“朕赐给你,才是你的;朕不给,你不能抢”--custome role在Azure权限管理中的简单实践
在开始详细讨论技术问题之前,有一些个人观点想发表一下:
---作为一个甲方云平台的掌控着,如果任何事情你都是让partner全部帮你搞定,自己既不审核也不研究,那无论是对于公司还是个人发展来说都是没任何实际上的帮助。对公司,有你没有你反正都能做事,因为说到底你甲方的云平台治理以及合规几乎等于没有,规则也都是别人说了算,要你有何用呢?还浪费公司的用人成本。对个人来说,你不仅没有从管理云平台中学习到任何东西,等哪天遇到职位变动,你跑到市场上也没有任何的竞争力,因为现在市场上即便是管理岗位也都需要一定的技术背景,更何况是要做事的。
---学习任何技能如果你都想着让别人来教你而不是自学思考,虽然短时间内可以掌握做某一件事情的方法,但是从长期来说你依然和一个战五渣没有任何区别。因为你根本没有掌握学习最本质的东西。作为一个IT从业人员,自学能力往往决定了你在技术层面能走多远。
---再忙也要沉淀下来思考总结。如果整天都在重复的劳动,没有去思考,总结,那你的知识体系永远是零散的,你的手中永远只有information而不是knowledge。
接下来我们进入正题。
在之前的文章“如何利用Azure Automation以及Tag自动开关VM” 一文中我们有提到如果利用Azure Automation做到自动开关机来节省开发测试VM的费用,但是你能做的只有仅仅如此么?
NoNoNo......即便你做到了每天早八点到晚八点的开关机,application vendor/owner 真的每天都会去用满么?可能他们一周也就两三天的时间进行开发和测试,其余时候都是空跑着。
如果突然哪天他们要晚上八点后或者周末开机,你还要手动从portal或者Azure手机控制端帮助他们进行start操作。即便你有partner,你也至少要发一条微信或者邮件来进行授权吧?何其低效!如果你正好在国外旅游呢?岂不是打扰了你度假的美好时光?
那我们换一个思路,假如Application team可以自己开关VM,然后你著需要每天晚上十一点你设定一个强制关机job,其实某种程度上既方便了自己和别人,也进一步起到了cost saving 的效果。
其实这个操作过程非常的简单,如果你有一定的自学领悟能力可以通过以下链接进行实际操作,只要有一定的powershell基础的基本都能够搞定:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell
那我在这里主要通过授权开机的案例来大概阐述一下整个思路。
1. 查看已有的role
也许会有人觉得现有的RBAC role难道解决不了问题么?呵呵,那我们一起看下
安装Azure Powershell和登陆azure中国环境的步骤我就不做阐述了。
首先我们先看一下目前有哪些role和VM是相关的,运行如下命令:
Get-AzureRmRoleDefinition | where name -like "*virtual machine*" | ConvertTo-Json
输出如下
[
{
"Name": "Classic Virtual Machine Contributor",
"Id": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"IsCustom": false,
"Description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.",
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
},
{
"Name": "Virtual Machine Administrator Login",
"Id": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"IsCustom": false,
"Description": "View Virtual Machines in the portal and login as administrator",
"Actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
},
{
"Name": "Virtual Machine Contributor",
"Id": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"IsCustom": false,
"Description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they�re connected to.",
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
},
{
"Name": "Virtual Machine User Login",
"Id": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"IsCustom": false,
"Description": "View Virtual Machines in the portal and login as a regular user.",
"Actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"NotActions": [ ],
"AssignableScopes": [
"/"
]
}
]
最接近我们需求的是Azure Virtual Machine Contributor这个role,但是你在action中你会发现有一些多余的权限是和开关机是没有任何关系的,所以我们依然需要尽可能控制好权限的颗粒度
2.确定你需要哪些权限,并准备JSON文件。
运行以下命令来get所有VM的action:
Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize
输出如下:
OperationName Operation Description
------------- --------- -----------
Get Virtual Machine Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Create or Update Virtual Machine Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an existing virtual machine
Delete Virtual Machine Microsoft.Compute/virtualMachines/delete Deletes the virtual machine
Start Virtual Machine Microsoft.Compute/virtualMachines/start/action Starts the virtual machine
Power Off Virtual Machine Microsoft.Compute/virtualMachines/powerOff/action Powers off the virtual machine. Note that the virtual machine will continue to be billed.
