蔚蓝数据湖授权
[英]azure data lake authorization
问题描述
I am new to Azure Data Lake Analytics and am converting a C# batch job to use service to service authentication before submitting stored procedures to Azure Data Lake Analytics. 
我是Azure Data Lake Analytics的新手,在将存储过程提交到Azure Data Lake Analytics之前,我正在转换C#批处理作业以使用服务进行身份验证。
public void AuthenticateADLUser()
{
//Connect to ADL
// Service principal / appplication authentication with client secret / key
SynchronizationContext.SetSynchronizationContext(new SynchronizationContext());
cTokenCreds = ApplicationTokenProvider.LoginSilentAsync(strDomain, strWebApp_clientId, strClientSecret).Result;
SetupClients(cTokenCreds, strSubscriptionID);
}
public static void SetupClients(ServiceClientCredentials tokenCreds, string subscriptionId)
{
_adlaClient = new DataLakeAnalyticsAccountManagementClient(tokenCreds);
_adlaClient.SubscriptionId = subscriptionId;
_adlaJobClient = new DataLakeAnalyticsJobManagementClient(tokenCreds);
_adlsFileSystemClient = new DataLakeStoreFileSystemManagementClient(tokenCreds);
}
Even though I have given it the correct ClientId the error comes back with a different ClientID in the error when I execute the following code: 即使我已经给它正确的ClientId,当我执行以下代码时,错误会返回错误中的不同ClientID:
var jobInfo = _adlaJobClient.Job.Create(_adlsAccountName, jobId, parameters);.
The error message is: 错误消息是:
The client 'e83bb777-f3af-4526-ae34-f5461a5fde1c' with object id 'e83bb777-f3af-4526-ae34-f5461a5fde1c' does not have authorization to perform action 'Microsoft.Authorization/permissions/read' over scope '/subscriptions/a0fb08ca-a074-489c-bed0-....
- Why is the ClientID different than the one I used in the code? 为什么ClientID与我在代码中使用的不同?
- Is this a code issue or a permissions issue? 这是代码问题还是权限问题? I assume that it is code since the ClientID is not an authorized one that I created. 我假设它是代码,因为ClientID不是我创建的授权。
note: The SubscriptionId is correct. 注意:SubscriptionId是正确的。
2 个解决方案
解决方案1
0 2017-07-12 14:18:01
I assumed you created an Azure Active Directory App and are you the client and domain IDs of this app. 我假设您创建了一个Azure Active Directory应用程序,并且您是此应用程序的客户端和域ID。 If not, you'll need that... If you do have that, then can you check if the App has permissions over your Data Lake Store: https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-authenticate-using-active-directory 如果没有,您将需要...如果您有,那么您可以检查该应用程序是否具有您的Data Lake Store的权限: https : //docs.microsoft.com/en-us/azure/data-湖店/使用活性目录数据湖-STORE-认证-
解决方案2
0 2018-04-19 20:43:40
Had exactly same symptoms. 有完全相同的症状。 WebApp was created in AAD in portal originally to access Azure Data Lake Store and same code-snippet worked perfectly. WebApp最初是在门户网站的AAD中创建的,用于访问Azure Data Lake Store,并且相同的代码片段运行良好。 When I decided to re-use same WebApp (clientid/secret) it failed with same error, even though I have given reader/contributor roles on sub/RG/ADLA to the App. 当我决定重新使用相同的WebApp(clientid / secret)时,它失败了同样的错误,即使我已经将sub / RG / ADLA上的读者/贡献者角色发给了App。
I think the reason is that WebApp underneath has a "service principal" object (thus error msg shows different object id) and ADLA uses it for some reason. 我认为原因是下面的WebApp有一个“服务主体”对象(因此错误消息显示不同的对象ID),ADLA出于某种原因使用它。 Mine didn't have credentials set - empty result: 我没有凭证设置 - 空结果:
Get-AzureRmADSpCredential -objectid <object_id_from_error_msg>
Added new password as described here 添加了此处所述的新密码
New-AzureRmADSpCredential -objectid <object_id_from_error_msg> -password $password
Used the pwd as secret in LoginSilentAsync, clientId was left as before - WebApp clientId (not the principal object id shown in the error) 在LoginSilentAsync中使用pwd作为秘密,clientId与以前一样 - WebApp clientId(不是错误中显示的主要对象id)
I wasn't able to find this principal info in portal, only PS. 我无法在门户网站中找到这个主要信息,只有PS。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.