Azure CLI: supporting simultaneous logins to multiple tenants (directories)

Problem description

Hello,

I need to collect specific data for various Azure tenants through batch jobs, which can run in parallel.

For a specific kind of data, I need to use Azure CLI installed in POD.

So, the sequence of activities is as follows, for each tenant:

1. az login using service principal
2. az data collection commands
3. az logout

However, I presume that while step 2 for tenant 1 is in progress, it is possible that az login (step 1) for tenant 1 can occur.

And, az data collection (intended for tenant 1) might start happening for the un-intended tenant (tenant 2).

To avoid this, I am looking for a way to either run these commands in an atomic way (lock until az logout occurs) or create a tenant-specific token and attach that token to every data collection request.

Please help me identify the best way to achieve this. 

Recommended answer

In short, azure-cli has no parallel protections on machine-wide resources which are used to store AAD access tokens and account information persistence. Even if 2 concurrent login sessions use different accounts/usernames, because of the cross-tenant token refreshing, it is still possible for both sessions to retrieve multiple tokens for the same tenant. This not only happens on login, though, but also on any azure-cli cmdlets running at the same time which incur automatic token refreshing on your behalf, and that still introduces racing.
It is totally feasible for azure-cli to use a lock mechanism to protect them, but we just have not received enough asks to make that happen.
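
An added example (not part of the original answer and not azure-cli project code): because the answer identifies the shared, machine-wide token and account store as the problem, one way to keep parallel jobs apart is to give each job a private Azure CLI configuration directory through the `AZURE_CONFIG_DIR` environment variable. The function name `collect_for_tenant` and its argument order are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: isolate each tenant job in its own Azure CLI config dir.
# AZURE_CONFIG_DIR is the Azure CLI setting for where it keeps its profile
# and token cache (default: ~/.azure). collect_for_tenant is a hypothetical
# helper name; it is not part of azure-cli.

collect_for_tenant() {
  # usage: collect_for_tenant TENANT_ID APP_ID SECRET az-subcommand [args...]
  # In a pod, read SECRET from a mounted secret rather than hard-coding it.
  tenant="$1"; app_id="$2"; secret="$3"
  shift 3

  cfg="$(mktemp -d)" || return 1    # private directory, created mode 0700
  rc=0

  (
    # Subshell: the export is visible only to this job's az invocations,
    # so a sibling job's login or token refresh cannot touch this cache.
    export AZURE_CONFIG_DIR="$cfg"
    rc=0
    az login --service-principal -u "$app_id" -p "$secret" \
       --tenant "$tenant" --output none || exit $?
    az "$@" || rc=$?                # the data collection command
    az logout >/dev/null 2>&1 || true
    exit "$rc"
  ) || rc=$?

  rm -rf -- "$cfg"                  # cached tokens do not outlive the job
  return "$rc"
}

# Parallel use, one background job per tenant (constructed placeholder values):
#   collect_for_tenant "<tenant-1-id>" "<app-1-id>" "$SECRET_1" account show &
#   collect_for_tenant "<tenant-2-id>" "<app-2-id>" "$SECRET_2" account show &
#   wait
```

Each background job runs in its own process, so the per-job variables and the exported directory are not shared between tenants.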

