要让第一代 Horizon Cloud 应用程序注册能够在容器的订阅(或可选的外部网关订阅)中进行 API 调用并执行其 VDI 相关操作,必须为其分配一个角色。通常使用 Contributor 角色实现此目的。对于想要避免使用 Contributor 角色的组织,他们可以创建自定义角色,让自定义角色来实现赋予 Horizon Cloud 应用程序注册能够执行所需 API 调用能力的目的。

重要说明: 仅当您有权访问第一代控制平面中的第一代租户环境时,此信息才适用。如 知识库文章 92424 中所述,第一代控制平面已终止提供 (EOA)。有关详细信息,请参阅该文章。

除了将自定义角色用于容器订阅中的 Horizon Cloud 应用程序注册外,如果您的组织希望采用将单独的订阅用于容器外部 Unified Access Gateway 配置的方法,并选择将网关资源部署到贵组织为实现此目的而设置的特定资源组中,该网关订阅的自定义角色可以拥有比容器订阅的自定义角色更精细且范围更窄的权限。

自定义角色简介

最基本的概念是,Horizon Cloud 需要在容器的订阅及其资源组中执行特定的操作,以成功创建和维护设置容器及其网关配置所需的资源。

作为一个简单示例,由于容器和网关架构需要使用具有网卡的虚拟机,因此,Horizon Cloud 需要能够在您的订阅中创建虚拟机和网卡,并将这些网卡连接到订阅的 VNet 中的子网。

在 Microsoft Azure 中,角色将提供一组可由应用程序注册的服务主体执行的管理操作。管理操作是资源和对该资源执行的操作的组合。

您可以按照下面所述的规则,将容器订阅和(可选)网关订阅中的 Horizon Cloud 应用程序注册功能限制为所需的最低操作。

可用用例概述

在讨论 Horizon Cloud 在订阅和资源组中所需的操作时,可以使用以下用例。

注: 在双订阅用例中,用于容器订阅中的应用程序注册的角色必须遵循与单订阅用例所需规则相同的规则。
用例 描述
Horizon Cloud 将单个订阅用于容器及其外部 Unified Access Gateway 配置。

在该用例中,必须在容器的订阅级别为服务主体授予访问权限。在该级别分配给服务主体的角色必须允许 Horizon Cloud 需要在您的订阅中执行的操作,以便在该订阅中成功创建所需的资源,并在一段时间内对这些资源执行操作。例如,在该用例中,角色必须提供创建默认资源组、网络安全组、虚拟机等的功能。

两个订阅,并且您希望 Horizon Cloud 在外部网关的指定订阅中自动创建网关的所需资源组和资源,这与在容器的订阅中相同。
  • 指定将一个订阅用于外部 Unified Access Gateway 配置的资源
  • 将一个订阅用于其余容器资源

在使用该选项时,必须在订阅级别为每个订阅的服务主体授予访问权限,并且允许执行操作的权限与上述单订阅用例相同。

如上所述的两个订阅,但您在外部网关的指定订阅中提前创建一个资源组,并希望 Horizon Cloud 将外部网关的资源部署到该现有资源组中,而不是让 Horizon Cloud 自动创建该外部网关的所需资源组和资源。

可通过两个选项为用于部署外部网关的服务主体授予访问权限:

  • 在订阅级别授予访问权限,与上述用例相同。
  • 使用以下组合:
    • 在订阅级别,使用内置读取者角色授予访问权限。
    • 在指定的资源组级别,使用在自定义角色中定义的权限授予访问权限。在资源组级别授予的权限必须允许 Horizon Cloud 需要在资源组中执行的操作,以便在其中部署和配置外部网关的资源。

      除了针对资源组的权限以外,Horizon Cloud 还需要具有执行以下操作的权限,具体取决于您的部署计划:

      • 如果该部署将使用您在该订阅的 VNet 上提前创建的子网,则 Horizon Cloud 需要能够在这些子网上创建网卡和网络安全组 (NSG)。子网所属的 VNet 上所需的权限是 Microsoft.Network/virtualNetworks/subnets/*Microsoft.Network/networkSecurityGroups/*
      • 如果该部署让 Horizon Cloud 生成子网,除了上述的 Microsoft.Network/virtualNetworks/subnets/*Microsoft.Network/networkSecurityGroups/* 权限以外,Horizon Cloud 还需要能够创建子网。VNet 上所需的权限为 Microsoft.Network/virtualNetworks/write
      • 如果您的外部网关部署指定使用公共 IP 地址,则 Horizon Cloud 需要能够在指定的资源组中创建公共 IP 地址。指定的资源组上所需的权限为 Microsoft.Network/publicIPAddresses
当您的 VNet 具有自定义路由时。Microsoft Azure 云具有一项称为自定义路由的功能。 如果您的 VNet 具有自定义路由,则除了上述用例的所有权限外,还需要一项权限:Microsoft.Network/routeTables/join/action

