Troubleshoot authentication and authorization issues - Azure Event Hubs

The Troubleshoot connectivity issues article provides tips for troubleshooting connectivity issues with Azure Event Hubs. This article provides tips and recommendations for troubleshooting authentication and authorization issues with Azure Event Hubs.

If you are using Azure Active Directory

If you are using Azure Active Directory (Azure AD) to authenticate and authorize with Azure Event Hubs, confirm that the identity accessing the event hub is a member of the right Azure role at the right resource scope (consumer group, event hub, namespace, resource group, or subscription).

Azure roles

Resource scopes

  • Consumer group: At this scope, role assignment applies only to this entity. Currently, the Azure portal doesn't support assigning an Azure role to a security principal at this level.
  • Event hub: Role assignment applies to the event hub entity and the consumer groups under it.
  • Namespace: Role assignment spans the entire topology of event hubs under the namespace and the consumer groups associated with them.
  • Resource group: Role assignment applies to all the Event Hubs resources under the resource group.
  • Subscription: Role assignment applies to all the Event Hubs resources in all of the resource groups in the subscription.
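The scope list above describes inheritance: an assignment made at one level applies to everything beneath it. As an added example that is not part of this article, the following Python models that inheritance over constructed ARM resource IDs and constructed role assignments, so you can answer "which roles does this principal actually hold on this consumer group, and from which scope?" The role names are Azure's built-in Event Hubs data-plane roles (which this article does not list); the subscription GUID, resource names and principal names are placeholders.

```python
# Constructed sample ARM resource IDs; the GUID and names are placeholders, not real resources.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/contoso-rg"
NAMESPACE = RESOURCE_GROUP + "/providers/Microsoft.EventHub/namespaces/contoso-ns"
EVENT_HUB = NAMESPACE + "/eventhubs/orders"
CONSUMER_GROUP = EVENT_HUB + "/consumergroups/billing"

# Constructed role assignments: (principal, role, scope). The role names are Azure's
# built-in Event Hubs data-plane roles; the principals are placeholders.
ASSIGNMENTS = [
    ("app-orders-producer", "Azure Event Hubs Data Sender", EVENT_HUB),
    ("app-billing", "Azure Event Hubs Data Receiver", CONSUMER_GROUP),
    ("ops-team", "Azure Event Hubs Data Owner", RESOURCE_GROUP),
    ("app-other", "Azure Event Hubs Data Receiver", NAMESPACE + "/eventhubs/telemetry"),
]

# Resource-type segment that precedes the name at each Event Hubs scope level.
_LEVELS = {
    "subscriptions": "subscription",
    "resourcegroups": "resource group",
    "namespaces": "namespace",
    "eventhubs": "event hub",
    "consumergroups": "consumer group",
}


def _segments(resource_id):
    """ARM IDs compare case-insensitively; split into path segments for whole-segment matching."""
    return [s for s in resource_id.lower().split("/") if s]


def scope_level(resource_id):
    """Name the scope level of an ARM ID ('namespace', 'event hub', ...)."""
    segs = _segments(resource_id)
    if len(segs) < 2:
        raise ValueError(f"not an ARM resource ID: {resource_id}")
    return _LEVELS.get(segs[-2], "unknown")


def scope_covers(assignment_scope, resource_id):
    """True if an assignment at assignment_scope applies to resource_id.

    Assignments inherit downward, so the assignment scope must be a whole-segment
    prefix of the target. A plain string prefix is not enough: an assignment on
    'eventhubs/orders' must not cover 'eventhubs/orders-archive'.
    """
    a, r = _segments(assignment_scope), _segments(resource_id)
    return len(a) <= len(r) and r[: len(a)] == a


def effective_roles(assignments, principal, resource_id):
    """Roles the principal holds on resource_id, with the scope level each one comes from."""
    return sorted(
        (role, scope_level(scope))
        for who, role, scope in assignments
        if who == principal and scope_covers(scope, resource_id)
    )


if __name__ == "__main__":
    for who in ("app-orders-producer", "app-billing", "ops-team", "app-other"):
        print(who, "on", scope_level(CONSUMER_GROUP), "->",
              effective_roles(ASSIGNMENTS, who, CONSUMER_GROUP))
```

When a principal gets an authorization error, run its real assignments (for example the output of `az role assignment list --assignee <principal> --all`) through `effective_roles` against the full resource ID of the entity it is accessing; an empty result, or a result that lacks the send or receive role the client needs, is the misconfiguration to fix.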

For more information, see the following articles:

If you are using shared access signatures (SAS)

If you are using SAS, follow these steps:

  • Ensure that the SAS key you are using is correct. If not, use the right SAS key.
  • Verify that the key has the right permissions (send, receive, or manage). If not, use a key that has the permission you need.
  • Check whether the key has expired. We recommend that you renew the SAS well before expiration. If there is clock skew between the client and the Event Hubs service nodes, the authentication token might expire before the client realizes it. The current implementation accounts for clock skew of up to 5 minutes, that is, the client renews the token 5 minutes before it expires. Therefore, if the clock skew is larger than 5 minutes, the client can observe intermittent authentication failures.
  • If the SAS start time is set to now, you may see intermittent failures for the first few minutes due to clock skew (differences in the current time on different machines). Set the start time to be at least 15 minutes in the past, or don't set it at all. The same generally applies to the expiry time as well.
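The three checks above (right key, right policy, not expired) can all be read off the token itself. As an added example that is not part of this article, the following Python builds an Event Hubs SAS token with the documented construction (HMAC-SHA256 over the URL-encoded resource URI, a newline, and the Unix expiry time), then shows the checks a practitioner wants when diagnosing an authentication failure: which policy name (`skn`) the token carries, whether it was signed with the key you think it was, and whether it is expired or inside the 5-minute skew window where the client should already have renewed it. The namespace, hub, policy name and key are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample values; the key is NOT a real Event Hubs key.
SAMPLE_URI = "https://contoso-ns.servicebus.windows.net/contoso-hub"
SAMPLE_KEY_NAME = "send-only-policy"
SAMPLE_KEY = "constructed-sample-key-not-a-real-secret"
CLOCK_SKEW_ALLOWANCE = 5 * 60  # seconds; the renewal window described in the article


def generate_sas_token(uri, key_name, key, now, ttl_seconds):
    """Build an Event Hubs SAS token: HMAC-SHA256 over '<url-encoded uri>\\n<expiry>'."""
    expiry = int(now + ttl_seconds)
    encoded_uri = urllib.parse.quote_plus(uri)
    string_to_sign = f"{encoded_uri}\n{expiry}"
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    signature = urllib.parse.quote_plus(base64.b64encode(digest).decode("ascii"))
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={key_name}"


def parse_sas_token(token):
    """Split a token into its raw fields. Values are left URL-encoded on purpose:
    the signature is computed over the encoded 'sr', so decoding it first would
    make every verification fail."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    for required in ("sr", "sig", "se", "skn"):
        if required not in fields:
            raise ValueError(f"token is missing the '{required}' field")
    return fields


def verify_sas_signature(token, key):
    """Recompute the signature with a candidate key, as the service does.
    False means the token was not signed with this key (wrong or rotated key)."""
    fields = parse_sas_token(token)
    string_to_sign = f"{fields['sr']}\n{fields['se']}"
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    ).decode("ascii")
    presented = urllib.parse.unquote_plus(fields["sig"])
    return hmac.compare_digest(expected, presented)


def token_status(token, now, skew_allowance=CLOCK_SKEW_ALLOWANCE):
    """'expired', 'renew' (inside the skew window, so renew now), or 'valid'."""
    expiry = int(parse_sas_token(token)["se"])
    if now >= expiry:
        return "expired"
    if expiry - now <= skew_allowance:
        return "renew"
    return "valid"


if __name__ == "__main__":
    now = int(time.time())
    token = generate_sas_token(SAMPLE_URI, SAMPLE_KEY_NAME, SAMPLE_KEY, now, 3600)
    fields = parse_sas_token(token)
    print("resource :", urllib.parse.unquote_plus(fields["sr"]))
    print("policy   :", fields["skn"])
    print("expires  :", fields["se"], "| status now:", token_status(token, now))
    print("signed with the expected key :", verify_sas_signature(token, SAMPLE_KEY))
    print("signed with a different key  :", verify_sas_signature(token, "some-other-key"))
```

To use it on a real failure, paste the token your client sends into `parse_sas_token`: the `skn` value tells you which policy to inspect for send/receive/manage rights, `token_status` with your machine's clock tells you whether a skew larger than the 5-minute allowance could explain intermittent failures, and `verify_sas_signature` with the policy's current key tells you whether the client is still signing with a rotated or mistyped key.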

For more information, see the following articles:

Next steps

See the following articles: