.cn -Scope /subscriptions/xxxxxx/resourceGroups/rbacgroup -RoleDefinitionName "Virtual Machine Operator"

    RoleAssignmentId   : /subscriptions/xxxxx/resourceGroups/rbacgroup/providers/Microsoft.Authorization/roleAssignments/336b10d9-4ae7-4832-87a8-7f3d1dccb834
    Scope              : /subscriptions/xxxxxx/resourceGroups/rbacgroup
    DisplayName        : RBACUSER
    SignInName         : rbacuser@xxxxxx.partner.onmschina.cn
    RoleDefinitionName : Virtual Machine Operator
    RoleDefinitionId   : d0b203bd-37e1-4006-871c-8b0330d657f6
    ObjectId           : 42bfdd38-4d2c-4abb-8b4c-fcf5ab1e7f11
    ObjectType         : User
    CanDelegate        : False

    • Verify

    Logged in as rbacuser, only the rbacgroup resource group is visible; starting, stopping and restarting its VMs works, while deleting a VM is rejected with a permission error because Microsoft.Compute/virtualMachines/delete is not in the role.

    clip_image006
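    Beyond the manual test above, the least-privilege property of the custom role can be checked mechanically: expand every wildcard in its Actions and NotActions against the real operation catalogue and confirm that none of the code-execution or credential operations from the list earlier survive. The script below does that for the custom role and, for comparison, for its Virtual Machine Contributor template. It is an added example, not code from the original post; it assumes the AzureRm module, an active session, the role names used in the post, and the `$Dangerous` list is my own choice of operations to flag.

```powershell
# Added audit script (not from the original post). Assumes the AzureRm module
# and an active session. Role names are those used in the post; the $Dangerous
# list is an assumption about what a power-only operator must never hold.
param(
    [string]$RoleName     = "Virtual Machine Operator",
    [string]$TemplateName = "Virtual Machine Contributor"
)

# Operations that give the holder code execution, interactive logon or
# credentials on the guest, or let it replace/destroy the VM.
$Dangerous = @(
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/login/action",
    "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/listKeys/action"
)

# Full operation catalogue, so wildcard patterns are expanded the way Azure
# evaluates them: '*' matches across '/' segments, exactly as -like does.
$Catalog = Get-AzureRmProviderOperation "*" | Select-Object -ExpandProperty Operation

function Expand-Patterns {
    param([string[]]$Patterns)
    $hits = foreach ($p in $Patterns) { $Catalog | Where-Object { $_ -like $p } }
    return @($hits | Sort-Object -Unique)
}

function Get-EffectiveOperations {
    param([Parameter(Mandatory)]$Role)
    $allowed = Expand-Patterns $Role.Actions
    $denied  = Expand-Patterns $Role.NotActions
    # NotActions only subtracts from this role's Actions; it is not a deny rule
    # that overrides permissions granted by another role assignment.
    return @($allowed | Where-Object { $denied -notcontains $_ })
}

function Test-RoleLeastPrivilege {
    param([string]$Name)
    $role = Get-AzureRmRoleDefinition -Name $Name
    if (-not $role) { throw "Role '$Name' not found" }
    $ops = Get-EffectiveOperations $role
    $bad = @($ops | Where-Object { $Dangerous -contains $_ })
    [pscustomobject]@{
        Role       = $Name
        IsCustom   = $role.IsCustom
        Operations = $ops.Count
        Flagged    = $bad
    }
}

$template = Test-RoleLeastPrivilege $TemplateName
$custom   = Test-RoleLeastPrivilege $RoleName

"{0}: {1} effective operations, {2} flagged" -f $template.Role, $template.Operations, $template.Flagged.Count
$template.Flagged | ForEach-Object { "  template grants: $_" }
"{0}: {1} effective operations, {2} flagged" -f $custom.Role, $custom.Operations, $custom.Flagged.Count
if ($custom.Flagged.Count -gt 0) {
    $custom.Flagged | ForEach-Object { Write-Warning "custom role still grants: $_" }
    exit 1
}
"OK: $RoleName grants no code-execution, logon or credential operations on VMs."
```

    Against the role built in this post, the template is expected to be flagged on runCommand/action, extensions/write, write and delete (all covered by its Microsoft.Compute/virtualMachines/* wildcard), while the custom role should come back clean: its only wildcards are */read patterns and Microsoft.Insights/alertRules/*, and */read never matches a POST-style /action operation such as listKeys. Re-run the script whenever the role is edited with Set-AzureRmRoleDefinition, since a later "convenience" change that re-adds a wildcard is the usual way such roles regain code execution.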

  • Original post: https://www.cnblogs.com/smallfox/p/10260669.html