
Managed identities in Azure HDInsight

A managed identity is an identity registered in Azure Active Directory (Azure AD) whose credentials are managed by Azure. With managed identities, you don't need to register service principals in Azure AD or maintain credentials such as certificates.

Managed identities are used in Azure HDInsight to access Azure AD Domain Services or, when needed, to access files in Azure Data Lake Storage Gen2.

There are two types of managed identities: user-assigned and system-assigned. Azure HDInsight supports only user-assigned managed identities; it doesn't support system-assigned managed identities. A user-assigned managed identity is created as a standalone Azure resource, which you can then assign to one or more Azure service instances. In contrast, a system-assigned managed identity is created in Azure AD and enabled automatically and directly on a particular Azure service instance. The lifetime of that system-assigned managed identity is therefore tied to the lifetime of the service instance it's enabled on.

HDInsight managed identity implementation

In Azure HDInsight, managed identities are provisioned on each node of the cluster. These identity components, however, are usable only by the HDInsight service itself. There's currently no supported method for generating access tokens from the managed identities installed on HDInsight cluster nodes. Some other Azure services implement managed identities with an endpoint from which you can acquire access tokens and then use those tokens on your own to interact with other Azure services; HDInsight doesn't offer this.

Create a managed identity

Managed identities can be created with any of the following methods:

The remaining steps for configuring the managed identity depend on the scenario in which it will be used.

Managed identity scenarios in Azure HDInsight

Managed identities are used in Azure HDInsight in multiple scenarios. See the related documents for detailed setup and configuration instructions:

FAQ

What happens if I delete the managed identity after the cluster creation?

Your cluster will run into issues whenever the managed identity is needed. There's currently no way to update or change a managed identity after the cluster is created, so make sure that the managed identity isn't deleted during the cluster's lifetime. Otherwise, the only remedy is to re-create the cluster and assign a new managed identity.
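As an added example (not code from this page or from the HDInsight product), the following Azure PowerShell script walks the creation step above for the Data Lake Storage Gen2 scenario and then guards against the FAQ case: it creates a standalone user-assigned identity, scopes its role assignment to one storage account, locks the identity against deletion, and checks that the identity the cluster was bound to still exists. Resource names are placeholders, and the Storage Blob Data Owner role is assumed from the ADLS Gen2 setup guide rather than stated on this page.

```powershell
# Added example, not from this page. Requires the Az.ManagedServiceIdentity,
# Az.Resources and Az.Storage modules and an active Connect-AzAccount session.
$ResourceGroup  = "rg-hdinsight-demo"   # placeholder resource group
$Location       = "eastus"              # placeholder region
$IdentityName   = "mi-hdinsight-demo"   # placeholder identity name
$StorageAccount = "sthdinsightdemo"     # placeholder ADLS Gen2 account

# 1. Create the standalone user-assigned identity. Unlike a system-assigned
#    identity, its lifetime is independent of any cluster it is assigned to.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup `
    -Name $IdentityName -Location $Location

# 2. Grant the identity access to only the storage account the cluster needs
#    (least privilege: scope is the account, not the subscription).
#    Storage Blob Data Owner is an assumption taken from the ADLS Gen2 guide.
$storage = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
New-AzRoleAssignment -ObjectId $identity.PrincipalId `
    -RoleDefinitionName "Storage Blob Data Owner" -Scope $storage.Id

# 3. Mitigation for the FAQ: the cluster cannot be re-pointed at another
#    identity, so a CanNotDelete lock blocks accidental deletion.
New-AzResourceLock -LockName "hdinsight-identity-no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $ResourceGroup -ResourceName $IdentityName `
    -ResourceType "Microsoft.ManagedIdentity/userAssignedIdentities" -Force

# The identity's resource Id is the value bound to the cluster at creation time.
Write-Host "Assign this identity when creating the cluster: $($identity.Id)"

# 4. Detection: periodically verify the bound identity still exists, since a
#    missing identity only surfaces when the cluster next needs it.
function Test-HDInsightIdentityPresent {
    param([string]$ResourceGroupName, [string]$Name)
    $found = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName `
        -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $found) {
        Write-Warning "Managed identity '$Name' is missing; the cluster will fail when it needs it. Re-creating the cluster with a new identity is the only fix."
        return $false
    }
    return $true
}
Test-HDInsightIdentityPresent -ResourceGroupName $ResourceGroup -Name $IdentityName
```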

Next steps