Managing Azure resources with RBAC

Posted by smallfox


Editor's note: this article was compiled by the cha138.com editors and introduces how Azure resources are managed through RBAC; we hope it is a useful reference.

The diagram below shows the architecture of Azure role-based access control. Access is controlled through three elements:

  1. Security principal: an object that represents the user, group or service principal requesting access to Azure resources.
  2. Role definition: a collection of permissions, often simply called a "role". A role definition lists the operations that may be performed, such as read, write and delete. Azure ships with a number of built-in roles; if they do not fit the organisation's needs, custom roles can be created.
  3. Scope: the boundary within which the access applies. When assigning a role, the permitted operations can be narrowed further by choosing the scope.

A role assignment is built from exactly these three pieces: a principal, a role definition and a scope.

[image]

For Azure's built-in role definitions, and the differences between them, see https://docs.azure.cn/zh-cn/role-based-access-control/built-in-roles.

[image]

With the RBAC model in hand, let's test it against two typical enterprise scenarios.

  1. An outsourced project team may operate only on the resources in one specific resource group; every other resource group must be invisible to it.
  • Creating the user in Azure AD is omitted here.
  • Under Access control (IAM) of that resource group, add the user and assign a role. The user can then operate only on that resource group.

[image]

  • Log in as that account to verify: attempting to create a new resource group in the subscription fails.

[image]
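The portal steps above can be scripted, which also makes it easy to check the part of the requirement the screenshots cannot show: that the vendor account holds no assignment above the resource group, because any Reader-or-higher assignment inherited from the subscription would make every resource group visible again. The script below is an added example, not part of the original post. It uses the current Az module (the AzureRM cmdlets used on this page have been retired; the Az names simply drop the "Rm"). The sign-in name, resource group name and the choice of Contributor as the role are placeholders assumed for this example.

```powershell
# Added example (not from the original post): scenario 1 scripted with the Az module.
# Assumptions: the vendor account, resource group name and role below are placeholders.
#Requires -Modules Az.Accounts, Az.Resources
param(
    [string]$SignInName    = 'vendor@contoso.onmicrosoft.com',   # assumed
    [string]$ResourceGroup = 'vendor-rg',                         # assumed
    [string]$RoleName      = 'Contributor'                        # assumed
)

Connect-AzAccount | Out-Null
$sub   = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$sub/resourceGroups/$ResourceGroup"

# 1. Grant the role at resource-group scope only. Skip if the identical assignment
#    (principal, role, scope) already exists so the script can be re-run safely.
$existing = Get-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $RoleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# 2. Audit: list every assignment the principal holds in this subscription context,
#    including ones obtained through group membership. Anything scoped above the
#    resource group (subscription or management group) breaks the "invisible" requirement.
$all = Get-AzRoleAssignment -SignInName $SignInName -ExpandPrincipalGroups
$tooBroad = $all | Where-Object { $_.Scope -ne $scope -and $_.Scope -notlike "$scope/*" }

$all | Format-Table RoleDefinitionName, Scope -AutoSize
if ($tooBroad) {
    Write-Warning "Principal $SignInName has assignments outside ${scope}:"
    $tooBroad | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    Write-Host "OK: all assignments for $SignInName are at or below $scope"
}
```

Run it in a session that already has Owner or User Access Administrator on the subscription. The audit step is the one worth keeping in a scheduled job: a later "helpful" Reader assignment at subscription scope does not remove the resource-group assignment, it just silently widens what the vendor can see.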

  2. Create a custom role so that user rbacuser can start, power off and restart the virtual machines in resource group rbacgroup.
  • First, list the operations exposed by the Microsoft.Compute resource provider for virtual machines.

Get-AzureRmProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

OperationName | Operation | Description
------------- | --------- | -----------
Get Virtual Machine | Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine
Create or Update Virtual Machine | Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates ...
Delete Virtual Machine | Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine
Start Virtual Machine | Microsoft.Compute/virtualMachines/start/action | Starts the virtual machine
Power Off Virtual Machine | Microsoft.Compute/virtualMachines/powerOff/action | Powers off the virtual machine. Note that...
Redeploy Virtual Machine | Microsoft.Compute/virtualMachines/redeploy/action | Redeploys virtual machine
Restart Virtual Machine | Microsoft.Compute/virtualMachines/restart/action | Restarts the virtual machine
Deallocate Virtual Machine | Microsoft.Compute/virtualMachines/deallocate/action | Powers off the virtual machine and releas...
Generalize Virtual Machine | Microsoft.Compute/virtualMachines/generalize/action | Sets the virtual machine state to General...
Capture Virtual Machine | Microsoft.Compute/virtualMachines/capture/action | Captures the virtual machine by copying v...
Run Command on Virtual Machine | Microsoft.Compute/virtualMachines/runCommand/action | Executes a predefined script on the virtu...
Convert Virtual Machine disks to Managed Disks | Microsoft.Compute/virtualMachines/convertToManagedDisks/action | Converts the blob based disks of the virt...
Perform Maintenance Redeploy | Microsoft.Compute/virtualMachines/performMaintenance/action | Performs Maintenance Operation on the VM.
Reimage Virtual Machine | Microsoft.Compute/virtualMachines/reimage/action | Reimages virtual machine which is using d...
Log in to Virtual Machine | Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular ...
Log in to Virtual Machine as administrator | Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows ...
Get Virtual Machine Instance View | Microsoft.Compute/virtualMachines/instanceView/read | Gets the detailed runtime status of the v...
Lists Available Virtual Machine Sizes | Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine...
Get Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/read | Get the properties of a virtual machine e...
Create or Update Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/write | Creates a new virtual machine extension o...
Delete Virtual Machine Extension | Microsoft.Compute/virtualMachines/extensions/delete | Deletes the virtual machine extension

  • Collect the subscription and resource group identifiers.

Get-AzureRmSubscription | ft SubscriptionId

SubscriptionId
--------------
Xxxxxx

Get-AzureRmResourceGroup | ft ResourceId

[image]

  • This solution uses the built-in Virtual Machine Contributor role as a template. Note that its Microsoft.Compute/virtualMachines/* entry also covers runCommand/action and extensions/write from the listing above, both of which execute code inside the guest OS, so the Actions list is cleared and rebuilt from scratch rather than trimmed.
    • Inspect Virtual Machine Contributor

Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"

Name : Virtual Machine Contributor
Id : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
IsCustom : False
Description : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
Actions : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/}

  • Derive the new role from Virtual Machine Contributor

# Fetch the "Virtual Machine Contributor" definition to use as a template
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and start stop or restart virtual machines."
$role.Actions.Clear()
# Add read-only access to the surrounding resources (storage, network, compute, RBAC, resource groups)
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
# Add the VM power operations (no write, delete, runCommand or extension actions)
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Insights/alertRules/*")
# Restrict where this role may be assigned to the target subscription
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxxx")
# Create the custom role
New-AzureRmRoleDefinition -Role $role

Name : Virtual Machine Operator
Id : 55aca895-61dc-4162-b7a6-fbab532d14a2
IsCustom : True
Description : Can monitor and start stop or restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action...}
NotActions : {}
AssignableScopes : {/subscriptions/xxxxx}

  • Assign the role to rbacuser on the rbacgroup resource group.

New-AzureRmRoleAssignment -SignInName [email protected] -Scope /subscriptions/xxxxxx/resourceGroups/rbacgroup -RoleDefinitionName "Virtual Machine Operator"

RoleAssignmentId : /subscriptions/xxxxx/resourceGroups/rbacgroup/providers/Microsoft.Authorization/roleAssignments/336b10d9-4ae7-4832-87a8-7f3d1dccb834
Scope : /subscriptions/xxxxxx/resourceGroups/rbacgroup
DisplayName : RBACUSER
SignInName : [email protected]
RoleDefinitionName : Virtual Machine Operator
RoleDefinitionId : d0b203bd-37e1-4006-871c-8b0330d657f6
ObjectId : 42bfdd38-4d2c-4abb-8b4c-fcf5ab1e7f11
ObjectType : User
CanDelegate : False

  • Verify

Logged in as rbacuser, only the rbacgroup resource group is visible, and attempting to delete a virtual machine is rejected for lack of permission.

[image]
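The "delete is rejected" check above is one data point; what you really want before assigning a custom role is to know, for every operation in the provider listing, whether the role grants it. The script below is an added example, not part of the original post: an offline evaluator for the Actions/NotActions matching rules Azure RBAC applies to management-plane operations (a "*" matches any characters including "/", matching is case-insensitive, NotActions subtract only within the same role, and a principal is allowed if any of its role assignments allows the operation). It runs the built-in Virtual Machine Contributor entries and the custom Virtual Machine Operator role from this page against operations taken from the Get-AzureRmProviderOperation listing; no Azure login is needed. Function names are this example's own. Data-plane operations such as loginAsAdmin/action are evaluated by Azure against DataActions/NotDataActions and are deliberately left out here.

```powershell
# Added example, not from the original post: offline Actions/NotActions evaluation.

function Test-RbacPatternMatch {
    param([string]$Pattern, [string]$Operation)
    # Turn the RBAC wildcard into an anchored regex; "*" may span several path segments.
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return $Operation -imatch $regex
}

function Test-RbacRoleAllows {
    param([hashtable]$Role, [string]$Operation)
    $granted  = @($Role.Actions    | Where-Object { Test-RbacPatternMatch $_ $Operation }).Count -gt 0
    $excluded = @($Role.NotActions | Where-Object { Test-RbacPatternMatch $_ $Operation }).Count -gt 0
    return ($granted -and -not $excluded)
}

function Test-RbacAllowed {
    # Effective permission across every role assignment the principal holds at the scope:
    # a NotAction in one role never blocks an Action granted by another role.
    param([hashtable[]]$Roles, [string]$Operation)
    foreach ($r in $Roles) { if (Test-RbacRoleAllows $r $Operation) { return $true } }
    return $false
}

# Built-in Virtual Machine Contributor, the entries printed on this page.
$vmContributor = @{
    Name       = 'Virtual Machine Contributor'
    Actions    = @('Microsoft.Authorization/*/read', 'Microsoft.Compute/availabilitySets/*',
                   'Microsoft.Compute/locations/*', 'Microsoft.Compute/virtualMachines/*')
    NotActions = @()
}

# The custom Virtual Machine Operator role built on this page.
$vmOperator = @{
    Name       = 'Virtual Machine Operator'
    Actions    = @('Microsoft.Storage/*/read', 'Microsoft.Network/*/read', 'Microsoft.Compute/*/read',
                   'Microsoft.Authorization/*/read', 'Microsoft.Resources/subscriptions/resourceGroups/read',
                   'Microsoft.Compute/virtualMachines/start/action',
                   'Microsoft.Compute/virtualMachines/restart/action',
                   'Microsoft.Compute/virtualMachines/powerOff/action',
                   'Microsoft.Compute/virtualMachines/deallocate/action',
                   'Microsoft.Insights/alertRules/*')
    NotActions = @()
}

# Operations from the provider listing above. The last two execute code inside the guest,
# which is why cloning Virtual Machine Contributor wholesale is the wrong starting point.
$operations = @(
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/instanceView/read',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/extensions/write'
)

function Compare-RbacRoles {
    param([hashtable[]]$Roles, [string[]]$Operations)
    foreach ($op in $Operations) {
        $row = [ordered]@{ Operation = $op }
        foreach ($r in $Roles) { $row[$r.Name] = Test-RbacRoleAllows $r $op }
        [pscustomobject]$row
    }
}

Compare-RbacRoles -Roles @($vmContributor, $vmOperator) -Operations $operations | Format-Table -AutoSize

# NotActions are not a deny: a role that lists delete under NotActions is still overridden
# by a second assignment (here Virtual Machine Contributor) held at the same scope.
$operatorWithNotAction = @{
    Name       = 'Operator (NotActions delete)'
    Actions    = @('Microsoft.Compute/virtualMachines/*')
    NotActions = @('Microsoft.Compute/virtualMachines/delete')
}
Test-RbacAllowed -Roles @($operatorWithNotAction)                 -Operation 'Microsoft.Compute/virtualMachines/delete'
Test-RbacAllowed -Roles @($operatorWithNotAction, $vmContributor) -Operation 'Microsoft.Compute/virtualMachines/delete'
```

The table makes the difference between the two roles explicit: Virtual Machine Contributor matches every row through Microsoft.Compute/virtualMachines/*, while the operator role matches only the start action and the instanceView read (via Microsoft.Compute/*/read). The two final calls show why the page builds the operator role from an empty Actions list instead of adding NotActions to the contributor role: NotActions only narrow the role they sit in, and the moment the same user picks up another assignment that grants delete, delete is back. Only a deny assignment, which is a separate Azure mechanism not covered here, blocks an operation regardless of other assignments.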
