Authorizing access to Event Grid resources

Azure Event Grid allows you to control the level of access given to different users to do various management operations such as listing event subscriptions, creating new ones, and generating keys. Event Grid uses Azure's role-based access control (RBAC).

Operation types

Event Grid supports the following actions:

  • Microsoft.EventGrid/*/read
  • Microsoft.EventGrid/*/write
  • Microsoft.EventGrid/*/delete
  • Microsoft.EventGrid/eventSubscriptions/getFullUrl/action
  • Microsoft.EventGrid/topics/listKeys/action
  • Microsoft.EventGrid/topics/regenerateKey/action

The last three operations return potentially secret information (the full webhook endpoint URL and the topic access keys), which gets filtered out of normal read operations. It's recommended that you restrict access to these operations.

Built-in roles

Event Grid provides two built-in roles for managing event subscriptions. They're important when implementing event domains because they give users the permissions they need to subscribe to topics in your event domain. These roles are focused on event subscriptions and don't grant access for actions such as creating topics.

You can assign these roles to a user or group.

EventGrid EventSubscription Contributor: manage Event Grid subscription operations

[
  {
    "Description": "Lets you manage EventGrid event subscription operations.",
    "IsBuiltIn": true,
    "Id": "428e0ff05e574d9ca2212c70d0e0a443",
    "Name": "EventGrid EventSubscription Contributor",
    "IsServiceRole": false,
    "Permissions": [
      {
        "Actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.EventGrid/eventSubscriptions/*",
          "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*"
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "Condition": null
      }
    ],
    "Scopes": [
      "/"
    ]
  }
]

EventGrid EventSubscription Reader: read Event Grid subscriptions

[
  {
    "Description": "Lets you read EventGrid event subscriptions.",
    "IsBuiltIn": true,
    "Id": "2414bbcf64974faf8c65045460748405",
    "Name": "EventGrid EventSubscription Reader",
    "IsServiceRole": false,
    "Permissions": [
      {
        "Actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.EventGrid/eventSubscriptions/read",
          "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/eventSubscriptions/read",
          "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": []
      }
    ],
    "Scopes": [
      "/"
    ]
  }
]

Custom roles

If you need to specify permissions that are different from the built-in roles, you can create custom roles.

The following are sample Event Grid role definitions that allow users to take different actions. These custom roles are different from the built-in roles because they grant broader access than just event subscriptions.

EventGridReadOnlyRole.json: only allow read-only operations.

{
  "Name": "Event grid read only role",
  "Id": "7C0B6B59-A278-4B62-BA19-411B70753856",
  "IsCustom": true,
  "Description": "Event grid read only role",
  "Actions": [
    "Microsoft.EventGrid/*/read"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<Subscription Id>"
  ]
}

EventGridNoDeleteListKeysRole.json: allow restricted post actions but disallow delete actions.

{
  "Name": "Event grid No Delete Listkeys role",
  "Id": "B9170838-5F9D-4103-A1DE-60496F7C9174",
  "IsCustom": true,
  "Description": "Event grid No Delete Listkeys role",
  "Actions": [
    "Microsoft.EventGrid/*/write",
    "Microsoft.EventGrid/eventSubscriptions/getFullUrl/action",
    "Microsoft.EventGrid/topics/listkeys/action",
    "Microsoft.EventGrid/topics/regenerateKey/action"
  ],
  "NotActions": [
    "Microsoft.EventGrid/*/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/<Subscription id>"
  ]
}

EventGridContributorRole.json: allow all Event Grid actions.

{
  "Name": "Event grid contributor role",
  "Id": "4BA6FB33-2955-491B-A74F-53C9126C9514",
  "IsCustom": true,
  "Description": "Event grid contributor role",
  "Actions": [
    "Microsoft.EventGrid/*/write",
    "Microsoft.EventGrid/*/delete",
    "Microsoft.EventGrid/topics/listkeys/action",
    "Microsoft.EventGrid/topics/regenerateKey/action",
    "Microsoft.EventGrid/eventSubscriptions/getFullUrl/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<Subscription id>"
  ]
}

You can create custom roles with PowerShell, Azure CLI, and REST.
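Before assigning a custom role, it is worth checking what it actually grants. The following Python is an added illustration (not code from the original page or from Azure) that applies the RBAC evaluation rules Azure documents for role definitions, a wildcard `*` in Actions matches any characters including `/`, matching is case-insensitive, and NotActions is subtracted from Actions rather than acting as a deny, to two of the custom role definitions above and reports which of the three secret-returning actions each role hands out:

```python
import re

# The three Event Grid actions the page says can return secret material.
SECRET_ACTIONS = (
    "Microsoft.EventGrid/eventSubscriptions/getFullUrl/action",
    "Microsoft.EventGrid/topics/listKeys/action",
    "Microsoft.EventGrid/topics/regenerateKey/action",
)

# Two of the page's custom role definitions, trimmed to the fields RBAC evaluates.
READ_ONLY_ROLE = {
    "Name": "Event grid read only role",
    "Actions": ["Microsoft.EventGrid/*/read"],
    "NotActions": [],
}
NO_DELETE_LISTKEYS_ROLE = {
    "Name": "Event grid No Delete Listkeys role",
    "Actions": [
        "Microsoft.EventGrid/*/write",
        "Microsoft.EventGrid/eventSubscriptions/getFullUrl/action",
        "Microsoft.EventGrid/topics/listkeys/action",
        "Microsoft.EventGrid/topics/regenerateKey/action",
    ],
    "NotActions": ["Microsoft.EventGrid/*/delete"],
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'), case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*")) + "$"
    return re.match(regex, action.lower()) is not None


def is_allowed(role: dict, action: str) -> bool:
    """Effective permission = Actions minus NotActions (NotActions subtracts, it does not deny)."""
    granted = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def secret_actions_granted(role: dict) -> list:
    """Audit helper: list the secret-returning actions this role definition grants."""
    return [a for a in SECRET_ACTIONS if is_allowed(role, a)]


if __name__ == "__main__":
    for role in (READ_ONLY_ROLE, NO_DELETE_LISTKEYS_ROLE):
        print(role["Name"], "->", secret_actions_granted(role) or "no secret-returning actions")
```

Running it shows that the read-only role exposes none of the three, while the no-delete role grants all three even though it blocks delete, so the page's advice to restrict those actions applies to it.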

Encryption at rest

All events or data written to disk by the Event Grid service are encrypted by a Microsoft-managed key, ensuring that they're encrypted at rest. Additionally, the maximum period of time that events or data are retained is 24 hours, in adherence with the Event Grid retry policy. Event Grid automatically deletes all events or data after 24 hours, or after the event time-to-live, whichever is less.

Permissions for event subscriptions

If you're using an event handler that isn't a WebHook (such as an event hub or queue storage), you need write access to that resource. This permissions check prevents an unauthorized user from sending events to your resource.

You must have the Microsoft.EventGrid/EventSubscriptions/Write permission on the resource that is the event source. You need this permission because you're writing a new subscription at the scope of the resource. The required resource differs based on whether you're subscribing to a system topic or a custom topic. Both types are described in this section.

System topics (Azure service publishers)

For system topics, you need permission to write a new event subscription at the scope of the resource publishing the event. The format of the resource is: /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/{resource-provider}/{resource-type}/{resource-name}

For example, to subscribe to an event on a storage account named myacct, you need the Microsoft.EventGrid/EventSubscriptions/Write permission on: /subscriptions/####/resourceGroups/testrg/providers/Microsoft.Storage/storageAccounts/myacct

Custom topics

For custom topics, you need permission to write a new event subscription at the scope of the Event Grid topic. The format of the resource is: /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.EventGrid/topics/{topic-name}

For example, to subscribe to a custom topic named mytopic, you need the Microsoft.EventGrid/EventSubscriptions/Write permission on: /subscriptions/####/resourceGroups/testrg/providers/Microsoft.EventGrid/topics/mytopic

Next steps