
Azure Cosmos DB read data using role based access control

I have a CosmosDB in Azure, and I want to give a user access to read the data inside various collections.

I tried giving them the 'Reader' role; it let them see that there existed a CosmosDB, and they could see some metadata. But they were unable to access the data within.

I assigned them the 'Cosmos DB Account Reader' role and this had better results.

But it seems to me that the 'Reader' role should supersede the 'Cosmos DB Account Reader' role. Or am I on the wrong track here? I believed that the 'Reader' role gave *all* read access.

EDIT:
There seems to be no issue using the built-in 'Data Explorer' on portal.azure.com.

The real issue is with using cosmos.azure.com: logging in using ActiveDirectory did not let the user see anything with the 'Cosmos DB Account Reader' role. It might be that it requires the user to have write access.

In order to read the data from Cosmos DB accounts, a user should be in a role that allows fetching access keys. A Reader role does not have this capability. However, the Cosmos DB Account Reader role has the capability to fetch the read-only access keys, using which a user in this role can read the data (but not make any changes to that data).

From this link, here's the definition of the Cosmos DB Account Reader role:

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

The Microsoft.DocumentDB/databaseAccounts/readonlykeys/action action enables getting the read-only access keys and thus reading the data.

