
Creating a service principal with the Azure Java SDK fails

  •  0
  • ilooner  · Tech community  · 7 years ago

    I am trying to create a service principal with the Azure SDK, but I get an error:

    {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
    

    What am I doing wrong? I am doing the following:

    1. az ad sp create-for-rbac -n "OrbitTest5" --role Owner --sdk-auth
      
    2. Pass the credentials of the created service principal to the credential provider via environment variables

      import com.google.common.base.Preconditions;
      import com.microsoft.azure.AzureEnvironment;
      import com.microsoft.azure.credentials.ApplicationTokenCredentials;
      import com.microsoft.azure.credentials.AzureTokenCredentials;

      // AzureCredentialProvider is my own interface: getCredentials() and getSubscriptionId().
      public class AzureAppEnvCredentialProvider implements AzureCredentialProvider {
        public static final String ENV_CLIENT_ID = "CLIENT_ID";
        public static final String ENV_TENANT_ID = "TENANT_ID";
        public static final String ENV_SUBSCRIPTION_ID = "SUBSCRIPTION_ID";
        public static final String ENV_CLIENT_SECRET = "CLIENT_SECRET";
      
        private final String subscriptionId;
      
        public AzureAppEnvCredentialProvider() {
          this.subscriptionId = Preconditions.checkNotNull(System.getenv(ENV_SUBSCRIPTION_ID));
        }
      
        // Builds client-credential (app ID + secret) token credentials from the
        // values written by "az ad sp create-for-rbac --sdk-auth".
        @Override
        public AzureTokenCredentials getCredentials() {
          final String clientId = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_ID));
          final String tenantId = Preconditions.checkNotNull(System.getenv(ENV_TENANT_ID));
          final String clientSecret = Preconditions.checkNotNull(System.getenv(ENV_CLIENT_SECRET));
          return new ApplicationTokenCredentials(clientId, tenantId, clientSecret, AzureEnvironment.AZURE);
        }
      
        @Override
        public String getSubscriptionId() {
          return this.subscriptionId;
        }
      }
      
    3.
          import com.microsoft.azure.management.Azure;
          import com.microsoft.azure.management.graphrbac.ServicePrincipal;

          azureAuthClient = Azure.configure().authenticate(credentialProvider.getCredentials());
      
          // Creates a new AAD application and a service principal for it,
          // with a password credential named "sppass".
          final ServicePrincipal servicePrincipal = 
              azureAuthClient.servicePrincipals()
              .define(clusterId)
              .withNewApplication("http://easycreate.azure.com/" + clusterId)
                .definePasswordCredential("sppass")
                .withPasswordValue("StrongPass!12")
                .attach()
              .create();
      
    4. Then I get an exception. I know my credentials are valid because I can create a resource group with the SDK and see it in the Azure web console.

      com.microsoft.azure.management.graphrbac.GraphErrorException: Status code 403, {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
          at com.microsoft.azure.AzureResponseBuilder.build(AzureResponseBuilder.java:56)
          at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.createDelegate(ApplicationsInner.java:194)
          at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner.access$000(ApplicationsInner.java:45)
          at com.microsoft.azure.management.graphrbac.implementation.ApplicationsInner$2.call(ApplicationsInner.java:181)
          at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69)
          at retrofit2.adapter.rxjava.CallArbiter.deliverResponse(CallArbiter.java:120)
          at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:46)
          at rx.Observable.unsafeSubscribe(Observable.java:10327)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
          at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
          at rx.Observable.unsafeSubscribe(Observable.java:10327)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
          at rx.Observable.unsafeSubscribe(Observable.java:10327)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
          at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
          at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
          at rx.Observable.unsafeSubscribe(Observable.java:10327)
          at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
          at rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:230)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
          at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

    1 answer  |  7 years ago
  •  1
  •   Tom Sun    7 years ago

    As I mentioned, if we want to create a servicePrincipal, the resource should be http://graph.windows.net or https://graph.microsoft.com .

    So we need to add permission to operate the Azure AD Graph API or the Microsoft Graph API.

    Grant permission

    I tested it with the Azure Active Directory API. It works fine on my side.

    import com.microsoft.azure.AzureEnvironment;
    import com.microsoft.azure.credentials.ApplicationTokenCredentials;
    import com.microsoft.azure.management.Azure;
    import com.microsoft.azure.management.graphrbac.ServicePrincipal;

    // client, tenant and key are the app ID, tenant ID and client secret of an
    // app that has been granted the directory API permission shown above.
    ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(client,
                   tenant,
                    key,
                    AzureEnvironment.AZURE);
    
    Azure.Authenticated azureAuthClient = Azure.configure().authenticate(credentials);
    String clusterId = "xxxxxxx";
    ServicePrincipal servicePrincipal =
                    azureAuthClient.servicePrincipals()
                            .define(clusterId)
                            .withNewApplication("http://easycreate.azure.com/" + clusterId)
                            .definePasswordCredential("sppass")
                            .withPasswordValue("StrongPass!12")
                            .attach()
                            .create();
    

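The point of the answer, turned into a check you can run before the create() call (this is an added example, not code from the question or the answer). The `--role Owner` that `az ad sp create-for-rbac` assigns is an Azure RBAC role on the subscription; it governs Resource Manager calls only, which is why creating a resource group works. Creating an application or service principal is a directory API call, for which the SDK requests a separate token for `AzureEnvironment.AZURE.graphEndpoint()` (https://graph.windows.net/), and that call is authorized by the application permissions granted to the app with admin consent, which appear in the token's `roles` claim, not by RBAC. The example fetches that token with the same `ApplicationTokenCredentials` and inspects its `aud` and `roles` claims, so the 403 is predicted and explained rather than discovered in the stack trace. Assumptions: the `CLIENT_ID`, `TENANT_ID` and `CLIENT_SECRET` environment variables from the question; the azure-client-authentication and Jackson libraries the SDK already depends on; and the Azure AD Graph application-permission names listed in `SUFFICIENT_ROLES`, of which `Application.ReadWrite.OwnedBy` is the least-privilege choice.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.ApplicationTokenCredentials;

/**
 * Added example (not from the original post): predict the directory API's
 * 403 by inspecting the token the SDK will present to it.
 */
public class GraphTokenCheck {

    // Azure AD Graph application permissions that allow creating applications and
    // service principals (assumed names). Any one suffices; OwnedBy is the narrowest.
    static final Set<String> SUFFICIENT_ROLES = new HashSet<>(Arrays.asList(
            "Application.ReadWrite.OwnedBy",
            "Application.ReadWrite.All",
            "Directory.ReadWrite.All"));

    /**
     * Decodes the payload of a JWT without verifying its signature. That is
     * acceptable only because the token was issued to this client and is read
     * purely for diagnosis; never accept tokens from other parties this way.
     */
    static JsonNode decodePayload(String jwt) throws IOException {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a JWT: " + parts.length + " segment(s)");
        }
        byte[] json = Base64.getUrlDecoder().decode(parts[1]); // padding is optional here
        return new ObjectMapper().readTree(new String(json, StandardCharsets.UTF_8));
    }

    private static String stripSlash(String s) {
        return s.endsWith("/") ? s.substring(0, s.length() - 1) : s;
    }

    /**
     * Returns null when the token is usable for creating a service principal,
     * otherwise the reason the directory API will answer Authorization_RequestDenied.
     */
    static String explainDenial(JsonNode claims, String expectedResource) {
        String aud = claims.path("aud").asText("");
        if (!stripSlash(aud).equals(stripSlash(expectedResource))) {
            return "token audience is '" + aud + "', not the directory API " + expectedResource
                    + "; an ARM token (management.azure.com) cannot create applications";
        }
        Set<String> roles = new HashSet<>();
        for (JsonNode r : claims.path("roles")) { // missing claim iterates as empty
            roles.add(r.asText());
        }
        if (roles.isEmpty()) {
            return "token has no 'roles' claim: no application permission on the directory API "
                    + "has been granted to the app, or admin consent is missing; an RBAC role "
                    + "such as Owner on the subscription does not count";
        }
        for (String r : roles) {
            if (SUFFICIENT_ROLES.contains(r)) {
                return null;
            }
        }
        return "token roles " + roles + " include none of " + SUFFICIENT_ROLES;
    }

    public static void main(String[] args) throws IOException {
        // Same credentials the question's provider builds from the environment.
        ApplicationTokenCredentials creds = new ApplicationTokenCredentials(
                System.getenv("CLIENT_ID"), System.getenv("TENANT_ID"),
                System.getenv("CLIENT_SECRET"), AzureEnvironment.AZURE);

        // The SDK does not reuse the ARM token for servicePrincipals(); it asks
        // for one scoped to the graph endpoint. Request that token explicitly.
        String graphResource = AzureEnvironment.AZURE.graphEndpoint(); // https://graph.windows.net/
        String token = creds.getToken(graphResource);

        String problem = explainDenial(decodePayload(token), graphResource);
        if (problem != null) {
            System.err.println("servicePrincipals().define(...).create() will fail with 403: " + problem);
            System.exit(1);
        }
        System.out.println("token for " + graphResource + " carries a sufficient role; create() should be authorized");
    }
}
```

Run it in the same environment as the question's program. A non-null result from explainDenial is exactly the condition under which ApplicationsInner.createDelegate comes back with Authorization_RequestDenied; after granting the permission and admin consent, a freshly acquired token will carry the role (cached tokens issued before the grant will not). Unrelated to the 403 but worth fixing in both snippets above: the new principal's password is hard-coded as a string literal, so it ends up in source control and build logs; generate it at runtime and hand it to withPasswordValue() from a secret store instead.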
