Before getting into the technical details, I would like to share a few personal opinions:

--- As the person in charge of a customer-side cloud platform, if you let the partner do everything for you and neither review nor study any of it, it helps neither the company nor your own development. For the company, the work gets done with or without you, because in the end your governance and compliance of the cloud platform barely exist and the rules are all set by someone else; what are you for, other than adding to headcount cost? For you personally, you learn nothing from managing the cloud platform, and when a job change comes one day you will have no competitive edge on the market, because today even management positions require some technical background, let alone hands-on roles.

--- If you expect someone else to teach you every skill instead of learning and thinking for yourself, you may pick up a way to do one particular thing in the short term, but in the long run you are still no better than a pushover, because you have not grasped the essence of learning. For an IT professional, the ability to self-learn usually determines how far you can go technically.

--- However busy you are, take time to settle down, think and summarize. If all you do is repetitive labor without reflection and summary, your knowledge will forever be fragmented: what you hold is information, never knowledge.

Now to the main topic.

In the earlier article "如何利用Azure Automation以及Tag自动开关VM" (How to start and stop VMs automatically with Azure Automation and tags), we covered using Azure Automation to start and stop dev/test VMs on a schedule to save cost. But is that really all you can do?

No, no, no... Even with an 8 am to 8 pm start/stop schedule, will the application vendors/owners really use the VMs every day? They may only develop and test two or three days a week; the rest of the time the machines run idle.

And if one day they need a VM after 8 pm or on a weekend, you have to start it for them by hand from the portal or the Azure mobile app. Even with a partner, you would at least have to send a WeChat message or an e-mail to authorize it. How inefficient! And if you happen to be traveling abroad, doesn't that ruin your holiday?

So let's think differently: if the application team can start and stop their own VMs, and all you need is a forced shutdown job at 11 pm every night, that is more convenient for both you and them, and it saves even more cost.

The procedure is actually very simple. If you have some self-learning ability you can work through it with the link below; a basic grounding in PowerShell is enough:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell

Here I will use the example of granting power-on rights to outline the whole approach.

1. Look at the existing roles

Some may ask whether the existing RBAC roles can't already solve the problem. Well, let's have a look.

I will not cover installing Azure PowerShell and logging in to the Azure China environment.

First, let's see which roles are related to VMs by running:

Get-AzureRmRoleDefinition | where name -like "*virtual machine*" | ConvertTo-Json

The output is:

[
{
"Name": "Classic Virtual Machine Contributor",
"Id": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"IsCustom": false,
"Description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.",
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
},
{
"Name": "Virtual Machine Administrator Login",
"Id": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"IsCustom": false,
"Description": "View Virtual Machines in the portal and login as administrator",
"Actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
},
{
"Name": "Virtual Machine Contributor",
"Id": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"IsCustom": false,
"Description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
},
{
"Name": "Virtual Machine User Login",
"Id": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"IsCustom": false,
"Description": "View Virtual Machines in the portal and login as a regular user.",
"Actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
}
]

The closest to our need is the Virtual Machine Contributor role, but looking at its actions you will find extra permissions that have nothing to do with starting and stopping VMs, so we still need to keep the permission granularity as tight as possible.

2. Determine which permissions you need and prepare the JSON file.

Run the following command to get all the VM actions:

Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

Output:

| OperationName | Operation | Description |
|---|---|---|
| Get Virtual Machine | Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Create or Update Virtual Machine | Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Delete Virtual Machine | Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine |
| Start Virtual Machine | Microsoft.Compute/virtualMachines/start/action | Starts the virtual machine |
| Power Off Virtual Machine | Microsoft.Compute/virtualMachines/powerOff/action | Powers off the virtual machine. Note that the virtual machine will continue to be billed. |
| Redeploy Virtual Machine | Microsoft.Compute/virtualMachines/redeploy/action | Redeploys virtual machine |
| Restart Virtual Machine | Microsoft.Compute/virtualMachines/restart/action | Restarts the virtual machine |
| Deallocate Virtual Machine | Microsoft.Compute/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources |
| Generalize Virtual Machine | Microsoft.Compute/virtualMachines/generalize/action | Sets the virtual machine state to Generalized and prepares the virtual machine for capture |
| Capture Virtual Machine | Microsoft.Compute/virtualMachines/capture/action | Captures the virtual machine by copying virtual hard disks and generates a template that can be used to create similar virtual machines |
| Run Command on Virtual Machine | Microsoft.Compute/virtualMachines/runCommand/action | Executes a predefined script on the virtual machine |
| Convert Virtual Machine disks to Managed Disks | Microsoft.Compute/virtualMachines/convertToManagedDisks/action | Converts the blob based disks of the virtual machine to managed disks |
| Perform Maintenance Redeploy | Microsoft.Compute/virtualMachines/performMaintenance/action | Performs Maintenance Operation on the VM. |
| Reimage Virtual Machine | Microsoft.Compute/virtualMachines/reimage/action | Reimages virtual machine which is using differencing disk. |
| Log in to Virtual Machine | Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user |
| Log in to Virtual Machine as administrator | Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges |
| Get Virtual Machine Instance View | Microsoft.Compute/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources |
| Lists Available Virtual Machine Sizes | Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to |
| Get Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/read | Get the properties of a virtual machine extension |
| Create or Update Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/write | Creates a new virtual machine extension or updates an existing one |
| Delete Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/delete | Deletes the virtual machine extension |

Taking the Virtual Machine Contributor role above as the starting point, we selected a subset of its actions and defined the following custom JSON file:

{
    "Name": "Azure VM Power Operator",
    "Id": null,
    "IsCustom": true,
    "Description": "Allows for Start/Power Off VMs",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action"
    ],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/11111111-1111-1111-1111-111111111111"
    ]
}

Choose the actual actions according to your own needs; in AssignableScopes, enter the subscription in which you want to use this role.

3. Create the custom role

Save the definition as a JSON file under some path, for example C:\CustomRoles\customrole1.json, then run the following to create the custom role:

New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"

Once created, you can get it to check that it took effect:

Get-AzureRmRoleDefinition -Name "Azure VM Power Operator" | ConvertTo-Json

Output:

{
"Name": "Azure VM Power Operator",
"Id": "67eb4d22-9063-411c-8be2-75b800b07625",
"IsCustom": true,
"Description": "Allows for Start/Power Off VMs",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action"
],
"NotActions": [ ],
"AssignableScopes": [
"/subscriptions/11111111-1111-1111-1111-111111111111"
]
}

You can also add, delete and modify your custom role with other PowerShell commands; the link at the start of the article covers them, so I will not go into detail here, since the point is to present the approach.

4. Grant the role

Grant the role to the specific account on the relevant VM through the Azure portal or PowerShell:

You can see that our custom "Azure VM Power Operator" role already appears in the role drop-down menu.
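The following script is an added example and not code from the original post. It ties steps 1 to 4 together in the AzureRm module the post uses: it expands the wildcard actions of the built-in Virtual Machine Contributor role to show why it is too broad for a power operator (the table in step 2 lists delete, capture and runCommand under Microsoft.Compute/virtualMachines/*), builds the same "Azure VM Power Operator" definition as the JSON above, creates it, re-reads it and fails if it grants any non-read operation outside the four power actions, and finally assigns it at the scope of a single VM rather than the whole subscription. The subscription ID is the placeholder from the post; the resource group, VM name and user principal name are placeholders, and it is assumed that Get-AzureRmProviderOperation accepts the same wildcard patterns that appear in role definitions (the post itself calls it with "Microsoft.Compute/virtualMachines/*").

```powershell
# Added example (not from the original post). Assumes you are already logged in,
# e.g. Login-AzureRmAccount -EnvironmentName AzureChinaCloud for Azure China.

$SubscriptionId = "11111111-1111-1111-1111-111111111111"   # placeholder taken from the post
$RoleName       = "Azure VM Power Operator"
$ResourceGroup  = "rg-devtest"                             # placeholder
$VmName         = "vm-app01"                               # placeholder
$Principal      = "dev.user@contoso.partner.onmschina.cn"  # placeholder UPN

# The only non-read operations a power operator needs. Anything else that a
# role's wildcards expand to is reported as unexpected.
$Allowed = @(
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
)

# Expand the Actions of a role definition (wildcards included) into the concrete
# operations they grant and return the non-read ones outside the allow list.
function Get-UnexpectedActions {
    param([Parameter(Mandatory)] $Role)
    $granted = foreach ($pattern in $Role.Actions) {
        # Assumption: the cmdlet resolves wildcard search strings such as
        # "Microsoft.Compute/virtualMachines/*" and "Microsoft.Compute/*/read".
        (Get-AzureRmProviderOperation $pattern).Operation
    }
    $granted | Sort-Object -Unique |
        Where-Object { $_ -notlike "*/read" -and $Allowed -notcontains $_ }
}

# Step 1: show what the built-in role hands out beyond start/stop.
$builtin = Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
Write-Host "Virtual Machine Contributor grants beyond power operations (first 10):"
Get-UnexpectedActions -Role $builtin | Select-Object -First 10

# Step 2: define the custom role in code; same shape as the post's JSON file.
$definition = @{
    Name             = $RoleName
    IsCustom         = $true
    Description      = "Allows for Start/Power Off VMs"
    Actions          = @("Microsoft.Compute/*/read", "Microsoft.Storage/*/read") + $Allowed
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$SubscriptionId")
}
$jsonPath = Join-Path $env:TEMP "customrole1.json"
$definition | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath -Encoding UTF8

# Step 3: create the role once, then re-read it and audit what was actually stored.
if (-not (Get-AzureRmRoleDefinition -Name $RoleName)) {
    New-AzureRmRoleDefinition -InputFile $jsonPath | Out-Null
}
$custom     = Get-AzureRmRoleDefinition -Name $RoleName
$unexpected = Get-UnexpectedActions -Role $custom
if ($unexpected) {
    throw "Custom role grants more than power operations: $($unexpected -join ', ')"
}

# Step 4: assign at the narrowest scope that works, the single VM, not the
# resource group or the subscription.
$vmScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.Compute/virtualMachines/$VmName"
New-AzureRmRoleAssignment -SignInName $Principal -RoleDefinitionName $RoleName -Scope $vmScope

# Confirm what the account now holds at that scope.
Get-AzureRmRoleAssignment -SignInName $Principal -Scope $vmScope |
    Format-Table RoleDefinitionName, Scope -AutoSize
```

The audit function is the part worth keeping around: run it against any role before assigning it, and again whenever the role definition is edited, so that a wildcard added for convenience (for example widening Microsoft.Compute/*/read to Microsoft.Compute/*) is caught before anyone inherits it.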

In summary, Azure RBAC custom roles can satisfy the permission-control needs of the vast majority of enterprises on Azure, but which roles need which actions is still something the enterprise's cloud platform administrators must define for themselves based on their own situation.

If you have better use cases, feel free to leave a comment.

Original title: "朕赐给你,才是你的;朕不给,你不能抢" ("What I grant you is yours; what I do not grant, you may not take") -- a simple practice with custom roles in Azure permission management