The figure below (not reproduced here) shows the architecture of Azure role-based access control (RBAC). It shows clearly that access is controlled at three levels: the security principal (who), the role definition (which operations are allowed), and the scope (which resources the assignment covers).
Creating and using a role follows the same three steps: define the role, pick the scope, and assign the role to a principal at that scope.
Azure ships with a set of built-in role definitions; see https://docs.azure.cn/zh-cn/role-based-access-control/built-in-roles for the differences between them.
Having understood the RBAC process, let's test it against a typical enterprise requirement: an operator who can monitor, start, stop and restart virtual machines but cannot delete them or change their configuration. First, list the operations the virtual machine resource provider exposes, so the custom role can be built from explicit actions rather than wildcards:
Get-AzureRMProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize
OperationName Operation Description
------------- --------- -----------
Get Virtual Machine Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Create or Update Virtual Machine Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates ...
Delete Virtual Machine Microsoft.Compute/virtualMachines/delete Deletes the virtual machine
Start Virtual Machine Microsoft.Compute/virtualMachines/start/action Starts the virtual machine
Power Off Virtual Machine Microsoft.Compute/virtualMachines/powerOff/action Powers off the virtual machine. Note that...
Redeploy Virtual Machine Microsoft.Compute/virtualMachines/redeploy/action Redeploys virtual machine
Restart Virtual Machine Microsoft.Compute/virtualMachines/restart/action Restarts the virtual machine
Deallocate Virtual Machine Microsoft.Compute/virtualMachines/deallocate/action Powers off the virtual machine and releas...
Generalize Virtual Machine Microsoft.Compute/virtualMachines/generalize/action Sets the virtual machine state to General...
Capture Virtual Machine Microsoft.Compute/virtualMachines/capture/action Captures the virtual machine by copying v...
Run Command on Virtual Machine Microsoft.Compute/virtualMachines/runCommand/action Executes a predefined script on the virtu...
Convert Virtual Machine disks to Managed Disks Microsoft.Compute/virtualMachines/convertToManagedDisks/action Converts the blob based disks of the virt...
Perform Maintenance Redeploy Microsoft.Compute/virtualMachines/performMaintenance/action Performs Maintenance Operation on the VM.
Reimage Virtual Machine Microsoft.Compute/virtualMachines/reimage/action Reimages virtual machine which is using d...
Log in to Virtual Machine Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular ...
Log in to Virtual Machine as administrator Microsoft.Compute/virtualMachines/loginAsAdmin/action Log in to a virtual machine with Windows ...
Get Virtual Machine Instance View Microsoft.Compute/virtualMachines/instanceView/read Gets the detailed runtime status of the v...
Lists Available Virtual Machine Sizes Microsoft.Compute/virtualMachines/vmSizes/read Lists available sizes the virtual machine...
Get Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/read Get the properties of a virtual machine e...
Create or Update Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/write Creates a new virtual machine extension o...
Delete Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/delete Deletes the virtual machine extension
Get-AzureRmSubscription | ft SubscriptionID
SubscriptionId
--------------
Xxxxxx
Get-AzureRmResourceGroup | ft ResourceId
Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"
Name : Virtual Machine Contributor
Id : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
IsCustom : False
Description : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
Actions : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/}
# Fetch the built-in "Virtual Machine Contributor" definition to use as a template
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
# Clear the Id so New-AzureRmRoleDefinition creates a new custom role instead of colliding with the built-in one
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and start stop or restart virtual machines."
# Discard the inherited actions: they include Microsoft.Compute/virtualMachines/*, which covers delete,
# runCommand/action and extensions/write. Rebuild the role from an explicit allow list instead.
$role.Actions.Clear()
# Read-only access to the surrounding resources (storage, network, compute, authorization, resource groups)
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
# The VM lifecycle operations the operator may perform. Deliberately absent: write, delete,
# runCommand/action, extensions/write and loginAsAdmin/action, all of which amount to control of the VM.
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
# Alert-rule management; note this is a wildcard and therefore also grants write and delete on alert rules
$role.Actions.Add("Microsoft.Insights/alertRules/*")
# Restrict where the role may be assigned: only the listed subscription rather than the root scope "/"
# (replace xxxxx with the subscription ID returned by Get-AzureRmSubscription)
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxxx")
# Create the custom role definition
New-AzureRmRoleDefinition -Role $role
Name : Virtual Machine Operator
Id : 55aca895-61dc-4162-b7a6-fbab532d14a2
IsCustom : True
Description : Can monitor and start stop or restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action...}
NotActions : {}
AssignableScopes : {/subscriptions/xxxxx}
Now assign the new role to a test user, scoped to the rbacgroup resource group only, so the user cannot operate on VMs elsewhere in the subscription:
New-AzureRmRoleAssignment -SignInName rbacuser@xxxx.partner.onmschina.cn -Scope /subscriptions/xxxxxx/resourceGroups/rbacgroup -RoleDefinitionName "Virtual Machine Operator"
RoleAssignmentId : /subscriptions/xxxxx/resourceGroups/rbacgroup/providers/Microsoft.Authorization/roleAssignments/336b10d9-4ae7-4832-87a8-7f3d1dccb834
Scope : /subscriptions/xxxxxx/resourceGroups/rbacgroup
DisplayName : RBACUSER
SignInName : rbacuser@xxxxxx.partner.onmschina.cn
RoleDefinitionName : Virtual Machine Operator
RoleDefinitionId : d0b203bd-37e1-4006-871c-8b0330d657f6
ObjectId : 42bfdd38-4d2c-4abb-8b4c-fcf5ab1e7f11
ObjectType : User
CanDelegate : False
Signed in as this user, only the rbacgroup resource group is visible (the scope of the assignment), and attempting to delete a virtual machine is rejected with a "no permission" error.
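Checking that deletion fails is a good smoke test, but the more dangerous operations from the provider listing above are the ones that hand over the VM without deleting it: runCommand/action, extensions/write and loginAsAdmin/action, plus writes to role assignments or role definitions, which let the holder escalate. The following PowerShell is an added example, not code from the original post: it audits a role object's effective Actions against a deny list of such operations and resolves Azure's "*" wildcards, so a shortcut like Microsoft.Compute/virtualMachines/* with delete in NotActions is caught. The deny list, the function names and the two constructed role objects are assumptions for this example; the matcher assumes Azure RBAC semantics, where "*" matches any run of characters including "/" and action names compare case-insensitively.

```powershell
# Added example: audit a role definition's effective permissions before creating or assigning it.
# The deny list is an assumption for this example, not an Azure-published list.
$DangerousActions = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',    # run an arbitrary script inside the VM
    'Microsoft.Compute/virtualMachines/extensions/write',     # installing an extension is code execution
    'Microsoft.Compute/virtualMachines/loginAsAdmin/action',  # administrator login to the VM
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Authorization/roleAssignments/write',          # grant oneself additional roles
    'Microsoft.Authorization/roleDefinitions/write'           # edit the role one already holds
)

function Test-RbacActionMatch {
    # $true when an RBAC action pattern (which may contain '*') covers a concrete operation.
    # Assumes Azure semantics: '*' matches any characters including '/', and the comparison is case-insensitive
    # (PowerShell's -match is case-insensitive by default).
    param([string]$Pattern, [string]$Operation)
    $regex = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
    return $Operation -match $regex
}

function Get-EffectiveDangerousActions {
    # Report each dangerous operation that some Actions entry covers and no NotActions entry excludes.
    # Works on the objects returned by Get-AzureRmRoleDefinition as well as on the constructed samples below.
    param($Role)
    foreach ($op in $DangerousActions) {
        $allowed = @($Role.Actions    | Where-Object { Test-RbacActionMatch -Pattern $_ -Operation $op })
        $denied  = @($Role.NotActions | Where-Object { Test-RbacActionMatch -Pattern $_ -Operation $op })
        if ($allowed.Count -gt 0 -and $denied.Count -eq 0) {
            [pscustomobject]@{ Operation = $op; GrantedBy = ($allowed -join ', ') }
        }
    }
}

# Constructed sample 1: the explicit allow list used for "Virtual Machine Operator" above.
$operatorRole = [pscustomobject]@{
    Name       = 'Virtual Machine Operator'
    Actions    = @('Microsoft.Storage/*/read', 'Microsoft.Network/*/read', 'Microsoft.Compute/*/read',
                   'Microsoft.Authorization/*/read', 'Microsoft.Resources/subscriptions/resourceGroups/read',
                   'Microsoft.Compute/virtualMachines/start/action', 'Microsoft.Compute/virtualMachines/restart/action',
                   'Microsoft.Compute/virtualMachines/powerOff/action', 'Microsoft.Compute/virtualMachines/deallocate/action',
                   'Microsoft.Insights/alertRules/*')
    NotActions = @()
}

# Constructed sample 2: a tempting shortcut that grants the whole VM namespace and only excludes delete.
$shortcutRole = [pscustomobject]@{
    Name       = 'VM Operator (wildcard shortcut)'
    Actions    = @('Microsoft.Compute/virtualMachines/*', 'Microsoft.Authorization/*/read')
    NotActions = @('Microsoft.Compute/virtualMachines/delete')
}

foreach ($r in @($operatorRole, $shortcutRole)) {
    $findings = @(Get-EffectiveDangerousActions -Role $r)
    if ($findings.Count -eq 0) {
        Write-Host "$($r.Name): OK, no dangerous operation is effectively granted"
    } else {
        Write-Host "$($r.Name): $($findings.Count) dangerous operation(s) effectively granted"
        $findings | Format-Table -AutoSize | Out-String -Width 200 | Write-Host
    }
}
```

Run as written, the explicit "Virtual Machine Operator" sample passes, while the wildcard shortcut is flagged for runCommand/action, extensions/write and loginAsAdmin/action even though delete is excluded. To audit the real role after it has been created, pass it in directly: `Get-EffectiveDangerousActions -Role (Get-AzureRmRoleDefinition "Virtual Machine Operator")`, and confirm the assignment landed at the intended scope with `Get-AzureRmRoleAssignment -SignInName rbacuser@xxxx.partner.onmschina.cn -Scope /subscriptions/xxxxxx/resourceGroups/rbacgroup`.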
Original article: https://www.cnblogs.com/smallfox/p/10260669.html