Redeploy Virtual Machine Microsoft.Compute/virtualMachines/redeploy/action Redeploys virtual machine
Restart Virtual Machine Microsoft.Compute/virtualMachines/restart/action Restarts the virtual machine
Deallocate Virtual Machine Microsoft.Compute/virtualMachines/deallocate/action Powers off the virtual machine and releases the compute resources
Generalize Virtual Machine Microsoft.Compute/virtualMachines/generalize/action Sets the virtual machine state to Generalized and prepares the virtual machine for capture
Capture Virtual Machine Microsoft.Compute/virtualMachines/capture/action Captures the virtual machine by copying virtual hard disks and generates a template that can be used to create similar virtual machines
Run Command on Virtual Machine Microsoft.Compute/virtualMachines/runCommand/action Executes a predefined script on the virtual machine
Convert Virtual Machine disks to Managed Disks Microsoft.Compute/virtualMachines/convertToManagedDisks/action Converts the blob based disks of the virtual machine to managed disks
Perform Maintenance Redeploy Microsoft.Compute/virtualMachines/performMaintenance/action Performs Maintenance Operation on the VM.
Reimage Virtual Machine Microsoft.Compute/virtualMachines/reimage/action Reimages virtual machine which is using differencing disk.
Log in to Virtual Machine Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular user
Log in to Virtual Machine as administrator Microsoft.Compute/virtualMachines/loginAsAdmin/action Log in to a virtual machine with Windows administrator or Linux root user privileges
Get Virtual Machine Instance View Microsoft.Compute/virtualMachines/instanceView/read Gets the detailed runtime status of the virtual machine and its resources
Lists Available Virtual Machine Sizes Microsoft.Compute/virtualMachines/vmSizes/read Lists available sizes the virtual machine can be updated to
Get Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/read Get the properties of a virtual machine extension
Create or Update Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/write Creates a new virtual machine extension or updates an existing one
Delete Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/delete Deletes the virtual machine extension
结合之前的Azure Virtual Machine contributor其中我们筛选了一些action,并自定义如下的json文件,
{
"Name": "Azure VM Power Operator",
"Id": null,
"IsCustom": true,
"Description": "Allows for Start/Power Off VMs",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action ",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/11111111-1111-1111-1111-111111111111"
]
}
具体的action可以根据自己的需求来选择,其中assignablescope里要填写自己想要使用此role的订阅
3. 创建custom role
创建好后保存为json文件到某个路径比如C:\CustomRoles\customrole1.json, 然后运行如下脚本创建custom role
New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"
创建好后你可以get一下看是否生效:
Get-AzureRmRoleDefinition -Name "Azure VM Power Operator" | ConvertTo-Json
输出如下:
{
"Name": "Azure VM Power Operator",
"Id": "67eb4d22-9063-411c-8be2-75b800b07625",
"IsCustom": true,
"Description": "Allows for Start/Power Off VMs",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/11111111-1111-1111-1111-111111111111"
]
}
你也可以通过一些powershell命令去增删改你的custome role,具体操作文章开始的连接中也都有,这里不多作详细阐述,主要以介绍思路为主
4. 授权
通过Azure portal或者powershell在相应的VM上对特定账号进行授权:
可以看到role的下拉菜单里已经有我们自定义的“Azure VM Power Operator”
总的来说azure RBAC的custom role可以满足绝大多数企业对Azure的权限管控需求,但具体的哪些role需要哪些action,依然还是要企业云平台的管理者根据自身的情况自己去定义。
如果有哪些更好的使用场景也欢迎大家留言讨论。
“朕赐给你,才是你的;朕不给,你不能抢”--custome role在Azure权限管理中的简单实践的更多相关文章
- [THINKING IN JAVA]复用类
7 复用类 7.1 组合 即在一个类中使用另一个类作为成员变量,这是复用了现有程序代码的功能,而非形式. 7.2 继承 关键字:extends,这种复用是形式的复用,是一种可扩展和限制的复用: 复用: ...
- 网页样式——各种炫酷效果持续更新ing...
1.evanyou效果-彩带的实现,效果如下 注:这个主要用的是Canvas画布实现的,点击背景绘制新的图形,代码如下: /*Html代码:*/ <canvas id=">< ...
- 10、ERP设计之系统基础管理(BS)- 平台化设计
ShareERP 2013-09-03 ERP业务平台化是每个软件提供商必须要进行的趋势,传统定制化路线已死,不能走定制化的老路了.以往最大问的题是不能累积和沉淀技术及提升项目业务管理能力,其次是管理 ...
