A role must be assigned to the service principal that Horizon Cloud uses to perform operations in your Microsoft Azure subscription and its resource groups. That role specifies which operations the service principal is allowed to perform in the subscription and its resource groups. Although the Microsoft Azure built-in Contributor role permits every operation that Horizon Cloud requires, it also grants the broadest set of permissions for that purpose. Instead of using the built-in Contributor role at the subscription level, you can create a custom role with the minimum set of permissions, scoped to the minimum set of operations that Horizon Cloud needs to perform in the associated subscription, and assign that custom role to the service principal at the subscription level. If you use a separate subscription for the pod's external Unified Access Gateway configuration and choose to deploy the gateway resources into a resource group that you create and maintain, you can optionally grant the service principal in that separate subscription finer-grained permissions with a narrower scope.

The basic concept is that Horizon Cloud needs to perform specific operations in your subscription and its resource groups to successfully create and maintain the resources required for the pod and its gateway configuration. As a simple example, because the pod and gateway architecture uses virtual machines that have network interfaces, Horizon Cloud needs to be able to create virtual machines and network interfaces in your subscription and attach those network interfaces to subnets in the subscription's VNet. Some of the options you choose for the pod and gateway deployment determine the specific set of operations that Horizon Cloud needs to perform. Depending on the options you use to deploy the pod and its external gateway configuration, you can restrict what Horizon Cloud can do in your subscription to the minimum required operations, according to the rules described below.

For details about custom roles in Microsoft Azure and the steps required to create one, see the Microsoft Azure documentation topic Custom roles for Azure resources. For details about how roles work, the structure of a role, and the structure of management operations, see Understand role definitions for Azure resources in the Microsoft Azure documentation. As described in that topic, a role definition is a collection of permissions, and is referred to simply as a role. A role lists the management operations that a service principal assigned the role can perform, and those it cannot perform. A management operation is the combination of a resource and the operation performed on that resource.

Overview of the Available Use Cases

The following use cases apply when discussing the operations that Horizon Cloud requires in your Microsoft Azure subscription and resource groups.

Note: For the subscription designated for the remaining pod resources in the two-subscription use cases, the role of the service principal created for that subscription must follow the same rules required for the single-subscription use case.
Use case: Horizon Cloud uses a single subscription for the pod and its external Unified Access Gateway configuration.

Description: In this use case, the service principal must be granted access at the subscription level. The role assigned to the service principal at that level must allow the operations that Horizon Cloud needs to perform in your subscription, so that it can successfully create the required resources in that subscription and operate on those resources over time. For example, in this use case the role must provide the ability to create the default resource groups, network security groups, virtual machines, and so on.

Use case: Two subscriptions, where you want Horizon Cloud to automatically create the gateway's required resource group and resources in the subscription designated for the external gateway, in the same way it does in the subscription for the remaining pod resources:
  • one subscription designated for the resources of the external Unified Access Gateway configuration
  • one subscription used for the remaining pod resources

Description: With this option, the service principal in each subscription must be granted access at the subscription level, with the same permitted operations as the single-subscription use case above.

Use case: Two subscriptions as above, but you create a resource group in advance in the subscription designated for the external gateway and want Horizon Cloud to deploy the external gateway's resources into that existing resource group, rather than having Horizon Cloud automatically create the required resource group and resources for the external gateway.

Description: There are two options for granting access to the service principal used to deploy the external gateway:

  • Grant access at the subscription level, as in the use cases above.
  • Use the following combination:
    • At the subscription level, grant access using the built-in Reader role.
    • At the level of the designated resource group, grant access using the permissions defined in a custom role. The permissions granted at the resource-group level must allow the operations that Horizon Cloud needs to perform in the resource group to deploy and configure the external gateway's resources there.

      In addition to the permissions on the resource group, Horizon Cloud also needs permission to perform the following operations, depending on your deployment plan:

      • If the deployment will use subnets that you created in advance on the subscription's VNet, Horizon Cloud needs to be able to create network interfaces and network security groups (NSGs) on those subnets. The permissions required on the VNet that the subnets belong to are Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/*.
      • If the deployment has Horizon Cloud generate the subnets, then in addition to the Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/* permissions above, Horizon Cloud also needs to be able to create subnets. The permission required on the VNet is Microsoft.Network/virtualNetworks/write.
      • If your external gateway deployment specifies use of a public IP address, Horizon Cloud needs to be able to create a public IP address in the designated resource group. The permission required on the designated resource group is Microsoft.Network/publicIPAddresses.

When Using a Single Subscription for the Pod and Its Gateway Configuration, or a Separate Subscription for the External Unified Access Gateway Configuration with Permissions Set at the Subscription Level

For these use cases, permissions are assigned at the subscription level. The custom role set on the service principal specified in the subscription step of the Horizon Cloud workflow must allow the following operations in its role definition. The * (wildcard) grants access to every operation that matches the string in the listed resource provider operation. For descriptions of the operations, see the Microsoft Azure documentation at the following links.

Table 1. Microsoft Azure resource operations that must be allowed in the custom role when permissions are assigned at the subscription level
Operation | Description in the Microsoft Azure documentation
Microsoft.Authorization/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkSecurityGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/write | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/subnets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage

The following JSON block is an example of what a custom role definition named Horizon Cloud Pod looks like with the set of operations above. For descriptions of the properties and usage information, see the Custom role properties section of the Microsoft Azure documentation topic Custom roles for Azure resources. Id is the unique ID of the custom role. If you create the custom role using Azure PowerShell or the Azure CLI, this ID is generated automatically when the new role is created. As described in Tutorial: Create a custom role for Azure resources using Azure CLI, mysubscriptionId1 is the ID of your own subscription.

Table 2. Example JSON for a role that allows the operations Horizon Cloud requires when permissions are assigned at the subscription level
{
  "Name": "Horizon Cloud Pod",
  "Id": "uuid",
  "IsCustom": true,
  "Description": "Minimum set of Horizon Cloud pod required operations",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/images/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/snapshots/*",
    "Microsoft.DBforPostgreSQL/*",
    "Microsoft.KeyVault/*/read",
    "Microsoft.KeyVault/vaults/*",
    "Microsoft.KeyVault/vaults/secrets/*",
    "Microsoft.Network/loadBalancers/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
    "Microsoft.Network/virtualNetworks/subnets/*",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/storageAccounts/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/mysubscriptionId1"
  ]
}

When Using a Separate Subscription for the External Unified Access Gateway Configuration, Deploying to a Custom Resource Group, Assigning the Reader Role at the Subscription Level and the Other Required Permissions at a Finer-Grained Level

For this use case, you can assign the built-in Reader role to the service principal at the subscription level and then grant access at the level of the designated resource group using a custom role with the permissions specified in the table below. Some additional permissions on the subnets and VNet are required, depending on your planned deployment options:

  • If the external gateway deployment will use subnets that you created in advance, Horizon Cloud needs to be able to create network interfaces and network security groups (NSGs) on those subnets. The permissions required on the VNet that the subnets belong to are Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/*.
  • If the external gateway deployment has Horizon Cloud generate the subnets, then in addition to the Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/* permissions above, Horizon Cloud also needs to be able to create subnets. The permission required on the subscription's VNet is Microsoft.Network/virtualNetworks/write.
  • If your deployment specifies use of a public IP address for the external gateway configuration, Horizon Cloud needs to be able to create a public IP address in the designated resource group. The permission required on the designated resource group is Microsoft.Network/publicIPAddresses.

The following operations must be allowed on the designated resource group. The * (wildcard) grants access to every operation that matches the string in the listed resource provider operation. For descriptions of the operations, see the Microsoft Azure documentation at the following links.

Table 3. Microsoft Azure resource operations that must be allowed on the designated resource group
Operation | Description in the Microsoft Azure documentation
Microsoft.Authorization/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* (if your deployment specifies use of a public IP address for the external gateway deployment) | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
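As an added example, not code from the Horizon Cloud documentation, the following Python script models how Azure evaluates the two patterns this topic describes: the built-in Contributor role at the subscription level compared with Reader at the subscription plus a custom role scoped to the designated resource group, so you can check what a service principal can do at a given scope before assigning anything. The resource group names, the trimmed gateway role (a subset of Table 3), and the abbreviated Contributor NotActions are assumptions constructed for the example.

```python
"""Evaluate whether a service principal's Azure RBAC assignments permit an operation
at a given scope. Model: an assignment applies to its own scope and every scope
beneath it; an operation is allowed when it matches a pattern in Actions and no
pattern in NotActions; '*' matches any characters, '/' included."""
import fnmatch

SUB = "/subscriptions/mysubscriptionId1"          # placeholder subscription id from the doc
GATEWAY_RG = SUB + "/resourceGroups/uag-rg"       # constructed resource group name
OTHER_RG = SUB + "/resourceGroups/other-rg"       # constructed resource group name

# Built-in Reader: read everything, change nothing.
READER = {"Actions": ["*/read"], "NotActions": []}
# Built-in Contributor, NotActions abbreviated here: everything except role management.
CONTRIBUTOR = {"Actions": ["*"], "NotActions": ["Microsoft.Authorization/*/Write",
               "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/elevateAccess/Action"]}
# Constructed, trimmed version of the resource-group custom role in Table 3.
GATEWAY_ROLE = {"Actions": ["Microsoft.Compute/virtualMachines/*",
                            "Microsoft.Network/networkInterfaces/*",
                            "Microsoft.Network/publicIPAddresses/*",
                            "Microsoft.Resources/deployments/*"], "NotActions": []}

def action_matches(pattern: str, operation: str) -> bool:
    """Azure action matching: case-insensitive, '*' spans any characters."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def role_allows(role: dict, operation: str) -> bool:
    allowed = any(action_matches(p, operation) for p in role["Actions"])
    denied = any(action_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied

def scope_covers(assigned_at: str, target: str) -> bool:
    """An assignment at a scope applies there and at every child scope."""
    a, t = assigned_at.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def permitted(assignments, operation: str, target: str) -> bool:
    """assignments: list of (role, scope) pairs held by one service principal."""
    return any(scope_covers(scope, target) and role_allows(role, operation)
               for role, scope in assignments)

# The two-level pattern this topic describes versus Contributor at the subscription.
TWO_LEVEL = [(READER, SUB), (GATEWAY_ROLE, GATEWAY_RG)]
CONTRIBUTOR_ONLY = [(CONTRIBUTOR, SUB)]

if __name__ == "__main__":
    for op, scope in [("Microsoft.Compute/virtualMachines/write", GATEWAY_RG),
                      ("Microsoft.Compute/virtualMachines/write", OTHER_RG)]:
        print(op, scope, permitted(TWO_LEVEL, op, scope), permitted(CONTRIBUTOR_ONLY, op, scope))
```

The output shows the practical difference: the two-level assignment can create virtual machines only inside the designated resource group, while Contributor at the subscription can do so in every resource group.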