0
# Security Management
1
2
Comprehensive security management including cluster and database-level principal assignments, private endpoints, managed private endpoints, and private link resources. This enables fine-grained access control and network isolation for Kusto resources.
3
4
## Capabilities
5
6
### Cluster Principal Assignments
7
8
Management of security principals with cluster-level access permissions.
9
10
```python { .api }
11
def get(
12
resource_group_name: str,
13
cluster_name: str,
14
principal_assignment_name: str,
15
**kwargs
16
) -> ClusterPrincipalAssignment:
17
"""
18
Get a cluster principal assignment.
19
20
Parameters:
21
- resource_group_name: Name of the resource group
22
- cluster_name: Name of the Kusto cluster
23
- principal_assignment_name: Name of the principal assignment
24
25
Returns:
26
ClusterPrincipalAssignment object
27
"""
28
29
def begin_create_or_update(
30
resource_group_name: str,
31
cluster_name: str,
32
principal_assignment_name: str,
33
parameters: ClusterPrincipalAssignment,
34
**kwargs
35
) -> LROPoller[ClusterPrincipalAssignment]:
36
"""
37
Create or update a cluster principal assignment.
38
39
Parameters:
40
- resource_group_name: Name of the resource group
41
- cluster_name: Name of the Kusto cluster
42
- principal_assignment_name: Name of the principal assignment
43
- parameters: ClusterPrincipalAssignment with configuration
44
45
Returns:
46
LROPoller for the long-running operation returning ClusterPrincipalAssignment
47
"""
48
49
def begin_delete(
50
resource_group_name: str,
51
cluster_name: str,
52
principal_assignment_name: str,
53
**kwargs
54
) -> LROPoller[None]:
55
"""
56
Delete a cluster principal assignment.
57
58
Parameters:
59
- resource_group_name: Name of the resource group
60
- cluster_name: Name of the Kusto cluster
61
- principal_assignment_name: Name of the principal assignment
62
63
Returns:
64
LROPoller for the long-running delete operation
65
"""
66
67
def list(
68
resource_group_name: str,
69
cluster_name: str,
70
**kwargs
71
) -> Iterable[ClusterPrincipalAssignment]:
72
"""
73
List cluster principal assignments.
74
75
Parameters:
76
- resource_group_name: Name of the resource group
77
- cluster_name: Name of the Kusto cluster
78
79
Returns:
80
Iterable of ClusterPrincipalAssignment objects
81
"""
82
83
def check_name_availability(
84
resource_group_name: str,
85
cluster_name: str,
86
principal_assignment_name: ClusterPrincipalAssignmentCheckNameRequest,
87
**kwargs
88
) -> CheckNameResult:
89
"""
90
Check if a cluster principal assignment name is available.
91
92
Parameters:
93
- resource_group_name: Name of the resource group
94
- cluster_name: Name of the Kusto cluster
95
- principal_assignment_name: CheckNameRequest with name to validate
96
97
Returns:
98
CheckNameResult indicating availability
99
"""
100
```
101
102
### Database Principal Assignments
103
104
Management of security principals with database-level access permissions.
105
106
```python { .api }
107
def get(
108
resource_group_name: str,
109
cluster_name: str,
110
database_name: str,
111
principal_assignment_name: str,
112
**kwargs
113
) -> DatabasePrincipalAssignment:
114
"""
115
Get a database principal assignment.
116
117
Parameters:
118
- resource_group_name: Name of the resource group
119
- cluster_name: Name of the Kusto cluster
120
- database_name: Name of the database
121
- principal_assignment_name: Name of the principal assignment
122
123
Returns:
124
DatabasePrincipalAssignment object
125
"""
126
127
def begin_create_or_update(
128
resource_group_name: str,
129
cluster_name: str,
130
database_name: str,
131
principal_assignment_name: str,
132
parameters: DatabasePrincipalAssignment,
133
**kwargs
134
) -> LROPoller[DatabasePrincipalAssignment]:
135
"""
136
Create or update a database principal assignment.
