Databricks best practice to manage resources corresponding to a deleted user - databricks

Currently I have a problem with my Databricks workspace: when a user was deleted, it caused some issues:
Applications or scripts that use the tokens generated by the user will no longer be able to access the Databricks API
Jobs owned by the user will fail
Clusters owned by the user will stop
Queries or dashboards created by the user and shared using the Run as Owner credential will have to be assigned to a new owner to prevent sharing from failing
How can I keep these resources operating normally?

The main solution for this is to use service principals instead of user identity for all production clusters/jobs/SQL queries/dashboards/...
Databricks documentation has a dedicated article about the use of service principals.

Related

Minimum permission to view live data - Azure Kubernetes

I have enabled Kubernetes RBAC authorization in all my Azure kubernetes clusters. Now I need to give permissions for viewing live data in containers tab
How can I do it? Which is the minimum permission needed?
Thanks
As far as I understand from my investigation, if you want to do it using Azure Built-in roles, you need the following three roles at the very least:
Reader role assignment scoped to the AKS cluster to be able to discover the cluster
Azure Kubernetes Service Cluster User Role role assignment scoped to the AKS cluster as mentioned in the note atop the page in the docs. This is needed to allow access to Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call. This API call lists the cluster user credentials.
Log Analytics Contributor role assignment scoped to the Log Analytics workspace associated to the AKS cluster. This is needed to execute an Analytics query for data, i.e., perform a /workspaces/{workspaceId}/query API call. More here.
This should let one pull up the live data for containers. If not comfortable with this approach, you might also create a Custom Role allowing only those exact actions.
Hope this helps!

Limiting access to azure key vault

I want to create an Azure key vault with fairly restricted access (one or two of our apps). I've created the Key Vault through the Azure portal, but when I look at the Access Control section, I find that several Apps and Users have the Contributor role (inherited from the subscription) for the key vault, which gives them more access than they should have.
Since the subscription is the highest level at which access control can be set, there is no way for me to revoke access for these apps/users without revoking it at the subscription level, and this would probably cause all sorts of problems. (it's not really clear what permissions these need, so it'd be a bit painful to have to give those permissions at a resource group or resource level). What's more, there'd be nothing stopping someone who comes along later from adding contributor roles at the subscription level (for some new app, for instance), and breaking the security of the key vault.
So with all of this in mind, what would be the best way to limit access to an azure key vault, so that only the apps/users I want have access to it, despite the fact that several apps/users already have these permissions at the subscription level?
More info: We're using the Azure Resource Manager model, and everything is currently stored in one subscription.
It looks like you cannot achieve this with the way RBAC works today.
Here are a couple of feedback requests already running on Feedback Forums - https://feedback.azure.com. One is for Key Vault and another takes the example of a storage account but essentially looking for the same feature to override the inherited permissions.
You may want to vote up for these requests.
Deny users with inherited permissions to Azure Key Vault Service from modifying Access Policies
Exclude / override RBAC permissions inhereted from a subscription at a resource group level
UPDATE (to answer additional queries from comments):
"Not granting subscription-level access in the first place (except to admins)"
Yes this would definitely help.
Another suggestion would be to try and use Resource Groups to organize your resources and then assign roles on these Resource Groups (scope). This way, you don't need to give access to individual items, but at the same time you can avoid giving access at the highest level of subscription.
An option you have is to create a blueprint that you can use to configure locks on your key vaults.
If you deploy this BP as read-only, the locks can't be removed from your vault, so no one can alter the permissions of your vault until you change the blueprint config again to not lock and then remove the lock from your vault.
Applications etc. having access to your vault (aka data plane) do still access the keys, of course.
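
An audit for the situation in the question, where Contributor is inherited from the subscription, added here as an example (not code from the original posts): it lists which role assignments reach a vault and from which level they are inherited. The subscription ID, vault, resource groups and principals are constructed placeholders, and the field names are assumed to match the JSON printed by `az role assignment list --all`.

```python
# Added example. ASSIGNMENTS is constructed sample data; the field names follow
# the JSON printed by `az role assignment list --all`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT = SUB + "/resourceGroups/rg-secrets/providers/Microsoft.KeyVault/vaults/kv-example"

# Built-in roles that can write the vault resource, access policies included.
VAULT_WRITE_ROLES = {"Owner", "Contributor", "Key Vault Contributor"}

ASSIGNMENTS = [
    {"principalName": "legacy-app", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "alice@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-secrets"},
    {"principalName": "web-app", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web"},
    # Lookalike name: shares a string prefix with rg-secrets but is a different group.
    {"principalName": "old-app", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-secrets-old"},
    {"principalName": "kv-admin@example.com", "roleDefinitionName": "Key Vault Contributor",
     "scope": VAULT},
]

def covers(assignment_scope, resource_id):
    """True when a role assignment made at assignment_scope applies to resource_id."""
    a, r = assignment_scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Compare on a path-segment boundary, not a raw string prefix.
    return r == a or r.startswith(a + "/")

def scope_level(scope):
    """Name the level of a subscription-rooted scope."""
    segments = [s.lower() for s in scope.strip("/").split("/")]
    if "providers" in segments:
        return "resource"
    if "resourcegroups" in segments:
        return "resource group"
    return "subscription"

def audit_vault(assignments, vault_id):
    """List principals whose role can change the vault, and where the role comes from."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] in VAULT_WRITE_ROLES and covers(a["scope"], vault_id):
            findings.append((a["principalName"], a["roleDefinitionName"],
                             scope_level(a["scope"]), a["scope"].lower() != vault_id.lower()))
    return findings

if __name__ == "__main__":
    for name, role, level, inherited in audit_vault(ASSIGNMENTS, VAULT):
        print(f"{name:22} {role:22} {level:15} {'inherited' if inherited else 'direct'}")
```

Management-group scopes are not subscription-rooted paths, so assignments inherited from a management group need a separate lookup and are not covered by the prefix check.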

Azure AD sync users to on premise AD

Is it possible to sync users from cloud Azure Active Directory to on premise AD? On premise is a bit wrong here because it is actually a virtual network in Azure with a Windows Server virtual machine AD. I started with Azure AD and therefore all users are there but I would like to sync them to this virtual machine AD in a virtual network in Azure. I tried Azure AD Connect but this works to sync from on premise to Azure AD. How can I do it the other way around?
"Is it possible to sync users from cloud Azure Active Directory to on premise AD?"
For now, it is not possible.
Here is the feedback about it; maybe you can vote it up. That feedback will be monitored and reviewed by the Microsoft engineering teams.
As a workaround, we can use PowerShell to export Azure AD users' information to a local file, then use that file to create users in on premise AD.
Here is a similar case to yours; please refer to it.
Hope this helps.
I have written a custom algorithm to do the process and it has worked well for me so far.
I would state the approach that I have followed. This process will get executed after user logs in through Single Sign On.
Step-by-step process to be followed once the user is validated with AD.
1. Fetch User Manager Chain for the user with Indian Region Filter through Graph API https://graph.microsoft.com/v1.0/users/${usermail}?$expand=manager($levels=max;
2. Convert User Chain Nested Objects to Array of Users
3. Loop user array in reverse
4. For every traversal, check if the user is present (match with Object ID)
5. If User Present in Database,
   a. Compare user data with OIDC :id:
   b. On Variance, call update() to keep data in sync with AD information
6. User not Present in DB,
   a. Call insert() to insert the user data to the database
Note:
I am calling this process every time a user logs in and it is able to insert any new users or update the data in the database if it doesn't match with AAD. This would be an efficient approach if the management chain is around 10. I couldn't find a way to do this thing anywhere else so came up with this process.
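
The login-time sync described in the answer above, as an added example that is not part of the original post: it flattens the nested manager chain, walks it in reverse, and inserts or updates each user by object ID. `GRAPH_RESPONSE` is constructed sample data shaped like a Graph user with expanded managers, and `db`, `flatten_chain` and `sync_chain` are hypothetical names, with a plain dict standing in for the database.

```python
# Added example. GRAPH_RESPONSE is constructed sample data shaped like a Graph
# user object with nested "manager" objects; `db` is a hypothetical dict store.
SYNCED_FIELDS = ("displayName", "mail", "jobTitle")

GRAPH_RESPONSE = {
    "id": "u-3", "displayName": "Chitra", "mail": "chitra@example.com", "jobTitle": "Engineer",
    "manager": {
        "id": "u-2", "displayName": "Bala", "mail": "bala@example.com", "jobTitle": "Lead",
        "manager": {"id": "u-1", "displayName": "Asha", "mail": "asha@example.com",
                    "jobTitle": "Director"},
    },
}

def flatten_chain(user, max_depth=50):
    """Turn the nested chain into a list: [user, manager, manager's manager, ...]."""
    chain, seen = [], set()
    while user is not None and len(chain) < max_depth:
        if user["id"] in seen:  # defensive: stop if the chain loops back on itself
            break
        seen.add(user["id"])
        manager = user.get("manager")
        record = {"id": user["id"], "manager_id": manager["id"] if manager else None}
        record.update({field: user.get(field) for field in SYNCED_FIELDS})
        chain.append(record)
        user = manager
    return chain

def sync_chain(db, graph_user):
    """Walk the chain in reverse and insert or update each user, keyed by object ID."""
    actions = []
    # Reverse order writes the top of the chain first, so a record's manager
    # is already stored when the record that references it is written.
    for person in reversed(flatten_chain(graph_user)):
        stored = db.get(person["id"])
        if stored is None:
            db[person["id"]] = person            # the answer's insert()
            actions.append(("insert", person["id"]))
        elif stored != person:
            db[person["id"]] = person            # the answer's update()
            actions.append(("update", person["id"]))
    return actions

if __name__ == "__main__":
    store = {}
    print(sync_chain(store, GRAPH_RESPONSE))
```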

Azure permissions to let someone access DocumentDB

I hired a contractor to work on a web service that uses DocumentDB to store our data. I need the contractor to be able to login to Azure and access DocumentDB, but I do not want him playing with major things like users and my subscription. I also do not want him scaling anything up or down.
How do I add him as a user and let him access DocumentDB?
If he needs to manage the docdb resource in the Azure portal, you can give him reader or contributor rights on the individual resource or on the resource group that contains the documentdb resource. By making him contributor (in case he needs to change things), you ensure that he cannot change any user permissions. Readers obviously cannot change anything.
If you require more complex permissions, you could consider using another built in role or even creating a custom role.
In case he just needs to write an application that accesses the DocDB contents, all you have to give him is a connection string and no portal access at all.

Azure role/resource group based security and CloudServiceManagementClient

We are looking at using Azure Jobs for our multi-tenant platform, but want to figure the best way to do security for it, without using a certificate that has access to our whole Azure account.
We have a Resource Group called "Scheduler" and for each tenant we create a Job Collection with the Tenant's Id "Tenant{tenant.Id}".
Currently we do this using SchedulerManagementClient and passing in CertificateCloudCredentials. We could use the Token to do this, but I believe it still has the same problem - in that the credentials have access to the full azure account, which we don't want.
Ideally we would like to lock down creation to the resource group "Scheduler" and create a certificate/token for this.
Is there a way to do that? Is there a better way to do what we are doing anyway?
Ok I figured this out, as is always the way it seems when you finally post something on StackOverflow. Everything was complicated by the fact I was using the old management libraries (Microsoft.WindowsAzure.Management) and not the new libraries (Microsoft.Azure.Management).
Basically I needed to create an application, and then assign that application roles just like you do users. This also helped:
https://azure.microsoft.com/en-gb/documentation/articles/resource-group-create-service-principal-portal/
