Use the privileged endpoint in Azure Stack Hub

As an Azure Stack Hub operator, you should use the administrator portal, PowerShell, or Azure Resource Manager APIs for most day-to-day management tasks. However, for some less common operations, you need to use the privileged endpoint (PEP). The PEP is a pre-configured remote PowerShell console that provides you with just enough capabilities to help you do a required task. The endpoint uses PowerShell JEA (Just Enough Administration) to expose only a restricted set of cmdlets. To access the PEP and invoke the restricted set of cmdlets, a low-privileged account is used. No admin accounts are required. For additional security, scripting isn't allowed.

You can use the PEP to perform these tasks:

  • Low-level tasks, such as collecting diagnostic logs.
  • Many post-deployment datacenter integration tasks for integrated systems, such as adding Domain Name System (DNS) forwarders after deployment, setting up Microsoft Graph integration, Active Directory Federation Services (AD FS) integration, certificate rotation, and so on.
  • Working with support to obtain temporary, high-level access for in-depth troubleshooting of an integrated system.

The PEP logs every action (and its corresponding output) that you perform in the PowerShell session. This provides full transparency and complete auditing of operations. You can keep these log files for future audits.

Note

In the Azure Stack Development Kit (ASDK), you can run some of the commands available in the PEP directly from a PowerShell session on the development kit host. However, you may want to test some operations using the PEP, such as log collection, because this is the only method available to perform certain operations in an integrated systems environment.

Note

You can also use the Operator Access Workstation (OAW) to access the privileged endpoint (PEP), the administrator portal for support scenarios, and the Azure Stack Hub GitHub tools. For more information, see Azure Stack Hub Operator Access Workstation.

Access the privileged endpoint

You access the PEP through a remote PowerShell session on the virtual machine (VM) that hosts the PEP. In the ASDK, this VM is named AzS-ERCS01. If you're using an integrated system, there are three instances of the PEP, each running inside a VM (Prefix-ERCS01, Prefix-ERCS02, or Prefix-ERCS03) on different hosts for resiliency.

Before you begin this procedure for an integrated system, make sure you can access the PEP either by IP address or through DNS. After the initial deployment of Azure Stack Hub, you can access the PEP only by IP address because DNS integration isn't set up yet. Your OEM hardware vendor will provide you with a JSON file named AzureStackStampDeploymentInfo that contains the PEP IP addresses.

You may also find the IP address in the Azure Stack Hub administrator portal. Open the portal, for example, https://adminportal.local.azurestack.external. Select Region Management > Properties.

You will need to set your current culture setting to en-US when running the privileged endpoint; otherwise, cmdlets such as Test-AzureStack or Get-AzureStackLog won't work as expected.

Note

For security reasons, we require that you connect to the PEP only from a hardened VM running on top of the hardware lifecycle host, or from a dedicated and secure computer, such as a Privileged Access Workstation. The hardware lifecycle host must not be modified from its original configuration (including installing new software) or used to connect to the PEP.

  1. Establish the trust.

    • On an integrated system, run the following command from an elevated Windows PowerShell session to add the PEP as a trusted host on the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation.

      Set-Item WSMan:\localhost\Client\TrustedHosts -Value '<IP Address of Privileged Endpoint>' -Concatenate
      
    • If you're running the ASDK, sign in to the development kit host.

  2. On the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation, open a Windows PowerShell session. Run the following commands to establish a remote session on the VM that hosts the PEP:

    • On an integrated system:

      $cred = Get-Credential
      
      $pep = New-PSSession -ComputerName <IP_address_of_ERCS> -ConfigurationName PrivilegedEndpoint -Credential $cred -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
      Enter-PSSession $pep
      

      The ComputerName parameter can be either the IP address or the DNS name of one of the VMs that hosts the PEP.

      Note

      Azure Stack Hub doesn't make a remote call when validating the PEP credential. It relies on a locally stored RSA public key to do that.

    • If you're running the ASDK:

      $cred = Get-Credential
      
      $pep = New-PSSession -ComputerName azs-ercs01 -ConfigurationName PrivilegedEndpoint -Credential $cred -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)
      Enter-PSSession $pep
      

    When prompted, use the following credentials:

    • User name: Specify the CloudAdmin account, in the format <Azure Stack Hub domain>\cloudadmin. (For the ASDK, the user name is azurestack\cloudadmin.)
    • Password: Enter the same password that was provided during installation for the AzureStackAdmin domain administrator account.

    Note

    If you're unable to connect to the ERCS endpoint, retry steps one and two with another ERCS VM IP address.

  3. After you connect, the prompt changes to [IP address or ERCS VM name]: PS> or to [azs-ercs01]: PS>, depending on the environment. From here, run Get-Command to view the list of available cmdlets.

    You can find a reference for the cmdlets in the Azure Stack Hub privileged endpoint reference.

    Many of these cmdlets are intended only for integrated system environments (such as the cmdlets related to datacenter integration). In the ASDK, the following cmdlets have been validated:

    • Clear-Host
    • Close-PrivilegedEndpoint
    • Exit-PSSession
    • Get-AzureStackLog
    • Get-AzureStackStampInformation
    • Get-Command
    • Get-FormatData
    • Get-Help
    • Get-ThirdPartyNotices
    • Measure-Object
    • New-CloudAdminUser
    • Out-Default
    • Remove-CloudAdminUser
    • Select-Object
    • Set-CloudAdminUserPassword
    • Test-AzureStack
    • Stop-AzureStack
    • Get-ClusterLog
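The connection procedure above as one script for an integrated system. This is an added example, not code from the Azure Stack Hub documentation: it trusts the three ERCS addresses, tries each in turn (the note about retrying with another ERCS VM address, automated), lists what the JEA configuration exposes, and then hands the session to the operator. The three addresses are placeholders to fill in from the AzureStackStampDeploymentInfo file or from Region Management > Properties in the portal.

```powershell
# Added example (not from the Azure Stack Hub docs): connect to the PEP on an
# integrated system, trying each ERCS instance until one accepts the session.
# Placeholder addresses: take the real ones from AzureStackStampDeploymentInfo
# or from Region Management > Properties in the administrator portal.
$ercsEndpoints = @('<IP of Prefix-ERCS01>', '<IP of Prefix-ERCS02>', '<IP of Prefix-ERCS03>')

# Prompt once for the CloudAdmin account (<Azure Stack Hub domain>\cloudadmin).
$cred = Get-Credential -Message 'CloudAdmin account for the privileged endpoint'

# Trust only the ERCS addresses, appending to the existing TrustedHosts list rather
# than overwriting it. Run from an elevated PowerShell session.
foreach ($ip in $ercsEndpoints) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ip -Concatenate -Force
}

# The PEP cmdlets expect an en-US culture; pass it with the session options.
$sessionOption = New-PSSessionOption -Culture en-US -UICulture en-US

$pep = $null
foreach ($ip in $ercsEndpoints) {
    try {
        $pep = New-PSSession -ComputerName $ip -ConfigurationName PrivilegedEndpoint `
            -Credential $cred -SessionOption $sessionOption -ErrorAction Stop
        Write-Host "Connected to the privileged endpoint at $ip"
        break
    }
    catch {
        # Typical causes: wrong address, host not yet in TrustedHosts, or the ERCS
        # instance is down; move on to the next instance.
        Write-Warning "Could not connect to $ip : $($_.Exception.Message)"
    }
}

if (-not $pep) {
    throw 'No ERCS instance accepted the connection; check the addresses and TrustedHosts.'
}

# Before doing anything else, list what the JEA configuration actually exposes.
# A plain cmdlet call through Invoke-Command is allowed; script blocks with logic are not.
Invoke-Command -Session $pep -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType

# Hand over to interactive work. Finish with Close-PrivilegedEndpoint, not
# Exit-PSSession, so the session transcript is shipped off the PEP.
Enter-PSSession $pep
```

The loop stops at the first instance that accepts the credential, so a stamp with one ERCS VM offline still yields a session without the operator retyping the address.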

How to use the privileged endpoint

As mentioned above, the PEP is a PowerShell JEA endpoint. While providing a strong security layer, a JEA endpoint reduces some of the basic PowerShell capabilities, such as scripting or tab completion. If you try any type of script operation, the operation fails with the error ScriptsNotAllowed. This failure is expected behavior.

For instance, to get the list of parameters for a given cmdlet, run the following command:

    Get-Command <cmdlet_name> -Syntax

Alternatively, you can use the Import-PSSession cmdlet to import all the PEP cmdlets into the current session on your local machine. The cmdlets and functions of the PEP are then available on your local machine, together with tab completion and, more generally, scripting. You can also run Get-Help to review cmdlet instructions.

To import the PEP session on your local machine, do the following steps:

  1. Establish the trust.

    • On an integrated system, run the following command from an elevated Windows PowerShell session to add the PEP as a trusted host on the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation.

      winrm s winrm/config/client '@{TrustedHosts="<IP Address of Privileged Endpoint>"}'
      
    • If you're running the ASDK, sign in to the development kit host.

  2. On the hardened VM running on the hardware lifecycle host or the Privileged Access Workstation, open a Windows PowerShell session. Run the following commands to establish a remote session on the virtual machine that hosts the PEP:

    • On an integrated system:

      $cred = Get-Credential
      
      $session = New-PSSession -ComputerName <IP_address_of_ERCS> `
         -ConfigurationName PrivilegedEndpoint -Credential $cred
      

      The ComputerName parameter can be either the IP address or the DNS name of one of the VMs that hosts the PEP.

    • If you're running the ASDK:

      $cred = Get-Credential
      
      $session = New-PSSession -ComputerName azs-ercs01 `
         -ConfigurationName PrivilegedEndpoint -Credential $cred
      

    When prompted, use the following credentials:

    • User name: Specify the CloudAdmin account, in the format <Azure Stack Hub domain>\cloudadmin. (For the ASDK, the user name is azurestack\cloudadmin.)

    • Password: Enter the same password that was provided during installation for the AzureStackAdmin domain administrator account.

  3. Import the PEP session into your local machine:

    Import-PSSession $session
    
  4. Now, you can use tab completion and do scripting as usual in your local PowerShell session with all the functions and cmdlets of the PEP, without decreasing the security posture of Azure Stack Hub. Enjoy!

Close the privileged endpoint session

As mentioned earlier, the PEP logs every action (and its corresponding output) that you do in the PowerShell session. You must close the session by using the Close-PrivilegedEndpoint cmdlet. This cmdlet correctly closes the endpoint and transfers the log files to an external file share for retention.

To close the endpoint session:

  1. Create an external file share that's accessible by the PEP. In a development kit environment, you can just create a file share on the development kit host.

  2. Run the following cmdlet:

    Close-PrivilegedEndpoint -TranscriptsPathDestination "\\fileshareIP\SharedFolder" -Credential (Get-Credential)
    

    The cmdlet uses the parameters in the following table:

    Parameter                    Description                                                                  Type          Required
    TranscriptsPathDestination   Path to the external file share, defined as "fileshareIP\sharefoldername"   String        Yes
    Credential                   Credentials to access the file share                                         SecureString  Yes

After the transcript log files are successfully transferred to the file share, they're automatically deleted from the PEP.

Note

If you close the PEP session by using the cmdlets Exit-PSSession or Exit, or you just close the PowerShell console, the transcript logs don't transfer to a file share. They remain in the PEP. The next time you run Close-PrivilegedEndpoint and include a file share, the transcript logs from the previous session(s) will also transfer. Don't use Exit-PSSession or Exit to close the PEP session; use Close-PrivilegedEndpoint instead.

Unlocking the privileged endpoint for support scenarios

During a support scenario, the Microsoft support engineer might need to elevate the privileged endpoint PowerShell session to access the internals of the Azure Stack Hub infrastructure. This process is sometimes informally referred to as "break the glass" or "unlock the PEP". The PEP session elevation process is a two-step, two-person, two-organization authentication process. The unlock procedure is initiated by the Azure Stack Hub operator, who retains control of their environment at all times. The operator accesses the PEP and executes this cmdlet:
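The import-and-script procedure and the close-down step, combined into one scripted maintenance run. This is an added example, not code from the Azure Stack Hub documentation. It assumes a file share the PEP can write to, a local folder for the run's output, and the Get-AzureStackLog parameters OutputSharePath, OutputShareCredential, FilterByRole, FromDate and ToDate, which are not shown on this page. The finally block is the point: whatever fails in the middle, the session is ended through Close-PrivilegedEndpoint so the transcript leaves the PEP.

```powershell
# Added example (not from the Azure Stack Hub docs): a scripted run through an
# imported PEP session that always ends with Close-PrivilegedEndpoint.
# Placeholders: the ERCS address, the share path and the local output folder.
$ercs      = '<IP_address_of_ERCS>'
$sharePath = '\\fileshareIP\SharedFolder'
$outputDir = Join-Path 'C:\AzsOps\pep-runs' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

$pepCred   = Get-Credential -Message 'CloudAdmin account (<Azure Stack Hub domain>\cloudadmin)'
$shareCred = Get-Credential -Message 'Account with write access to the file share'

$session = New-PSSession -ComputerName $ercs -ConfigurationName PrivilegedEndpoint `
    -Credential $pepCred -SessionOption (New-PSSessionOption -Culture en-US -UICulture en-US)

try {
    # Import the PEP cmdlets as local proxy functions. Scripting and tab completion
    # work locally; every call still executes remotely under the JEA configuration
    # and is written to the PEP transcript.
    Import-PSSession -Session $session -DisableNameChecking | Out-Null

    # Record which stamp this run touched; the deserialized object is kept as XML.
    Get-AzureStackStampInformation | Export-Clixml -Path (Join-Path $outputDir 'stamp-info.xml')

    # Health check output goes to the run folder so it can be attached to a ticket.
    Test-AzureStack | Out-File -FilePath (Join-Path $outputDir 'test-azurestack.txt')

    # Collect the last 8 hours of storage-role logs to the same share
    # (parameter names as documented for Get-AzureStackLog, not on this page).
    Get-AzureStackLog -OutputSharePath $sharePath -OutputShareCredential $shareCred `
        -FilterByRole Storage -FromDate (Get-Date).AddHours(-8) -ToDate (Get-Date)
}
finally {
    # Close through the PEP's own cmdlet: it ends the endpoint and transfers the
    # transcript of this run (plus any left over from earlier sessions) to the share.
    # Exit-PSSession or Remove-PSSession alone would leave the transcript on the PEP.
    Close-PrivilegedEndpoint -TranscriptsPathDestination $sharePath -Credential $shareCred
    Remove-PSSession -Session $session -ErrorAction SilentlyContinue
}
```

Keep the share credential separate from the CloudAdmin credential: the PEP account needs no rights on the share, and the share account needs none on the stamp.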

     Get-SupportSessionToken

The cmdlet returns the support session request token, a very long alphanumeric string. The operator then passes the request token to the Microsoft support engineer via a medium of their choice (for example, chat or email). The Microsoft support engineer uses the request token to generate, if it is valid, a support session authorization token and sends it back to the Azure Stack Hub operator. In the same PEP PowerShell session, the operator then passes the authorization token as input to this cmdlet:

      unlock-supportsession
      cmdlet Unlock-SupportSession at command pipeline position 1
      Supply values for the following parameters:
      ResponseToken:

If the authorization token is valid, the PEP PowerShell session is elevated, providing full admin capabilities and full reachability into the infrastructure.

Note

All the operations and cmdlets executed in an elevated PEP session must be performed under strict supervision of the Microsoft support engineer. Failure to do so could result in serious downtime or data loss and could require a full redeployment of the Azure Stack Hub environment.

Once the support session is terminated, it is very important to close the elevated PEP session by using the Close-PrivilegedEndpoint cmdlet, as explained in the section above. Once the PEP session is terminated, the unlock token is no longer valid and cannot be reused to unlock the PEP session again. An elevated PEP session has a validity of 8 hours, after which, if not terminated, the elevated PEP session automatically locks back to a regular PEP session.

Content of the privileged endpoint tokens

The PEP support session request and authorization tokens use cryptography to protect access and ensure that only authorized tokens can unlock the PEP session. The tokens are designed to cryptographically guarantee that a response token can only be accepted by the PEP session that generated the request token. PEP tokens don't contain any kind of information that could uniquely identify an Azure Stack Hub environment or a customer. They are completely anonymous. The details of the content of each token are provided below.

Support session request token

The PEP support session request token is composed of three objects:

  • A randomly generated session ID.
  • A self-signed certificate, generated for the purpose of having a one-time public/private key pair. The certificate doesn't contain any information on the environment.
  • A time stamp that indicates the request token expiration.

The request token is then encrypted with the public key of the Azure cloud against which the Azure Stack Hub environment is registered.

Support session authorization response token

The PEP support authorization response token is composed of two objects:

  • The randomly generated session ID extracted from the request token.
  • A time stamp that indicates the response token expiration.

The response token is then encrypted with the self-signed certificate contained in the request token. The self-signed certificate was decrypted with the private key associated with the Azure cloud against which the Azure Stack Hub environment is registered.
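A model of the two-token exchange described in the last two sections, written in PowerShell on top of the .NET RSA and AES classes. This is an added example and not Microsoft's implementation: the page does not document the real token encoding, key sizes or padding, so JSON payloads, hybrid AES-256 plus RSA-OAEP encryption, a bare one-time RSA key pair standing in for the self-signed certificate, and Unix-time expiries are all assumptions chosen to make the stated properties visible. It shows why a response can only be accepted by the session that produced the request (the session's private key never leaves it) and how both expiry stamps are enforced.

```powershell
# Added example, not Microsoft's implementation: a model of the PEP support token
# exchange. Assumed details (not documented on the page): JSON payloads, hybrid
# AES-256 + RSA-OAEP encryption, a bare RSA key pair instead of a self-signed
# certificate, and expiries as Unix seconds.
using namespace System.Security.Cryptography
using namespace System.Text

function Protect-Payload([RSA]$RecipientPublicKey, [hashtable]$Payload) {
    # Encrypt the JSON payload with a fresh AES key, then wrap key+IV with RSA-OAEP.
    $aes = [Aes]::Create(); $aes.KeySize = 256
    $plain = [Encoding]::UTF8.GetBytes(($Payload | ConvertTo-Json -Compress))
    $body  = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $keyIv = [byte[]]($aes.Key + $aes.IV)
    @{ WrappedKey = $RecipientPublicKey.Encrypt($keyIv, [RSAEncryptionPadding]::OaepSHA1); Body = $body }
}

function Unprotect-Payload([RSA]$RecipientPrivateKey, [hashtable]$Token) {
    # Throws a CryptographicException unless this key pair matches the wrapping key.
    $keyIv = $RecipientPrivateKey.Decrypt($Token.WrappedKey, [RSAEncryptionPadding]::OaepSHA1)
    $aes = [Aes]::Create()
    $aes.Key = [byte[]]($keyIv[0..31]); $aes.IV = [byte[]]($keyIv[32..47])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Token.Body, 0, $Token.Body.Length)
    [Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
}

# Operator side, inside the PEP session (models Get-SupportSessionToken).
function New-RequestToken([RSA]$CloudPublicKey) {
    $sessionKey = [RSA]::Create(); $sessionKey.KeySize = 2048   # one-time key pair
    $sessionId  = [guid]::NewGuid().ToString()                  # random session ID
    $payload = @{
        SessionId = $sessionId
        PublicKey = $sessionKey.ToXmlString($false)   # public half only; nothing about the stamp
        Expires   = [datetimeoffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
    }
    # The private half stays in the session state and never leaves the PEP.
    @{ State = @{ SessionId = $sessionId; SessionKey = $sessionKey }
       Token = (Protect-Payload $CloudPublicKey $payload) }
}

# Microsoft side (models the support engineer's tooling): validate, then answer.
function New-ResponseToken([RSA]$CloudPrivateKey, [hashtable]$RequestToken) {
    $req = Unprotect-Payload $CloudPrivateKey $RequestToken
    if ($req.Expires -lt [datetimeoffset]::UtcNow.ToUnixTimeSeconds()) { throw 'Request token has expired' }
    $sessionPublic = [RSA]::Create(); $sessionPublic.FromXmlString($req.PublicKey)
    $payload = @{
        SessionId = $req.SessionId                                             # echoed from the request
        Expires   = [datetimeoffset]::UtcNow.AddHours(8).ToUnixTimeSeconds()   # 8-hour elevation window
    }
    Protect-Payload $sessionPublic $payload   # only the requesting session can open this
}

# Operator side again (models Unlock-SupportSession): accept or reject the response.
function Test-ResponseToken([hashtable]$State, [hashtable]$ResponseToken) {
    try { $resp = Unprotect-Payload $State.SessionKey $ResponseToken }
    catch { return $false }   # wrapped for some other session's key
    if ($resp.SessionId -ne $State.SessionId) { return $false }
    if ($resp.Expires -lt [datetimeoffset]::UtcNow.ToUnixTimeSeconds()) { return $false }
    return $true
}

# Exercise the model: a cloud key pair, two PEP sessions, one response issued for the first.
$cloudKey    = [RSA]::Create(); $cloudKey.KeySize = 2048
$cloudPublic = [RSA]::Create(); $cloudPublic.FromXmlString($cloudKey.ToXmlString($false))
$sessionA     = New-RequestToken $cloudPublic
$sessionB     = New-RequestToken $cloudPublic
$responseForA = New-ResponseToken $cloudKey $sessionA.Token

"Accepted by the session that made the request: $(Test-ResponseToken $sessionA.State $responseForA)"
"Accepted when replayed into a different session: $(Test-ResponseToken $sessionB.State $responseForA)"
```

The first line reports acceptance and the second rejection: the replayed response cannot even be decrypted by session B, because it was wrapped for session A's one-time public key, and the session ID check would reject it even if it could be. OaepSHA1 is used because the default RSA provider on Windows PowerShell 5.1 does not support the SHA-256 variant; on PowerShell 7 OaepSHA256 works in both functions.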

Next steps