137
138
Parameters:
139
- resource_group_name: Name of the resource group
140
- cluster_name: Name of the Kusto cluster
141
- database_name: Name of the database
142
- principal_assignment_name: Name of the principal assignment
143
- parameters: DatabasePrincipalAssignment with configuration
144
145
Returns:
146
LROPoller for the long-running operation returning DatabasePrincipalAssignment
147
"""
148
149
def begin_delete(
150
resource_group_name: str,
151
cluster_name: str,
152
database_name: str,
153
principal_assignment_name: str,
154
**kwargs
155
) -> LROPoller[None]:
156
"""
157
Delete a database principal assignment.
158
159
Parameters:
160
- resource_group_name: Name of the resource group
161
- cluster_name: Name of the Kusto cluster
162
- database_name: Name of the database
163
- principal_assignment_name: Name of the principal assignment
164
165
Returns:
166
LROPoller for the long-running delete operation
167
"""
168
169
def list(
170
resource_group_name: str,
171
cluster_name: str,
172
database_name: str,
173
**kwargs
174
) -> Iterable[DatabasePrincipalAssignment]:
175
"""
176
List database principal assignments.
177
178
Parameters:
179
- resource_group_name: Name of the resource group
180
- cluster_name: Name of the Kusto cluster
181
- database_name: Name of the database
182
183
Returns:
184
Iterable of DatabasePrincipalAssignment objects
185
"""
186
187
def check_name_availability(
188
resource_group_name: str,
189
cluster_name: str,
190
database_name: str,
191
principal_assignment_name: DatabasePrincipalAssignmentCheckNameRequest,
192
**kwargs
193
) -> CheckNameResult:
194
"""
195
Check if a database principal assignment name is available.
196
197
Parameters:
198
- resource_group_name: Name of the resource group
199
- cluster_name: Name of the Kusto cluster
200
- database_name: Name of the database
201
- principal_assignment_name: CheckNameRequest with name to validate
202
203
Returns:
204
CheckNameResult indicating availability
205
"""
206
```
207
208
### Private Endpoint Connections
209
210
Management of private endpoint connections for secure network access to Kusto clusters.
211
212
```python { .api }
213
def get(
214
resource_group_name: str,
215
cluster_name: str,
216
private_endpoint_connection_name: str,
217
**kwargs
218
) -> PrivateEndpointConnection:
219
"""
220
Get a private endpoint connection.
221
222
Parameters:
223
- resource_group_name: Name of the resource group
224
- cluster_name: Name of the Kusto cluster
225
- private_endpoint_connection_name: Name of the private endpoint connection
226
227
Returns:
228
PrivateEndpointConnection object
229
"""
230
231
def begin_create_or_update(
232
resource_group_name: str,
233
cluster_name: str,
234
private_endpoint_connection_name: str,
235
parameters: PrivateEndpointConnection,
236
**kwargs
237
) -> LROPoller[PrivateEndpointConnection]:
238
"""
239
Create or update a private endpoint connection.
240
241
Parameters:
242
- resource_group_name: Name of the resource group
243
- cluster_name: Name of the Kusto cluster
244
- private_endpoint_connection_name: Name of the private endpoint connection
245
- parameters: PrivateEndpointConnection with configuration
246
247
Returns:
248
LROPoller for the long-running operation returning PrivateEndpointConnection
249
"""
250
251
def begin_delete(
252
resource_group_name: str,
253
cluster_name: str,
254
private_endpoint_connection_name: str,
255
**kwargs
256
) -> LROPoller[None]:
257
"""
258
Delete a private endpoint connection.
259
260
Parameters:
261
- resource_group_name: Name of the resource group
262
- cluster_name: Name of the Kusto cluster
263
- private_endpoint_connection_name: Name of the private endpoint connection
264
265
Returns:
266
LROPoller for the long-running delete operation
267
"""
268
269
def list(
270
resource_group_name: str,
271
cluster_name: str,
272
**kwargs
273
) -> Iterable[PrivateEndpointConnection]:
274
"""
275
List private endpoint connections for a cluster.
