"What the Emperor grants is yours; what he does not grant, you may not seize" -- a simple practice of custom roles in Azure permission management

Before getting into the technical details, I want to share a few personal opinions:

---As the person in charge of a customer-side cloud platform, if you let your partner handle everything and neither review nor study it yourself, it helps neither the company nor your own development. For the company: the work gets done with or without you, because in the end your cloud governance and compliance are close to nonexistent and the rules are set by someone else, so what are you for, other than a line on the payroll? For yourself: you learn nothing from running the platform, and when a job change comes along you have no competitive edge on the market, because even management positions now require some technical background, let alone hands-on roles.

---If you always expect to be taught a skill rather than teaching yourself and thinking it through, you may pick up how to do one specific thing in the short term, but in the long run you are still no better than a "level-5 scrub", because you never grasped what learning is really about. For an IT professional, the ability to self-learn largely determines how far you can go technically.

---However busy you are, take time to settle down, reflect and summarize. If all you do is repeat the same work without thinking and summarizing, your knowledge stays fragmented: you hold information, not knowledge.

Now to the main topic.

In the earlier article "How to use Azure Automation and Tags to start and stop VMs automatically" we covered using Azure Automation to power dev/test VMs on and off on a schedule to save cost. But is that really all you can do?

No, no, no... Even with an 8 a.m. to 8 p.m. schedule, will the application vendor/owner really use the VMs every day? Most likely they develop and test two or three days a week, and the rest of the time the machines idle.

And if one day they need a VM after 8 p.m. or on a weekend, you have to start it for them by hand from the portal or the Azure mobile app. Even if you have a partner, you at least have to send a WeChat message or an email to authorize it. How inefficient! And if you happen to be travelling abroad, there goes your holiday.

So let's turn it around: let the application team start and stop their own VMs, and you only need to set up a forced shutdown job at 11 p.m. every night. That is more convenient for both sides and saves even more cost.

The procedure is actually very simple. If you have some capacity for self-learning, you can work through the link below on your own; anyone with a basic grasp of PowerShell can manage it:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell

Here I will walk through the overall idea using the example of delegating VM start/stop.

1. Review the existing roles

Some may wonder whether the existing built-in RBAC roles already solve the problem. Well, let's have a look.

I will skip installing Azure PowerShell and signing in to the Azure China environment (Connect-AzureRmAccount -Environment AzureChinaCloud). The commands below use the AzureRM module of the time; it has since been retired in favour of the Az module, where the same cmdlets exist with "AzureRm" replaced by "Az" (for example Get-AzRoleDefinition, New-AzRoleDefinition, Get-AzProviderOperation, New-AzRoleAssignment).

First let's see which roles currently relate to virtual machines. Run:

Get-AzureRmRoleDefinition | where name -like "*virtual machine*" | ConvertTo-Json

Output:

[
    {
        "Name":  "Classic Virtual Machine Contributor",
        "Id":  "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
        "IsCustom":  false,
        "Description":  "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.",
        "Actions":  [
                        "Microsoft.Authorization/*/read",
                        "Microsoft.ClassicCompute/domainNames/*",
                        "Microsoft.ClassicCompute/virtualMachines/*",
                        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
                        "Microsoft.ClassicNetwork/reservedIps/link/action",
                        "Microsoft.ClassicNetwork/reservedIps/read",
                        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
                        "Microsoft.ClassicNetwork/virtualNetworks/read",
                        "Microsoft.ClassicStorage/storageAccounts/disks/read",
                        "Microsoft.ClassicStorage/storageAccounts/images/read",
                        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
                        "Microsoft.ClassicStorage/storageAccounts/read",
                        "Microsoft.Insights/alertRules/*",
                        "Microsoft.ResourceHealth/availabilityStatuses/read",
                        "Microsoft.Resources/deployments/*",
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                        "Microsoft.Support/*"
                    ],
        "NotActions":  [

                       ],
        "AssignableScopes":  [
                                 "/"
                             ]
    },
    {
        "Name":  "Virtual Machine Administrator Login",
        "Id":  "1c0163c0-47e6-4577-8991-ea5c82e286e4",
        "IsCustom":  false,
        "Description":  "View Virtual Machines in the portal and login as administrator",
        "Actions":  [
                        "Microsoft.Network/publicIPAddresses/read",
                        "Microsoft.Network/virtualNetworks/read",
                        "Microsoft.Network/loadBalancers/read",
                        "Microsoft.Network/networkInterfaces/read",
                        "Microsoft.Compute/virtualMachines/*/read"
                    ],
        "NotActions":  [

                       ],
        "AssignableScopes":  [
                                 "/"
                             ]
    },
    {
        "Name":  "Virtual Machine Contributor",
        "Id":  "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
        "IsCustom":  false,
        "Description":  "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
        "Actions":  [
                        "Microsoft.Authorization/*/read",
                        "Microsoft.Compute/availabilitySets/*",
                        "Microsoft.Compute/locations/*",
                        "Microsoft.Compute/virtualMachines/*",
                        "Microsoft.Compute/virtualMachineScaleSets/*",
                        "Microsoft.DevTestLab/schedules/*",
                        "Microsoft.Insights/alertRules/*",
                        "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
                        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
                        "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
                        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
                        "Microsoft.Network/loadBalancers/read",
                        "Microsoft.Network/loadBalancers/probes/join/action",
                        "Microsoft.Network/locations/*",
                        "Microsoft.Network/networkInterfaces/*",
                        "Microsoft.Network/networkSecurityGroups/join/action",
                        "Microsoft.Network/networkSecurityGroups/read",
                        "Microsoft.Network/publicIPAddresses/join/action",
                        "Microsoft.Network/publicIPAddresses/read",
                        "Microsoft.Network/virtualNetworks/read",
                        "Microsoft.Network/virtualNetworks/subnets/join/action",
                        "Microsoft.RecoveryServices/locations/*",
                        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
                        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
                        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
                        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
                        "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
                        "Microsoft.RecoveryServices/Vaults/read",
                        "Microsoft.RecoveryServices/Vaults/usages/read",
                        "Microsoft.RecoveryServices/Vaults/write",
                        "Microsoft.ResourceHealth/availabilityStatuses/read",
                        "Microsoft.Resources/deployments/*",
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                        "Microsoft.Storage/storageAccounts/listKeys/action",
                        "Microsoft.Storage/storageAccounts/read",
                        "Microsoft.Support/*"
                    ],
        "NotActions":  [

                       ],
        "AssignableScopes":  [
                                 "/"
                             ]
    },
    {
        "Name":  "Virtual Machine User Login",
        "Id":  "fb879df8-f326-4884-b1cf-06f3ad86be52",
        "IsCustom":  false,
        "Description":  "View Virtual Machines in the portal and login as a regular user.",
        "Actions":  [
                        "Microsoft.Network/publicIPAddresses/read",
                        "Microsoft.Network/virtualNetworks/read",
                        "Microsoft.Network/loadBalancers/read",
                        "Microsoft.Network/networkInterfaces/read",
                        "Microsoft.Compute/virtualMachines/*/read"
                    ],
        "NotActions":  [

                       ],
        "AssignableScopes":  [
                                 "/"
                             ]
    }
]

The closest match to our need is the built-in Virtual Machine Contributor role, but look at its Actions: much of it has nothing to do with powering a VM on or off, and some of it is outright dangerous to hand to an application team. Microsoft.Compute/virtualMachines/* alone covers write and delete, runCommand/action (run a script inside the guest OS with administrator privileges) and extensions/write (install an arbitrary VM extension, another route to code execution), and Microsoft.Storage/storageAccounts/listKeys/action hands out storage account keys. Granting all of that just so someone can start a VM is far beyond least privilege, so we still need to control the granularity of permissions as tightly as we can.

2. Decide which permissions you need and prepare the JSON file.

Run the following to list every operation under the virtual machine resource type:

Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

Output:

OperationName                                  Operation                                                      Description                                                                                                                            
-------------                                  ---------                                                      -----------                                                                                                                            
Get Virtual Machine                            Microsoft.Compute/virtualMachines/read                         Get the properties of a virtual machine                                                                                                
Create or Update Virtual Machine               Microsoft.Compute/virtualMachines/write                        Creates a new virtual machine or updates an existing virtual machine                                                                   
Delete Virtual Machine                         Microsoft.Compute/virtualMachines/delete                       Deletes the virtual machine                                                                                                            
Start Virtual Machine                          Microsoft.Compute/virtualMachines/start/action                 Starts the virtual machine                                                                                                             
Power Off Virtual Machine                      Microsoft.Compute/virtualMachines/powerOff/action              Powers off the virtual machine. Note that the virtual machine will continue to be billed.                                              
Redeploy Virtual Machine                       Microsoft.Compute/virtualMachines/redeploy/action              Redeploys virtual machine                                                                                                              
Restart Virtual Machine                        Microsoft.Compute/virtualMachines/restart/action               Restarts the virtual machine                                                                                                           
Deallocate Virtual Machine                     Microsoft.Compute/virtualMachines/deallocate/action            Powers off the virtual machine and releases the compute resources                                                                      
Generalize Virtual Machine                     Microsoft.Compute/virtualMachines/generalize/action            Sets the virtual machine state to Generalized and prepares the virtual machine for capture                                             
Capture Virtual Machine                        Microsoft.Compute/virtualMachines/capture/action               Captures the virtual machine by copying virtual hard disks and generates a template that can be used to create similar virtual machines
Run Command on Virtual Machine                 Microsoft.Compute/virtualMachines/runCommand/action            Executes a predefined script on the virtual machine                                                                                    
Convert Virtual Machine disks to Managed Disks Microsoft.Compute/virtualMachines/convertToManagedDisks/action Converts the blob based disks of the virtual machine to managed disks                                                                  
Perform Maintenance Redeploy                   Microsoft.Compute/virtualMachines/performMaintenance/action    Performs Maintenance Operation on the VM.                                                                                              
Reimage Virtual Machine                        Microsoft.Compute/virtualMachines/reimage/action               Reimages virtual machine which is using differencing disk.                                                                             
Log in to Virtual Machine                      Microsoft.Compute/virtualMachines/login/action                 Log in to a virtual machine as a regular user                                                                                          
Log in to Virtual Machine as administrator     Microsoft.Compute/virtualMachines/loginAsAdmin/action          Log in to a virtual machine with Windows administrator or Linux root user privileges                                                   
Get Virtual Machine Instance View              Microsoft.Compute/virtualMachines/instanceView/read            Gets the detailed runtime status of the virtual machine and its resources                                                              
Lists Available Virtual Machine Sizes          Microsoft.Compute/virtualMachines/vmSizes/read                 Lists available sizes the virtual machine can be updated to                                                                            
Get Virtual Machine Extension                  Microsoft.Compute/virtualMachines/extensions/read              Get the properties of a virtual machine extension                                                                                      
Create or Update Virtual Machine Extension     Microsoft.Compute/virtualMachines/extensions/write             Creates a new virtual machine extension or updates an existing one                                                                     
Delete Virtual Machine Extension               Microsoft.Compute/virtualMachines/extensions/delete            Deletes the virtual machine extension                                                                                                  

Combining this list with the Actions of Virtual Machine Contributor, we picked out the few actions we actually need and defined the following JSON file:

{
  "Name": "Azure VM Power Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for Start/Power Off VMs",
  "Actions": [
    "Microsoft.Compute/*/read",
    "Microsoft.Storage/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/11111111-1111-1111-1111-111111111111"
  ]
}

Pick the actions according to your own needs, and put the subscription in which the role will be used into AssignableScopes. Two things are worth noting when choosing. First, as the operation list above says, powerOff/action stops the guest but the VM continues to be billed; only deallocate/action releases the compute resources and stops the charge, so for the cost-saving goal the team (and your 11 p.m. job) should deallocate rather than merely power off. Second, the custom role lists concrete actions instead of the wildcard Microsoft.Compute/virtualMachines/*, so it does not silently grow when Microsoft adds new operations under that resource type.

3. Create the custom role

Save the definition as a JSON file somewhere, for example C:\CustomRoles\customrole1.json, then run the following to create the custom role:

New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"

Once created, read it back to confirm it took effect:

Get-AzureRmRoleDefinition -Name "Azure VM Power Operator" | ConvertTo-Json

Output:

{
    "Name":  "Azure VM Power Operator",
    "Id":  "67eb4d22-9063-411c-8be2-75b800b07625",
    "IsCustom":  true,
    "Description":  "Allows for Start/Power Off VMs",
    "Actions":  [
                    "Microsoft.Compute/*/read",
                    "Microsoft.Storage/*/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/powerOff/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"
                ],
    "NotActions":  [

                   ],
    "AssignableScopes":  [
                            
                             "/subscriptions/11111111-1111-1111-1111-111111111111"
                         ]
}

You can also add, modify and delete custom roles with other PowerShell commands; they are all covered in the link at the start of the article, so I won't go into detail here. The focus is on the approach.

4. Grant the role

Grant the role to the specific account on the relevant VM through the Azure portal or PowerShell:

You can see that our custom "Azure VM Power Operator" already appears in the role drop-down list.
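As an added end-to-end example (not code from the original post), the script below runs the four steps above in one go with the AzureRM cmdlets the post uses: it expands both the built-in Virtual Machine Contributor role and the custom role against the full provider operation list to show exactly which operations the custom role drops, creates the role from the step 2 JSON if it does not exist yet, assigns it to the application team's security group at resource-group scope, and finally audits which principals at that scope can still run commands inside the VMs. The subscription ID, resource group name, security group name and JSON path are placeholders; the Test-RoleGrants helper is mine and implements the documented Actions/NotActions wildcard rule rather than any Azure API.

```powershell
# Added end-to-end example (not code from the original post). Assumes the AzureRM
# module is loaded and Connect-AzureRmAccount -Environment AzureChinaCloud has been run.
# The subscription ID, resource group, security group name and JSON path are placeholders.

$subId    = '11111111-1111-1111-1111-111111111111'
$rgName   = 'rg-app1-dev'                       # the team's dev/test VMs live here
$scope    = "/subscriptions/$subId/resourceGroups/$rgName"
$roleName = 'Azure VM Power Operator'
$jsonPath = 'C:\CustomRoles\customrole1.json'   # the definition from step 2

# Azure RBAC rule: an operation is granted when some Actions pattern matches it and no
# NotActions pattern does. '*' in a pattern matches any run of characters.
function Test-RoleGrants {
    param($Role, [string]$Operation)
    $anyMatch = { param($Patterns)
        @($Patterns | Where-Object {
            $re = '^' + [regex]::Escape($_.Trim()).Replace('\*', '.*') + '$'
            $Operation -imatch $re
        }).Count -gt 0
    }
    (& $anyMatch $Role.Actions) -and -not (& $anyMatch $Role.NotActions)
}

# Steps 1-2: what does Virtual Machine Contributor grant that a power operator does not
# need? Expand both roles against the full list of provider operations and diff them.
$allOps  = (Get-AzureRmProviderOperation *).Operation
$builtin = Get-AzureRmRoleDefinition -Name 'Virtual Machine Contributor'
$custom  = Get-Content $jsonPath -Raw | ConvertFrom-Json
$excess  = @($allOps | Where-Object {
    (Test-RoleGrants $builtin $_) -and -not (Test-RoleGrants $custom $_)
})
"Operations granted by Virtual Machine Contributor but not by '$roleName': $($excess.Count)"
# The ones that matter most: code execution inside the guest, key disclosure, deletion
$excess | Where-Object { $_ -match 'runCommand|extensions/write|listKeys|/delete$' }

# Step 3: create the role from the JSON (skip if it already exists)
if (-not (Get-AzureRmRoleDefinition -Name $roleName)) {
    New-AzureRmRoleDefinition -InputFile $jsonPath | Out-Null
}

# Step 4: assign to the team's security group at resource-group scope. AssignableScopes
# in the JSON only says where the role MAY be assigned; the scope given here is what
# the team actually gets, so keep it at the RG (or a single VM), not the subscription.
$group    = Get-AzureRmADGroup -SearchString 'sg-app1-devteam' | Select-Object -First 1
$existing = Get-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Audit: who at this scope (directly or by inheritance) can still run commands inside
# the VMs? Owner/Contributor-type roles are expected here; the team's group must not be.
$runCmd = 'Microsoft.Compute/virtualMachines/runCommand/action'
Get-AzureRmRoleAssignment -Scope $scope | ForEach-Object {
    $role = Get-AzureRmRoleDefinition -Name $_.RoleDefinitionName
    if (Test-RoleGrants $role $runCmd) {
        [pscustomobject]@{ Principal = $_.DisplayName; Type = $_.ObjectType
                           Role = $role.Name;          Scope = $_.Scope }
    }
} | Format-Table -AutoSize
```

Assigning at resource-group scope rather than per VM means a VM that is rebuilt in the same resource group keeps the same delegation, and assigning to a group keeps joiners and leavers out of RBAC entirely. The final audit is the check worth repeating after every change: the custom role only ever appears there if someone has added runCommand or a wildcard to it later.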

In summary, Azure RBAC custom roles can meet the permission-control needs of the vast majority of enterprises on Azure, but exactly which roles need which actions is still something the enterprise's cloud platform administrators have to define for their own situation.

If you have better use cases, feel free to leave a comment and discuss.

Original post: https://www.cnblogs.com/tenghaohua/p/11167291.html