- Linux系列教程(十六)——Linux权限管理之ACL权限
通过前面的两篇博客我们介绍了Linux系统的用户管理,Linux用户和用户组管理之相关配置文件 讲解了用户管理的相关配置文件,包括用户信息文件/etc/passwd,用户密码文件/etc/shadow ...
- zabbix配置微信报警
首先我们先目睹下微信报警的效果 接下来我们正式开始操作. 一:注册企业微信. 打开企业微信注册:http://work.weixin.qq.com 根据以上提示填入相应的内容,然后注册即可. 二:登录 ...
- 全废话SQL Server统计信息(2)——统计信息基础
接上文:http://blog.csdn.net/dba_huangzj/article/details/52835958 我想在大地上画满窗子,让所有习惯黑暗的眼睛都习惯光明--顾城<我是一个 ...
- casbin-权限管理
概要 权限管理几乎是每个系统或者服务都会直接或者间接涉及的部分. 权限管理保障了资源(大部分时候就是数据)的安全, 权限管理一般都是和业务强关联, 每当有新的业务或者业务变化时, 不能将精力完全放在业 ...
- Linux基础知识之用户和用户组以及 Linux 权限管理
已经开始接触Linux用户管理,用户组管理,以及权限管理这几个逼格满满的关键字.这几个关键字对于前端程序猿的我来说真的是很高大上有木有,以前尝试学 Linux 的时候看到这些名词总是下意识的跳过不敢看 ...
- Linux权限管理之ACL权限
注:转载自:https://www.cnblogs.com/ysocean/p/7801329.html 目录 1.什么是 ACL 权限? 2.查看分区 ACL 权限是否开启:dump2fs ①.查看 ...
随机推荐
- C++ Builder 控件的卸载
控件卸载: 1.选择 BCB 菜单 File→Close All (关闭所有文件) 选择BCB 菜单: Project→Options→Packages 在 ...
- ngnix 安装
1安装PCRE库 ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ 下载最新的 PCRE 源码包,使用下面命令下载编译和安装 PCRE 包: ...
- 因为 'PRIMARY' 文件组已满。请删除不需要的文件、删除文件组中的对象、将其他文件添加到文件组或为文件组中的现有文件启用自动增长,以便增加可用磁盘空间
导致你的问题的,应该有2种可能性: 1.存放你的primary文件组的磁盘,已经满了: use master--你的数据库名称 go --看看你的primary组里的文件 select ds.name ...
- python代码检查工具pylint 让你的python更规范
1.pylint是什么? Pylint 是一个 Python 代码分析工具,它分析 Python 代码中的错误,查找不符合代码风格标准(Pylint 默认使用的代码风格是 PEP 8,具体信息,请参阅 ...
- SYN4102型 GPS同步时钟
SYN4102型 GPS同步时钟 产品概述 SYN4102型GPS同步时钟是由西安同步电子科技有限公司精心设计.自行研发生产的一款高精度锁相时钟频率源,接收GPS信号,使恒温晶振输出频率同步于GPS ...
- SQL Server Alwayson架构下 服务器 各虚拟IP漂移监控告警的功能实现 -2(虚拟IP视角)
1.需求描述 我们知道Windows Cluster 都是多节点的,当虚拟IP漂移的时候,一般都是从一个节点漂移到另外一个节点.如果可以及时捕捉到旧节点信息是什么.新节点信息是什么对我们提供高可用的数 ...
- MSVBVM60.dll中函数
本文转载!!! 原文作者:飘云(飘云阁安全论坛) 原文地址:http://www.chinapyg.com/forum.php?mod=viewthread&tid=2225&high ...
- Azkaban学习之路(二)—— Azkaban 3.x 编译及部署
一.Azkaban 源码编译 1.1 下载并解压 Azkaban 在3.0版本之后就不提供对应的安装包,需要自己下载源码进行编译. 下载所需版本的源码,Azkaban的源码托管在GitHub上,地址为 ...
- 【MYSQL】mysql大数据量分页性能优化
转载地址: http://www.cnblogs.com/lpfuture/p/5772055.html https://www.cnblogs.com/shiwenhu/p/5757250.html ...
- webpack打包(一)
1.安装webpack打包工具 webpack是使用npm安装 npm install webpack -g //全局安装 在命令行中就可以使用webpack这个命令了. 提示:由于npm安装会去找国 ...