276
277
Parameters:
278
- resource_group_name: Name of the resource group
279
- cluster_name: Name of the Kusto cluster
280
281
Returns:
282
Iterable of PrivateEndpointConnection objects
283
"""
284
```
285
286
### Managed Private Endpoints
287
288
Management of managed private endpoints created within the Kusto cluster's managed virtual network.
289
290
```python { .api }
291
def get(
292
resource_group_name: str,
293
cluster_name: str,
294
managed_private_endpoint_name: str,
295
**kwargs
296
) -> ManagedPrivateEndpoint:
297
"""
298
Get a managed private endpoint.
299
300
Parameters:
301
- resource_group_name: Name of the resource group
302
- cluster_name: Name of the Kusto cluster
303
- managed_private_endpoint_name: Name of the managed private endpoint
304
305
Returns:
306
ManagedPrivateEndpoint object
307
"""
308
309
def begin_create_or_update(
310
resource_group_name: str,
311
cluster_name: str,
312
managed_private_endpoint_name: str,
313
parameters: ManagedPrivateEndpoint,
314
**kwargs
315
) -> LROPoller[ManagedPrivateEndpoint]:
316
"""
317
Create or update a managed private endpoint.
318
319
Parameters:
320
- resource_group_name: Name of the resource group
321
- cluster_name: Name of the Kusto cluster
322
- managed_private_endpoint_name: Name of the managed private endpoint
323
- parameters: ManagedPrivateEndpoint with configuration
324
325
Returns:
326
LROPoller for the long-running operation returning ManagedPrivateEndpoint
327
"""
328
329
def begin_update(
330
resource_group_name: str,
331
cluster_name: str,
332
managed_private_endpoint_name: str,
333
parameters: ManagedPrivateEndpoint,
334
**kwargs
335
) -> LROPoller[ManagedPrivateEndpoint]:
336
"""
337
Update a managed private endpoint.
338
339
Parameters:
340
- resource_group_name: Name of the resource group
341
- cluster_name: Name of the Kusto cluster
342
- managed_private_endpoint_name: Name of the managed private endpoint
343
- parameters: ManagedPrivateEndpoint with updates
344
345
Returns:
346
LROPoller for the long-running operation returning updated ManagedPrivateEndpoint
347
"""
348
349
def begin_delete(
350
resource_group_name: str,
351
cluster_name: str,
352
managed_private_endpoint_name: str,
353
**kwargs
354
) -> LROPoller[None]:
355
"""
356
Delete a managed private endpoint.
357
358
Parameters:
359
- resource_group_name: Name of the resource group
360
- cluster_name: Name of the Kusto cluster
361
- managed_private_endpoint_name: Name of the managed private endpoint
362
363
Returns:
364
LROPoller for the long-running delete operation
365
"""
366
367
def list(
368
resource_group_name: str,
369
cluster_name: str,
370
**kwargs
371
) -> Iterable[ManagedPrivateEndpoint]:
372
"""
373
List managed private endpoints for a cluster.
374
375
Parameters:
376
- resource_group_name: Name of the resource group
377
- cluster_name: Name of the Kusto cluster
378
379
Returns:
380
Iterable of ManagedPrivateEndpoint objects
381
"""
382
383
def check_name_availability(
384
resource_group_name: str,
385
cluster_name: str,
386
resource_name: ManagedPrivateEndpointsCheckNameRequest,
387
**kwargs
388
) -> CheckNameResult:
389
"""
390
Check if a managed private endpoint name is available.
391
392
Parameters:
393
- resource_group_name: Name of the resource group
394
- cluster_name: Name of the Kusto cluster
395
- resource_name: CheckNameRequest with name to validate
396
397
Returns:
398
CheckNameResult indicating availability
399
"""
400
```
401
402
### Private Link Resources
403
404
Operations to discover private link resources available for private endpoint connections.
405
406
```python { .api }
407
def get(
408
resource_group_name: str,
409
cluster_name: str,
410
private_link_resource_name: str,
411
**kwargs
412
) -> PrivateLinkResource:
413
"""
414
Get a private link resource.
