# Restrict statement
The restrict statement limits the set of table/view entities that are visible to the query statements that follow it. For example, in a database that contains two tables, A and B, an application can use a view to prevent the rest of the query from accessing B, and to let it "see" only a limited form of table A through that view.
The main scenario for the restrict statement is a middle-tier application that accepts queries from users and wants to apply a row-level security mechanism to those queries.

The middle-tier application can use a logical model to prefix the user's query with a set of let statements that define views restricting the user's access to data, for example `(T | where UserId == "...")`. When the final restrict statement is added, the user's query can access only that logical model.
> **Note**
> The restrict statement can be used to limit access to entities in another database or cluster (wildcards aren't supported in cluster names).
## Syntax

`restrict access to (` *EntitySpecifiers* `)`

Learn more about syntax conventions.
## Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| *EntitySpecifiers* | string | ✔️ | One or more comma-separated entity specifiers. Possible values are: an identifier defined by a let statement as a tabular view; a table or function reference, similar to the ones used by a union statement; a pattern defined by a pattern declaration. |
> **Note**
> - All tables, tabular views, or patterns that aren't specified by the restrict statement become "invisible" to the rest of the query.
> - Let, set, and tabular statements must be strung together, separated by semicolons; otherwise they aren't considered part of the same query, and the restriction doesn't apply to them.
## Examples

In the help cluster, there's a Samples database with a StormEvents table.
### Let statement

This example uses a let statement that appears before the restrict statement.

```kusto
// Limit access to 'Test' let statement only
let Test = () { print x=1 };
restrict access to (Test);
```
### Tables or functions

This example uses references to tables or functions that are defined in the database metadata.

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata,
// and other database 'DB2' has Table2 defined in the metadata
restrict access to (database().Table1, database().Func1, database('DB2').Table2);
```
### Patterns

This example uses wildcard patterns that can match multiple let statements, or tables/functions.

```kusto
let Test1 = () { print x=1 };
let Test2 = () { print y=1 };
restrict access to (*);
// Now access is restricted to Test1, Test2 and no tables/functions are accessible.
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database().*);
// Now access is restricted to all tables/functions of the current database ('DB2' is not accessible).
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database('DB2').*);
// Now access is restricted to all tables/functions of the database 'DB2'
```
### Prevent a user from querying other users' data

This example shows how a middle-tier application can prepend a logical model to a user's query so that the user can't query any other user's data.

```kusto
// Assume the database has a single table, Data,
// with a column called UserID and other columns that hold
// per-user private information.
//
// The middle-tier application generates the following statements.
// Note that "username@domain.com" is something the middle-tier application
// derives per-user as it authenticates the user.
let RestrictedData = view () { Data | where UserID == "username@domain.com" };
restrict access to (RestrictedData);
// The rest of the query is something that the user types.
// This part can only reference RestrictedData; attempting to reference Data
// will fail.
RestrictedData | summarize MonthlySalary=sum(Salary) by Year, Month
```
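As an added example (not part of this documentation), the prefixing step the middle-tier application performs, written in Python: the helper names, the `Data` table and the `UserID` column are assumptions, and the authenticated user ID is rendered as an escaped KQL string literal so that an ID containing quotes or backslashes cannot terminate the `where` clause early.

```python
from __future__ import annotations


def kql_string_literal(value: str) -> str:
    """Render a Python str as a double-quoted KQL string literal.

    Backslash and double quote are escaped so a user ID such as a"b
    cannot close the literal early and alter the where clause.
    Control characters are rejected rather than escaped.
    """
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not allowed in the user ID")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_restricted_query(user_id: str, user_query: str,
                           table: str = "Data", column: str = "UserID") -> str:
    """Return the query text the middle tier sends to the cluster.

    Statement 1 defines a tabular view limited to this user's rows,
    statement 2 makes that view the only visible entity, and the user's
    own text comes last in the same semicolon-separated query, which is
    what makes the restriction apply to it.
    """
    literal = kql_string_literal(user_id)
    statements = [
        f"let RestrictedData = view () {{ {table} | where {column} == {literal} }}",
        "restrict access to (RestrictedData)",
        user_query.strip(),
    ]
    return ";\n".join(statements)


if __name__ == "__main__":
    # Constructed sample input: the user ID comes from authentication,
    # the query body is whatever the user typed.
    print(build_restricted_query(
        "username@domain.com",
        "RestrictedData | summarize MonthlySalary=sum(Salary) by Year, Month",
    ))
```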
```kusto
// Restricting access to Table1 in the current database (database() called without parameters)
restrict access to (database().Table1);
Table1 | count
```

```kusto
// Restricting access to Table1 in the current database and Table2 in database 'DB2'
restrict access to (database().Table1, database('DB2').Table2);
union
    (Table1),
    (database('DB2').Table2)
| count
```

```kusto
// Restricting access to Test statement only
let Test = () { range x from 1 to 10 step 1 };
restrict access to (Test);
Test
```

```kusto
// Assume that there are tables called Table1 and Table2 in the database
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
```

```kusto
// When those statements appear before the command, the next query works
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
View1 | count
```

```kusto
// When those statements appear before the command, the next access is not allowed
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
Table1 | count
```