
Role-based Authorization in Kusto

Authorization is the process of allowing or disallowing a security principal permission to carry out an action. Kusto uses a role-based access control model, under which authenticated principals are mapped to roles and get access according to the roles they're assigned.

The Kusto Engine service has the following roles:

| Role | Permissions |
|---|---|
| All Databases admin | Can do anything in the scope of any database. Can show and alter certain cluster-level policies. |
| Database admin | Can do anything in the scope of a particular database. |
| Database user | Can read all data and metadata of the database. Additionally, can create tables and become the table admin for those tables, and create functions in the database. |
| All Databases viewer | Can read all data and metadata of any database. |
| Database viewer | Can read all data and metadata of a particular database. |
| Database ingestor | Can ingest data to all existing tables in the database, but can't query the data. |
| Database unrestrictedviewer | Can query all tables in the database that have the RestrictedViewAccess policy enabled. |
| Database monitor | Can execute .show commands in the context of the database and its child entities. |
| Function admin | Can alter function, delete function, or grant admin permissions to another principal. |
| Table admin | Can do anything in the scope of a particular table. |
| Table ingestor | Can ingest data in the scope of a particular table, but can't query the data. |
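
The following is an added example, not part of the original documentation: it maps three principals to the narrowest role from the table that covers their job, using Kusto's security role management commands. The database name `SampleDb`, the table name `Events`, the principal names, and the `<...>` identifiers are placeholders assumed for illustration.

```kusto
// Run each command separately; SampleDb, Events and all principals are placeholders.

// Ingestion pipeline: Table ingestor on the one table it writes to.
// It can ingest into Events but cannot query it or touch other tables.
.add table Events ingestors ('aadapp=<application-id>;<tenant-id>') 'Ingestion pipeline, write-only'

// Analyst: Database viewer, read-only access to data and metadata of SampleDb.
.add database SampleDb viewers ('aaduser=analyst@contoso.example') 'Read-only analyst'

// Health-check identity: Database monitor, limited to .show commands
// in the context of SampleDb and its child entities.
.add database SampleDb monitors ('aadapp=<monitor-application-id>;<tenant-id>') 'Health checks'

// Over-privileged alternative to avoid: granting the pipeline Database admin
// lets it do anything in SampleDb. If such a grant already exists, remove it.
.drop database SampleDb admins ('aadapp=<application-id>;<tenant-id>')

// Review the resulting role assignments at each scope.
.show database SampleDb principals

.show table Events principals
```

Reviewing the `.show ... principals` output periodically shows which principals still hold admin roles at database or table scope and whether each grant is still needed.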