Azure RBAC管理ASM资源

上一篇文章介绍了Azure基于ARM的RBAC，给不同的用户分配不同的权限。

但目前在国内使用的大部分用户还是以ASM的资源为主。比如：VM、Storage、Network、WebAPP、SQL Azure等等。

如果客户希望对这些资源给不同用户授予不同的权限，基于ARM的RBAC是否可以实现呢？

基于ARM的RBAC是可以对ASM的资源进行授权管理的。

本文将以VM为例子，介绍如何针对ASM中的资源进行授权的配置和管理。

1 建ASM的虚拟机

通过老portal管理界面：http://manage.windowsazure.cn

创建两台虚拟机，如下图：

2 创建用户和Role

根据前一篇文章介绍的方法，新建一个[email protected]的账户，同时新建一个Virtual Machine Operator的Role。

具体方法请参考前面一篇文章：

http://www.cnblogs.com/hengwei/p/5874776.html

Virtual Machine Operator拥有的权限如下，查询命令采用的是Azure CLI：

azure role show "Virtual Machine Operator" --json
[
{
"Name": "Virtual Machine Operator",
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/attachDisk/action",
"Microsoft.ClassicCompute/virtualMachines/detachDisk/action",
"Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action",
"Microsoft.ClassicCompute/virtualMachines/restart/action",
"Microsoft.ClassicCompute/virtualMachines/shutdown/action",
"Microsoft.ClassicCompute/virtualMachines/start/action",
"Microsoft.ClassicCompute/virtualMachines/stop/action",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/*/read"
],
"NotActions": [],
"Id": "xxxx",
"AssignableScopes": [
"/subscriptions/xxxx",
"/subscriptions/xxxx"
],
"Description": "Can monitor and start stop or restart virtual machines.",
"IsCustom": "true"
}
]

其中Microsoft.ClassicCompute指的就是基于ASM的VM资源。通过Powershell命令或CLI命令可以看到相关信息：

azure provider list

info: Executing command provider list
+ Getting ARM registered providers
data: Namespace Registered
data: -------------------------------------- -------------
data: Microsoft.ApiManagement Registered
data: Microsoft.Batch Registered
data: Microsoft.Cache Registered
data: Microsoft.ClassicCompute Registered
data: Microsoft.ClassicNetwork Registered
data: Microsoft.ClassicStorage Registered
data: Microsoft.Compute Registered
data: Microsoft.Devices Registered
data: Microsoft.DocumentDB Registered
data: Microsoft.EventHub Registered
data: Microsoft.HDInsight Registering
data: Microsoft.insights Registered
data: Microsoft.MySql Registered
data: Microsoft.Network Registering
data: Microsoft.SiteRecovery Registered
data: Microsoft.Sql Registered
data: Microsoft.Storage Registered
data: Microsoft.StreamAnalytics Registered
data: Microsoft.Web Registered
data: Microsoft.Authorization Registered
data: Microsoft.ClassicInfrastructureMigrate NotRegistered
data: Microsoft.CognitiveServices NotRegistered
data: Microsoft.Features Registered
data: Microsoft.KeyVault NotRegistered
data: Microsoft.Media NotRegistered
data: Microsoft.Portal NotRegistered
data: Microsoft.Resources Registered
data: Microsoft.Scheduler Registered
data: Microsoft.ServiceBus NotRegistered
data: Microsoft.ServiceFabric NotRegistered
info: provider list command OK

或：

Get-AzureRmResourceProvider | ft ProviderNamespace

ProviderNamespace
-----------------
Microsoft.ApiManagement
Microsoft.Batch
Microsoft.Cache
Microsoft.ClassicCompute
Microsoft.ClassicNetwork
Microsoft.ClassicStorage
Microsoft.Compute
Microsoft.Devices
Microsoft.DocumentDB
Microsoft.EventHub
microsoft.insights
Microsoft.MySql
Microsoft.SiteRecovery
Microsoft.Sql
Microsoft.Storage
Microsoft.StreamAnalytics
Microsoft.Web
Microsoft.Authorization
Microsoft.Features
Microsoft.Resources
Microsoft.Scheduler

3 把用户和Role关联

在新Portal上：http://portal.azure.cn

使用Admin登陆后，对两台虚拟机进行权限分配：

将vmops用户对这台虚拟机的管理角色分配为Virtual Machine Operator。

4 测试

使用vmops登陆后，对这两台虚拟机进行操作：

发现只有前面对ClassComputer拥有的Start、Stop、restart、connect权限。

而admin拥有的权限有：Start、Stop、restart、connect、Caputre、Reset Remote Access、Delete。如下图：

总结：

通过对ClassComputer的资源进行操作的授权，可以控制用户对ASM VM的操作权限。