How can I authenticate against ADXProxy using app key authentication?

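I am trying to access an Azure Application Insights resource through Redash, using the (preview) ADXProxy feature.

I have created an app registration in Azure, and I have some proof-of-concept Python code that successfully accesses my Application Insights resource and executes a Kusto query (traces | take 1) using an application token: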

import azure.kusto
import azure.kusto.data.request
import msal

cluster = 'https://ade.applicationinsights.io/subscriptions/<MY_SUBSCRIPTION>/resourcegroups/<MY_RESOURCE_GROUP>/providers/microsoft.insights/components/<MY_APP_INSIGHTS_RESOURCE>'
app_id = '<MY_APP_ID>'
app_key = '<MY_SECRET>'
authority_id = '<MY_AAD_SUBSCRIPTION_ID>'

def run():

    app = msal.ConfidentialClientApplication(
        client_id=app_id, 
        client_credential=app_key, 
        authority='https://login.microsoftonline.com/<MY_AAD_SUBSCRIPTION_ID>')

    token = app.acquire_token_for_client(['https://help.kusto.windows.net/.default'])

    kcsb = azure.kusto.data.request.KustoConnectionStringBuilder.with_aad_application_token_authentication(
        connection_string=cluster,
        application_token=token['access_token']
    )

    client = azure.kusto.data.request.KustoClient(kcsb)

    result = client.execute('<MY_APP_INSIGHTS_RESOURCE>', 'traces | take 1')

    for res in result.primary_results:
        print(res)

    return 1

if __name__ == "__main__":
    run()

However, Redash does not support application token authentication: it uses application key authentication, making a call like this:

    kcsb = azure.kusto.data.request.KustoConnectionStringBuilder.with_aad_application_key_authentication(
        connection_string = cluster,
        aad_app_id = app_id,
        app_key = app_key,
        authority_id = '<MY_AAD_SUBSCRIPTION_ID>'
    )

I cannot connect to my App Insights resource successfully using this type of flow. If I substitute this KustoConnectionStringBuilder into my program above, I get an exception telling me:

The resource principal named https://ade.applicationinsights.io was not found in the tenant named <MY_AAD_SUBSCRIPTION_ID>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

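Is there something I can do, in code or in Azure portal configuration, to connect my 'tenant' to the ade.applicationinsights.io resource principal and get this connection working?

Adxproxy only supports tokens created by Azure Active Directory (AAD). The token must be created for an Azure Data Explorer (ADX) cluster that you own. If you don't have your own ADX cluster, and for whatever reason you want to access your Application Insights resources via Adxproxy, you can always authenticate to "https://help.kusto.windows.net" and use that token.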
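
A diagnostic for the audience mismatch discussed above, added here as an example that is not part of the original question or answer: it shows which resource a cluster URL maps to and checks a token's `aud` claim before the token is handed to ADXProxy. It assumes the app key flow requests the scheme and host of the cluster URL as the resource (consistent with the error quoted in the question) and that `aud` carries the requested resource URI; the helper names and sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

# Resource the answer says to authenticate to.
EXPECTED_AUDIENCE = "https://help.kusto.windows.net"


def resource_from_cluster(cluster_url):
    """Scheme and host of the cluster URL. Assumption: the app key flow asks
    AAD for this resource, as the error in the question suggests."""
    parts = urlparse(cluster_url)
    return f"{parts.scheme}://{parts.hostname}"


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, expected=EXPECTED_AUDIENCE):
    """True when the token's aud claim names the expected resource."""
    aud = jwt_claims(token).get("aud", "")
    return isinstance(aud, str) and aud.rstrip("/").lower() == expected.rstrip("/").lower()


def _constructed_token(claims):
    """Build an unsigned sample token for the demo; not a real AAD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: one with the audience from the answer, one with the
# resource named in the error message.
GOOD = _constructed_token({"aud": "https://help.kusto.windows.net", "tid": "<MY_AAD_SUBSCRIPTION_ID>"})
BAD = _constructed_token({"aud": "https://ade.applicationinsights.io", "tid": "<MY_AAD_SUBSCRIPTION_ID>"})

if __name__ == "__main__":
    cluster = "https://ade.applicationinsights.io/subscriptions/<MY_SUBSCRIPTION>"
    print("resource derived from cluster URL:", resource_from_cluster(cluster))
    print("GOOD token audience ok:", audience_matches(GOOD))
    print("BAD token audience ok:", audience_matches(BAD))
```

The decoder skips signature verification on purpose, so use it only to inspect a token you acquired yourself, never to decide whether to trust one.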