What is an AT&T lock?

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure role-based access control (Azure RBAC).

Lock inheritance

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Understand scope of locks

Note

It's important to understand that locks don't apply to all types of operations. Azure operations can be divided into two categories: control plane and data plane. Locks only apply to control plane operations.

Control plane operations are operations sent to https://management.azure.com. Data plane operations are operations sent to your instance of a service, such as https://myaccount.blob.core.windows.net/. For more information, see Azure control plane and data plane. To discover which operations use the control plane URL, see the Azure REST API.

This distinction means locks prevent changes to a resource, but they don't restrict how resources perform their own functions. For example, a ReadOnly lock on a SQL Database logical server prevents you from deleting or modifying the server. It doesn't prevent you from creating, updating, or deleting data in the databases on that server. Data transactions are permitted because those operations aren't sent to https://management.azure.com.

More examples of the differences between control and data plane operations are described in the next section.

Applying locks can lead to unexpected results because some operations that don't seem to modify the resource actually require actions that are blocked by the lock. A read-only lock prevents any operation that requires a POST request to the Azure Resource Manager API. Some common examples of the operations that are blocked by locks are:

  • A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage List Keys operation is handled through a POST request to protect access to the account keys, which provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys must use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).

  • A cannot-delete lock on a storage account doesn't prevent data within that account from being deleted or modified. This type of lock only protects the storage account itself from being deleted. If a request uses data plane operations, the lock on the storage account doesn't protect blob, queue, table, or file data within that storage account. However, if the request uses control plane operations, the lock protects those resources.

    For example, if a request uses File Shares - Delete, which is a control plane operation, the deletion is denied. If the request uses Delete Share, which is a data plane operation, the deletion succeeds. We recommend that you use the control plane operations.

  • A read-only lock on a storage account doesn't prevent data within that account from being deleted or modified. This type of lock only protects the storage account itself from being deleted or modified, and doesn't protect blob, queue, table, or file data within that storage account.

  • A read-only lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.

  • A read-only lock on a resource group that contains an App Service plan prevents you from scaling up or out the plan.

  • A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.

  • A read-only lock on a resource group that contains an automation account prevents all runbooks from starting. These operations require a POST request.

  • A cannot-delete lock on a resource group prevents Azure Resource Manager from automatically deleting deployments in the history. If you reach 800 deployments in the history, your deployments will fail.

  • A cannot-delete lock on the resource group created by Azure Backup Service causes backups to fail. The service supports a maximum of 18 restore points. When locked, the backup service can't clean up restore points. For more information, see Frequently asked questions-Back up Azure VMs.

  • A cannot-delete lock on a resource group prevents Azure Machine Learning from autoscaling Azure Machine Learning compute clusters to remove unused nodes.

  • A read-only lock on a Log Analytics workspace prevents User and Entity Behavior Analytics (UEBA) from being enabled.

  • A read-only lock on a subscription prevents Azure Advisor from working correctly. Advisor is unable to store the results of its queries.

  • A read-only lock on an Application Gateway prevents you from getting the backend health of the application gateway. That operation uses POST, which is blocked by the read-only lock.

  • A read-only lock on an AKS cluster prevents all users from accessing any cluster resources from the Kubernetes Resources section of the AKS cluster's left-side blade in the Azure portal. These operations require a POST request for authentication.
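The inheritance and control-plane rules above (most restrictive lock wins, locks apply only to calls sent to management.azure.com, ReadOnly also rejects POST actions), modelled as an added example that is not from the original page or from Azure's own code; the subscription id and the lock assignments are constructed:

```python
"""Offline model of the lock rules described above (constructed example, not
Azure Resource Manager's own code): locks inherit down the scope chain, the
most restrictive level wins, only control-plane calls to management.azure.com
are affected, ReadOnly also rejects POST actions, CanNotDelete only DELETE."""
from urllib.parse import urlparse

LEVEL_RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}
ARM = "https://management.azure.com"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder id
RG = SUB + "/resourceGroups/exampleresourcegroup"
SITE = RG + "/providers/Microsoft.Web/sites/examplesite"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/myaccount"
SAMPLE_LOCKS = {RG: "CanNotDelete", STORAGE: "ReadOnly"}  # constructed sample locks

def scope_chain(path: str) -> list:
    """Lockable scopes from the subscription down to the resource; a trailing action (/listKeys, /start) is not one."""
    parts = path.strip("/").split("/")
    chain = []
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        chain.append("/" + "/".join(parts[:2]))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    end = 8  # providers/<namespace>/<type>/<name>, then one child level per step
    while end <= len(parts):
        chain.append("/" + "/".join(parts[:end]))
        end += 2
    return chain

def effective_level(locks: dict, resource_id: str):
    """Most restrictive lock inherited along the scope chain (None if unlocked)."""
    by_scope = {scope.lower(): level for scope, level in locks.items()}
    best = None
    for scope in scope_chain(resource_id):
        level = by_scope.get(scope.lower())
        if LEVEL_RANK[level] > LEVEL_RANK[best]:
            best = level
    return best

def is_blocked(locks: dict, method: str, url: str) -> bool:
    """True if a management lock would reject this request."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() != "management.azure.com":
        return False  # data-plane host (e.g. *.blob.core.windows.net): locks never apply
    level = effective_level(locks, parsed.path)
    if level == "ReadOnly":
        return method.upper() not in ("GET", "HEAD")  # every write, POST included
    if level == "CanNotDelete":
        return method.upper() == "DELETE"
    return False
```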

Who can create or delete locks

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

Managed Applications and locks

Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One resource group contains an overview of the service and isn't locked. The other resource group contains the infrastructure for the service and is locked.

If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because it's owned by a system application.

Instead, delete the service, which also deletes the infrastructure resource group.

For managed applications, select the service you deployed.

Notice the service includes a link for a Managed Resource Group. That resource group holds the infrastructure and is locked. It can't be directly deleted.

To delete everything for the service, including the locked infrastructure resource group, select Delete for the service.

Configure locks

Portal

  1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.

  2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent. For example, you could lock the resource group to apply a lock to all its resources.

  3. Give the lock a name and lock level. Optionally, you can add notes that describe the lock.

  4. To delete the lock, select the Delete button.

Template

When using an Azure Resource Manager template (ARM template) or Bicep file to deploy a lock, you need to be aware of the scope of the lock and the scope of the deployment. To apply a lock at the deployment scope, such as locking a resource group or subscription, don't set the scope property. When locking a resource within the deployment scope, set the scope property.

The following template applies a lock to the resource group it's deployed to. Notice there isn't a scope property on the lock resource because the scope of the lock matches the scope of deployment. This template is deployed at the resource group level.

ARM template (JSON):

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "rgLock",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Resource group should not be deleted."
      }
    }
  ]
}

Bicep:

resource createRgLock 'Microsoft.Authorization/locks@2016-09-01' = {
  name: 'rgLock'
  properties: {
    level: 'CanNotDelete'
    notes: 'Resource group should not be deleted.'
  }
}

To create a resource group and lock it, deploy the following template at the subscription level.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": { "type": "string" },
    "rgLocation": { "type": "string" }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "lockDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.Authorization/locks",
              "apiVersion": "2016-09-01",
              "name": "rgLock",
              "properties": {
                "level": "CanNotDelete",
                "notes": "Resource group and its resources should not be deleted."
              }
            }
          ],
          "outputs": {}
        }
      }
    }
  ],
  "outputs": {}
}

The main Bicep file creates a resource group and uses a module to create the lock.

targetScope = 'subscription'

param rgName string
param rgLocation string

resource createRg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: rgName
  location: rgLocation
}

module deployRgLock './lockRg.bicep' = {
  name: 'lockDeployment'
  scope: resourceGroup(createRg.name)
}

The module uses a Bicep file named lockRg.bicep that adds the resource group lock.

resource createRgLock 'Microsoft.Authorization/locks@2016-09-01' = {
  name: 'rgLock'
  properties: {
    level: 'CanNotDelete'
    notes: 'Resource group and its resources should not be deleted.'
  }
}

When applying a lock to a resource within the resource group, add the scope property. Set scope to the name of the resource to lock.

The following example shows a template that creates an app service plan, a website, and a lock on the website. The scope of the lock is set to the website.

ARM template (JSON):

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "hostingPlanName": { "type": "string" },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "siteName": "[concat('ExampleSite', uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2020-12-01",
      "name": "[parameters('hostingPlanName')]",
      "location": "[parameters('location')]",
      "sku": { "tier": "Free", "name": "f1", "capacity": 0 },
      "properties": { "targetWorkerCount": 1 }
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "[variables('siteName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
      ],
      "properties": { "serverFarmId": "[parameters('hostingPlanName')]" }
    },
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "siteLock",
      "scope": "[concat('Microsoft.Web/sites/', variables('siteName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('siteName'))]"
      ],
      "properties": {
        "level": "CanNotDelete",
        "notes": "Site should not be deleted."
      }
    }
  ]
}

Bicep:

param hostingPlanName string
param location string = resourceGroup().location

var siteName = concat('ExampleSite', uniqueString(resourceGroup().id))

resource serverFarm 'Microsoft.Web/serverfarms@2020-12-01' = {
  name: hostingPlanName
  location: location
  sku: {
    tier: 'Free'
    name: 'f1'
    capacity: 0
  }
  properties: {
    targetWorkerCount: 1
  }
}

resource webSite 'Microsoft.Web/sites@2020-12-01' = {
  name: siteName
  location: location
  properties: {
    serverFarmId: serverFarm.name
  }
}

resource siteLock 'Microsoft.Authorization/locks@2016-09-01' = {
  name: 'siteLock'
  scope: webSite
  properties: {
    level: 'CanNotDelete'
    notes: 'Site should not be deleted.'
  }
}

Azure PowerShell

You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To lock a resource group, provide the name of the resource group.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:

Get-AzResourceLock

To get all locks for a resource, use:

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzResourceLock -ResourceGroupName exampleresourcegroup

To delete a lock for a resource, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId
Remove-AzResourceLock -LockId $lockId

To delete a lock for a resource group, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup).LockId
Remove-AzResourceLock -LockId $lockId

Azure CLI

You lock deployed resources with Azure CLI by using the az lock create command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete --resource-group exampleresourcegroup --resource-name examplesite --resource-type Microsoft.Web/sites

To lock a resource group, provide the name of the resource group.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleresourcegroup

To get information about a lock, use az lock list. To get all the locks in your subscription, use:

az lock list

To get all locks for a resource, use:

az lock list --resource-group exampleresourcegroup --resource-name examplesite --namespace Microsoft.Web --resource-type sites --parent ""

To get all locks for a resource group, use:

az lock list --resource-group exampleresourcegroup

To delete a lock for a resource, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id)
az lock delete --ids $lockid

To delete a lock for a resource group, use:

lockid=$(az lock show --name LockGroup --resource-group exampleresourcegroup --output tsv --query id)
az lock delete --ids $lockid

REST API

You can lock deployed resources with the REST API for management locks. The REST API enables you to create and delete locks, and retrieve information about existing locks.

To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the lock. For api-version, use 2016-09-01.

In the request, include a JSON object that specifies the properties for the lock.

{
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional text notes."
  }
}

Next steps