如何运行具有不同安全权限的Service Fabric应用程序? [英] How to run a Service Fabric application with different security permissions?
问题描述
服务结构运行方式功能
默认情况下,Service Fabric应用程序将使用网络服务帐户运行. Microsoft具有有关如何使用其他权限来运行它的(部分)文档:运行方式:以不同的安全权限运行Service Fabric应用程序.
基于此,这就是我想要做的:
- 我的Service Fabric应用程序调用一个正在其他存储库中开发的库.
- 在云中部署后,这些服务将从存储中下载该库的二进制文件,将其解压缩到Service Fabric群集的工作目录中,然后从那里进行加载.
- 在开发时,当我在本地集群中测试或调试应用程序时,我希望从我刚编译它们的本地硬盘驱动器上的某个文件夹中加载该库的二进制文件,接下来就是源代码.
棘手的部分是,我公司的安全策略要求该库的源代码只能由授权用户访问,这将转换为包含受保护代码的文件夹.结果,作为网络服务运行的Service Fabric应用程序无法访问我的二进制文件.无法更改安全策略,也无法授予网络服务访问该文件夹的权限.
如何配置应用程序,使其以具有正确访问权限的用户身份运行?
这是我已经尝试过的:
使用域用户
最简单的解决方案是能够使用我自己的登录名运行Service Fabric应用程序.我通过将以下内容添加到ApplicationManifest.xml中来进行尝试:
<Principals>
<Users>
<User Name="SfUser" AccountName="Domain\UserName" AccountType="DomainUser" Password="pass" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="SfUser" />
</Policies>
这有效:该应用程序以Domain \ UserName的身份运行,并且可以访问我需要的所有文件夹.但这需要我在配置文件中输入密码,这并不令人满意.
使用本地用户
然后我尝试使用本地用户,以为我可以使用本地用户组正确配置访问权限.我能想到的最简单的版本是这样:
<Principals>
<Users>
<User Name="SfUser" AccountName="LocalSfUser" AccountType="LocalUser">
<MemberOf>
<SystemGroup Name="MyLocalGroup"/>
</MemberOf>
</User>
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="SfUser" />
</Policies>
我认为此配置是正确的,因为在部署应用程序时,我可以在Windows用户管理器中看到Service Fabric创建了多个技术"用户,它们属于MyLocalGroup.但是我的应用程序从未启动.
我注意到Windows事件查看器中的几条消息似乎与问题有关:
Logon Type: 8
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Process Information:
Caller Process Name: C:\Program Files\Microsoft Service Fabric\bin\FabricHost.exe
显然,登录类型8"表示网络明文登录".我怀疑当地有一项政策禁止在我的公司中进行这种登录.
以本地用户身份运行时,这会在计算机上创建一个随机的本地用户帐户.在上面的示例中最有可能失败的原因是<SystemGroup Name="MyLocalGroup"/>必须是有效的Windows系统组,例如管理员".您也确实不需要上面的AccountName属性,但这没有害处.
要解决从远程目录获取文件的问题,您需要像尝试使用域用户一样,因为本地用户没有可以用AD验证的共享密钥.区别在于您可以使用部署到计算机的证书对应用程序清单中的密码进行加密.我在下面放了一个示例ApplicationManifest.xml片段,展示了如何使用名为"MyCert"的证书对域用户的密码进行加密.
<Principals>
<Users>
<User Name="TestUser" AccountType="DomainUser" AccountName="Domain\User" Password="[Put Encrypted Password Here" PasswordEncrypted="true" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="TestUser" />
<SecurityAccessPolicies>
<SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="TestUser" GrantRights="Full" ResourceType="Certificate" />
</SecurityAccessPolicies>
</Policies>
作为旁注,此处的文章 https://azure.microsoft.com/zh-cn/documentation/articles/service-fabric-application-secret-management 展示了如何在settings.xml中创建加密密码,这通常也很有用.
Service Fabric RunAs feature
By default, a Service Fabric application will run with the Network Service account. Microsoft has (partial) documentation on how to run it with other permissions: RunAs: Run a Service Fabric application with different security permissions.
Based on this, here's what I'm trying to do:
- My Service Fabric application calls a library that is being developed in an other repository.
- When deployed in the cloud, the services will download the binaries for the library from a storage, unzip them in a working directory of the Service Fabric cluster and load it from there.
- At development time, when I'm testing or debugging the application in a local cluster, I want the binaries for the library to be loaded from some folder on my local hard drive where I have just compiled them, that is right next to the source code.
The tricky part is that my company's security policies require the source code of said library to be accessible only to authorized users, which translates into the folder containing this code being read-protected. As a consequence my Service Fabric application, which runs as Network Service, can't access my binaries. Changing the security policies is not possible, nor giving Network Service access to the folder.
How can I configure my application so that it runs as a user that would have the correct access rights ?
Here's what I already tried:
Using a domain user
The easiest solution would be to be able to run the Service Fabric application with my own login. I tried this by adding the following to my ApplicationManifest.xml:
<Principals>
<Users>
<User Name="SfUser" AccountName="Domain\UserName" AccountType="DomainUser" Password="pass" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="SfUser" />
</Policies>
This works: the application runs as Domain\UserName and can access all the folders I need. But this requires me to put my password in the configuration file, which is not satisfactory.
Using a local user
I then tried using a local user, thinking I would be able to configure access rights correctly using local user groups. The simplest version I could come up with is this:
<Principals>
<Users>
<User Name="SfUser" AccountName="LocalSfUser" AccountType="LocalUser">
<MemberOf>
<SystemGroup Name="MyLocalGroup"/>
</MemberOf>
</User>
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="SfUser" />
</Policies>
I think this configuration is correct since when I deploy my application I can see in Windows user manager that several "technical" users where created by Service Fabric and that they belong to MyLocalGroup. However my application never starts.
I noticed several messages in Windows event viewer that seem related to the problem:
Logon Type: 8
Failure Information:
Failure Reason: The user has not been granted the requested logon type at this machine.
Process Information:
Caller Process Name: C:\Program Files\Microsoft Service Fabric\bin\FabricHost.exe
Apparently, "Logon Type 8" means "Network clear text logon". I suspect a local policy preventing this kind of logon in my company.
When you run as a localuser, this creates a random local user account on the machine. The reason this is most likely failing in the example above is the <SystemGroup Name="MyLocalGroup"/> needs to be a valid Windows system group such as "Administrators". You also do not really need the AccountName attribute above, but it does no harm.
To solve you issue of getting a file from a remote directory you need to use a domain user as you tried since a local user does not have a shared secret that can be verified with AD. The difference is that you can encrypt the password in the application manifest using a certificate that is deployed to the machine. I have put an example ApplicationManifest.xml snippet below, showing how the password for the domain user is encrypted with a certificate called "MyCert".
<Principals>
<Users>
<User Name="TestUser" AccountType="DomainUser" AccountName="Domain\User" Password="[Put Encrypted Password Here" PasswordEncrypted="true" />
</Users>
</Principals>
<Policies>
<DefaultRunAsPolicy UserRef="TestUser" />
<SecurityAccessPolicies>
<SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="TestUser" GrantRights="Full" ResourceType="Certificate" />
</SecurityAccessPolicies>
</Policies>
As a side note the article here https://azure.microsoft.com/en-us/documentation/articles/service-fabric-application-secret-management show how to create the encrypted password in settings.xml which is also often useful.
这篇关于如何运行具有不同安全权限的Service Fabric应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
