Authorize access to Event Hubs resources using Azure Active Directory

Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user or an application service principal. To learn more about roles and role assignments, see Understanding the different roles.

Overview

When a security principal (a user or an application) attempts to access an Event Hubs resource, the request must be authorized. With Azure AD, access to a resource is a two-step process.

  1. First, the security principal's identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token for is https://eventhubs.azure.cn/. For Kafka clients, the resource to request a token for is https://<namespace>.servicebus.chinacloudapi.cn.
  2. Next, the token is passed as part of a request to the Event Hubs service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to the Event Hubs service, see Authenticate access to Azure Event Hubs resources with Azure Active Directory and managed identities for Azure Resources.

The authorization step requires that one or more RBAC roles be assigned to the security principal. Azure Event Hubs provides RBAC roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal will have. For more information about RBAC roles, see Built-in RBAC roles for Azure Event Hubs.

Native applications and web applications that make requests to Event Hubs can also authorize with Azure AD. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see Authenticate access to Azure Event Hubs with Azure AD from an application.

Assign RBAC roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Event Hubs defines a set of built-in RBAC roles that encompass common sets of permissions used to access event hub data. You can also define custom roles for accessing the data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security principal may be a user, an application service principal, or a managed identity for Azure resources.

Built-in RBAC roles for Azure Event Hubs

Azure provides the following built-in RBAC roles for authorizing access to Event Hubs data using Azure AD and OAuth:

Resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. Best practice is to always grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Event Hubs resources, starting with the narrowest scope:

  • Consumer group: At this scope, the role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an RBAC role to a security principal at this level.
  • Event hub: The role assignment applies to the event hub entity and the consumer groups under it.
  • Namespace: The role assignment spans the entire topology of event hubs under the namespace and extends to the consumer groups associated with them.
  • Resource group: The role assignment applies to all the Event Hubs resources under the resource group.
  • Subscription: The role assignment applies to all the Event Hubs resources in all of the resource groups in the subscription.
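The following added example (not code from the Azure documentation) models two points from this page: which OAuth 2.0 resource a client requests a token for (the AMQP and Kafka values above), and how a role assignment at one scope level propagates to every child scope, so that the narrowest scope covering a set of resources can be picked. The resource-ID layout follows the Azure Resource Manager convention; the subscription, resource-group, namespace and event hub names are constructed sample values.

```python
# Added example, not from the Azure docs page: model how an Event Hubs RBAC
# role assignment propagates to child scopes and which OAuth 2.0 resource to
# request a token for. ARM resource-ID layout follows the Azure convention;
# all subscription/resource-group/namespace names used with it are constructed.
TOKEN_RESOURCE_AMQP = "https://eventhubs.azure.cn/"                 # from the page
TOKEN_RESOURCE_KAFKA = "https://{ns}.servicebus.chinacloudapi.cn"   # from the page

# Segment count of a valid scope ID -> scope level (narrowest has most segments).
SCOPE_SEGMENTS = {2: "subscription", 4: "resource group", 8: "namespace",
                  10: "event hub", 12: "consumer group"}


def _segments(resource_id: str) -> list:
    return [s for s in resource_id.split("/") if s]


def scope_level(resource_id: str) -> str:
    """Classify an ARM resource ID into one of the page's five scope levels."""
    s = [x.lower() for x in _segments(resource_id)]
    ok = (s[:1] == ["subscriptions"]
          and (len(s) < 4 or s[2] == "resourcegroups")
          and (len(s) < 8 or s[4:7] == ["providers", "microsoft.eventhub", "namespaces"])
          and (len(s) < 10 or s[8] == "eventhubs")
          and (len(s) < 12 or s[10] == "consumergroups"))
    if not ok or len(s) not in SCOPE_SEGMENTS:
        raise ValueError(f"not an Event Hubs scope: {resource_id}")
    return SCOPE_SEGMENTS[len(s)]


def assignment_applies(assignment_scope: str, resource_id: str) -> bool:
    """An assignment grants its role on the scope and everything under it.
    Compare whole segments, case-insensitively, so 'ns1' never matches 'ns10'."""
    a = [x.lower() for x in _segments(assignment_scope)]
    r = [x.lower() for x in _segments(resource_id)]
    return len(a) <= len(r) and r[:len(a)] == a


def narrowest_common_scope(resource_ids: list) -> str:
    """Least privilege: the narrowest valid scope covering every resource is the
    longest shared segment prefix, cut back to a valid scope boundary."""
    segs = [_segments(r) for r in resource_ids]
    n = 0
    while all(len(s) > n for s in segs) and len({s[n].lower() for s in segs}) == 1:
        n += 1
    n = max((k for k in SCOPE_SEGMENTS if k <= n), default=0)
    if n == 0:
        raise ValueError("resources span more than one subscription")
    return "/" + "/".join(segs[0][:n])


def token_resource(namespace: str, kafka: bool = False) -> str:
    """Resource (token audience) to request the OAuth 2.0 token for, per the page."""
    return TOKEN_RESOURCE_KAFKA.format(ns=namespace) if kafka else TOKEN_RESOURCE_AMQP
```

Two event hubs in the same namespace resolve to a namespace-level scope rather than a resource-group or subscription assignment, which is the least-privilege choice the page recommends.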

Note

  • Keep in mind that RBAC role assignments may take up to five minutes to propagate.
  • This content applies to both Event Hubs and Event Hubs for Apache Kafka. For more information on Event Hubs for Kafka support, see Event Hubs for Kafka - security and authentication.

For more information about how built-in roles are defined, see Understand role definitions. For information about creating custom RBAC roles, see Create custom roles for Azure Role-Based Access Control.

Samples

Next steps

See the following related articles: