
Lock resources to prevent unexpected changes

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

How locks are applied

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure Role-based Access Control.

Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks do not restrict how resources perform their own functions. Resource changes are restricted, but resource operations are not restricted. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database, but it does not prevent you from creating, updating, or deleting data in the database. Data transactions are permitted because those operations are not sent to https://management.azure.com.

Applying ReadOnly can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a ReadOnly lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. For another example, placing a ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.
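The inheritance and management-plane rules above, as an added example that is not Azure's own code: it computes the effective lock for a scope from locks set at ancestor scopes and decides whether a management-plane request is permitted. The scope strings and lock inventory are constructed for illustration.

```python
"""Effective management-lock evaluation, modelled on the rules this page states.

Added example (not Azure's own code): a lock at a parent scope is inherited by
every child scope, the most restrictive inherited lock wins, and locks gate only
management-plane requests (those sent to https://management.azure.com).
Scope strings below are constructed for illustration.
"""
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    CAN_NOT_DELETE = 1   # read and modify allowed, delete blocked
    READ_ONLY = 2        # only reads allowed


# Constructed lock inventory: lock scope -> lock level.
LOCKS = {
    "/subscriptions/sub1/resourceGroups/rg1": Level.CAN_NOT_DELETE,
    "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage"
    "/storageAccounts/stor1": Level.READ_ONLY,
}

# Management-plane verb -> effect. POST counts as a write: listKeys on a
# storage account is a POST, which is why a ReadOnly lock blocks listing keys.
VERB_EFFECT = {"GET": "read", "HEAD": "read", "POST": "write",
               "PUT": "write", "PATCH": "write", "DELETE": "delete"}


def effective_level(scope, locks=LOCKS):
    """Most restrictive lock applied at `scope` or inherited from an ancestor."""
    level = Level.NONE
    for locked_scope, lock_level in locks.items():
        if scope == locked_scope or scope.startswith(locked_scope + "/"):
            level = max(level, lock_level)
    return level


def is_allowed(scope, verb, host="management.azure.com", locks=LOCKS):
    """True if the request is permitted under the effective lock."""
    if host != "management.azure.com":
        return True            # data-plane traffic is never restricted by locks
    effect = VERB_EFFECT[verb.upper()]
    level = effective_level(scope, locks)
    if effect == "delete":
        return level == Level.NONE
    if effect == "write":
        return level < Level.READ_ONLY
    return True                # a plain GET is always allowed
```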

Who can create or delete locks in your organization

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

Portal

  1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.

    (Screenshot: select Locks)

  2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent. For example, you could lock the resource group to apply a lock to all its resources.

    (Screenshot: add a lock)

  3. Give the lock a name and lock level. Optionally, you can add notes that describe the lock.

    (Screenshot: set the lock)

  4. To delete the lock, select the ellipsis and Delete from the available options.

    (Screenshot: delete the lock)

Template

The following example shows a template that creates a lock on a storage account. The storage account on which to apply the lock is provided as a parameter. The name of the lock is created by concatenating the resource name with /Microsoft.Authorization/ and the name of the lock, in this case myLock.

The type provided is specific to the resource type. For storage, set the type to "Microsoft.Storage/storageaccounts/providers/locks".

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lockedResource": {
      "type": "string"
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('lockedResource'), '/Microsoft.Authorization/myLock')]",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "CannotDelete"
      }
    }
  ]
}

PowerShell

You lock deployed resources with Azure PowerShell by using the New-AzureRmResourceLock command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

New-AzureRmResourceLock -LockLevel CanNotDelete -LockName LockSite `
  -ResourceName examplesite -ResourceType Microsoft.Web/sites `
  -ResourceGroupName exampleresourcegroup

To lock a resource group, provide the name of the resource group.

New-AzureRmResourceLock -LockName LockGroup -LockLevel CanNotDelete `
  -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzureRmResourceLock. To get all the locks in your subscription, use:

Get-AzureRmResourceLock

To get all locks for a resource, use:

Get-AzureRmResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites `
  -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzureRmResourceLock -ResourceGroupName exampleresourcegroup

Azure PowerShell provides other commands for working with locks, such as Set-AzureRmResourceLock to update a lock, and Remove-AzureRmResourceLock to delete a lock.

Azure CLI

You lock deployed resources with Azure CLI by using the az lock create command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete \
  --resource-group exampleresourcegroup --resource-name examplesite \
  --resource-type Microsoft.Web/sites

To lock a resource group, provide the name of the resource group.

az lock create --name LockGroup --lock-type CanNotDelete \
  --resource-group exampleresourcegroup

To get information about a lock, use az lock list. To get all the locks in your subscription, use:

az lock list

To get all locks for a resource, use:

az lock list --resource-group exampleresourcegroup --resource-name examplesite \
  --namespace Microsoft.Web --resource-type sites --parent ""

To get all locks for a resource group, use:

az lock list --resource-group exampleresourcegroup

Azure CLI provides other commands for working with locks, such as az lock update to update a lock, and az lock delete to delete a lock.

REST API

You can lock deployed resources with the REST API for management locks. The REST API enables you to create and delete locks, and retrieve information about existing locks.

To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the lock. For api-version, use 2015-01-01.

In the request, include a JSON object that specifies the properties for the lock.

{
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional text notes."
  }
} 
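The PUT request above with its placeholders filled in, as an added example that is not Azure's own code: it builds the scope path for a subscription, resource group, or resource and assembles the URL and JSON body. The subscription ID and resource names passed to it are constructed placeholders; the resource ID path shapes follow the standard Azure resource ID format.

```python
"""Build the management-lock PUT request described above.

Added example (not Azure's own code). It fills in the {scope}, {lock-name} and
{api-version} placeholders of the URL pattern on this page and produces the
JSON body. Resource ID path shapes follow the standard Azure resource ID format;
the subscription ID and names used when calling it are constructed placeholders.
"""
import json

API_VERSION = "2015-01-01"
LEVELS = {"CanNotDelete", "ReadOnly"}


def lock_scope(subscription_id, resource_group=None, provider=None,
               resource_type=None, resource_name=None):
    """Scope path for a subscription, a resource group, or a single resource."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    if resource_name:
        if not (resource_group and provider and resource_type):
            raise ValueError("a resource scope needs group, provider and type")
        scope += f"/providers/{provider}/{resource_type}/{resource_name}"
    return scope


def build_create_lock_request(scope, lock_name, level, notes=None):
    """Return (method, url, body) for creating a management lock at `scope`."""
    if level not in LEVELS:
        raise ValueError(f"unsupported lock level: {level}")
    url = (f"https://management.azure.com{scope}"
           f"/providers/Microsoft.Authorization/locks/{lock_name}"
           f"?api-version={API_VERSION}")
    properties = {"level": level}
    if notes:
        properties["notes"] = notes       # optional, as in the body above
    return "PUT", url, json.dumps({"properties": properties})
```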

Next steps