415
416
Parameters:
417
- resource_group_name: Name of the resource group
418
- cluster_name: Name of the Kusto cluster
419
- private_link_resource_name: Name of the private link resource
420
421
Returns:
422
PrivateLinkResource object
423
"""
424
425
def list(
426
resource_group_name: str,
427
cluster_name: str,
428
**kwargs
429
) -> Iterable[PrivateLinkResource]:
430
"""
431
List private link resources for a cluster.
432
433
Parameters:
434
- resource_group_name: Name of the resource group
435
- cluster_name: Name of the Kusto cluster
436
437
Returns:
438
Iterable of PrivateLinkResource objects
439
"""
440
```
441
442
## Usage Examples
443
444
### Assigning Cluster Admin Role
445
446
```python
447
from azure.mgmt.kusto.models import (
448
ClusterPrincipalAssignment,
449
ClusterPrincipalRole,
450
PrincipalType
451
)
452
453
# Create cluster principal assignment
454
cluster_principal = ClusterPrincipalAssignment(
455
principal_id="12345678-1234-1234-1234-123456789012", # Azure AD Object ID
456
role=ClusterPrincipalRole.ALL_DATABASES_ADMIN,
457
tenant_id="87654321-4321-4321-4321-210987654321", # Azure AD Tenant ID
458
principal_type=PrincipalType.USER
459
)
460
461
# Assign the principal
462
poller = client.cluster_principal_assignments.begin_create_or_update(
463
resource_group_name="my-resource-group",
464
cluster_name="my-cluster",
465
principal_assignment_name="admin-assignment",
466
parameters=cluster_principal
467
)
468
469
assignment = poller.result()
470
print(f"Cluster principal assigned: {assignment.principal_id}")
471
```
472
473
### Assigning Database Viewer Role
474
475
```python
476
from azure.mgmt.kusto.models import (
477
DatabasePrincipalAssignment,
478
DatabasePrincipalRole,
479
PrincipalType
480
)
481
482
# Create database principal assignment
483
database_principal = DatabasePrincipalAssignment(
484
principal_id="group-object-id-here",
485
role=DatabasePrincipalRole.VIEWER,
486
tenant_id="87654321-4321-4321-4321-210987654321",
487
principal_type=PrincipalType.GROUP
488
)
489
490
# Assign the principal to database
491
poller = client.database_principal_assignments.begin_create_or_update(
492
resource_group_name="my-resource-group",
493
cluster_name="my-cluster",
494
database_name="my-database",
495
principal_assignment_name="viewer-group-assignment",
496
parameters=database_principal
497
)
498
499
assignment = poller.result()
500
print(f"Database principal assigned: {assignment.principal_id}")
501
```
502
503
### Creating a Private Endpoint Connection
504
505
```python
506
from azure.mgmt.kusto.models import (
507
PrivateEndpointConnection,
508
PrivateLinkServiceConnectionStateProperty
509
)
510
511
# Configure private endpoint connection
512
connection_state = PrivateLinkServiceConnectionStateProperty(
513
status="Approved",
514
description="Approved by administrator"
515
)
516
517
private_endpoint_conn = PrivateEndpointConnection(
518
private_link_service_connection_state=connection_state
519
)
520
521
# Create private endpoint connection
522
poller = client.private_endpoint_connections.begin_create_or_update(
523
resource_group_name="my-resource-group",
524
cluster_name="my-cluster",
525
private_endpoint_connection_name="my-private-endpoint",
526
parameters=private_endpoint_conn
527
)
528
529
connection = poller.result()
530
print(f"Private endpoint connection created: {connection.name}")
531
```
532
533
### Creating a Managed Private Endpoint
534
535
```python
536
from azure.mgmt.kusto.models import ManagedPrivateEndpoint
537
538
# Configure managed private endpoint
539
managed_endpoint = ManagedPrivateEndpoint(
540
private_link_resource_id="/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount",
541
private_link_resource_region="East US",
542
group_id="blob",
543
request_message="Please approve this connection"
544
)
545
546
# Create managed private endpoint
547
poller = client.managed_private_endpoints.begin_create_or_update(
548
resource_group_name="my-resource-group",
549
cluster_name="my-cluster",
550
managed_private_endpoint_name="storage-endpoint",
551
parameters=managed_endpoint
552
)
553
554
endpoint = poller.result()
555
print(f"Managed private endpoint created: {endpoint.name}")
556
```
557
558
## Key Types
559
560
```python { .api }
561
class ClusterPrincipalAssignment:
562
"""Represents a cluster-level principal assignment."""
563
# Read-only properties
564
id: str # Resource ID
565
name: str # Assignment name
566
type: str # Resource type
567
provisioning_state: ProvisioningState # Provisioning state
568
principal_name: str # Principal display name
569
tenant_name: str # Tenant display name
570
aad_object_id: str # Azure AD object ID
571
572
# Configuration properties
573
principal_id: str # Principal object ID
574
role: ClusterPrincipalRole # Principal role
575
tenant_id: str # Principal tenant ID
576
principal_type: PrincipalType # Principal type
577
578
class DatabasePrincipalAssignment:
579
"""Represents a database-level principal assignment."""
580
# Read-only properties
581
id: str # Resource ID
582
name: str # Assignment name
583
type: str # Resource type
584
provisioning_state: ProvisioningState # Provisioning state
585
principal_name: str # Principal display name
586
tenant_name: str # Tenant display name
587
aad_object_id: str # Azure AD object ID
588
589
# Configuration properties
590
principal_id: str # Principal object ID
591
role: DatabasePrincipalRole # Principal role
592
tenant_id: str # Principal tenant ID
593
principal_type: PrincipalType # Principal type
594
595
class PrivateEndpointConnection:
596
"""Represents a private endpoint connection."""
597
# Read-only properties
598
id: str # Resource ID
599
name: str # Connection name
600
type: str # Resource type
601
provisioning_state: ProvisioningState # Provisioning state
602
603
# Configuration properties
604
private_endpoint: PrivateEndpointProperty # Private endpoint details
605
private_link_service_connection_state: PrivateLinkServiceConnectionStateProperty # Connection state
606
group_ids: List[str] # Group IDs
607
608
class ManagedPrivateEndpoint:
609
"""Represents a managed private endpoint."""
610
# Read-only properties
611
id: str # Resource ID
612
name: str # Endpoint name
613
type: str # Resource type
614
provisioning_state: ProvisioningState # Provisioning state
615
616
# Configuration properties
617
private_link_resource_id: str # Target resource ID
618
private_link_resource_region: str # Target resource region
619
group_id: str # Private link sub-resource group ID
620
request_message: str # Request message
621
fqdns: List[str] # Fully qualified domain names
622
623
class PrivateLinkResource:
624
"""Represents a private link resource."""
625
# Read-only properties
626
id: str # Resource ID
627
name: str # Resource name
628
type: str # Resource type
629
group_id: str # Group ID
630
required_members: List[str] # Required members
631
required_zone_names: List[str] # Required DNS zone names
632
633
class PrivateEndpointProperty:
634
"""Private endpoint property details."""
635
id: str # Private endpoint resource ID
636
637
class PrivateLinkServiceConnectionStateProperty:
638
"""Private link service connection state."""
639
status: str # Connection status
640
description: str # Connection description
641
actions_required: str # Required actions
642
643
from enum import Enum
644
645
class ClusterPrincipalRole(str, Enum):
646
"""Cluster principal role values."""
647
ALL_DATABASES_ADMIN = "AllDatabasesAdmin"
648
ALL_DATABASES_VIEWER = "AllDatabasesViewer"
649
650
class DatabasePrincipalRole(str, Enum):
651
"""Database principal role values."""
652
ADMIN = "Admin"
653
INGESTOR = "Ingestor"
654
MONITOR = "Monitor"
655
USER = "User"
656
UNRESTRICTED_VIEWER = "UnrestrictedViewer"
657
VIEWER = "Viewer"
658
659
class PrincipalType(str, Enum):
660
"""Principal type values."""
661
APP = "App"
662
GROUP = "Group"
663
USER = "User"
664
```