如何使用Python客户端正确验证Kusto? [英] How to properly authenticate Kusto using a Python client?
问题描述
我正在尝试测试节点与Azure数据资源管理器(ADX/Kusto)之间的连接.我正在考虑使用python脚本在Kusto上创建表.
请注意,我对这些都不是很熟悉,因此下面的详细步骤.
我正在遵循
创建客户端机密:
创建Kusto数据库
在集群中,通过UI创建数据库(称为kusto-test)
授权
在ADX群集上>访问控制(IAM)>添加角色分配.
Python脚本
来自azure.kusto.data.request的 导入KustoClient,KustoConnectionStringBuilder从azure.kusto.data.exceptions导入KustoServiceError从azure.kusto.data.helpers导入dataframe_from_result_tableKUSTO_DATABASE ="kusto-test"CLUSTER ="https://mynode.myregion.kusto.windows.net"CLIENT_ID ="KUSTO_TEST_APP_ID"#来自上图CLIENT_SECRET ="KUSTO_TEST_PASS"#来自上图AUTHORITY_ID =<在此处插入您的租户ID>"#从https://login.windows.net/<YourDomain>/.well-known/openid-configuration/获得KCSB_DATA = KustoConnectionStringBuilder.with_aad_application_key_authentication(集群,CLIENT_ID,CLIENT_SECRET,AUTHORITY_ID)KUSTO_CLIENT = KustoClient(KCSB_DATA)CREATE_TABLE_COMMAND =".create table StormEvents(StartTime:datetime,EndTime:datetime,EpisodeId:int,EventId:int,State:string,EventType:string,InjuriesDirect:int,InjuriesIndirect:int,DeathsDirect:int,DeathsIndirect:int,DamageProperty:int,DamageCrops:int,来源:字符串,BeginLocation:字符串,EndLocation:字符串,BeginLat:真实,BeginLon:真实,EndLat:真实,EndLon:真实,EpisodeNarrative:字符串,EventNarrative:字符串,StormSummary:动态)"响应= KUSTO_CLIENT.execute_mgmt(KUSTO_DATABASE,CREATE_TABLE_COMMAND)dataframe_from_result_table(RESPONSE.primary_results [0]) 预期:
- 已在ADX上成功创建表格.
实际:
- 获取 UnauthorizedDatabaseAccessException 错误.
azure.kusto.data.exceptions.KustoServiceError:((KustoServiceError(...),[{u'error':{u'code':u'Forbidden',u'@ permanent':True,u'@ message':u主体'....'无权访问数据库'kusto-test'.",...},u'message':u'呼叫者无权执行此操作',u'@ type':u'Kusto.DataNode.Exceptions.UnauthorizedDatabaseAccessException'}}]) 在Azure门户访问控制"中添加所有者仅向该实体提供管理资源的权限(也称为控制平面"),并且不适用于数据库本身的权限(也称为数据平面").
要为该应用程序提供在数据平面中运行的权限,例如运行查询,创建表等,您需要在适用的数据库权限"部分中为其授予权限:
I'm trying to test a connection between my node and Azure Data Explorer (ADX/ Kusto). I'm thinking to create a table on Kusto using a python script.
Please be aware that I'm not very familiar with any of this, hence the detailed steps below.
I'm following this quickstart guide on Microsoft docs.
Generate application ID and key
Using App Registrations service:
Create new registration (named kusto test):
Create a client secrets:
Create Kusto DB
From the cluster, create a database from the UI (called kusto-test)
Authorization
On the ADX cluster > Access control (IAM) > Add role assignment.
Python script
from azure.kusto.data.request import KustoClient, KustoConnectionStringBuilder
from azure.kusto.data.exceptions import KustoServiceError
from azure.kusto.data.helpers import dataframe_from_result_table
KUSTO_DATABASE = "kusto-test"
CLUSTER = "https://mynode.myregion.kusto.windows.net"
CLIENT_ID = "KUSTO_TEST_APP_ID" # From image above
CLIENT_SECRET = "KUSTO_TEST_PASS" # From image above
AUTHORITY_ID = "<insert here your tenant id>" #Got from https://login.windows.net/<YourDomain>/.well-known/openid-configuration/
KCSB_DATA = KustoConnectionStringBuilder.with_aad_application_key_authentication(
CLUSTER, CLIENT_ID, CLIENT_SECRET, AUTHORITY_ID
)
KUSTO_CLIENT = KustoClient(KCSB_DATA)
CREATE_TABLE_COMMAND = ".create table StormEvents (StartTime: datetime, EndTime: datetime, EpisodeId: int, EventId: int, State: string, EventType: string, InjuriesDirect: int, InjuriesIndirect: int, DeathsDirect: int, DeathsIndirect: int, DamageProperty: int, DamageCrops: int, Source: string, BeginLocation: string, EndLocation: string, BeginLat: real, BeginLon: real, EndLat: real, EndLon: real, EpisodeNarrative: string, EventNarrative: string, StormSummary: dynamic)"
RESPONSE = KUSTO_CLIENT.execute_mgmt(KUSTO_DATABASE, CREATE_TABLE_COMMAND)
dataframe_from_result_table(RESPONSE.primary_results[0])
Expected:
- Have the table successfully created on ADX.
Actual:
- Getting the UnauthorizedDatabaseAccessException error.
azure.kusto.data.exceptions.KustoServiceError: (KustoServiceError(...), [{u'error': {u'code': u'Forbidden', u'@permanent': True, u'@message': u"Principal '....' is not authorized to access database 'kusto-test'.", ...}, u'message': u'Caller is not authorized to perform this action', u'@type': u'Kusto.DataNode.Exceptions.UnauthorizedDatabaseAccessException'}}])
Adding an owner in the Azure portal "access control" only provides that entity with permission to manage the resource (also known as the 'control plane') and is not applicable to the permissions on the database itself (also known as the 'data plane').
To provide that application permission to operate in the data plane for example to run queries, create tables etc. you need to give it permission in the applicable database "Permissions" section:
这篇关于如何使用Python客户端正确验证Kusto?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