在将单个订阅用于容器及其网关配置时,或者将单独的订阅用于外部 Unified Access Gateway 配置并在订阅级别设置权限时

对于这些用例,将在订阅级别分配权限。自定义角色必须允许下表中的操作。*(通配符)可授予对与列出的操作中的字符串匹配的所有操作的访问权限。

表 1. 在订阅级别分配权限时必须在自定义角色中允许的 Microsoft Azure 资源操作
操作 Microsoft Azure 文档中的说明
Microsoft.Authorization/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkSecurityGroups/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/write https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/subnets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/write
Microsoft.Compute/galleries/delete
Microsoft.Compute/galleries/images/*
Microsoft.Compute/galleries/images/versions/*
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmarketplaceordering

以下 JSON 代码块是一个示例,说明了名为 Horizon Cloud 容器的自定义角色定义在具有一组上述操作时的外观。ID 是自定义角色的唯一 ID。使用 Azure PowerShell 或 Azure CLI 创建自定义角色时,将自动生成此 ID。对于变量 mysubscriptionId1,会替换为将在其中使用自定义角色的订阅的 ID,即容器的订阅或(可选)网关订阅。

表 2. 在订阅级别分配权限时允许执行 Horizon Cloud 所需操作的角色的示例 JSON
{
"Name": "Horizon Cloud Pod",
"Id": "uuid",
"IsCustom": true,
"Description": "Minimum set of Horizon Cloud pod required operations",
"Actions": [
  "Microsoft.Authorization/*/read"
  "Microsoft.Compute/*/read"
  "Microsoft.Compute/availabilitySets/*"
  "Microsoft.Compute/disks/*"
  "Microsoft.Compute/images/*"
  "Microsoft.Compute/locations/*"
  "Microsoft.Compute/virtualMachines/*"
  "Microsoft.Compute/virtualMachineScaleSets/*"
  "Microsoft.Compute/snapshots/*"
  "Microsoft.DBforPostgreSQL/*"
  "Microsoft.KeyVault/*/read"
  "Microsoft.KeyVault/vaults/*"
  "Microsoft.KeyVault/vaults/secrets/*"
  "Microsoft.Network/loadBalancers/*"
  "Microsoft.Network/networkInterfaces/*"
  "Microsoft.Network/networkSecurityGroups/*"
  "Microsoft.Network/publicIPAddresses/*"
  "Microsoft.Network/virtualNetworks/read"
  "Microsoft.Network/virtualNetworks/write"
  "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read"
  "Microsoft.Network/virtualNetworks/subnets/*"
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read"
  "Microsoft.Resources/subscriptions/resourceGroups/*"
  "Microsoft.ResourceHealth/availabilityStatuses/read"
  "Microsoft.Resources/deployments/*"
  "Microsoft.Storage/*/read"
  "Microsoft.Storage/storageAccounts/*"
  "Microsoft.Compute/galleries/read"
  "Microsoft.Compute/galleries/write"
  "Microsoft.Compute/galleries/delete"
  "Microsoft.Compute/galleries/images/*"
  "Microsoft.Compute/galleries/images/versions/*"
  "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read"
  "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write"
  ],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
  "/subscriptions/mysubscriptionId1"
  ]
}

当自定义路由位于 VNet 及其子网中时

Microsoft Azure 云具有一项称为自定义路由的功能。

如果将此类路由添加到 VNet 及其子网中,则需要此附加权限。

表 3. VNet 具有自定义路由时必须允许的 Microsoft Azure 资源操作
操作 Microsoft Azure 文档中的说明
Microsoft.Network/routeTables/join/action https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork

将单独的订阅用于外部 Unified Access Gateway 配置,部署到自定义资源组,在订阅级别分配读取者角色并在更精细级别分配其他所需权限时

对于此用例,在外部网关的订阅级别,您的组织可以将内置 Reader 角色用于 Horizon Cloud 应用程序注册,并在指定资源组级别使用自定义角色。

您的组织将创建一个自定义角色,用于指定下表中的权限。然后,该自定义角色将分配给 Horizon Cloud 应用程序注册,以用于外部网关订阅中专门指定的资源组。您或您的组织将在要部署外部网关的订阅中预先创建指定的资源组。

子网和 VNet 上的一些特定权限也是必需的,具体取决于您计划的部署选项:

  • 如果该外部网关部署将使用您提前创建的子网,则 Horizon Cloud 需要能够在这些子网上创建网卡和网络安全组 (NSG)。子网所属的 VNet 上所需的权限是 Microsoft.Network/virtualNetworks/subnets/*Microsoft.Network/networkSecurityGroups/*
  • 如果该外部网关部署让 Horizon Cloud 生成子网,除了上述的 Microsoft.Network/virtualNetworks/subnets/*Microsoft.Network/networkSecurityGroups/* 权限以外,Horizon Cloud 还需要能够创建子网。订阅的 VNet 上所需的权限为 Microsoft.Network/virtualNetworks/write
  • 如果您的部署指定将公共 IP 地址用于外部网关配置,则 Horizon Cloud 需要能够在指定的资源组中创建公共 IP 地址。指定的资源组上所需的权限为 Microsoft.Network/publicIPAddresses

需要在指定的资源组中执行以下允许的操作。*(通配符)可授予对与所列资源提供程序操作中的字符串匹配的所有操作的访问权限。

表 4. 必须在指定的资源组上允许的 Microsoft Azure 资源操作
操作 Microsoft Azure 文档中的说明
Microsoft.Authorization/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* - 如果您的部署指定将公共 IP 地址用于外部网关部署。 https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmarketplaceordering