Authorize access to Azure Event Hubs

Every time you publish or consume events from an event hub, your client is accessing an Event Hubs resource. Every request to a secured resource must be authorized so that the service can confirm that the client holds the permissions required to publish or consume that data.

Azure Event Hubs offers the following options for authorizing access to secured resources:

  • Azure Active Directory
  • Shared access signature

Note

This article applies to both Event Hubs and Apache Kafka scenarios.

Azure Active Directory

Azure Active Directory (Azure AD) integration for Event Hubs resources provides role-based access control (RBAC) for fine-grained control over a client's access to resources. You can use RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. The security principal authenticates to Azure AD and receives an OAuth 2.0 token; that token is then presented to authorize a request against an Event Hubs resource. Because the token is issued per principal and expires, access can be withdrawn by removing the role assignment rather than by rotating a shared secret.

For more information about authenticating with Azure AD, see the following articles:

Shared access signatures

Shared access signatures (SAS) for Event Hubs resources provide limited, delegated access to those resources. Constraining the time interval for which a signature is valid, or the permissions it grants, gives you flexibility in managing access to a resource. For more information, see Authenticate using shared access signatures (SAS).

Authorizing users or applications with an OAuth 2.0 token returned by Azure AD provides better security and ease of use than shared access signatures (SAS). With Azure AD, there is no need to store shared access keys or SAS tokens alongside your code, which removes a common source of credential leakage. While you can continue to use SAS to grant fine-grained access to Event Hubs resources, Azure AD offers similar capabilities without the need to manage SAS tokens or to worry about revoking a compromised SAS, which otherwise remains valid until it expires or the signing key is regenerated.

By default, all Event Hubs resources are secured and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to Event Hubs resources, Microsoft recommends using Azure AD whenever possible for maximum security and ease of use.

For more information about authorization using SAS, see Authorizing access to Event Hubs resources using Shared Access Signatures.
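The following added example (not code from this page or from the Azure SDK) makes the two SAS points above concrete: a token is an HMAC-SHA256 over the URL-encoded resource URI and a Unix expiry, signed with a shared access policy key, and the only ways to cut off a leaked token are its expiry or regenerating that key. The token layout (`sr`, `sig`, `se`, `skn`) is the format Event Hubs SAS tokens use; the namespace URI, policy name, key, timestamps and the service-side verifier are all constructed for illustration and are not the service's own implementation.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, List, Optional
from urllib.parse import quote_plus, unquote_plus

# Constructed sample values for the demo; not a real namespace or key.
NAMESPACE_URI = "https://contoso-ns.servicebus.windows.net/orders-hub"
POLICY_NAME = "send-only"
PRIMARY_KEY = "c29tZS1iYXNlNjQta2V5LW1hdGVyaWFsLWZvci1kZW1vLW9ubHk="


def generate_sas_token(resource_uri: str, policy_name: str, key: str,
                       ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Client side: sign '<url-encoded uri>\\n<expiry>' with the policy key.

    ttl_seconds is the validity window; keep it short, because nothing
    except expiry or key regeneration invalidates the token once issued.
    """
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    encoded_uri = quote_plus(resource_uri)
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return (f"SharedAccessSignature sr={encoded_uri}"
            f"&sig={quote_plus(signature)}&se={expiry}&skn={policy_name}")


def parse_sas_token(token: str) -> Dict[str, str]:
    """Split a SAS token into its fields; every field is required."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields: Dict[str, str] = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    for required in ("sr", "sig", "se", "skn"):
        if required not in fields:
            raise ValueError(f"missing SAS field: {required}")
    return fields


def verify_sas_token(token: str, policy_keys: Dict[str, List[str]],
                     now: Optional[int] = None) -> bool:
    """Hypothetical service-side check modelling what the broker must do.

    policy_keys maps a policy name to the keys currently accepted for it
    (primary and secondary). A compromised token stays valid until its
    'se' passes or the key that signed it is removed from this mapping.
    """
    try:
        fields = parse_sas_token(token)
        expiry = int(fields["se"])
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if expiry <= current:
        return False                       # expired: the only built-in cut-off
    keys = policy_keys.get(fields["skn"])
    if not keys:
        return False                       # unknown or deleted policy
    # 'sr' is stored URL-encoded, exactly as it was signed.
    string_to_sign = f"{fields['sr']}\n{fields['se']}".encode("utf-8")
    presented = unquote_plus(fields["sig"])
    for key in keys:
        expected = base64.b64encode(
            hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
        ).decode("ascii")
        if hmac.compare_digest(expected, presented):   # constant-time compare
            return True
    return False


if __name__ == "__main__":
    issued_at = 1_700_000_000
    token = generate_sas_token(NAMESPACE_URI, POLICY_NAME, PRIMARY_KEY, 600, issued_at)
    live_keys = {POLICY_NAME: [PRIMARY_KEY]}
    print("valid now:      ", verify_sas_token(token, live_keys, issued_at))
    print("after expiry:   ", verify_sas_token(token, live_keys, issued_at + 600))
    print("key regenerated:", verify_sas_token(token, {POLICY_NAME: ["new-key"]}, issued_at))
```

Running the block shows the token accepted at issue time, rejected once `se` has passed, and rejected as soon as the policy key is regenerated. Editing the `se` field to extend a token's life breaks the signature, which is why the expiry is the one constraint a client cannot loosen; revoking a single leaked token without regenerating the key, and thereby invalidating every other token signed with it, is not possible, which is the operational cost the text above contrasts with Azure AD role assignments.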

Next steps