Authenticate an application with Azure Active Directory to access Event Hubs resources

Azure provides integrated access control management for resources and applications based on Azure Active Directory (Azure AD). A key advantage of using Azure AD with Azure Event Hubs is that you no longer need to store your credentials in the code. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. The resource name to request a token for is https://eventhubs.azure.cn/ (for Kafka clients, the resource to request a token for is https://<namespace>.servicebus.chinacloudapi.cn). Azure AD authenticates the security principal (a user, group, or service principal) running the application. If the authentication succeeds, Azure AD returns an access token to the application, and the application can then use the access token to authorize requests to Azure Event Hubs resources.

When a role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security principal can be a user, a group, an application service principal, or a managed identity for Azure resources.

Note

A role definition is a collection of permissions. Role-based access control (RBAC) controls how these permissions are enforced through role assignment. A role assignment consists of three elements: security principal, role definition, and scope. For more information, see Understanding the different roles.

Built-in roles for Azure Event Hubs

Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Azure AD and OAuth:

Important

Our preview release supported adding Event Hubs data access privileges to the Owner or Contributor role. However, data access privileges for the Owner and Contributor roles are no longer honored. If you are using the Owner or Contributor role, switch to using the Azure Event Hubs Data Owner role.

Assign Azure roles using the Azure portal

To learn more about managing access to Azure resources using RBAC and the Azure portal, see this article.

After you've determined the appropriate scope for a role assignment, navigate to that resource in the Azure portal. Display the access control (IAM) settings for the resource, and follow these instructions to manage role assignments:

Note

The steps described below assign a role to your event hub under the Event Hubs namespace, but you can follow the same steps to assign a role scoped to any Event Hubs resource.

  1. In the Azure portal, navigate to your Event Hubs namespace.

  2. On the Overview page, select the event hub for which you want to assign a role.

    [Image: Select event hub]

  3. Select Access Control (IAM) to display the access control settings for the event hub.

  4. Select the Role assignments tab to see the list of role assignments. Select the Add button on the toolbar and then select Add role assignment.

    [Image: Add button on the toolbar]

  5. On the Add role assignment page, do the following steps:

    1. Select the Event Hubs role that you want to assign.

    2. Search to locate the security principal (user, group, service principal) to which you want to assign the role.

    3. Select Save to save the role assignment.

      [Image: Assign role to user]

    4. The identity to which you assigned the role appears listed under that role. For example, the following image shows that Azure-users is in the Azure Event Hubs Data Owner role.

      [Image: User in the list]

You can follow similar steps to assign a role scoped to an Event Hubs namespace, resource group, or subscription. Once you define the role and its scope, you can test this behavior with the samples in this GitHub location.

Authenticate from an application

A key advantage of using Azure AD with Event Hubs is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. Azure AD authenticates the security principal (a user, a group, or a service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Event Hubs.

The following sections show you how to configure your native application or web application for authentication with the Microsoft identity platform 2.0. For more information about the Microsoft identity platform 2.0, see Microsoft identity platform (v2.0) overview.

For an overview of the OAuth 2.0 code grant flow, see Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow.

Register your application with an Azure AD tenant

The first step in using Azure AD to authorize access to Event Hubs resources is registering your client application with an Azure AD tenant from the Azure portal. When you register your client application, you supply information about the application to Azure AD. Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD at runtime. To learn more about the client ID, see Application and service principal objects in Azure Active Directory.

The following images show the steps for registering a web application:

[Image: Register an application]

Note

If you register your application as a native application, you can specify any valid URI for the Redirect URI. For native applications, this value does not have to be a real URL. For web applications, the redirect URI must be a valid URI, because it specifies the URL to which tokens are provided.

After you've registered your application, you'll see the Application (client) ID under Settings:

[Image: Application ID of the registered application]

For more information about registering an application with Azure AD, see Integrating applications with Azure Active Directory.

Create a client secret

The application needs a client secret to prove its identity when requesting a token. To add the client secret, follow these steps.

  1. Navigate to your app registration in the Azure portal.

  2. Select the Certificates & secrets setting.

  3. Under Client secrets, select New client secret to create a new secret.

  4. Provide a description for the secret, and choose the wanted expiration interval.

  5. Immediately copy the value of the new secret to a secure location. The full value is displayed to you only once.

    [Image: Client secret]

Client libraries for token acquisition

Once you've registered your application and granted it permissions to send/receive data in Azure Event Hubs, you can add code to your application to authenticate a security principal and acquire an OAuth 2.0 token. To authenticate and acquire the token, you can use either one of the Microsoft identity platform authentication libraries or another open-source library that supports OpenID Connect 1.0. Your application can then use the access token to authorize a request against Azure Event Hubs.

For a list of scenarios for which acquiring tokens is supported, see the Scenarios section of the Microsoft Authentication Library (MSAL) for .NET GitHub repository.
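The token acquisition described above, as an added example that is not code from this article or from the Azure SDKs: a registered application presents its client ID and client secret to the Azure AD v2.0 token endpoint using the OAuth 2.0 client-credentials grant, requests a token for the Event Hubs resource (or the Kafka namespace host) named in this article, caches it until shortly before expiry, and sends it as a bearer token. The authority host for the Azure China cloud is an assumption, and the `post` parameter is a hypothetical hook that lets the refresh logic run without network access.

```python
# Added example, not code from the article or the Azure SDKs: obtain an Azure AD
# access token for Event Hubs with the OAuth 2.0 client-credentials grant, cache
# it until shortly before expiry, and attach it as a bearer token.
import json
import time
import urllib.parse
import urllib.request

EVENT_HUBS_RESOURCE = "https://eventhubs.azure.cn/"      # resource name from the article
KAFKA_HOST_SUFFIX = ".servicebus.chinacloudapi.cn"      # Kafka resource host, from the article
AUTHORITY = "https://login.partner.microsoftonline.cn"  # assumption: Azure China AD authority

def scope_for(kafka_namespace=None):
    """v2.0 scope: the Event Hubs audience, or the namespace host for Kafka clients."""
    resource = EVENT_HUBS_RESOURCE
    if kafka_namespace:
        resource = "https://" + kafka_namespace + KAFKA_HOST_SUFFIX
    return resource.rstrip("/") + "/.default"

def build_token_request(tenant_id, client_id, client_secret, scope):
    """Token endpoint URL and URL-encoded body for the client-credentials grant."""
    url = "%s/%s/oauth2/v2.0/token" % (AUTHORITY, tenant_id)
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}  # secret goes in the POST body only
    return url, urllib.parse.urlencode(form).encode()

def post_form(url, body):
    """HTTP POST to the token endpoint; returns the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class TokenCache:
    """Reuses the token until `skew` seconds before expiry, then requests a new one."""
    def __init__(self, tenant_id, client_id, client_secret, scope, skew=300, post=post_form):
        self.args = (tenant_id, client_id, client_secret, scope)  # read the secret from config, not source
        self.skew, self.post = skew, post                         # `post` is injectable for offline tests
        self.token, self.expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at - self.skew:
            reply = self.post(*build_token_request(*self.args))
            self.token = reply["access_token"]
            self.expires_at = now + float(reply["expires_in"])
        return self.token

    def auth_header(self, now=None):
        return {"Authorization": "Bearer " + self.get(now)}
```

Call `TokenCache(tenant_id, client_id, client_secret, scope_for()).auth_header()` with values loaded from configuration or a secret store, and pass the returned header on each request to Event Hubs; for Kafka clients use `scope_for("<namespace>")` instead.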

Samples

Next steps

See the following related articles: