Question
I am setting up Azure AD applications for my Service Fabric cluster, so I do not need to rely on Cert Auth to connect to the cluster.
We use a Service Principal from an App Registration that has Contributor access to the subscription to run the ARM template to set up the cluster. Is there a way that I can make the Service Principal an Admin on the Cluster AD Application as well?
Our deployment script is in PowerShell, and I saw this post, Deploying ServiceFabric apps using AzureAD Authentication, on how to automate connecting, but I need a way to connect with a Service Principal.
Answer 1:
I believe you could do it by translating this C# code into PowerShell, e.g. by using New-Object to create the objects mentioned below.
Make sure to replace the GUIDs with your own App Registration details, the thumbprint of the server certificate, and the cluster URL.
```csharp
using System;
using System.Fabric;
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    static void Main()
    {
        // Replace with your own App Registration details
        string tenantId = "C15CFCEA-02C1-40DC-8466-FBD0EE0B05D2";
        string clientApplicationId = "118473C2-7619-46E3-A8E4-6DA8D5F56E12";
        string webApplicationId = "53E6948C-0897-4DA6-B26A-EE2A38A690B4";
        // The token is requested for the web (cluster) application, on behalf of the client application
        string token = GetAccessToken(
            tenantId,
            webApplicationId,
            clientApplicationId,
            "urn:ietf:wg:oauth:2.0:oob");
        string serverCertThumb = "A8136758F4AB8962AF2BF3F27921BE1DF67F4326";
        string connection = "clustername.westus.cloudapp.azure.com:19000";
        // The cluster is authenticated by its server certificate thumbprint; the caller by the Azure AD token
        var claimsCredentials = new ClaimsCredentials();
        claimsCredentials.ServerThumbprints.Add(serverCertThumb);
        claimsCredentials.LocalClaims = token;
        var fc = new FabricClient(claimsCredentials, connection);
        try
        {
            var ret = fc.ClusterManager.GetClusterManifestAsync().Result;
            Console.WriteLine(ret.ToString());
        }
        catch (Exception e)
        {
            Console.WriteLine("Connect failed: {0}", e.Message);
        }
    }

    static string GetAccessToken(
        string tenantId,
        string resource,
        string clientId,
        string redirectUri)
    {
        string authorityFormat = @"https://login.microsoftonline.com/{0}";
        string authority = string.Format(CultureInfo.InvariantCulture, authorityFormat, tenantId);
        var authContext = new AuthenticationContext(authority);
        // ADAL username/password flow; replace the test account with a real one
        var authResult = authContext.AcquireToken(
            resource,
            clientId,
            new UserCredential("TestAdmin@clustenametenant.onmicrosoft.com", "TestPassword"));
        return authResult.AccessToken;
    }
}
```
They get an access token from Azure AD using the implicit flow (which needs to be enabled in your AppRegistration). And they use it in the ClaimsCredential to pass into FabricClient.
More info here.
Answer 2:
I figured out how to get it to work.
The first part is to give the service principal the role on the Client App.
- Go to Azure Portal -> Azure Active Directory -> App Registrations and select the Client app created.
- Go to the Manifest page and find the Admin app role and add an entry for "Application" to the allowedMemberTypes property. Save when updated.
- Go to App Registrations and select the app you are using to run automation with.
- Go to API Permissions, click the Add permission button. Go to the APIs my organization uses tab and search for the SF Cluster Client Application.
- Select Application Permissions and choose the Admin permission.
- Hit the Grant admin consent for <Tenant Name>.
Once permission is granted, you can run the PowerShell script:
```powershell
# Assumes these variables are already set: $tenantId (Azure AD tenant id),
# $clientAppId (id of the cluster application the token is requested for),
# $AzureLogin / $AzurePassword (application id and client secret of the
# automation service principal), $endpoint (host:19000) and $thumbprint
# (server certificate thumbprint).
Add-Type -Path "./Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$authority = "https://login.microsoftonline.com/$($tenantId)"
# ClientCredential(clientId, clientSecret): client credentials flow, no user sign-in involved
$credentials = [Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential]::new($AzureLogin, $AzurePassword)
$authContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new($authority)
# First argument is the resource, i.e. the application the token must be issued for
$authResult = $authContext.AcquireTokenAsync($clientAppId, $credentials)
$Token = $authResult.Result.AccessToken
Connect-ServiceFabricCluster -AzureActiveDirectory -SecurityToken $Token `
    -ConnectionEndpoint $endpoint -ServerCertThumbprint $thumbprint
```
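An added check, not part of the original answer: before handing the token to Connect-ServiceFabricCluster, decode its payload and confirm it was issued for the application requested as the resource and that it carries the Admin app role granted in the steps above; a token without the role is the usual symptom of missing admin consent. The function names, the variable names it reuses from the script above and the claim names (aud, roles, exp) are assumptions about the Azure AD v1 token shape.

```powershell
# Added example (not from the original answer). Decodes the JWT payload of the
# Azure AD access token and checks the claims Service Fabric will evaluate:
# 'aud' must be the resource the token was requested for and 'roles' must
# contain the app role the service principal was granted ('Admin').
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 dot-separated segments" }
    # Base64url -> Base64: restore the standard alphabet and the padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-ClusterAdminToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ResourceAppId,   # what was passed to AcquireTokenAsync
        [string]$RequiredRole = 'Admin'
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $problems = @()
    if ($claims.aud -ne $ResourceAppId) {
        $problems += "aud is '$($claims.aud)', expected '$ResourceAppId'"
    }
    if (-not $claims.roles -or $claims.roles -notcontains $RequiredRole) {
        $problems += "roles claim does not contain '$RequiredRole' (admin consent missing?)"
    }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $exp" }
    if ($problems) { throw ("Token rejected: " + ($problems -join '; ')) }
    return $claims
}

# Usage with the $Token, $clientAppId, $endpoint and $thumbprint variables of
# the script above (assumed to be set); the connect call only runs if the check passes.
$claims = Test-ClusterAdminToken -Token $Token -ResourceAppId $clientAppId
Write-Host "Token for $($claims.aud) carries roles: $($claims.roles -join ', ')"
Connect-ServiceFabricCluster -AzureActiveDirectory -SecurityToken $Token `
    -ConnectionEndpoint $endpoint -ServerCertThumbprint $thumbprint
```

The check only inspects claims; it does not verify the signature, which the cluster does itself against the tenant's signing keys.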
Source: https://stackoverflow.com/questions/61828582/assign-service-principal-admin-role-on-service-fabric-ad-app