Log in to a Windows domain from a Linux container.

Time: 2022-07-25 10:06:52

My company is exclusively using Windows machines and when I login to the windows domain it gives me access to some shared drives and databases. Now I would like to run R in a container, for instance following tutorial https://ropenscilabs.github.io/r-docker-tutorial/02-Launching-Docker.html


My question is the following: is there a way that my R scripts executed in this container inherit from the permissions of the host OS? It seems especially tricky for access to MSSQL databases that are using Windows authentication.


2 answers

#1


6  

RockScience,

I see two options here; they both enable you to inherit permissions, as opposed to passing in user and password credentials. To address your specific question around Linux, take a look at:

If you take the approach of running Windows containers, take a look at Active Directory gMSA (Group Managed Service Accounts) accounts and the following MSDN article and video:


This would enable you to create a Windows container and R environment.


Active Directory Authentication with SQL Server on Linux

The tutorial explains how to configure SQL Server on Linux to support Active Directory (AD) authentication, also known as integrated authentication. AD Authentication enables domain-joined clients on either Windows or Linux to authenticate to SQL Server using their domain credentials and the Kerberos protocol.


AD Authentication has the following advantages over SQL Server Authentication:


  • Users authenticate via single sign-on, without being prompted for a password.
  • By creating logins for AD groups, you can manage access and permissions in SQL Server using AD group memberships.
  • Each user has a single identity across your organization, so you don’t have to keep track of which SQL Server logins correspond to which people.
  • AD enables you to enforce a centralised password policy across your organisation.

The tutorial consists of the following tasks:


  • Join SQL Server host to AD domain
  • Create AD user for SQL Server and set SPN
  • Configure SQL Server service keytab
  • Create AD-based logins in Transact-SQL
  • Connect to SQL Server using AD Authentication

Active Directory Service Accounts for Windows Containers

Today, group Managed Service Accounts are often used to secure connections between one computer or service to another. The general steps to use one are:


  1. Create a gMSA
  2. Configure the service to run as the gMSA
  3. Give the domain-joined host running the service access to the gMSA secrets in Active Directory
  4. Allow access to gMSA on the other service such as a database or file Shares

When the service is launched, the domain-joined host automatically gets the gMSA secrets from Active Directory, and runs the service using that account. Since that service is running as the gMSA, it can access any resources the gMSA is allowed to.


Windows Containers follow a similar process:

  1. Create a gMSA. By default, a domain administrator or account operator must do this. Otherwise they can delegate the privileges to create & manage gMSAs to admins who manage services which use them. See gMSA Getting started
  2. Give the domain-joined container host access to the gMSA
  3. Allow access to gMSA on the other service such as a database or file Shares
  4. Use the CredentialSpec PowerShell module from windows-server-container-tools to store settings needed to use the gMSA
  5. Start the container with an extra option --security-opt "credentialspec=..."

When the container is launched, the installed services running as Local System or Network Service will appear to run as the gMSA. This is similar to how those accounts work on domain-joined hosts, except a gMSA is used instead of a computer account.

Example Uses

SQL Connection Strings

When a service is running as Local System or Network Service in a container, it can use Windows Integrated Authentication to connect to a Microsoft SQL Server.


Example:


Server=sql.contoso.com;Database=MusicStore;Integrated Security=True;MultipleActiveResultSets=True;Connect Timeout=30

On the Microsoft SQL Server, create a login using the domain and gMSA name, followed by a $. Once the login is created, it can be added to a user on a database and given appropriate access permissions.


Example (SQL):

CREATE LOGIN "DEMO\WebApplication1$"
    FROM WINDOWS
    WITH DEFAULT_DATABASE = "MusicStore"
GO

USE MusicStore
GO
CREATE USER WebApplication1 FOR LOGIN "DEMO\WebApplication1$"
GO

EXEC sp_addrolemember 'db_datareader', 'WebApplication1'
EXEC sp_addrolemember 'db_datawriter', 'WebApplication1'

To see it in action, check out the recorded demo available from Microsoft Ignite 2016 in the session "Walk the Path to Containerization - transforming workloads into containers".

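Added example (not part of the answer above, nor of Microsoft's tutorial): a POSIX shell helper for the Linux route the answer points at. Once the host holds a Kerberos ticket for the AD domain (from a domain join or `kinit`) and SQL Server on Linux is configured for AD authentication as in the tutorial, an R container can reuse that ticket for integrated authentication instead of a uid/pwd pair. The image name, script name, server FQDN and the driver name `ODBC Driver 17 for SQL Server` are assumptions; the functions validate their inputs and print the `docker run` command so it can be reviewed before use.

```shell
#!/bin/sh
# Added example, not from the answer: reuse the host's Kerberos ticket inside a
# Linux R container for integrated authentication to SQL Server on Linux.
# Assumed: the host holds a valid ticket (domain-joined or `kinit user@DOMAIN`),
# the image ships msodbcsql plus a krb5.conf for the domain, and the driver is
# registered as "ODBC Driver 17 for SQL Server". Image and script names are placeholders.

# Resolve the host's ticket cache file from KRB5CCNAME ("FILE:/path" or a bare
# path) or the MIT default /tmp/krb5cc_<uid>. Only file caches can be bind-mounted.
host_ccache_path() {
    cc="${KRB5CCNAME:-}"
    case "$cc" in
        FILE:*) cc="${cc#FILE:}" ;;
        "")     cc="/tmp/krb5cc_$(id -u)" ;;
        *:*)    echo "host_ccache_path: only FILE: caches can be mounted, got '$cc'" >&2; return 1 ;;
        *)      ;;
    esac
    printf '%s' "$cc"
}

# Integrated-auth connection string: no uid/pwd at all. Trusted_Connection=yes
# makes the driver present the Kerberos ticket; the server must be given as an
# FQDN so the driver requests the MSSQLSvc/<fqdn> service ticket that matches
# the SPN registered in the tutorial.
integrated_conn_string() {
    fqdn="$1"; db="$2"
    case "$fqdn" in
        *.*) ;;
        *)   echo "integrated_conn_string: server must be an FQDN, got '$fqdn'" >&2; return 1 ;;
    esac
    printf 'driver={ODBC Driver 17 for SQL Server};server=%s;database=%s;Trusted_Connection=yes' "$fqdn" "$db"
}

# Build (and print for review) the docker run command. The cache is mounted
# read-only so a compromised container cannot replace or renew it, the container
# runs as the host uid so it can read the 0600 cache file, and the connection
# string carries no secret, so passing it with -e is acceptable here.
docker_run_cmd() {
    image="$1"; script="$2"; fqdn="$3"; db="$4"
    cc=$(host_ccache_path) || return 1
    conn=$(integrated_conn_string "$fqdn" "$db") || return 1
    printf 'docker run --rm --user %s -v %s:/tmp/krb5cc:ro -e KRB5CCNAME=FILE:/tmp/krb5cc -e DB_CONN=%s -v "$PWD":/work -w /work %s Rscript %s\n' \
        "$(id -u)" "$cc" "'$conn'" "$image" "$script"
}

# Entry point: `sh forward_ticket.sh run`. Refuses to start without a valid,
# unexpired ticket (klist -s) or with an unreadable cache file.
if [ "${1:-}" = "run" ]; then
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }
    cc=$(host_ccache_path) || exit 1
    [ -r "$cc" ] || { echo "ticket cache '$cc' is not readable" >&2; exit 1; }
    # In the R script: conn <- odbcDriverConnect(Sys.getenv("DB_CONN"))
    docker_run_cmd "my-r-image" "analysis.R" "sql.corp.example" "MusicStore"
fi
```

The ticket is the only credential that enters the container, it expires on its own, and it is mounted read-only, so nothing in the image or in the `docker run` line has to hold a password; the trade-off is that the container can act as the host user for as long as the ticket is valid, which is the same exposure the host itself has.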

#2


2  

As @Technophobe01 has shown, a Windows container would be a more natural fit for inheriting AD permissions.

In terms of getting the R script connected to your file shares and MS SQL databases, I would recommend the following.

MS SQL Connection

Connect to databases using connection strings in the R script.
This is a conventional approach rather than inheriting some permissions.
See SQL Server RODBC Connection.

library(RODBC)
# SQL Server authentication: the user and password travel in the connection string itself
conn <- odbcDriverConnect('driver={SQL Server};server=mysqlhost;database=mydbname;uid=user;pwd=pwd')

You can specify any sensitive fields using ENV vars at deploy time or docker secrets and load them into the R script.


File Shares

See https://blogs.msdn.microsoft.com/stevelasker/2016/06/14/configuring-docker-for-windows-volumes/
1. Map the network drives onto your Windows docker host.
2. Specify them as available to containers in docker settings; you will need to add a new user account with admin privileges.
3. Assuming the network drive is mapped to d:
docker run -v d:/somedata:/data <container> ls /data will mount the drive in the container at /data and list its contents.
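Added example (not from the answer above): a POSIX shell wrapper for the answer's suggestion to keep uid/pwd out of the R script and load them from ENV vars or Docker secrets at deploy time. The `/run/secrets/<name>` and `<NAME>_FILE` lookup conventions, the `SECRETS_DIR` override and the driver name `ODBC Driver 17 for SQL Server` (the Linux driver, in place of `{SQL Server}` in the answer) are assumptions, as are the `DB_*` variable names.

```shell
#!/bin/sh
# Added example, not from the answer: resolve the uid/pwd for the R script's
# connection string from Docker secrets or ENV vars at run time, so the password
# is never baked into the image, the Dockerfile or the `docker run` line.
# Assumed conventions: the value for field NAME comes from (first match wins)
#   1. the file named by $NAME_FILE
#   2. $SECRETS_DIR/<name lower-cased>   (SECRETS_DIR defaults to /run/secrets,
#      where `docker secret` / compose mount secret files)
#   3. the plain environment variable $NAME
# The Linux ODBC driver name "ODBC Driver 17 for SQL Server" is also an assumption.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# load_secret NAME -> prints the value; returns 1 if no source provides one.
load_secret() {
    name="$1"
    # NAME is interpolated into eval below, so accept only [A-Z0-9_].
    case "$name" in
        ""|*[!A-Z0-9_]*) echo "load_secret: invalid field name '$name'" >&2; return 1 ;;
    esac
    eval "file_path=\${${name}_FILE:-}"
    if [ -z "$file_path" ]; then
        file_path="$SECRETS_DIR/$(printf '%s' "$name" | tr 'A-Z' 'a-z')"
    fi
    if [ -r "$file_path" ]; then
        # secret files usually end in a newline (sometimes CRLF); strip it
        value=$(head -n 1 "$file_path" | tr -d '\r\n')
    else
        eval "value=\${$name:-}"
    fi
    if [ -z "$value" ]; then
        echo "load_secret: no value for $name (tried \$${name}_FILE, $file_path, \$$name)" >&2
        return 1
    fi
    printf '%s' "$value"
}

# build_conn_string HOST DB USER PASSWORD -> string for RODBC::odbcDriverConnect().
# Values are brace-quoted so ';' or spaces in a password do not split the
# string; a literal '}' cannot be quoted this way and is rejected.
build_conn_string() {
    host="$1"; db="$2"; user="$3"; pass="$4"
    for v in "$host" "$db" "$user" "$pass"; do
        case "$v" in
            *'}'*) echo "build_conn_string: '}' is not allowed in a value" >&2; return 1 ;;
        esac
    done
    printf 'driver={ODBC Driver 17 for SQL Server};server=%s;database=%s;uid={%s};pwd={%s}' \
        "$host" "$db" "$user" "$pass"
}

# run_r_with_secrets SCRIPT.R: hand the assembled string to R through the child
# process environment only (not on the command line, which every local user can
# read in `ps`, and not via `docker run -e`, which `docker inspect` shows).
# In the R script: conn <- odbcDriverConnect(Sys.getenv("DB_CONN"))
run_r_with_secrets() {
    [ -n "${DB_HOST:-}" ] && [ -n "${DB_NAME:-}" ] || { echo "run_r_with_secrets: DB_HOST and DB_NAME must be set" >&2; return 1; }
    user=$(load_secret DB_USER) || return 1
    pass=$(load_secret DB_PASSWORD) || return 1
    conn=$(build_conn_string "$DB_HOST" "$DB_NAME" "$user" "$pass") || return 1
    DB_CONN="$conn" Rscript "$1"
}

# Entry point: `sh run_r.sh run [script.R]`
if [ "${1:-}" = "run" ]; then
    run_r_with_secrets "${2:-analysis.R}"
fi
```

With `docker run --secret` or a compose `secrets:` entry the password file appears under `/run/secrets` inside the container only, so the image, its build history and the process list stay free of it; the `*_FILE` indirection lets the same script run unchanged in environments that inject secrets as mounted files under a different path.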
